On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
> On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
> > On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> > > Looks like adcli was unable to detect your site - you found a bug in
> > > adcli.
> > > O.
> >
> > # > adcli info infinera.com
> > [domain]
> > domain-name = infinera.com
> > domain-short = INFINERA
> > domain-forest = infinera.com
> > domain-controller = se-dc01.infinera.com
> > domain-controller-site = Sweden
> > domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> > domain-controller-usable = maybe
> > domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> > [computer]
> > computer-site =
> >
> > So it seems computer-site above is empty and domain-controller-usable =
> > maybe looks odd too.
> > I think it could be caused by our DNS server but I don't know what to look
> > for
>
> The site discovery is not related to DNS. adcli (and btw SSSD as well)
> run an LDAP search like:
>
> ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
>
> The result is a base64 encoded blob which contains various data about
> the domain. This data might include the site of the client but it might
> be empty if the AD server cannot determine to which site the client
> belongs. Please note that the only information the AD server gets from
> the client is the IP address.
>
> But I agree with Ondrej that this should be fixed in adcli. If the
> client site is not available or empty a site aware DNS lookup should not
> be tried.
>
> Nevertheless I would like to ask you to send me the base64 output of the
> ldapsearch command from above so that I can check if e.g. the blob is in
> a format adcli currently does not expect.
>
> bye,
> Sumit

This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):

#> adcli info -v infinera.com
 * Discovering domain controllers: _ldap._tcp.infinera.com
 * Sending netlogon pings to domain controller: cldap://10.210.34.21
 * Sending netlogon pings to domain controller: cldap://10.220.32.14
 * Sending netlogon pings to domain controller: cldap://10.120.2.22
 * Sending netlogon pings to domain controller: cldap://10.120.2.21
 * Sending netlogon pings to domain controller: cldap://10.100.98.21
 * Received NetLogon info from: se-dc01.infinera.com
 * Received NetLogon info from: SV-DC01.infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = SV-DC01.infinera.com
domain-controller-site = Sunnyvale
domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
domain-controller-usable = yes
domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
[computer]
computer-site = Sunnyvale

It still answers with Sunnyvale even though se-dc01 answers first.
LDAP search returns:

ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
dn:
netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
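
Added example (not part of the original messages, and not adcli or SSSD code): a small Python decoder for the base64 NetLogon blob posted above, showing which fields the DC's CLDAP answer carries. It assumes the NETLOGON_SAM_LOGON_RESPONSE_EX layout from MS-ADTS (24-byte fixed header, then RFC 1035 style compressed names); the function names and dictionary keys are chosen here for illustration.

```python
import base64
import struct

# NetLogon value copied verbatim from the ldapsearch output in the message above.
BLOB = base64.b64decode(
    "FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAx"
    "wBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==")

# Flag bits from MS-ADTS, labelled the way adcli prints them in this thread.
FLAGS = {0x4: "gc", 0x8: "ldap", 0x10: "ds", 0x20: "kdc", 0x40: "timeserv",
         0x80: "closest", 0x100: "writable", 0x1000: "full-secret",
         0x2000: "ads-web"}
# Order of the compressed-name fields that follow the 24-byte fixed header.
FIELDS = ("forest", "domain", "dc-host", "netbios-domain", "netbios-host",
          "user", "dc-site", "client-site")

def read_name(buf, pos):
    """Decode one RFC 1035 style name; return (name, offset after it)."""
    labels, resume, hops = [], None, 0
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of blob")
        n = buf[pos]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(buf) or hops >= 16:
                raise ValueError("bad or looping compression pointer")
            resume = pos + 2 if resume is None else resume
            pos, hops = ((n & 0x3F) << 8) | buf[pos + 1], hops + 1
        elif n == 0:                              # end of name
            return ".".join(labels), (pos + 1 if resume is None else resume)
        else:                                     # ordinary label
            if n > 63 or pos + 1 + n > len(buf):
                raise ValueError("label runs past end of blob")
            labels.append(buf[pos + 1:pos + 1 + n].decode("utf-8"))
            pos += 1 + n

def parse_netlogon_ex(blob):
    """Parse the flags and name fields of a NetLogon EX response."""
    if len(blob) < 24 or struct.unpack_from("<H", blob)[0] != 23:
        raise ValueError("not a LOGON_SAM_LOGON_RESPONSE_EX (opcode 23)")
    flags = struct.unpack_from("<I", blob, 4)[0]
    info = {"flags": [name for bit, name in FLAGS.items() if flags & bit]}
    pos = 24                                      # opcode + sbz + flags + GUID
    for field in FIELDS:
        info[field], pos = read_name(blob, pos)
    return info

if __name__ == "__main__":
    print(parse_netlogon_ex(BLOB))
```

For the blob in this thread the decoder returns dc-site = Sweden and client-site = Sunnyvale: the response from se-dc01 carries the client's site as a field separate from the DC's own site.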
