On Fri, 2016-10-28 at 16:52 +0200, Sumit Bose wrote:
> On Tue, Oct 25, 2016 at 11:39:33AM +0000, Joakim Tjernlund wrote:
> > 
> > On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
> > > 
> > > On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
> > > > 
> > > > 
> > > > On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> > > > > 
> > > > > 
> > > > > Looks like adcli was unable to detect your site - you found a bug in 
> > > > > adcli.
> > > > > O.
> > > > 
> > > > # > adcli info infinera.com
> > > > [domain]
> > > > domain-name = infinera.com
> > > > domain-short = INFINERA
> > > > domain-forest = infinera.com
> > > > domain-controller = se-dc01.infinera.com
> > > > domain-controller-site = Sweden
> > > > domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> > > > domain-controller-usable = maybe
> > > > domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> > > > [computer]
> > > > computer-site = 
> > > > 
> > > > So it seems computer-site above is empty and domain-controller-usable = 
> > > > maybe looks odd too.
> > > > I think it could be caused by our DNS server but I don't know what to 
> > > > look for
> > > 
> > > The site discovery is not related to DNS. adcli (and btw SSSD as well)
> > > run an LDAP search like:
> > > 
> > >     ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> > > 
> > > The result is a base64 encoded blob which contains various data about
> > > the domain. This data might include the site of the client but it might
> > > be empty if the AD server cannot determine to which site the client
> > > belongs. Please note that the only information the AD server gets from
> > > the client is the IP address.
> > > 
> > > But I agree with Ondrej that this should be fixed in adcli. If the
> > > client site is not available or empty a site aware DNS lookup should not
> > > be tried.
> > > 
> > > Nevertheless I would like to ask you to send me the base64 output of the
> > > ldapsearch command from above so that I can check if e.g. the blob is in
> > > a format adcli currently does not expect.
> > > 
> > > bye,
> > > Sumit
> > 
> > This is still odd (patch from https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):
> > #> adcli info -v  infinera.com
> >  * Discovering domain controllers: _ldap._tcp.infinera.com
> >  * Sending netlogon pings to domain controller: cldap://10.210.34.21
> >  * Sending netlogon pings to domain controller: cldap://10.220.32.14
> >  * Sending netlogon pings to domain controller: cldap://10.120.2.22
> >  * Sending netlogon pings to domain controller: cldap://10.120.2.21
> >  * Sending netlogon pings to domain controller: cldap://10.100.98.21
> >  * Received NetLogon info from: se-dc01.infinera.com
> >  * Received NetLogon info from: SV-DC01.infinera.com
> > [domain]
> > domain-name = infinera.com
> > domain-short = INFINERA
> > domain-forest = infinera.com
> > domain-controller = SV-DC01.infinera.com
> > domain-controller-site = Sunnyvale
> > domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> > domain-controller-usable = yes
> > domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
> > [computer]
> > computer-site = Sunnyvale
> > 
> > It still answers with Sunnyvale even though se-dc01 answers first.
> > LDAP search returns:
> > 
> > ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> > dn:
> > netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
> 
> I'm not sure what you think might be wrong here? The client site name
> should not change even if a server from a different site is queried. So
> even if the server is in the site Sweden the client is still in
> Sunnyvale.

The other way around: the site is Sweden and the server is in Sunnyvale. Why is
the server in Sweden not chosen?

 Jocke
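
Added example (not part of the original thread, and not adcli or SSSD code): a decoder for the NetLogon blob quoted above, showing which string field carries the DC's site and which carries the client's site. It assumes the NETLOGON_SAM_LOGON_RESPONSE_EX layout from MS-ADTS as returned for NtVer 0x06 (no socket-address or next-closest-site fields); the function names and dictionary keys are this example's own.

```python
import base64
import struct

# NetLogon value copied from the ldapsearch output quoted in the thread (se-dc01).
BLOB_B64 = ("FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEA"
            "B1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==")
# DS_FLAG bits (MS-ADTS), labelled with the names adcli prints in the thread.
FLAG_NAMES = {0x4: "gc", 0x8: "ldap", 0x10: "ds", 0x20: "kdc", 0x40: "timeserv",
              0x80: "closest", 0x100: "writable", 0x1000: "full-secret", 0x2000: "ads-web"}
# String fields in wire order after the 16-byte DomainGuid; key names are this example's.
FIELDS = ("forest", "domain", "dc_host", "netbios_domain", "netbios_host",
          "user", "dc_site", "client_site")

def read_name(buf, off):
    """Read one RFC 1035 compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = buf[off]
        if (n & 0xC0) == 0xC0:            # two-byte pointer to an earlier name
            hops += 1
            if hops > 8:                  # reply is untrusted UDP data: bound the jumps
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if n == 0:                        # root label ends the name
            break
        labels.append(buf[off:off + n].decode("utf-8"))
        off += n
    return ".".join(labels), (off if end is None else end)

def parse_netlogon(b64):
    buf = base64.b64decode(b64)
    opcode, _sbz, flags = struct.unpack_from("<HHI", buf, 0)
    if opcode != 23:                      # LOGON_SAM_LOGON_RESPONSE_EX
        raise ValueError(f"unexpected opcode {opcode}")
    out = {"flags": [name for bit, name in FLAG_NAMES.items() if flags & bit]}
    off = 8 + 16                          # header, then DomainGuid
    for field in FIELDS:
        out[field], off = read_name(buf, off)
    out["nt_version"] = struct.unpack_from("<I", buf, off)[0]
    return out

if __name__ == "__main__":
    for key, value in parse_netlogon(BLOB_B64).items():
        print(f"{key:15} {value}")
```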