On Fri, 2016-10-28 at 17:15 +0200, Sumit Bose wrote:
> On Tue, Oct 25, 2016 at 12:58:06PM +0000, Joakim Tjernlund wrote:
> > On Tue, 2016-10-25 at 13:40 +0200, Joakim Tjernlund wrote:
> > > On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
> > > > On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
> > > > > On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> > > > > > Looks like adcli was unable to detect your site - you found a bug
> > > > > > in adcli.
> > > > > > O.
> > > > >
> > > > > # > adcli info infinera.com
> > > > > [domain]
> > > > > domain-name = infinera.com
> > > > > domain-short = INFINERA
> > > > > domain-forest = infinera.com
> > > > > domain-controller = se-dc01.infinera.com
> > > > > domain-controller-site = Sweden
> > > > > domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> > > > > domain-controller-usable = maybe
> > > > > domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> > > > > [computer]
> > > > > computer-site =
> > > > >
> > > > > So it seems computer-site above is empty and domain-controller-usable = maybe looks odd too.
> > > > > I think it could be caused by our DNS server but I don't know what to look for.
> > > >
> > > > The site discovery is not related to DNS. adcli (and btw SSSD as well)
> > > > run an LDAP search like:
> > > >
> > > > ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> > > >
> > > > The result is a base64 encoded blob which contains various data about
> > > > the domain. This data might include the site of the client but it might
> > > > be empty if the AD server cannot determine to which site the client
> > > > belongs. Please note that the only information the AD server gets from
> > > > the client is the IP address.
> > > >
> > > > But I agree with Ondrej that this should be fixed in adcli. If the
> > > > client site is not available or empty a site aware DNS lookup should not
> > > > be tried.
> > > >
> > > > Nevertheless I would like to ask you to send me the base64 output of the
> > > > ldapsearch command from above so that I can check if e.g. the blob is in
> > > > a format adcli currently does not expect.
> > > >
> > > > bye,
> > > > Sumit
> > >
> > > This is still odd (patch from
> > > https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):
> > > #> adcli info -v infinera.com
> > >  * Discovering domain controllers: _ldap._tcp.infinera.com
> > >  * Sending netlogon pings to domain controller: cldap://10.210.34.21
> > >  * Sending netlogon pings to domain controller: cldap://10.220.32.14
> > >  * Sending netlogon pings to domain controller: cldap://10.120.2.22
> > >  * Sending netlogon pings to domain controller: cldap://10.120.2.21
> > >  * Sending netlogon pings to domain controller: cldap://10.100.98.21
> > >  * Received NetLogon info from: se-dc01.infinera.com
> > >  * Received NetLogon info from: SV-DC01.infinera.com
> > > [domain]
> > > domain-name = infinera.com
> > > domain-short = INFINERA
> > > domain-forest = infinera.com
> > > domain-controller = SV-DC01.infinera.com
> > > domain-controller-site = Sunnyvale
> > > domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> > > domain-controller-usable = yes
> > > domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
> > > [computer]
> > > computer-site = Sunnyvale
> > >
> > > It still answers with Sunnyvale even though se-dc01 answers first.
> > > LDAP search returns:
> > >
> > > ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> > > dn:
> > > netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
> >
> > Here is why it can fail completely on occasion:
> > /* Number of servers to do discovery against */
> > #define DISCO_COUNT 5
> >
> > and
> > # > dig @10.210.34.21 _ldap._tcp.infinera.com -t SRV
> >
> > ; <<>> DiG 9.10.4-P3 <<>> @10.210.34.21 _ldap._tcp.infinera.com -t SRV
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32629
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 15
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4000
> > ;; QUESTION SECTION:
> > ;_ldap._tcp.infinera.com.	IN	SRV
> >
> > ;; ANSWER SECTION:
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 sv-dc01.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 in-dc02.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 pa-dc01.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 ch-dc02.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 in-dc01.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 md-dc02.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 se-dc01.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 sv-dc03.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 md-dc01.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 se-dc02.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 sv-dc04.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 uk-dc01.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 pa-dc02.infinera.com.
> > _ldap._tcp.infinera.com.	600	IN	SRV	0 100 389 sv-dc02.infinera.com.
> > ....
> >
> > So there are lots of servers but only the first 5 will be queried and most of them
> > will not answer our requests.
> > Should local DNS be configured differently?
>
> I think the original idea was that if 5 servers do not reply there might
> be something wrong in the environment and it does not make sense to
> query more and more servers. Do you think DISCO_COUNT should be
> configurable or wouldn't it be easier to use the -S option to specify a
> suitable DC?

That makes sense, I think we have a mess somewhere ...
This is a bit odd though:

adcli info -v -S se-dc01.infinera.com
 * Sending netlogon pings to domain controller: cldap://10.210.34.21
 * Received NetLogon info from: se-dc01.infinera.com
[domain]
domain-name = infinera.com
domain-short = INFINERA
domain-forest = infinera.com
domain-controller = se-dc01.infinera.com
domain-controller-site = Sweden
domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
domain-controller-usable = maybe
[computer]
computer-site = Sunnyvale

Still says computer-site = Sunnyvale when I am in Sweden.
I guess we need to check where our network belongs.

 Jocke
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
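The netlogon blob quoted in the thread is a NETLOGON_SAM_LOGON_RESPONSE_EX structure (MS-ADTS 6.3.1.9): a small fixed header, a run of RFC 1035 style compressed DNS names, and a fixed trailer. The decoder below is an added example, not adcli or SSSD code and not part of the original messages. It parses the exact blob se-dc01 returned, follows the name-compression pointers, and exposes the two site fields side by side so the "DC says Sweden, client is Sunnyvale" result can be checked without adcli. The flag-name mapping is assumed to mirror what adcli prints; the second, empty-client-site blob is constructed here to model the first symptom in the thread, and all function and constant names are the example's own.

```python
"""Decode the NetLogon attribute returned by a CLDAP netlogon ping.

The value is a NETLOGON_SAM_LOGON_RESPONSE_EX (MS-ADTS 6.3.1.9): fixed header,
RFC 1035 style compressed names, fixed trailer. Added example, not adcli/SSSD code."""
import base64
import struct
import uuid

# Blob quoted in the thread: the 'netlogon::' value se-dc01.infinera.com returned.
NETLOGON_B64 = (
    "FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5G"
    "SU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w=="
)

# Constructed variant with an empty ClientSiteName, modelling the first symptom
# in the thread ("computer-site = "). Every compression pointer in the blob
# targets an offset before this field, so editing it in place keeps them valid.
NETLOGON_NO_CLIENT_SITE = base64.b64decode(NETLOGON_B64).replace(
    b"\x09Sunnyvale\x00", b"\x00")

LOGON_SAM_LOGON_RESPONSE_EX = 23   # Opcode selected by NtVer bit 0x4 (5EX)

# DS_FLAG bits (MS-ADTS 6.3.1.2); names assumed to match adcli's output.
DS_FLAGS = [
    (0x0001, "pdc"), (0x0004, "gc"), (0x0008, "ldap"), (0x0010, "ds"),
    (0x0020, "kdc"), (0x0040, "timeserv"), (0x0080, "closest"),
    (0x0100, "writable"), (0x0200, "good-timeserv"), (0x0400, "ndnc"),
    (0x0800, "select-secret"), (0x1000, "full-secret"), (0x2000, "ads-web"),
]

# Order of the compressed-name fields after the 24-byte header.
NAME_FIELDS = ("DnsForestName", "DnsDomainName", "DnsHostName",
               "NetbiosDomainName", "NetbiosComputerName", "UserName",
               "DcSiteName", "ClientSiteName")


def read_compressed_name(blob, offset):
    """Read one RFC 1035 compressed name; return (name, offset after the field).

    A 0xC0-prefixed 16-bit word is a pointer to an earlier name in the blob.
    Only the first pointer advances the caller's cursor (by 2 bytes); the
    labels reached through a pointer never do."""
    labels, pos, end, seen = [], offset, None, set()
    while True:
        if pos >= len(blob):
            raise ValueError("truncated name at offset %d" % pos)
        length = blob[pos]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if pos + 1 >= len(blob):
                raise ValueError("truncated pointer at offset %d" % pos)
            target = struct.unpack_from(">H", blob, pos)[0] & 0x3FFF
            if end is None:
                end = pos + 2
            if target in seen:
                raise ValueError("pointer loop at offset %d" % pos)
            seen.add(target)
            pos = target
            continue
        if length == 0:                               # root label ends the name
            return ".".join(labels), end if end is not None else pos + 1
        labels.append(blob[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def decode_netlogon(data):
    """Parse a NETLOGON_SAM_LOGON_RESPONSE_EX given as base64 text or raw bytes."""
    blob = base64.b64decode(data) if isinstance(data, str) else bytes(data)
    if len(blob) < 24:
        raise ValueError("blob too short for the fixed header")
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected opcode %d (want 23)" % opcode)
    info = {"Flags": flags,
            "FlagNames": [name for bit, name in DS_FLAGS if flags & bit],
            "DomainGuid": str(uuid.UUID(bytes_le=blob[8:24]))}
    pos = 24
    for field in NAME_FIELDS:
        info[field], pos = read_compressed_name(blob, pos)
    if len(blob) - pos < 8:                           # NtVersion + two tokens
        raise ValueError("truncated trailer")
    info["NtVersion"], info["LmNtToken"], info["Lm20Token"] = \
        struct.unpack_from("<IHH", blob, pos)
    return info


def site_summary(info):
    """adcli-style view of the site fields: the DC's own site, the site the DC
    assigned to the client from its source address, and whether the DC claims to
    be the closest one. An empty client site means the DC could not map the
    client's IP to any site."""
    return {
        "domain-controller-site": info["DcSiteName"],
        "computer-site": info["ClientSiteName"],
        "closest": "closest" in info["FlagNames"],
        "client-site-known": info["ClientSiteName"] != "",
    }


if __name__ == "__main__":
    for blob in (NETLOGON_B64, NETLOGON_NO_CLIENT_SITE):
        info = decode_netlogon(blob)
        print(info["DnsHostName"], "flags=0x%x" % info["Flags"], site_summary(info))
```

Run against the quoted blob, the decoder yields DcSiteName "Sweden", ClientSiteName "Sunnyvale" and flags 0x317c with the closest bit clear, which is exactly what adcli printed for se-dc01. Since the DC derives ClientSiteName from the client's source IP alone, a result like this points at the site/subnet mapping on the AD side rather than at the client's DNS, which is the check the thread ends on.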