On Fri, Oct 28, 2016 at 03:20:35PM +0000, Joakim Tjernlund wrote:
> On Fri, 2016-10-28 at 16:52 +0200, Sumit Bose wrote:
> > On Tue, Oct 25, 2016 at 11:39:33AM +0000, Joakim Tjernlund wrote:
> > > 
> > > On Mon, 2016-08-29 at 09:52 +0200, Sumit Bose wrote:
> > > > 
> > > > On Mon, Aug 29, 2016 at 07:20:33AM +0000, Joakim Tjernlund wrote:
> > > > > 
> > > > > On Mon, 2016-08-29 at 06:55 +0000, Ondrej Valousek wrote:
> > > > > > 
> > > > > > Looks like adcli was unable to detect your site - you found a bug
> > > > > > in adcli.
> > > > > > O.
> > > > > 
> > > > > # > adcli info infinera.com
> > > > > [domain]
> > > > > domain-name = infinera.com
> > > > > domain-short = INFINERA
> > > > > domain-forest = infinera.com
> > > > > domain-controller = se-dc01.infinera.com
> > > > > domain-controller-site = Sweden
> > > > > domain-controller-flags = gc ldap ds kdc timeserv writable full-secret ads-web
> > > > > domain-controller-usable = maybe
> > > > > domain-controllers = se-dc01.infinera.com SV-DC01.infinera.com
> > > > > pa-dc02.infinera.com md-dc02.infinera.com in-dc01.infinera.com
> > > > > in-dc02.infinera.com se-dc02.infinera.com ch-dc02.infinera.com
> > > > > sv-dc04.infinera.com pa-dc01.infinera.com md-dc01.infinera.com
> > > > > sv-dc02.infinera.com sv-dc03.infinera.com uk-dc01.infinera.com
> > > > > [computer]
> > > > > computer-site =
> > > > > 
> > > > > So it seems computer-site above is empty and domain-controller-usable
> > > > > = maybe looks odd too.
> > > > > I think it could be caused by our DNS server but I don't know what to
> > > > > look for
> > > > 
> > > > The site discovery is not related to DNS. adcli (and btw SSSD as well)
> > > > run a LDAP search like:
> > > > 
> > > > ldapsearch -H cldap://se-dc01.infinera.com -b '' -s base
> > > > "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> > > > 
> > > > The result is a base64 encoded blob which contains various data about
> > > > the domain. This data might include the site of the client but it might
> > > > be empty if the AD server cannot determine to which site the client
> > > > belongs. Please note that the only information the AD server gets from
> > > > the client is the IP address.
> > > > 
> > > > But I agree with Ondrej that this should be fixed in adcli. If the
> > > > client site is not available or empty a site aware DNS lookup should not
> > > > be tried.
> > > > 
> > > > Nevertheless I would like to ask you to send me the base64 output of the
> > > > ldapsearch command from above so that I can check if e.g. the blob is in
> > > > a format adcli currently does not expect.
> > > > 
> > > > bye,
> > > > Sumit
> > > 
> > > This is still odd (patch from
> > > https://bugs.freedesktop.org/show_bug.cgi?id=98143 added):
> > > #> adcli info -v infinera.com
> > >  * Discovering domain controllers: _ldap._tcp.infinera.com
> > >  * Sending netlogon pings to domain controller: cldap://10.210.34.21
> > >  * Sending netlogon pings to domain controller: cldap://10.220.32.14
> > >  * Sending netlogon pings to domain controller: cldap://10.120.2.22
> > >  * Sending netlogon pings to domain controller: cldap://10.120.2.21
> > >  * Sending netlogon pings to domain controller: cldap://10.100.98.21
> > >  * Received NetLogon info from: se-dc01.infinera.com
> > >  * Received NetLogon info from: SV-DC01.infinera.com
> > > [domain]
> > > domain-name = infinera.com
> > > domain-short = INFINERA
> > > domain-forest = infinera.com
> > > domain-controller = SV-DC01.infinera.com
> > > domain-controller-site = Sunnyvale
> > > domain-controller-flags = gc ldap ds kdc timeserv closest writable full-secret ads-web
> > > domain-controller-usable = yes
> > > domain-controllers = SV-DC01.infinera.com se-dc01.infinera.com
> > > ch-dc02.infinera.com md-dc02.infinera.com md-dc01.infinera.com
> > > sv-dc04.infinera.com pa-dc01.infinera.com in-dc01.infinera.com
> > > sv-dc02.infinera.com uk-dc01.infinera.com in-dc02.infinera.com
> > > pa-dc02.infinera.com se-dc02.infinera.com sv-dc03.infinera.com
> > > [computer]
> > > computer-site = Sunnyvale
> > > 
> > > It still answers with Sunnyvale even though se-dc01 answers first.
> > > LDAP search returns:
> > > 
> > > ldapsearch -LLL -o ldif-wrap=no -H cldap://se-dc01.infinera.com -b '' -s base "(&(DnsDomain=infinera.com)(NtVer=\06\00\00\00))" NetLogon
> > > dn:
> > > netlogon:: FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgISU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w==
> > 
> > I'm not sure what you think might be wrong here? The client site name
> > should not change even if a server from a different site is queried. So
> > even if the server is in the site Sweden the client is still in
> > Sunnyvale.
> 
> The way around, the site is Sweden and the server is in Sunnyvale. Why is not
> the server in Sweden chosen?

Both SV-DC01.infinera.com (from the adcli output) and se-dc01.infinera.com
(from the NetLogon reply) say the site is Sunnyvale, maybe this is the
default site?

adcli will take the response from the first server that replied, if it is
from the same site as the client. If not it will wait for another reply.
This is what you see in the output. The first server that replied, se-dc01,
is in a different site (Sweden vs Sunnyvale), so adcli waits and the second
reply from sv-dc01 is taken. If all servers replied or a timeout of 15s has
passed and no DCs from the same site replied, adcli will pick the first
proper reply.

HTH

bye,
Sumit

> 
> Jocke
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
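To make the pieces of this exchange concrete, here is an added Python example that is not part of the thread and is not adcli's or SSSD's code. It decodes the netlogon blob quoted above according to the NETLOGON_SAM_LOGON_RESPONSE_EX layout from MS-ADTS (opcode, flags, domain GUID, then RFC 1035 compressed names for forest, domain, DC host, NetBIOS domain and computer, user, DC site and client site, followed by NtVersion and the two tokens), renders the flag bits as the words adcli prints, and models in simplified form the site-aware choice Sumit describes together with the rule he asks for (no `_sites` SRV lookup when the client site is empty). The flag-name table, the `choose_dc` model, the `site_srv_name` helper and the stand-in reply for SV-DC01 (whose blob is not in the thread) are this example's own assumptions.

```python
import base64
import struct
import uuid

# The NetLogon blob se-dc01.infinera.com returned in the thread, joined across
# the two lines the mail client wrapped it onto.
NETLOGON_B64 = (
    "FwAAAHwxAACMaRc/i2sHQZC6zHfuHI3SCGluZmluZXJhA2NvbQDAGAdzZS1kYzAxwBgI"
    "SU5GSU5FUkEAB1NFLURDMDEAAAZTd2VkZW4ACVN1bm55dmFsZQAFAAAA/////w=="
)

LOGON_SAM_LOGON_RESPONSE_EX = 0x17

# DS_* flag bits (MS-ADTS 6.3.1.2) paired with the words adcli prints for them.
# The pairing is this example's assumption, checked against the thread output.
FLAG_NAMES = [
    (0x00000001, "pdc"), (0x00000004, "gc"), (0x00000008, "ldap"),
    (0x00000010, "ds"), (0x00000020, "kdc"), (0x00000040, "timeserv"),
    (0x00000080, "closest"), (0x00000100, "writable"),
    (0x00000200, "good-timeserv"), (0x00000400, "ndnc"),
    (0x00000800, "select-secret"), (0x00001000, "full-secret"),
    (0x00002000, "ads-web"),
]


def read_name(buf, pos, max_hops=16):
    """Read one RFC 1035 compressed name at buf[pos]; return (name, next_pos).

    The blob shortens repeated suffixes with 0xC0xx back-pointers. A hop limit
    keeps a malformed reply from looping the parser forever.
    """
    labels, end, hops = [], None, 0
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of blob")
        length = buf[pos]
        if (length & 0xC0) == 0xC0:              # two-byte pointer
            if pos + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            hops += 1
            if hops > max_hops:
                raise ValueError("too many compression pointers")
            if end is None:
                end = pos + 2                    # caller resumes after the pointer
            pos = ((length & 0x3F) << 8) | buf[pos + 1]
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("utf-8"))
        pos += length
    return ".".join(labels), (pos if end is None else end)


def parse_netlogon_ex(blob):
    """Decode a NETLOGON_SAM_LOGON_RESPONSE_EX (what an NtVer=6 ping gets back).

    The request in the thread did not ask for the closest site, so no
    NextClosestSiteName field is expected before NtVersion.
    """
    if len(blob) < 24:
        raise ValueError("blob shorter than the fixed header")
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected opcode 0x%04x" % opcode)
    info = {"flags": flags, "domain_guid": str(uuid.UUID(bytes_le=blob[8:24]))}
    pos = 24
    for key in ("forest", "domain", "dc_dns", "netbios_domain", "netbios_dc",
                "user", "dc_site", "client_site"):
        info[key], pos = read_name(blob, pos)
    info["nt_version"], info["lm_nt_token"], info["lm20_token"] = \
        struct.unpack_from("<IHH", blob, pos)
    return info


def decode_list_blob():
    """Parse the blob quoted in the thread."""
    return parse_netlogon_ex(base64.b64decode(NETLOGON_B64))


def flag_words(flags):
    """Render the flag bits the way adcli's domain-controller-flags line does."""
    return " ".join(name for bit, name in FLAG_NAMES if flags & bit)


def site_srv_name(domain, client_site):
    """SRV name for a site-aware DC lookup, or None when the site is unknown.

    With an empty client site the _sites record cannot exist, which is why the
    thread asks adcli not to try that lookup at all.
    """
    if not client_site:
        return None
    return "_ldap._tcp.%s._sites.%s" % (client_site, domain)


def choose_dc(replies, client_site):
    """Simplified model of the selection Sumit describes (assumption, not adcli).

    'replies' holds parsed replies in arrival order. The first reply from a DC
    in the client's own site wins; if the list is exhausted (every DC answered,
    or the 15 s timeout passed) without one, the first reply is used.
    """
    for reply in replies:
        if client_site and reply["dc_site"] == client_site:
            return reply["dc_dns"], "same site"
    return (replies[0]["dc_dns"], "first reply") if replies else (None, "no reply")


if __name__ == "__main__":
    sweden = decode_list_blob()
    print("%s in site %s, client in site %r" % (
        sweden["dc_dns"], sweden["dc_site"], sweden["client_site"]))
    print("flags:", flag_words(sweden["flags"]))
    # Constructed stand-in for SV-DC01's reply; its blob is not in the thread.
    sunnyvale = dict(sweden, dc_dns="SV-DC01.infinera.com", dc_site="Sunnyvale",
                     netbios_dc="SV-DC01", flags=sweden["flags"] | 0x80)
    print(choose_dc([sweden, sunnyvale], sweden["client_site"]))
    print(site_srv_name(sweden["domain"], sweden["client_site"]))
```

Run against the thread's blob the parser yields dc_site "Sweden" and client_site "Sunnyvale", the exact mismatch that makes adcli wait for SV-DC01's reply, and its flag words match the domain-controller-flags line adcli printed for se-dc01. With an empty client_site the same code falls back to the first reply and returns no `_sites` SRV name, which is the behaviour Sumit asks adcli to adopt.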
