Learn more about these different git repos.
Other Git URLs
Hello,
We are experiencing a bug in our environment, where we have 2 domains: asia.example.com and europe.example.com on a Debian-based (Ubuntu) SSSD. The problem exists in Ubuntu Precise (SSSD 1.8.2), Quantal (SSSD 1.9.1), but I believe it is in master as well. I can try to reproduce it there if you like.
Symptoms: machines with FQDN of machine.europe.example.com resolve users and groups from both domains, but it is only possible to log in from europe.example.com domain accounts.
Reason: Kerberos resolution for domain aisa.example.com queries europe.example.com.
Wild guess from the log excerpt: SSSD tries to get the FQDN of the machine by doing reverse DNS query & DNS query and uses the FQDN for any domain.
Workaround: It seems that removing the line: 127.0.1.1 machine1.europe.example.com machine1 from /etc/hosts solves the issue. I am aware though, that reverse DNS does not work in this environment, so it might be that the problem is not only related to Debian-based as only those seem to have this line in /etc/hosts.
While it seems "acceptable" to remove this line from /etc/hosts, it seems bizarre that SSSD ignores config file /etc/sssd/sssd.conf and resolves domain based on hosts FQDN.
config file sssd.conf
gzipped log excerpt sssd_asia.example.com.log.gz
From the SSSD manpage:
dns_discovery_domain (string) If service discovery is used in the back end, specifies the domain part of the service discovery DNS query. Default: Use the domain part of machine's hostname
The problem here is that you're relying on SRV records to locate your KDC, but you aren't telling it which DNS domain to use for this location. If it's unspecified, we do a local lookup of the machine's hostname and then use that for the search domain.
Try setting:
[domain/europe.example.com] ... dns_discovery_domain = europe.example.com ... [domain/asia.example.com] ... dns_discovery_domain = asia.example.com ...
Tested and works. Sorry for not reading the docs well enough :)
Fields changed
resolution: => worksforme status: new => closed
Metadata Update from @ballock: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2675
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.