#2765 ad_site parameter does not work
Closed: Fixed None Opened 3 years ago by ondrejv2.

When I specify ad_site in my config, and then run:
netstat -alp | grep sss

I see that the sssd_be process is connected to an LDAP server not corresponding to the site I have specified.


From logs:

(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.dublin.ad.s3group.com'
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0x248edb0]
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dcpra2.dublin.ad.s3group.com' in files
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dcpra2.dublin.ad.s3group.com' in files
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dcpra2.dublin.ad.s3group.com' in DNS
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [client_registration] (0x0100): Cancel DP ID timeout [0x248da80]
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [client_registration] (0x0100): Added Frontend client [NSS]
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Dublin._sites.dublin.ad.s3group.com'
(Thu Aug 20 11:03:44 2015) [sssd[be[default]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.dublin.ad.s3group.com'

That's bad - I have specified "ad_site = Dublin" so we should rather search in:

_ldap._tcp.Dublin._sites.dublin.ad.s3group.com

Looks like this parameter is happily ignored.


Can you provide full logs please?

Log attached. My configuration:
[domain/default]
debug_level = 5
ldap_id_mapping = False
ad_domain = DUBLIN.AD.S3GROUP.COM

ad_enable_dns_sites = false

ad_site = Dublin
id_provider = ad
auth_provider = ad
chpass_provider = ad
autofs_provider = ldap
cache_credentials = True
dns_discovery_domain = dublin.ad.s3group.com
krb5_realm = DUBLIN.AD.S3GROUP.COM

Note that forest root domain is ad.s3group.com.

Can you increase the debug level, say to 0x3ff0? Unfortunately this level does not contain the information I was looking for. Thank you.

cc: => pbrezina

log file attached (debug level= 0x3ff0). Different machine, so "ad_site = Prague" here.

Hi, the logs say that you are connecting to the right server.

(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain dublin.ad.s3group.com
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'dublin.ad.s3group.com'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.dublin.ad.s3group.com'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_getsrv_done] (0x1000): Using TTL [600]
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_discover_srv_done] (0x0400): Got 15 servers
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_get_dc_servers_done] (0x0400): Found 15 domain controllers in domain dublin.ad.s3group.com
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_connect_host_send] (0x0400): Resolving host dcpra.dublin.ad.s3group.com
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dcpra.dublin.ad.s3group.com' in files
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dcpra.dublin.ad.s3group.com' in files
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dcpra.dublin.ad.s3group.com' in DNS
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dcpra.dublin.ad.s3group.com:389
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dcpra.dublin.ad.s3group.com:389/??base] with fd [23].
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dcpra.dublin.ad.s3group.com:389
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_print_server] (0x2000): Searching 192.168.60.12
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=dublin.ad.s3group.com)(NtVer=\14\00\00\00))][].
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [netlogon]
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x1109c90], connected[1], ops[0x1109b20], ldap[0x1100850]
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_parse_entry] (0x1000): OriginalDN: [].
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [netlogon]
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x1109c90], connected[1], ops[0x1109b20], ldap[0x1100850]
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_handle_release] (0x2000): Trace: sh[0x1109c90], connected[1], ops[(nil)], ldap[0x1100850], destructor_lock[0], release_memory[0]
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_get_client_site_done] (0x0400): Found site: Prague
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_srv_plugin_site_done] (0x2000): Ignoring AD site found by DNS discovery: 'Prague', using configured value: 'Prague' instead.
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_discover_servers_send] (0x0400): Looking up primary servers
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'Prague._sites.dublin.ad.s3group.com'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Prague._sites.dublin.ad.s3group.com'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_getsrv_done] (0x1000): Using TTL [458]
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_discover_srv_done] (0x0400): Got 2 servers
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_discover_servers_primary_done] (0x0400): Looking up backup servers
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'dublin.ad.s3group.com'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.dublin.ad.s3group.com'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_getsrv_done] (0x1000): Using TTL [600]
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_discover_srv_done] (0x0400): Got 15 servers
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_srv_plugin_servers_done] (0x0400): Got 2 primary and 15 backup servers
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dcpra2.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dcpra.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcwro1.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcwro3.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcsjc2.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcsjc3.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dccork2.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dclis1.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcwro7.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcdub1.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dccork1.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcwro2.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcduba.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Server 'dcpra.dublin.ad.s3group.com:389' for service 'AD' is already present
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Server 'dcpra2.dublin.ad.s3group.com:389' for service 'AD' is already present
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcphil1.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dclisaa.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD' as 'resolved'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [get_server_status] (0x1000): Status of server 'dcpra2.dublin.ad.s3group.com' is 'name not resolved'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dcpra2.dublin.ad.s3group.com' in files
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'dcpra2.dublin.ad.s3group.com' as 'resolving name'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dcpra2.dublin.ad.s3group.com' in files
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dcpra2.dublin.ad.s3group.com' in DNS
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'dcpra2.dublin.ad.s3group.com' as 'name resolved'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [be_resolve_server_process] (0x0200): Found address for server dcpra2.dublin.ad.s3group.com: [192.168.60.209] TTL 1793
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://dcpra2.dublin.ad.s3group.com'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://dcpra2.dublin.ad.s3group.com'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://dcpra2.dublin.ad.s3group.com:389/??base] with fd [23].

Can you send me the output of netstat -alp | grep sss ?

Well, check the logs later on:

(Thu Aug 27 16:18:04 2015) [sssd[be[default]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dcsjc3.dublin.ad.s3group.com:389
(Thu Aug 27 16:18:04 2015) [sssd[be[default]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Aug 27 16:18:08 2015) [sssd[be[default]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Aug 27 16:18:10 2015) [sssd[be[default]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Thu Aug 27 16:18:10 2015) [sssd[be[default]]] [sdap_handle_release] (0x2000): Trace: sh[0x239f760], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
(Thu Aug 27 16:18:10 2015) [sssd[be[default]]] [be_resolve_server_done] (0x1000): Server resolution failed: 14
(Thu Aug 27 16:18:10 2015) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Thu Aug 27 16:18:10 2015) [sssd[be[default]]] [be_mark_offline] (0x2000): Going offline!

I mean - mostly it gets connected after all, but there are times when sssd goes offline because it tries to connect to the wrong DC. With ad_site configured, this should never happen.

Ondrej


Hi,
the service resolution has several steps:

1) Obtain list of domain controllers - no matter which site.
2) Connect to a dc and send "ldap ping", we will get site name and forest name.
3) Resolve service from site.

The failures you see come from step 2). Even if a site is set manually, we still have to do step 2) to obtain the forest name. Maybe we can allow both of them to be set manually, or we can prefer a DC from the configured site in this step.

Are those domain controllers just timing out or are they completely unreachable?

Hi,
OK, I understand. The DCs are timing out because they are in a different geographic region, so the firewall is dropping access to them - the firewall only allows inter-DC communication for replication purposes.
I think if we preferred site-local DCs for step 2) it would make the most sense here.
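
A log check for the step 2) behaviour discussed above, as an added example that is not part of the original ticket or of SSSD: it collects the primary (site) servers from fo_add_server_to_list lines and reports every sdap_connect_host_resolv_done connection to a host outside that set, noting whether the backend then went offline. The function names and the two-pass approach are assumptions of this example; the sample lines are copied from the logs quoted in this ticket.

```python
import re

# Debug line layout as quoted in this ticket:
# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
PRIMARY_RE = re.compile(r"Inserted primary server '([^':]+):\d+'")
CONNECT_RE = re.compile(r"Connecting to ldaps?://([^:/\s]+)")

# Sample input: lines copied from the log excerpts in this ticket.
SAMPLE_LOG = """
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dcpra.dublin.ad.s3group.com:389
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dcpra2.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'dcpra.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:00:07 2015) [sssd[be[default]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'dcwro1.dublin.ad.s3group.com:389' to service 'AD'
(Thu Aug 27 16:18:04 2015) [sssd[be[default]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dcsjc3.dublin.ad.s3group.com:389
(Thu Aug 27 16:18:10 2015) [sssd[be[default]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Thu Aug 27 16:18:10 2015) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Thu Aug 27 16:18:10 2015) [sssd[be[default]]] [be_mark_offline] (0x2000): Going offline!
""".strip().splitlines()


def parse(lines):
    """Yield (timestamp, function, message) for each well-formed debug line."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("func"), m.group("msg")


def off_site_connections(lines):
    """Report site-probe connections to hosts that are not primary servers."""
    events = list(parse(lines))

    # Pass 1: primary servers are the ones found under the site's SRV record.
    primaries = set()
    for _, func, msg in events:
        if func == "fo_add_server_to_list":
            hit = PRIMARY_RE.search(msg)
            if hit:
                primaries.add(hit.group(1).lower())

    # Pass 2: classify each probe connection; without a primary list
    # nothing can be classified, so nothing is reported.
    findings, pending = [], None
    for ts, func, msg in events:
        if func == "sdap_connect_host_resolv_done":
            pending = None
            hit = CONNECT_RE.search(msg)
            if hit and primaries and hit.group(1).lower() not in primaries:
                pending = {"time": ts, "host": hit.group(1).lower(),
                           "went_offline": False}
                findings.append(pending)
        elif func == "be_mark_offline" and pending is not None:
            # Offline transition before the next probe: attribute it here.
            pending["went_offline"] = True
            pending = None
    return findings


if __name__ == "__main__":
    for finding in off_site_connections(SAMPLE_LOG):
        print(finding)
```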

This is probably also related to #2702

Yes, I agree. Thank you!

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.2

Fields changed

owner: somebody => pbrezina

We would like to release the 1.13.2 tarball soon and this ticket is not a release blocker, therefore I'm moving it out of 1.13.2 into 1.13.3

milestone: SSSD 1.13.2 => SSSD 1.13.3

We would like to release the 1.13.3 tarball soon and this ticket is not a release blocker, therefore I'm moving it out of 1.13.3 into 1.13.4

milestone: SSSD 1.13.3 => SSSD 1.13.4

Fields changed

patch: 0 => 1

resolution: => fixed
status: new => closed

Metadata Update from @ondrejv2:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.13.4

2 years ago
