You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When the SSSD is configured for AD using sssd-ad, it searches for _udp DNS Kerberos SRV entries and then _tcp entries. AD doesn't have any _udp entries for the individual sites but does for the domain so SSSD picks up these _udp entries and makes them all primary (and on large sites it may talk to a server on a slow link, etc.) What I expect it do would be to pick up the individual sites Kerberos _tcp entries to make primary before the domains _udp entries.
But I'm also curious how you ended up with the Kerberos service being searched? Normally for the AD service, we use a special 'AD' and 'AD_GC' services and only search for ldap service entries because we generally want to use the same server for identity connections and authentication.
Glad you could easily reproduce. All the providers are set to AD or LDAP, and confirmed AD and AD_GC sites were picked up correctly.
ldap_id_mapping = False
ldap_schema = ad
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
autofs_provider=ldap
The issue was only noticeable when trying to mount an NFSv4 mount with Fedora22/23 which was delayed for about 30 seconds where normally it's instant. Looks like rpc.gssd/gssproxy tries to negotiate with the server first even when with auth=sys options for mount and a tcpdump on Kerberos traffic showed that it was picking up remote servers. When manually added the _udp site Kerbero's entries in the DNS it only then used these primary servers (confirmed by tcpdump and the SSSD logs).
Could you please attach the full config? Or if it contains some sensitive data, feel free to send it directly to me (my nick at redhat dot com), also feel free to sanitize any sensitive data like hostnames, realm names etc.
I'd just like to make sure I know where the "kerberos" service comes from.
I think the best course would be to include autofs_provider=ad. It turned out to be really easy to write; can you test packages if I build them for you?
owner: somebody => jhrozek
status: new => assigned
Using the build, you should be able to comment out the last two paragraphs of your config file completely and instead just use:
autofs_provider = ad
So the resulting config file would look like this:
[domain/domain.com]
ldap_id_mapping = False
ldap_schema = ad
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
subdomains_provider = none
cache_credentials = true
override_homedir = /export/home/%u
dyndns_update = true
dyndns_refresh_interval = 86400
dyndns_updaye_ptr = true
dyndns_auth = gss-tsig
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_group_name = name
autofs_provider = ad
# Might still need to specified if it differs from the AD base
# Uncomment if needed
# ldap_autofs_search_base=ou=LinuxHome,dc=domain,dc=com
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2862
When the SSSD is configured for AD using sssd-ad, it searches for _udp DNS Kerberos SRV entries and then _tcp entries. AD doesn't have any _udp entries for the individual sites but does for the domain so SSSD picks up these _udp entries and makes them all primary (and on large sites it may talk to a server on a slow link, etc.) What I expect it do would be to pick up the individual sites Kerberos _tcp entries to make primary before the domains _udp entries.
Comments
Comment from robbo3312 at 2015-11-05 15:37:41
Log file entries for domain
sssd-ad.log
Comment from jhrozek at 2015-11-11 17:32:41
Sorry for the late response.
According to both https://technet.microsoft.com/en-us/library/cc961719.aspx and my local testing you are correct. We should take this into account in the AD site discovery code.
But I'm also curious how you ended up with the Kerberos service being searched? Normally for the AD service, we use a special 'AD' and 'AD_GC' services and only search for ldap service entries because we generally want to use the same server for identity connections and authentication.
Do you maybe use auth_provider=krb5 ?
Comment from robbo3312 at 2015-11-12 10:08:16
Glad you could easily reproduce. All the providers are set to AD or LDAP, and confirmed AD and AD_GC sites were picked up correctly.
ldap_id_mapping = False
ldap_schema = ad
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
autofs_provider=ldap
The issue was only noticeable when trying to mount an NFSv4 mount with Fedora22/23 which was delayed for about 30 seconds where normally it's instant. Looks like rpc.gssd/gssproxy tries to negotiate with the server first even when with auth=sys options for mount and a tcpdump on Kerberos traffic showed that it was picking up remote servers. When manually added the _udp site Kerbero's entries in the DNS it only then used these primary servers (confirmed by tcpdump and the SSSD logs).
Comment from jhrozek at 2015-11-12 10:18:41
Could you please attach the full config? Or if it contains some sensitive data, feel free to send it directly to me (my nick at redhat dot com), also feel free to sanitize any sensitive data like hostnames, realm names etc.
I'd just like to make sure I know where the "kerberos" service comes from.
Comment from robbo3312 at 2015-11-12 10:57:00
SSSD conf file
sssd.conf
Comment from robbo3312 at 2015-11-12 10:57:51
SSSD Config file attached.
Comment from robbo3312 at 2015-11-12 11:42:06
I've forwarded you the SSSD log files, it looks like it could be [autofs] bit.
Comment from jhrozek at 2015-11-12 12:24:03
Thank you, I was going to ask about them. I will take a look later today.
Comment from jhrozek at 2015-11-18 15:51:00
I think the best course would be to include autofs_provider=ad. It turned out to be really easy to write; can you test packages if I build them for you?
owner: somebody => jhrozek
status: new => assigned
Comment from robbo3312 at 2015-11-19 13:01:44
Confirmed can test packages.
Comment from jhrozek at 2015-11-19 13:12:44
Replying to [comment:8 robbo3312]:
Thanks, what OS, release and architecture?
Comment from robbo3312 at 2015-11-19 13:24:40
Replying to [comment:9 jhrozek]:
Fedora 23 x86_64
4.2.5-300.fc23.x86_64 #1 SMP Tue Oct 27 04:29:56 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Regards,
Richard.
Comment from jhrozek at 2015-11-19 14:02:42
OK, please try this build: http://koji.fedoraproject.org/koji/taskinfo?taskID=11906402
Using the build, you should be able to comment out the last two paragraphs of your config file completely and instead just use:
So the resulting config file would look like this:
Comment from jhrozek at 2015-11-23 11:49:55
Fields changed
patch: 0 => 1
Comment from jhrozek at 2015-11-25 15:24:42
Upstream should merge the patch into the current master.
Comment from jhrozek at 2015-11-26 17:02:02
This is a duplicate of #1632.
resolution: => duplicate
status: assigned => closed
Comment from robbo3312 at 2017-02-24 14:58:48
Metadata Update from @robbo3312:
The text was updated successfully, but these errors were encountered: