SSSD/Active directory problem

jstilby · 01-02-2017, 07:49 AM

Hi,
I am having some problems with sssd site discovery.
Our Active Directory has several sites, each with associated subnets.
I installed two RHEL 7.1 servers, and joind our domain using realmd join
Everything works quite nicel and I can login with AD users to my machines.

HOWEVER:
For some reason, one of my hosts decides that he is in site A, while the other one sees itself as part of site B - and therefore uses a far away DC, which causes some problems.

When I define the DC manually with ad_server in sssd.conf, it works ok - but then I lose the site discovery option.

Both machines have:
1. The same sssd.conf file
2. The same resolv.conf file
3. Are residing in the same subnet.

Here is the sssd.conf:

[sssd]
domains = my.domain
config_file_version = 2
services = nss, pam

[domain/my.domain]

ad_domain = my.domain
krb5_realm = MY.DOMAIN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
ad_gpo_access_control = enforcing
fallback_homedir = /home/%d/%u
access_provider = ad
ignore_group_members = true
debug_level = 9

Here are some of the log lines from the problematic host (incorrectly finding the 'B' site):

[root@mongodev sssd]# grep "Found site" /var/log/sssd/sssd_ad.boi.gov.il.log*

/var/log/sssd/sssd_ad.boi.gov.il.log

Sun Jan 1 04:09:34 2017) [sssd[be[ad.boi.gov.il]]] [ad_master_domain_netlogon_done] (0x0400): Found site [B].
/var/log/sssd/sssd_ad.boi.gov.il.log

Sun Jan 1 04:30:51 2017) [sssd[be[ad.boi.gov.il]]] [ad_get_client_site_done] (0x0400): Found site: B
<many such lines...>

...While the other host returns correctly:
[root@dbalnx1 sssd]# grep "Found site" /var/log/sssd/sssd_ad.boi.gov.il.log*
/var/log/sssd/sssd_ad.boi.gov.il.log

Sun Jan 1 06:11:36 2017) [sssd[be[ad.boi.gov.il]]] [ad_master_domain_netlogon_done] (0x0400): Found site [A].
/var/log/sssd/sssd_ad.boi.gov.il.log

Sun Jan 1 06:18:29 2017) [sssd[be[ad.boi.gov.il]]] [ad_get_client_site_done] (0x0400): Found site: A
<many such lines>

Can anyone help? Why is the incorrect site/DC selected consistently on one host?

gradinaruvasile · 01-15-2017, 11:09 AM

That is auto discovery. We use sssd and unless we specify the DC manually it randomly selected one of our DCs, some are thousands of miles and several hundred ms away and incurring a few seconds of waiting (sometimes timeouts).
There is a setting that adds auto discovery fall back if the first server is not found:

ad_server = dc.your.domain,_srv_

It does work consistently using the specified first server and it does seem to fall back to auto discovered DCs.