Bug 1161564

Summary: [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option
Product: Red Hat Enterprise Linux 6 Reporter: toni <amarirom>
Component: sssdAssignee: Pavel Reichl <preichl>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: medium Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium    
Version: 6.6CC: aglotov, ahoness, cww, grajaiya, javier.ramirez, jhrozek, kbanerje, lslebodn, mkosek, pbrezina, preichl, rmainz, salmy, savsingh, sssd-maint
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.12.4-1.el6 Doc Type: Release Note
Doc Text:
sssd supports overriding automatically discovered AD site The Active Directory (AD) DNS site to which the client connects is discovered automatically by default. However, the default automatic search might not discover the most suitable AD site in certain setups. In such situations, you can now define the DNS site manually using the *ad_site* parameter in the *[domain/NAME]* section of the */etc/sssd/sssd.conf* file. For more information about *ad_site*, see the Identity Management Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
 Story Points: ---
Clone Of:
: 1163806 (view as bug list) Environment:
Last Closed: 2015-07-22 06:42:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1075802, 1163806    

Description toni 2014-11-07 10:58:05 UTC 
Version-Release number of selected component (if applicable):
sssd-ad-1.11.6-30.el6.x86_64

Description of problem:

We are integrating a bunch of RHEL6.6 clients on a AD domain sites with sssd-ad and we would like to be able to force the use of a AD site from sssd configuration (instead of network assignment to sites in AD controllers).The reason is to avoid the creation of the 3000 subnets in AD where our RHEL clients are configured to be assigned to the same site. 

We tested ad provider using dns_discovery domain with the especific dns domain SiteName._sites.example.com and we observe dns requests with tcpdump. The conclusion is that:
- The ldap discovery that sssd does work uses the dns_discovery_domain, but
- Kerberos server discovery uses the realm name for the DNS query, not the dns_discovery_domain.

How reproducible:
We need a AD with sites configuration

Steps to Reproduce:
1. Use the ad provider in sssd
2. Edit sssd.conf and add a dns_discovery_domain = SiteName._sites.example.com
3. tcpdump on port 53

Actual results:

 rhel6host1.example.com.46958 > adserver.example.com.domain: 45800+ SRV? _ldap._tcp.Valencia._sites.example.com. (56)

adserver.example.com.domain > rhel6host1.example.com.46958: 45800* 1/0/1 SRV adserver.example.com.:389 0 100 (112)

For kerberos
rhel6host1.example.com.47799 > adserver.example.com.domain: 48324+ SRV? _kerberos._udp.EXAMPLE.COM. (44)
rhel6host1.example.com.48368 > adserver.example.com.domain: 53003+ PTR? 60.122.168.192.in-addr.arpa. (45)
adserver.example.com.domain > rhel6host1.example.com.47799: 48324* 1/0/1 SRV adserver.example.com.:88 0 100 (100)
rhel6host1.example.com.40558 > adserver.example.com.domain: 15231+ SRV? _kerberos._tcp.EXAMPLE.COM. (44)

Expected results:
Ldap is correctly using dns_discovery_domain but kerberos is not using it.

Additional info:
Comment 2 Jakub Hrozek 2014-11-07 11:46:51 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2486
Comment 17 Jakub Hrozek 2015-01-26 22:39:49 UTC 
Fixed upstream:

    master:
        b22e0da9e644f5eb84ee0c8986979fec3fe7eb56
        e438fbf102c3d787902504bdae177e84230cbbc9 
    sssd-1-12:
        6992f203c2b37d130287eae11f3929d0000e6d44
        e2f4a87ef4a657d27c3ec544fd75a21eefcf3ce7
Comment 19 Kaushik Banerjee 2015-05-19 07:13:31 UTC 
Verified with sssd-1.12.4-40.el6.x86_64

Report from beaker test output
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: dns_site_02: ad_site=LocalSite but AD has Default-First-Site-Name as default
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'getent passwd test_user_01' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad2012r2.com.log' should contain 'Found site: Default-First-Site-Name' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad2012r2.com.log' should contain 'Ignoring AD site found by DNS discovery: 'Default-First-Site-Name', using configured value: 'LocalSite' instead' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad2012r2.com.log' should contain 'Inserted primary server 'bsod2-bdc.sssdad2012r2.com:389'' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad2012r2.com.log' should contain 'Inserted backup server 'bsod2.sssdad2012r2.com:389'' 
:: [   PASS   ] :: File '/var/lib/sss/pubconf/kdcinfo.SSSDAD2012R2.COM' should contain '10.8.63.41' 
:: [   PASS   ] :: Command 'netstat -antp | grep 10.8.63.41 | grep 389' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success test_user_01 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File 'krbauth_tcpdump' should contain '10.8.63.41' 
:: [   PASS   ] :: File 'krbauth_tcpdump' should not contain '10.8.63.40' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain '10.8.63.41:88' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should not contain '10.8.63.40:88' 
:: [   LOG    ] :: Duration: 15s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: dns_site_02: ad_site=LocalSite but AD has Default-First-Site-Name as default
Comment 27 Kaushik Banerjee 2015-06-29 10:47:30 UTC 
The content looks correct and good. Thanks Aneta.
Comment 30 errata-xmlrpc 2015-07-22 06:42:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html