net ads join seems to restrict itself to the first 5 DCs of those it finds
Alexey A Nikitin
nikitin at amazon.com
Fri Aug 9 16:15:50 UTC 2019
On Friday, 9 August 2019 09:07:21 PDT Richard Sharpe wrote:
> On Fri, Aug 9, 2019 at 8:33 AM Alexey A Nikitin <nikitin at amazon.com> wrote:
> >
> > On Thursday, 8 August 2019 15:26:43 PDT Richard Sharpe via samba-technical wrote:
> > > Hi folks,
> > >
> > > We are finding that net ads join is unable to join because it only
> > > issues cldap requests for the first five DCs it finds when looking up
> > > _ldap._tcp.realm ...
> > >
> > > Is this correct?
> > >
> > > The problem seems to be that sites and services is not correctly
> > > configured to return the closest DC first in the list and the one they
> > > should be contacting is around 16 out of 29 returned.
> > >
> > >
> >
> > I cannot confirm (yet) seeing this issue in `net ads join`, but I have seen something similar in `adcli info`, where the code selects only the first five entries among the SRV RR for _ldap._tcp, leading to domain discovery failure in some setups where DNS is configured to return non-site-specific DCs yet firewalls block communications from clients to those DCs. One could rightfully say that the setup itself is broken, yet Windows is robust enough to handle that, but adcli wasn't.
> >
> > I wrote a patch that fixes that behavior in adcli, it got accepted upstream some time ago. If someone can confirm this behavior with `net ads join` (or with Winbind in general - I have seen plenty cases where it fails to locate DCs, just haven't yet had time to pinpoint the root cause) then I imagine the patch for `net ads join` shouldn't be too difficult to write either.
>
> Thanks for the hint. Yes, Windows is robust in this situation.
>
> I will have an opportunity to determine if it is 'net ads join' doing
> this or 'realm join' issuing weird instructions to net ads join, but
> it looks like net ads join.
>
> I will also get a level 10 log.
>
>
My experience with `realm join` is that it is a bit of a simpleton. For example, it stumbles and falls flat on its face when you try to join a machine to a resource domain using service account from a user domain, I was unable to coax it into doing so. No matter the way I tried to court it it would demand an admin user from the resource domain. When I bypassed realmd and did `net ads join` directly it joined just fine right away, I just had to manually perform all the configurations beforehand that realmd automates.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190809/a24d0cbb/signature.sig>
More information about the samba-technical
mailing list