
I am a Windows admin who manages our AD infrastructure. Our Linux team have been building some CentOS 7 VMs and configuring them to use SSSD to join the domain.

The initial config was querying a DC in a different site (not domain as previously written), so I asked them to look into using AD Sites with SSSD.

The server now returns the 3 _ldap DC records from DNS. The first it tries is from a different site, so it cannot access it. The second works and it retrieves the correct site name. For a period of time (not sure exactly how long) it will use the DC that responded, and after that time has passed it will go back to getting the 3 _ldap records from DNS.

This causes some delays in logging in which we have been asked to solve. If we set the site name in the config, then it works all the time, but we have to consider that we restore these VMs from a backup to the other site where the set site name would now be wrong.

I don't know much of the config in CentOS but is there a way for this to work correctly or is that what it is already doing?

neildeadman
  • `The initial config was querying a DC in a different domain, so I asked them to look into using AD Sites with SSSD` - That doesn't make sense. Why would it query a different domain? Did you mean a different site in the domain? `The server now returns the 3 _ldap DC records from DNS. The first it tries is from a different site so it cannot access it` - Why not? Is there no connectivity between sites? If AD Sites and Services is set up correctly then a Windows client should authenticate to a DC in the site closest to it. You'll need to see if CentOS has similar functionality. – joeqwerty Nov 10 '17 at 12:27
  • @joeqwerty you are correct, I meant site not domain. Other than the DCs the sites cannot communicate. Windows appears to work as expected, it is purely the CentOS clients that have the issues. Time for retry seems to be a sudo rule refresh and then srv records showing as expired. – neildeadman Nov 10 '17 at 12:33

1 Answer


You'll need to tell SSSD which site to use.

[domain/example.com]
dns_discovery_domain = MyLocalSite._sites.example.com

This will do the following DNS lookups for LDAP/Kerberos:

dig SRV +short _ldap._tcp.MyLocalSite._sites.example.com
dig SRV +short _kerberos._tcp.MyLocalSite._sites.example.com

You can get a list of these sites from AD DNS or Sites and Services.

IMHO Microsoft does a really poor job at doing this; depending on your change rate you may want to set up a discovery subdomain yourself or use FreeIPA.

Sample query: dig SRV +short _ldap._tcp.MyLocalSite._sites.example.com

Microsoft Sites and Services DNS

_ldap._tcp.MyLocalSite._sites.example.com 600 IN SRV 0 100 389 dc1.example.com

IPA Locations DNS

_ldap._tcp.MyLocalSite._sites.example.com 600 IN SRV 0 100 389 dc1.example.com
_ldap._tcp.MyLocalSite._sites.example.com 600 IN SRV 100 100 389 dc2.example.com

IPA will always list all IPA servers when you configure locations, and modify DNS SRV record priority based on geoDNS. Hopefully Server 2016 will add support for this; I do not have examples on how to use 2016 server to provide local SRV records.

If you want to MANUALLY create a site under another domain, you can, nothing says you can't.

Example

sssd.conf

dns_discovery_domain = MyLocalSite._linux_sites.example.com

DNS

_ldap._tcp.MyLocalSite._linux_sites.example.com 600 IN SRV 0 100 389 dc1.example.com
_ldap._tcp.MyLocalSite._linux_sites.example.com 600 IN SRV 100 100 389 dc2.example.com

Jacob Evans
  • Is the only way to do it to tell it which site? What about our DR scenario mentioned above? – neildeadman Nov 10 '17 at 13:19
  • Add your other DCs to those sites with lower service metrics; you could define your own site and use SRV records, which is a better way than Microsoft defaults. – Jacob Evans Nov 10 '17 at 13:21
  • I think your Linux team needs to evaluate FreeIPA/Red Hat IdM, which comes with its own set of problems but does a really good job at these issues. – Jacob Evans Nov 10 '17 at 13:33
  • I have 6 DCs, 2 per site, and embarked on the journey of getting my Linux servers in each site to leverage SSSD/AD. I truly didn't understand why logins were slow or the "Provider is offline" until I read this and understood what `dns_discovery_domain` is doing. Thank you @jacobevans this is an underrated post. – Joe Jul 02 '19 at 22:49
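As an added illustration (not code from the answer, and not SSSD's own resolver), the Python below derives the SRV query names SSSD builds from a `dns_discovery_domain` value and orders constructed `dig +short` output the way a standard RFC 2782 resolver does, which is why the priority 0/100 records in the answer give dc1 first and dc2 only as a fallback. The sample SRV lines are constructed to match the answer's `_linux_sites` example.

```python
import random
import re

# Constructed sample: what `dig SRV +short` prints for the answer's
# _linux_sites zone (priority weight port target). Not real DNS data.
SAMPLE_DIG_OUTPUT = """\
100 100 389 dc2.example.com.
0 100 389 dc1.example.com.
"""

def srv_names(dns_discovery_domain):
    """Query names SSSD derives from dns_discovery_domain for LDAP and Kerberos."""
    return [f"_ldap._tcp.{dns_discovery_domain}",
            f"_kerberos._tcp.{dns_discovery_domain}"]

def parse_srv(dig_short_output):
    """Parse `dig +short` SRV lines into (priority, weight, port, target)."""
    records = []
    for line in dig_short_output.splitlines():
        m = re.fullmatch(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*", line)
        if not m:
            continue  # skip blank or malformed lines instead of failing
        prio, weight, port, target = m.groups()
        records.append((int(prio), int(weight), int(port), target))
    return records

def order_targets(records, rng=None):
    """RFC 2782 ordering: lowest priority first; equal priorities are
    picked by weighted random choice, so dc2 is only tried if dc1 fails."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            chosen = group[-1]
            if total == 0:
                chosen = rng.choice(group)  # all weights 0: pick uniformly
            else:
                pick, acc = rng.uniform(0, total), 0
                for r in group:
                    acc += r[1]
                    if pick <= acc:
                        chosen = r
                        break
            ordered.append(f"{chosen[3]}:{chosen[2]}")
            group.remove(chosen)
    return ordered
```

Running `order_targets(parse_srv(SAMPLE_DIG_OUTPUT))` yields `['dc1.example.com:389', 'dc2.example.com:389']`; swapping the priorities in DNS for the other site's servers is what makes a restored VM prefer its new local DC without editing sssd.conf.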