6 Replies. Latest reply: Sep 7, 2012 8:07 AM by 957315

AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN

957315
Hi,

I'm not able to use Active Directory integration with Kerberos:

Our domain name is TEST.DOMAIN.COM.

When running the nslookup query for the GC in this domain, I get the output below:

# nslookup -query=any _gc._tcp.test.domain.com
Server: 10.10.2.6
Address: 10.10.2.6#53

** server can't find _gc._tcp.test.domain.com: NXDOMAIN

There is no answer.

_______________________________________________________________________________

But when running the same query without "test", the GCs are resolved in nslookup:

# nslookup -query=any _gc._tcp.domain.com | grep sis
_gc._tcp.domain.com service = 0 100 3268 server1.test.domain.com.
_gc._tcp.domain.com service = 0 100 3268 server2.test.domain.com.
bash-3.00#

Is it possible to add an option to enter the domain name where the _gc._tcp records reside?

Appreciate, if someone could help me out to get this resolved.



Thank you.
  • 1. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
    AKAErnie
    Hello

    Looks like your GC records are in the domain.com zone. What does your krb5.conf file look like? Can you post a copy?

    Thanks,
  • 2. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
    957315
    Hi,

    Please find the krb5.conf output below.

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = TEST.DOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    EXAMPLE.COM = {
    kdc = kerberos.example.com:88
    admin_server = kerberos.example.com:749
    default_domain = example.com
    }

    TEST.DOMAIN.COM = {
    kdc = dc02.test.domain.com
    admin_server = dc03.test.domain.com
    }

    DOMAIN.COM = {
    kdc = dc01.domain.com
    admin_server = dc01.domain.com
    }

    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

    test.domain.com = TEST.DOMAIN.COM
    .test.domain.com = TEST.DOMAIN.COM
    domain.com = DOMAIN.COM
    .domain.com = DOMAIN.COM
    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }


    thanks.
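    The two posts above show the actual cause: the _gc._tcp SRV records are registered in the forest-root zone (domain.com), not in the child zone (test.domain.com), and the krb5.conf [domain_realm] section is what then maps the returned GC hosts back to a realm. The script below is an added example, not code from the thread or from SGD: it parses nslookup-style SRV answers, walks from the realm's own domain up to the forest root until records appear, and applies the documented [domain_realm] matching rules to each target. The DNS table and host names in it are constructed to mirror the output posted above; the resolver is a stand-in, since real lookups would need network access.

```python
"""Added example: find AD Global Catalog servers via _gc._tcp SRV records and
map each GC host to its Kerberos realm using krb5.conf [domain_realm] rules.

GC SRV records live in the forest-root DNS zone, so _gc._tcp.<child domain>
returns NXDOMAIN even when the GCs themselves are hosts in the child domain.
Runs offline against a constructed DNS table (FAKE_DNS) modelled on the thread.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_nslookup_srv(output: str) -> list[SrvRecord]:
    """Parse 'name service = prio weight port target.' lines as nslookup prints them."""
    records = []
    for line in output.splitlines():
        if "service =" not in line:
            continue
        fields = line.split("service =", 1)[1].split()
        if len(fields) != 4:
            raise ValueError(f"unexpected SRV answer line: {line!r}")
        prio, weight, port = (int(f) for f in fields[:3])
        records.append(SrvRecord(prio, weight, port, fields[3].rstrip(".").lower()))
    # Deterministic stand-in for RFC 2782 selection: lowest priority first, then
    # highest weight (the RFC uses weighted random choice within one priority).
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def gc_candidate_names(domain: str, min_labels: int = 2) -> list[str]:
    """_gc._tcp.<domain>, then each parent zone, stopping at min_labels labels."""
    labels = domain.strip(".").lower().split(".")
    names = []
    while len(labels) >= min_labels:
        names.append("_gc._tcp." + ".".join(labels))
        labels = labels[1:]
    return names


Resolver = Callable[[str], Optional[str]]  # returns nslookup text, None = NXDOMAIN


def find_gc_records(domain: str, resolve: Resolver) -> tuple[str, list[SrvRecord]]:
    """Walk from the realm's own domain up towards the forest root until SRV records appear."""
    tried = []
    for name in gc_candidate_names(domain):
        tried.append(name)
        answer = resolve(name)
        if answer:
            records = parse_nslookup_srv(answer)
            if records:
                return name, records
    raise LookupError(f"no _gc._tcp SRV records found; tried {', '.join(tried)}")


def realm_for_host(host: str, domain_realm: dict[str, str]) -> Optional[str]:
    """[domain_realm] semantics: an entry without a leading dot matches only that exact
    host; '.suffix' matches any host under suffix. The most specific suffix wins."""
    host = host.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return None


# Constructed DNS table mirroring the thread: the child zone has no GC SRV
# records (NXDOMAIN), the forest root does, and its targets are child-domain hosts.
FAKE_DNS: dict[str, Optional[str]] = {
    "_gc._tcp.test.domain.com": None,
    "_gc._tcp.domain.com": (
        "_gc._tcp.domain.com service = 0 100 3268 server1.test.domain.com.\n"
        "_gc._tcp.domain.com service = 0 100 3268 server2.test.domain.com.\n"
    ),
}

# [domain_realm] entries taken from the krb5.conf posted above.
DOMAIN_REALM = {
    "test.domain.com": "TEST.DOMAIN.COM",
    ".test.domain.com": "TEST.DOMAIN.COM",
    "domain.com": "DOMAIN.COM",
    ".domain.com": "DOMAIN.COM",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name.lower())


def locate_gcs(realm: str, resolve: Resolver = fake_resolve) -> list[tuple[str, int, Optional[str]]]:
    """Return (gc host, port, Kerberos realm of that host) for the realm's forest."""
    _, records = find_gc_records(realm, resolve)
    return [(r.target, r.port, realm_for_host(r.target, DOMAIN_REALM)) for r in records]


if __name__ == "__main__":
    zone, _ = find_gc_records("TEST.DOMAIN.COM", fake_resolve)
    print(f"GC SRV records found under: {zone}")
    for host, port, realm in locate_gcs("TEST.DOMAIN.COM"):
        print(f"  {host}:{port}  realm={realm}")
```

    The point the walk makes explicit is that the lookup name and the realm are different things: the records are found under _gc._tcp.domain.com, yet both targets map back to TEST.DOMAIN.COM through the ".test.domain.com" entry, so a client that only queries its own realm's domain name will never find them.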
  • 3. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
    fherrera - oracle
    I suggest you use the vda directory-add command line and add the GC in the white-list field.

    BRgds,
    F.
  • 4. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
    957315
    Hi,

    thanks for your reply.

    Since SGD is a totally new product for me, I would appreciate your help in guiding me through the steps to get this done.


    Regards,
    KC
  • 5. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
    fherrera - oracle
    Ok,
    I thought you had the problem with Oracle VDI; in any case both are exactly the same for directory management. So in your case:

    bash-3.00# /opt/tarantella/bin/tarantella service new --help

    Creates a new service object

    tarantella service new <options>

    Creates a new service object from the <options>:

    --name <name>     An identifier for the service object
    --type ldap|ad    The type of the service object
    --url <url>       The url(s) for the service
    [--position <pos>] The position in the list of service objects at which
    the new entry is added. Starts at 1 for the top of the
    list. The default is the end of the list.
    [--enabled 0|1] Whether the service object is enabled for use.
    [--operation-timeout <timeout>]
    The timeout for an operation to a directory service.
    [--base-domain <domain>]
    The base domain for the service.
    [--default-domain <domain>]
    The default domain for the service.
    [--black-list <list>]
    A list of servers which should not be used for queries.
    [--white-list <list>]
    A list of servers which should be used for queries.
    [--security-mode ""|clientcerts]
    The current security mode.
    [--auth-mode kerberos|ssl]
    The current authentication mode.
    [--site-aware 0|1]
    Whether the service object is site aware.
    [--site-name <name>]
    The name of the site.
    [--check-pwd-policy 0|1]
    Whether a user's password policy should be checked at
    authentication time.
    [--pwd-expiry-warn-threshold <threshold>]
    The time before a password expiry within which a user
    will be warned. The value is in seconds.
    [--pwd-expiry-fail-threshold <threshold>]
    The time before a password expiry within which a user
    will fail authentication and be forced to update their
    password. The value is in seconds.
    [--domain-list <domains>]
    The list of domains to be initialised when an AD forest
    service is initialised.
    [--password-update-mode ldapuser|ldapadmin]
    The mode used for password updates. The default is
    "ldapuser".
    [--lookupcache-timeout <timeout>]
    The length of time, in seconds, for which lookup cache
    entries are held.
    [--ad-alwaysusegc 0|1]
    Whether the global catalogue should always be used for
    lookups.
    [--suffix-mappings <mappings>]
    A list of user suffixes to use for authentication
    domains/realms. The value should be in the form
    "suffix=domain".

    tarantella service new --file <file>

    Creates multiple service objects at once

    --file <file>   The batch file to process. This contains one line
    per set of settings, each line using the <options> above.
    Use "--file -" to read from stdin.

    So it would be something like:
    /opt/tarantella/bin/tarantella service new --name TEST --type ad --url ad://test.com --white-list "server1,server2"


    HTH
  • 6. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
    957315
    Hi,

    I have re-installed the entire SGD setup and tried to run the command mentioned below, but I get the error "error: the name supplied is invalid".

    Command: /opt/tarantella/bin/tarantella service new --name GCSERVERS --type ad --url ad://test.com --white-list "server1.example.test.com,server2.example.test.com,server3.example.test.com,server4.example.test.com"

    Regards,
    KC
