6 Replies. Latest reply: Sep 7, 2012 10:07 AM by 957315

    AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN

    957315
      Hi,

      I'm not able to use Active Directory integration with Kerberos.

      Our domain name is TEST.DOMAIN.COM.

      When running the nslookup query for the GC in this domain, I get the output below:

      # nslookup -query=any _gc._tcp.test.domain.com
      Server: 10.10.2.6
      Address: 10.10.2.6#53

      ** server can't find _gc._tcp.test.domain.com: NXDOMAIN

      there is no answer.

      _______________________________________________________________________________

      But when running the same query without "test", the GCs are resolved in nslookup:

      # nslookup -query=any _gc._tcp.domain.com | grep sis
      _gc._tcp.domain.com service = 0 100 3268 server1.test.domain.com.
      _gc._tcp.domain.com service = 0 100 3268 server2.test.domain.com.
      bash-3.00#

      Is it possible to add the option to enter the domain name where the _gc._tcp records reside?

      Appreciate, if someone could help me out to get this resolved.



      Thank you.
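The lookup described in the post, as an added example that is not part of the original thread: Active Directory registers global catalog SRV records under the forest root zone (_gc._tcp.<forest root>), not under each child domain, which is why _gc._tcp.test.domain.com returns NXDOMAIN while _gc._tcp.domain.com answers. The script below walks up from the realm's DNS domain to find the zone that carries the records and orders the answer by SRV priority and weight. The stop rule (no fewer than two labels) and the sample answer are assumptions constructed for illustration; only find_gc touches the network, and it assumes dig is installed. Remember that plain DNS answers are unauthenticated, so a white-list of known GC hosts in the directory service is a sensible pin once the zone is known.

```shell
#!/bin/sh
# Added example (not from the original post). Locate AD global catalog SRV
# records by walking up the DNS tree from the realm's DNS domain.
# Assumption: GC records live under the forest root zone, so child-domain
# names yield NXDOMAIN while the parent zone answers.

# gc_candidates DOMAIN: print the _gc._tcp names to try, most specific first,
# stopping at two labels (e.g. domain.com) so we never query a public suffix.
gc_candidates() {
    d=$1
    while [ -n "$d" ]; do
        case $d in
            *.*.*) printf '_gc._tcp.%s\n' "$d" ;;
            *.*)   printf '_gc._tcp.%s\n' "$d"; break ;;
            *)     break ;;
        esac
        d=${d#*.}
    done
}

# parse_srv: read "priority weight port target." lines (dig +short SRV format)
# on stdin and emit "host:port", lowest priority first, highest weight next,
# which is the order a client should try the global catalogs.
parse_srv() {
    sort -k1,1n -k2,2nr | awk '
        NF == 4 { t = $4; sub(/\.$/, "", t); print t ":" $3 }'
}

# find_gc DOMAIN: query each candidate with dig; print the first zone that
# answers followed by its ordered GC list. Needs network and dig; not used by
# the offline checks below.
find_gc() {
    for name in $(gc_candidates "$1"); do
        ans=$(dig +short SRV "$name" 2>/dev/null)
        if [ -n "$ans" ]; then
            echo "$name"
            echo "$ans" | parse_srv
            return 0
        fi
        echo "$name: no SRV records" >&2
    done
    return 1
}

# Constructed sample answer, modelled on the post's _gc._tcp.domain.com output
# with a second priority tier added to show the ordering.
SAMPLE_SRV='0 100 3268 server1.test.domain.com.
10 50 3268 server3.domain.com.
0 200 3268 server2.test.domain.com.'

# sample_gc_order: the ordered host:port list for the sample above.
sample_gc_order() {
    printf '%s\n' "$SAMPLE_SRV" | parse_srv
}
```

Run `find_gc test.domain.com` on a domain-joined host to see which zone answers; the printed list is the order in which a Kerberos/LDAP client should try the catalogs.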
        • 1. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
          AKAErnie
          Hello

          Looks like your GC records are in the domain.com zone. What does your krb5.conf file look like? Can you post a copy?

          Thanks,
          • 2. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
            957315
            Hi,

            Please find the krb5.conf output below.

            [logging]
            default = FILE:/var/log/krb5libs.log
            kdc = FILE:/var/log/krb5kdc.log
            admin_server = FILE:/var/log/kadmind.log

            [libdefaults]
            default_realm = TEST.DOMAIN.COM
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            forwardable = yes

            [realms]
            EXAMPLE.COM = {
            kdc = kerberos.example.com:88
            admin_server = kerberos.example.com:749
            default_domain = example.com
            }

            TEST.DOMAIN.COM = {
            kdc = dc02.test.domain.com
            admin_server = dc03.test.domain.com
            }

            DOMAIN.COM = {
            kdc = dc01.domain.com
            admin_server = dc01.domain.com
            }

            [domain_realm]
            .example.com = EXAMPLE.COM
            example.com = EXAMPLE.COM

            test.domain.com = TEST.DOMAIN.COM
            .test.domain.com = TEST.DOMAIN.COM
            domain.com = DOMAIN.COM
            .domain.com = DOMAIN.COM
            [appdefaults]
            pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
            }


            thanks.
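A check for the configuration posted above, as an added example that is not part of the original thread: with dns_lookup_kdc = true, libkrb5 will trust SRV answers from DNS to find KDCs for any realm that has no static kdc entry, while the kdc and admin_server lines in [realms] pin specific hosts. The script parses the [realms] stanzas and prints, per realm, the pinned hosts and the SRV names MIT krb5 would query, so each can be resolved and confirmed. It assumes the "REALM = {" / "}" stanza layout shown in the post and MIT krb5's SRV naming; the sample config is a copy of the post's [realms] section.

```shell
#!/bin/sh
# Added example, not from the original post. List the KDC/admin servers pinned
# per realm in a krb5.conf and the SRV names libkrb5 queries when
# dns_lookup_kdc = true. Assumptions: "REALM = {" stanza layout, MIT krb5.

# krb5_realm_servers: read krb5.conf on stdin, print "REALM<TAB>key<TAB>host"
# for each kdc/admin_server line under [realms] (any :port suffix stripped).
krb5_realm_servers() {
    awk '
        function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
        /^[[:space:]]*\[/ { section = $0; gsub(/\[|\]|[[:space:]]/, "", section); next }
        section != "realms" { next }
        /=[[:space:]]*\{[[:space:]]*$/ { realm = $1; next }
        /^[[:space:]]*\}/ { realm = ""; next }
        realm != "" && index($0, "=") {
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            if (key == "kdc" || key == "admin_server") {
                sub(/:[0-9]+$/, "", val)
                print realm "\t" key "\t" val
            }
        }'
}

# krb5_srv_names REALM: the SRV records MIT krb5 looks up for a realm when
# dns_lookup_kdc is on (realm used as the DNS suffix; lower-cased here).
krb5_srv_names() {
    r=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '_kerberos._tcp.%s\n_kerberos._udp.%s\n_kpasswd._udp.%s\n_kerberos-adm._tcp.%s\n' \
        "$r" "$r" "$r" "$r"
}

# krb5_check CONF_FILE: resolve every pinned host and every SRV name with the
# system resolver. Network-dependent; not exercised by the offline checks.
krb5_check() {
    krb5_realm_servers < "$1" | while IFS="$(printf '\t')" read -r realm key host; do
        if getent hosts "$host" >/dev/null 2>&1; then
            echo "ok   $realm $key $host"
        else
            echo "FAIL $realm $key $host does not resolve"
        fi
    done
    krb5_realm_servers < "$1" | cut -f1 | sort -u | while read -r realm; do
        krb5_srv_names "$realm" | while read -r srv; do
            if [ -n "$(dig +short SRV "$srv" 2>/dev/null)" ]; then
                echo "ok   SRV $srv"
            else
                echo "warn SRV $srv has no records (static kdc entries still apply)"
            fi
        done
    done
}

# Constructed sample: the [libdefaults] and [realms] sections from the post.
SAMPLE_KRB5_CONF=$(cat <<'EOF'
[libdefaults]
default_realm = TEST.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}

TEST.DOMAIN.COM = {
kdc = dc02.test.domain.com
admin_server = dc03.test.domain.com
}

DOMAIN.COM = {
kdc = dc01.domain.com
admin_server = dc01.domain.com
}

[domain_realm]
.test.domain.com = TEST.DOMAIN.COM
EOF
)

# sample_servers: the parsed server list for the sample config above.
sample_servers() { printf '%s\n' "$SAMPLE_KRB5_CONF" | krb5_realm_servers; }
```

Run `krb5_check /etc/krb5.conf` on the SGD host: a FAIL line for a pinned host is a hard error, and a warn line for a realm's SRV names means the client depends entirely on the static entries for that realm.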
            • 3. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
              fherrera - oracle
              I suggest you use the vda directory-add command line and add the GC in the whitelist field.

              BRgds,
              F.
              • 4. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
                957315
                Hi,

                thanks for your reply.

                Since SGD is a totally new product for me, I'd appreciate your help if you could guide me through the steps to get this done.


                Regards,
                KC
                • 5. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
                  fherrera - oracle
                  Ok,
                  I thought you had the problem with Oracle VDI; in any case both are exactly the same for directory management. So in your case:

                  bash-3.00# /opt/tarantella/bin/tarantella service new --help

                  Creates a new service object

                  tarantella service new <options>

                  Creates a new service object from the <options>:

                  --name <name>     An identifier for the service object
                  --type ldap|ad    The type of the service object
                  --url <url>       The url(s) for the service
                  [--position <pos>] The position in the list of service objects at which
                  the new entry is added. Starts at 1 for the top of the
                  list. The default is the end of the list.
                  [--enabled 0|1] Whether the service object is enabled for use.
                  [--operation-timeout <timeout>]
                  The timeout for an operation to a directory service.
                  [--base-domain <domain>]
                  The base domain for the service.
                  [--default-domain <domain>]
                  The default domain for the service.
                  [--black-list <list>]
                  A list of servers which should not be used for queries.
                  [--white-list <list>]
                  A list of servers which should be used for queries.
                  [--security-mode ""|clientcerts]
                  The current security mode.
                  [--auth-mode kerberos|ssl]
                  The current authentication mode.
                  [--site-aware 0|1]
                  Whether the service object is site aware.
                  [--site-name <name>]
                  The name of the site.
                  [--check-pwd-policy 0|1]
                  Whether a user's password policy should be checked at
                  authentication time.
                  [--pwd-expiry-warn-threshold <threshold>]
                  The time before a password expiry within which a user
                  will be warned. The value is in seconds.
                  [--pwd-expiry-fail-threshold <threshold>]
                  The time before a password expiry within which a user
                  will fail authentication and be forced to update their
                  password. The value is in seconds.
                  [--domain-list <domains>]
                  The list of domains to be initialised when an AD forest
                  service is initialised.
                  [--password-update-mode ldapuser|ldapadmin]
                  The mode used for password updates. The default is
                  "ldapuser".
                  [--lookupcache-timeout <timeout>]
                  The length of time, in seconds, for which lookup cache
                  entries are held.
                  [--ad-alwaysusegc 0|1]
                  Whether the global catalogue should always be used for
                  lookups.
                  [--suffix-mappings <mappings>]
                  A list of user suffixes to use for authentication
                  domains/realms. The value should be in the form
                  "suffix=domain".

                  tarantella service new --file <file>

                  Creates multiple service objects at once

                  --file <file>   The batch file to process. This contains one line
                  per set of settings, each line using the <options> above.
                  Use "--file -" to read from stdin.

                  So it would be something like:
                  /opt/tarantella/bin/tarantella service new --name TEST --type ad --url ad://test.com --white-list "server1,server2"


                  HTH
                  • 6. Re: AD integration : server can't find _gc._tcp.test.domain.com: NXDOMAIN
                    957315
                    Hi,

                    I have re-installed the entire SGD setup and tried to run the command mentioned below, but I'm getting the error "error : the name supplied is invalid".

                    command: /opt/tarantella/bin/tarantella service new --name GCSERVERS --type ad --url ad://test.com --white-list "server1.example.test.com,server2.example.test.com,server3.example.test.com,server4.example.test.com"

                    Regards,
                    KC
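A pre-flight check for the command discussed in replies 5 and 6, as an added example that is not part of the original thread. It assembles the tarantella service new invocation with the flag syntax from the help output above and rejects obviously malformed input before anything is sent to the directory-service layer. The exact validation SGD applies to the name is not shown on the page, so the rules here (name limited to letters, digits, hyphen and underscore; url must start with ad://; white-list entries must be fully qualified host names) are assumptions, and the binary path is the one used in the thread. The page does not say why the posted command failed, and this script does not claim to.

```shell
#!/bin/sh
# Added example, not from the original thread. Build and sanity-check a
# "tarantella service new" command before running it. Assumptions (not from
# the page): service name is [A-Za-z0-9_-]; url starts with ad://; each
# white-list entry is a fully qualified RFC 1123 host name.
TARANTELLA=/opt/tarantella/bin/tarantella

# is_hostname NAME: dot-separated labels of [A-Za-z0-9-], not starting or
# ending with '-', with at least one dot (i.e. an FQDN).
is_hostname() {
    printf '%s' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# build_service_cmd NAME URL HOST1,HOST2,...: print the command on stdout, or
# print a reason on stderr and return 1 without printing anything.
build_service_cmd() {
    name=$1 url=$2 list=$3
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: '$name'" >&2; return 1 ;;
    esac
    case $url in
        ad://?*) ;;
        *) echo "url must be of the form ad://<domain>: '$url'" >&2; return 1 ;;
    esac
    [ -n "$list" ] || { echo "white-list is empty" >&2; return 1; }
    for h in $(printf '%s' "$list" | tr ',' ' '); do
        is_hostname "$h" || { echo "invalid white-list host: '$h'" >&2; return 1; }
    done
    printf '%s service new --name %s --type ad --url %s --white-list "%s"\n' \
        "$TARANTELLA" "$name" "$url" "$list"
}

# check_whitelist_resolves HOST1,HOST2,...: confirm each pinned GC host resolves
# with the system resolver. Network-dependent; not used by the offline checks.
check_whitelist_resolves() {
    rc=0
    for h in $(printf '%s' "$1" | tr ',' ' '); do
        if getent hosts "$h" >/dev/null 2>&1; then
            echo "ok   $h"
        else
            echo "FAIL $h does not resolve"; rc=1
        fi
    done
    return $rc
}
```

Typical use: `cmd=$(build_service_cmd GCSERVERS ad://test.domain.com server1.test.domain.com,server2.test.domain.com) && check_whitelist_resolves server1.test.domain.com,server2.test.domain.com && sh -c "$cmd"`. Pinning the global catalogs by white-list keeps the service from following whatever SRV answer DNS happens to return.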