Latest reply: Apr 14, 2011 6:37 PM by 838745
      • 15. Re: Assigned User Profile / AD groups /
        DeanyDean
        Hi Habib,

        At first glance this looks fine. Can you check for any errors in the SGD logs? These are located in /opt/tarantella/var/log. Please post the output of any errors caused when trying to login.

        Thanks,

        Matt
        • 16. Re: Assigned User Profile / AD groups /
          838745
          Hi Matt,

          I was not sure exactly which log file to look for. Below is jserver20735_error.log, based on the time stamp. Thanks.

          Habib.

          -------------------------------------------------------------------------------------------------------------------------------------------------------------------

          2011/03/31 07:41:13.280     (pid 20735)     server/ad/warningerror     #1301582473280
          Sun Secure Global Desktop Software (4.5) WARNING:

          DNS lookup failed to find infodev-globaldesk

          Reason:
          javax.naming.ServiceUnavailableException: DNS server failure [response code 2]; remaining name 'infodev-globaldesk'

          infodev-globaldesk
          cannot be used by SGD.

          Make sure the DNS server contains a valid entry for this host.

          2011/03/31 07:41:13.285     (pid 20735)     server/ad/warningerror     #1301582473285
          Sun Secure Global Desktop Software (4.5) WARNING:

          Active Directory service discovery failed
          Failed to get IP addresses for the peer DNS name

          Current state:
          Looking up Global Catalog DNS name: gc.tcp.hs.uci.edu. - HIT
          Looking for GC on server: Active Directory(ldap://160.87.13.147:3268::orgds3.hs.uci.edu[160.87.13.147]:[Up]) - HIT
          Checking for CN=Configuration: DC=hs,DC=uci,DC=edu - MISS
          Checking for CN=Configuration: CN=Configuration,DC=hs,DC=uci,DC=edu - HIT
          Looking up domain root context: DC=hs,DC=uci,DC=edu - HIT
          Looking up site context: CN=Sites,CN=Configuration
          Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
          Looking up addresses for peer DNS: infodev-globaldesk - HIT


          Failed to discover Active Directory Site, Domain and server data.

          Make sure the DNS server contains the Active Directory service
          records for the forest. Make sure a Global Catalog server is available.

          2011/03/31 07:41:13.287     (pid 20735)     server/ldap/warningerror     #1301582473287
          Sun Secure Global Desktop Software (4.5) WARNING:

          LDAP call failed:
          null lookupLink-.../_ldapmulti/forest/("DC=HS,DC=UCI,DC=EDU")
          Call took 30183ms.

          Reason:
          javax.naming.NameNotFoundException: Failed to get IP addresses for the peer DNS name.

          The call to the directory server failed.

          Check the operation was correct, the LDAP configuration is valid, and the
          LDAP server is still running.

          2011/03/31 08:32:52.474     (pid 20735)     server/ad/warningerror     #1301585572474
          Sun Secure Global Desktop Software (4.5) WARNING:

          DNS lookup failed to find infodev-globaldesk

          Reason:
          javax.naming.ServiceUnavailableException: DNS server failure [response code 2]; remaining name 'infodev-globaldesk'

          infodev-globaldesk
          cannot be used by SGD.

          Make sure the DNS server contains a valid entry for this host.

          2011/03/31 08:32:52.474     (pid 20735)     server/ad/warningerror     #1301585572475
          Sun Secure Global Desktop Software (4.5) WARNING:

          Active Directory service discovery failed
          Failed to get IP addresses for the peer DNS name

          Current state:
          Looking up Global Catalog DNS name: gc.tcp.hs.uci.edu. - HIT
          Looking for GC on server: Active Directory(ldap://128.200.145.93:3268::directory.hs.uci.edu[128.200.145.93]:[Up]) - HIT
          Checking for CN=Configuration: DC=hs,DC=uci,DC=edu - MISS
          Checking for CN=Configuration: CN=Configuration,DC=hs,DC=uci,DC=edu - HIT
          Looking up domain root context: DC=hs,DC=uci,DC=edu - HIT
          Looking up site context: CN=Sites,CN=Configuration
          Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
          Looking up addresses for peer DNS: infodev-globaldesk - HIT


          Failed to discover Active Directory Site, Domain and server data.

          Make sure the DNS server contains the Active Directory service
          records for the forest. Make sure a Global Catalog server is available.

          2011/03/31 08:32:52.475     (pid 20735)     server/ldap/warningerror     #1301585572476
          Sun Secure Global Desktop Software (4.5) WARNING:

          LDAP call failed:
          null lookupLink-.../_ldapmulti/forest/("DC=HS,DC=UCI,DC=EDU")
          Call took 30185ms.

          Reason:
          javax.naming.NameNotFoundException: Failed to get IP addresses for the peer DNS name.

          The call to the directory server failed.

          Check the operation was correct, the LDAP configuration is valid, and the
          LDAP server is still running.
          • 17. Re: Assigned User Profile / AD groups /
            838745
            Hi Matt,

            I googled on the error log and found this thread:

            Problems with Active Directory auth on SGD 4.41 in solaris zone.

            After renaming the server name from infodev-globaldesk to infodev-globaldesk.hs.uci.edu, it tries to log in (it doesn't give me the 'Invalid Credential' message any more), however I get a dialog box saying:

            Cannot connect to the server infodev-globaldesk:5307 Unknown error.

            I am searching for this error but so far no luck.

            Any insight?

            Thanks.

            habib.
            • 18. Re: Assigned User Profile / AD groups /
              Mrbrown-Oracle
              firewall/proxy and DNS

              Have you read the install/config requirements?
              • 19. Re: Assigned User Profile / AD groups /
                838745
                Hi,

                Thanks for suggestion.

                Yes, I did check and port 5307 is enabled already. The confusing part is, it was working before the switch to AD authentication.

                Habib.
                • 20. Re: Assigned User Profile / AD groups /
                  DeanyDean
                  Hi Habib,

                  The problem here is that the SGD server cannot resolve its own peer DNS name "infodev-globaldesk". For more information on this see the doc reference:

                  http://download.oracle.com/docs/cd/E19141-01/820-6689/chapter1.html#d0e955.

                  To verify if the peer name can be resolved by DNS, perform a DNS lookup of "infodev-globaldesk" from the SGD server:

                  $ nslookup infodev-globaldesk

                  If you cannot resolve the peer DNS name of the SGD server, SGD AD authentication will not work as it requires working DNS.

                  Hope this helps,

                  Matt

                  Edited by: DeanyDean on 05-Apr-2011 09:10

                  Edited by: DeanyDean on 05-Apr-2011 09:12
                  • 21. Re: Assigned User Profile / AD groups /
                    838745
                    Thanks again Matt,

                    I am going through the document right now to see if I missed anything; however, in the meantime if I run

                    $ nslookup infodev-globaldesk

                    I get the following response:

                    Server: 160.87.7.31
                    Address: 160.87.7.31#53

                    Name: infodev-globaldesk.hs.uci.edu
                    Address: 160.87.9.122

                    This is the right name and address of the server.

                    Should I be expecting something different?

                    Thanks.

                    Habib.
                    • 22. Re: Assigned User Profile / AD groups /
                      DeanyDean
                      Hi Habib,

                      I think your DNS error is being triggered because the full DNS name infodev-globaldesk.hs.uci.edu is not being used as the peer name for the SGD server. When you install the SGD server, you should always use the full DNS name of the host.

                      To change the peer DNS name of the server, you should read the following docs:

                      http://download.oracle.com/docs/cd/E19141-01/820-6689/chapter1.html#d0e1237

                      I suggest you change the peer name from "infodev-globaldesk" to "infodev-globaldesk.hs.uci.edu". Doing this should (at least) get rid of the peer name error from the logs.

                      Hope this helps,

                      Matt
                      • 23. Re: Assigned User Profile / AD groups /
                        838745
                        Hi Matt,

                        Thanks for being persistent with helping me to resolve this issue.

                        I had changed peerdns to infodev-globaldesk.hs.uci.edu last week, as I mentioned in my previous post on 3/31.

                        Just to make sure, I ran it again and I got following error:

                        Peer DNS name is already infodev-globaldesk.hs.uci.edu: it will not be changed.
                        Nothing to do: exiting

                        Did I miss something obvious?

                        Thanks again.

                        habib.
                        • 24. Re: Assigned User Profile / AD groups /
                          DeanyDean
                          Hi Habib,

                          Yep, missed that post, sorry about that.

                          So, you got the DNS error in the logs, fixed the DNS issue from AD auth and now you get the error:

                          "Cannot connect to the server infodev-globaldesk:5307 Unknown error."

                          The good news is that I think this means AD authentication is working. The problem now appears to be that the client cannot connect to the SGD server, which I think has been caused by the changing of the peer DNS name. I'm fairly sure this error is related to the external DNS name config. By default after an install, peer DNS name and external DNS name are set to the same value. If you change the peer DNS name, it doesn't automatically change the external DNS name configuration. You have to do this manually:

                          http://download.oracle.com/docs/cd/E19141-01/820-6689/chapter1.html#d0e1065

                          I think you should set the "External DNS names" value to "*:infodev-globaldesk.hs.uci.edu" so that the client can connect to the SGD server.

                          If you think this is already set up correctly, can you send me what you currently have set for "External DNS names" for your SGD server.

                          Thanks,

                          Matt
                          • 25. Re: Assigned User Profile / AD groups /
                            838745
                            You are right Matt, this means AD authentication is working.

                            I looked under external DNS name and found an extra period. It was showing *:infodev-globaldesk.hs..uci.edu instead of *:infodev-globaldesk.hs.uci.edu, and probably it was overriding the peer DNS name.

                            After I fixed it, the error message changed as follows:

                            Cannot connect to the server infodev-globaldesk.hs.uci.edu:5307 Unknown error

                            We are getting closer :-) thanks for all the help.
                            • 26. Re: Assigned User Profile / AD groups /
                              DeanyDean
                              We need to make sure the SGD client can connect to port 5307 of the SGD server using the hostname infodev-globaldesk.hs.uci.edu. If you have a solaris/linux or mac client you can use:

                              $ telnet infodev-globaldesk.hs.uci.edu 5307

                              You won't be able to do anything, just verify you can connect.

                              Also, to check the SGD server is listening on the correct network interfaces, you can use something like:

                              $ netstat -na | grep 5307

                              I'd expect a LISTEN on 0.0.0.0:5307 from the netstat call.

                              Matt
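A small POSIX shell pre-flight script, added here as an example (not part of the original thread and not an Oracle/SGD tool), that codifies the checks Matt describes in posts 20, 24 and 26: the peer name must be a fully qualified DNS name, every "External DNS names" entry must be well-formed (the double period from post 25 is rejected), and the server must resolve, accept a connection on 5307 and show a LISTEN. The "subnet:name" entry format and the use of nc for the connect test are assumptions.

```shell
#!/bin/sh
# Added example, not SGD tooling. Entry syntax "<subnet>:<fqdn>" is assumed
# from the "*:infodev-globaldesk.hs.uci.edu" value shown in the thread.

# 0 if $1 is a usable fully qualified DNS name: at least two labels, no empty
# label (this is what catches "hs..uci.edu"), no leading/trailing dot, only
# letters, digits, dots and hyphens. A short name like "infodev-globaldesk" fails.
is_fqdn() {
  case "$1" in
    ''|*..*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# "External DNS names" treated as whitespace-separated "<subnet>:<fqdn>"
# entries (assumed format). Every entry needs a prefix and a valid FQDN.
check_external_names() {
  rc=0
  set -f                      # entries start with "*": disable globbing
  for entry in $1; do
    case "$entry" in
      *:*) host=${entry#*:} ;;
      *)   echo "bad entry (no subnet prefix): $entry"; rc=1; continue ;;
    esac
    is_fqdn "$host" || { echo "bad DNS name in entry: $entry"; rc=1; }
  done
  set +f
  return $rc
}

# Live checks mirroring the manual steps in the thread. Only runs when the
# script is invoked with arguments: peer-dns-name external-dns-names [port]
live_checks() {
  peer=$1; port=${3:-5307}
  is_fqdn "$peer" || echo "WARN: peer DNS name '$peer' is not fully qualified"
  check_external_names "$2" || echo "WARN: External DNS names need fixing"
  nslookup "$peer" >/dev/null 2>&1 || echo "WARN: DNS does not resolve $peer"
  if command -v nc >/dev/null 2>&1; then    # nc -z: connect-only probe (assumed)
    nc -z -w 5 "$peer" "$port" >/dev/null 2>&1 \
      && echo "OK: TCP $peer:$port reachable" || echo "WARN: cannot reach $peer:$port"
  fi
  netstat -na 2>/dev/null | grep -q "[:.]$port .*LISTEN" \
    && echo "OK: LISTEN on port $port" || echo "WARN: nothing listening on $port"
}

if [ -n "${1:-}" ]; then live_checks "$@"; fi
```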
                              • 27. Re: Assigned User Profile / AD groups /
                                838745
                                Hi Matt,

                                telnet infodev-globaldesk.hs.uci.edu 5307

                                produces this result:

                                Connected to infodev-globaldesk.hs.uci.edu (160.87.9.122)
                                Escape character is '^]'.

                                and output for netstat -na | grep 5307 is:

                                tcp 0 0 0.0.0.0:5307 0.0.0.0:* LISTEN

                                Thanks again.

                                Habib.
                                • 28. Re: Assigned User Profile / AD groups /
                                  DeanyDean
                                  Hi Habib,

                                  I've tried to reproduce your problem here but have had no luck. As you now seem to be having client issues, can you provide me with information about the clients you are using? Client O/S and version should be sufficient.

                                  Also, when you edited the "External DNS Name" config, was this done from the SGD Admin Console?

                                  Thanks,

                                  Matt
                                  • 29. Re: Assigned User Profile / AD groups /
                                    838745
                                    Hi Matt,

                                    We are a typical Microsoft shop. I was using Windows XP, Windows 7 and Windows Server 2003, all with IE 8. It didn't occur to me that it could be a client issue since it was working before I made all those changes from Windows authentication to AD authentication.

                                    Good news and bad news.

                                    After you mentioned it, I downloaded Safari and Firefox. Good news is, I was able to get in with Safari (not with Firefox or Internet Explorer).

                                    Bad news is, even though I was able to get past this error message in Safari, I still see the application that I am not supposed to see based on AD group membership.

                                    I am back to square one now :-(

                                    Any other suggestion?

                                    Thanks again.

                                    Habib.