[Authentication] realm discover seems to only query the first five DCs returned from looking up the DCs
Sumit Bose
sbose at redhat.com
Wed Sep 18 05:22:18 UTC 2019
On Tue, Sep 17, 2019 at 09:50:42AM -0700, Richard Sharpe wrote:
> Hi folks,
>
> I am dealing with a situation where I think the customer has
> configured sites and services incorrectly and is not returning the
> local DC first in the list of DCs in the request for
> _ldag._tcp.<realm>.
>
> There are 31 responses (which seems to be their world-wide network).
>
> realm discover consistently only sends cldap requests to the first
> five entries and because they have blocked access on that site out of
> geographic location, they never find the local DC because it is
> unlikely to be within the first five in the responses returned.
>
> Is there some way to change this behavior?
>
> I am very unfamiliar with the code base, but would increasing the
> symbol DISCO_FEVER in service/realm-disco-mscldap.c change behavior?
>
> Would a better approach be to rotate the IPs queried? I wouldn't know
> how to do that because the learning curve looks large but I wondered.
>
> I have a capture of the behavior that I could possibly share ...
Hi,
for adcli this was discussed in
https://gitlab.freedesktop.org/realmd/adcli/issues/13 and fixed by
https://gitlab.freedesktop.org/realmd/adcli/merge_requests/4. With this
fix adcli should try all DCs returned by DNS with decreasing timeouts.
HTH
bye,
Sumit
>
> --
> Regards,
> Richard Sharpe
> (What can relieve sorrow? Only Du Kang. --Cao Cao) (Legend has it that Du Kang was the inventor of wine)
> _______________________________________________
> Authentication mailing list
> Authentication at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/authentication
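
The difference between stopping after the first five hosts and trying every host DNS returned with decreasing timeouts, as an added simulation that is not part of the thread and is not realmd or adcli code. The halving timeout schedule, the host names, and the `discover` and `fake_probe` helpers are assumptions made for illustration; no network traffic is sent.

```python
"""Added illustration: capped vs. exhaustive DC probing (simulated, offline)."""


def timeouts(n, first=2.0, floor=0.25):
    """Assumed schedule: halve the per-host wait until a floor is reached."""
    t = first
    for _ in range(n):
        yield t
        t = max(floor, t / 2)


def discover(candidates, probe, limit=None, first=2.0, floor=0.25):
    """Probe candidates in DNS order; return (host, tried, seconds_waited).

    probe(host, timeout) -> True if the host answered within the timeout.
    limit=5 mimics a discovery that gives up after the first five hosts.
    """
    hosts = candidates if limit is None else candidates[:limit]
    waited = 0.0
    schedule = timeouts(len(hosts), first, floor)
    for tried, (host, t) in enumerate(zip(hosts, schedule), 1):
        if probe(host, t):
            return host, tried, waited
        waited += t  # a filtered host costs its full timeout
    return None, len(hosts), waited


# Constructed sample: 31 SRV targets, only the 17th (the "local DC") answers.
SRV_ORDER = [f"dc{i:02d}.example.test" for i in range(1, 32)]
REACHABLE = {"dc17.example.test"}


def fake_probe(host, timeout):
    """Stand-in for a CLDAP ping: blocked hosts never answer."""
    return host in REACHABLE


if __name__ == "__main__":
    print("first five only :", discover(SRV_ORDER, fake_probe, limit=5))
    print("all, decreasing :", discover(SRV_ORDER, fake_probe))
    print("all, fixed 2s   :", discover(SRV_ORDER, fake_probe, floor=2.0))
```

With a fixed 2-second wait the same search spends 32 seconds on blocked hosts before reaching the seventeenth entry, which is why shrinking the timeout matters once the cap on the number of hosts is lifted.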