From Fedora Project Wiki

Description

This test case verifies an Active Directory client is able to connect to a particular DNS site as defined on the AD server

Setup

  1. Verify that your Active Directory domain access works. If you don't have an Active Directory domain, you can set one up.
  2. Run through the test case to join the domain.
  3. Inspect the sssd.conf to ensure that the SSSD would attempt to connect using service discovery only:
     ad_servers = _srv_ 
  4. More information on AD sites can be found in this technet article

How to test

  1. Open dssite.msc MMC
    Open Start, Run..
    enter dssite.msc
  2. Create a new site and assign a domain controller to the site
    In the "Active Directory Sites and Services" MMC, right-click the "Sites" folder
    Select "New", "Site.."
    Name the new site, select the default IP transport and click OK
  3. Create a new subnet and link it with the site
    In the "Active Directory Sites and Services" MMC, right-click the "Subnets" folder
    Select "New", "Subnet.."
    The subnet must be the same as the client's. It can even match the client's IP address and use the /32 mask.
    Link the subnet with the site you just created
  4. Make sure SSSD is up and running
     # service start sssd 
  5. Force SSSD to connect to the Active Directory, for example using 'getent passwd <account>'

Expected Results

  1. Verify with netstat that the SSSD has connected to the AD server you'd expect it to connect to using netstat:
     # netstat -tpn | grep 389 
  2. The command above should yield the IP address of the server in the site you specified for the client.

Cleanup after the test

  1. You should make sure to remove the site and the subnet to prevent them from interfering with the rest of the tests.
  2. If you changed the ad_servers directive, revert the change to the original value

Troubleshooting

  1. The logs says which site and domain controller were found by SSSD. The following command will print name of the site the client is part of.
     # fgrep "Found site" /var/log/sssd/sssd_AD.log
    For example:
    <pre> (Mon May 6 08:22:11 2013) [sssd[be[AD]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name
  2. This command will print all primary servers found by SSSD. Primary servers are all domain controllers for the client's site.
     # grep "Inserted primary server '.*' to service 'AD'" /var/log/sssd/sssd_AD.log 
    For example:
     (Mon May  6 08:22:11 2013) [sssd[be[AD.PB]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'ad-server.ad.pb:389' to service 'AD' 
  3. The following command will print all backup servers found by SSSD, except those that are already listed in primary servers. Backup servers are all domain controllers that have SRV records in _ldap._tcp.ad.domain domain.
     # grep "Inserted backup server '.*' to service 'AD'" /var/log/sssd/sssd_AD.log 
    For example:
     (Mon May  6 08:22:11 2013) [sssd[be[AD.PB]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'ad-server2.ad.pb:389' to service 'AD'