This test case verifies an Active Directory client is able to connect to a particular DNS site as defined on the AD server
- Verify that your Active Directory domain access works. If you don't have an Active Directory domain, you can set one up.
- Run through the test case to join the domain.
- Inspect the
sssd.confto ensure that the SSSD would attempt to connect using service discovery only:
ad_servers = _srv_
- More information on AD sites can be found in this technet article
How to test
- Open dssite.msc MMC
- Open Start, Run..
- Create a new site and assign a domain controller to the site
- In the "Active Directory Sites and Services" MMC, right-click the "Sites" folder
- Select "New", "Site.."
- Name the new site, select the default IP transport and click OK
- Create a new subnet and link it with the site
- In the "Active Directory Sites and Services" MMC, right-click the "Subnets" folder
- Select "New", "Subnet.."
- The subnet must be the same as the client's. It can even match the client's IP address and use the /32 mask.
- Link the subnet with the site you just created
- Make sure SSSD is up and running
# service start sssd
- Force SSSD to connect to the Active Directory, for example using 'getent passwd <account>'
- Verify with netstat that the SSSD has connected to the AD server you'd expect it to connect to using netstat:
# netstat -tpn | grep 389
- The command above should yield the IP address of the server in the site you specified for the client.
Cleanup after the test
- You should make sure to remove the site and the subnet to prevent them from interfering with the rest of the tests.
- If you changed the
ad_serversdirective, revert the change to the original value
- The logs says which site and domain controller were found by SSSD. The following command will print name of the site the client is part of.
# fgrep "Found site" /var/log/sssd/sssd_AD.log
- For example:
- <pre> (Mon May 6 08:22:11 2013) [sssd[be[AD]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name
- This command will print all primary servers found by SSSD. Primary servers are all domain controllers for the client's site.
# grep "Inserted primary server '.*' to service 'AD'" /var/log/sssd/sssd_AD.log
- For example:
(Mon May 6 08:22:11 2013) [sssd[be[AD.PB]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'ad-server.ad.pb:389' to service 'AD'
- The following command will print all backup servers found by SSSD, except those that are already listed in primary servers. Backup servers are all domain controllers that have SRV records in _ldap._tcp.ad.domain domain.
# grep "Inserted backup server '.*' to service 'AD'" /var/log/sssd/sssd_AD.log
- For example:
(Mon May 6 08:22:11 2013) [sssd[be[AD.PB]]] [fo_add_server_to_list] (0x0400): Inserted backup server 'ad-server2.ad.pb:389' to service 'AD'