cloudera-ps / prereq-checks

Prerequisites checker for Cloudera Manager and CDP PVC Base installations
GNU General Public License v3.0

AD Controller test does not seem to be fully correct #97

Open melvin-koh opened 6 years ago

melvin-koh commented 6 years ago

I did some testing in my own test environment and found some weird behaviour in the ADC test. After digging into the script, I see this line:

line 567: dig -t SRV "_kerberos_tcp.${DOMAIN}" > "${WORK_DIR}/dig1.tmp"

Shouldn't this be _kerberos._tcp.${DOMAIN}? (missing a dot between _kerberos and _tcp)

Because of this, the script basically does these few things via LDAP:

  1. Find the AD site of the dns authority of the SRV records
  2. Find the AD controllers belonging to that AD site
  3. List these AD controllers

This is not entirely foolproof, as it heavily depends on which AD controller is providing the DNS service you are querying. If the wrong DNS server is configured, this script will give the wrong controllers.

Can anyone test this on a customer environment and share the output of the script here?

melvin-koh commented 6 years ago

We did not attempt to match the client and server AD site. The script returned the "Singapore" AD controller but the server is in "Australia", simply because the nameserver configured on my CDH server is the "Australia" DNS server.

CDH server running the script (client) - AD Site "Australia"
AD controller returned by the script (server) - AD Site "Singapore"

# perl /tmp/prereq-checks-cldap.pl meltest.com -s adc.meltest.com
Information for Domain Controller: adc.meltest.com

Response Type: SAMLOGON
GUID: d44f2d47-9a08-41ca-b84f-dc96e4bba312
Flags:
    Is a PDC:                                   yes
    Is a GC of the forest:                      yes
    Is an LDAP server:                          yes
    Supports DS:                                yes
    Is running a KDC:                           yes
    Is running time services:                   yes
    Is the closest DC:                          yes
    Is writable:                                yes
    Has a hardware clock:                       yes
    Is a non-domain NC serviced by LDAP server: no
Forest:         meltest.com
Domain:         meltest.com
Domain Controller:  adc.meltest.com
Pre-Win2k Domain:   MELTEST
Pre-Win2k Hostname: ADC
Unk:
Server Site Name:   Singapore
Client Site Name:   Australia
NT Version:     5
LMNT Token:     ffff
LM20 Token:     ffff

# ./prereq-check.sh -a meltest.com
AD Domain           : meltest.com
Authoritative Domain Controller : adc.meltest.com
Site Name           : Singapore
-----------------------------------------------------------------------------
# _service._proto.name.     TTL class   SRV priority    weight  port    target.
_ldap._tcp.Singapore._sites.dc._msdcs.meltest.com. 600 IN SRV 0 100 389 adc.meltest.com.

;; ADDITIONAL SECTION:
adc.meltest.com.    3600    IN  A   192.168.246.12
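The two checks discussed in this thread, as an added example that is not part of the prereq-checks script: build the SRV owner name with its separate `_kerberos` and `_tcp` labels, parse dig SRV answers into ordered targets, and compare the CLDAP "Client Site Name" against "Server Site Name" so that a controller from the wrong site (the Singapore/Australia case above) is flagged and the site-scoped query for the client's own site is produced. The sample dig and CLDAP text below is constructed from the output in the comments; function names are my own.

```python
import re

# Constructed samples modelled on the dig and CLDAP output posted in this issue.
DIG_ANSWER = """\
_ldap._tcp.Singapore._sites.dc._msdcs.meltest.com. 600 IN SRV 0 100 389 adc.meltest.com.
_kerberos._tcp.meltest.com. 600 IN SRV 0 100 88 adc.meltest.com.
"""
CLDAP_OUTPUT = """\
Server Site Name:   Singapore
Client Site Name:   Australia
"""

# Matches a fully-qualified dig answer line: owner TTL IN SRV prio weight port target
SRV_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$")

def srv_name(service, proto, domain, site=None):
    """Owner name for an AD SRV lookup; each underscore label is its own DNS label."""
    if site:
        # Site-scoped form, as seen in the issue: _ldap._tcp.<site>._sites.dc._msdcs.<domain>
        return f"_{service}._{proto}.{site}._sites.dc._msdcs.{domain}"
    return f"_{service}._{proto}.{domain}"

def parse_srv(text):
    """Parse dig SRV answer lines and order them as a client would (priority asc, weight desc)."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append({"name": name, "priority": int(prio), "weight": int(weight),
                            "port": int(port), "target": target})
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))

def parse_cldap_sites(text):
    """Pull the Server/Client Site Name fields out of the CLDAP helper output."""
    sites = {}
    for line in text.splitlines():
        m = re.match(r"^(Server|Client) Site Name:\s*(\S+)$", line.strip())
        if m:
            sites[m.group(1).lower()] = m.group(2)
    return sites

def check_site_match(cldap_text, domain):
    """Flag a DC whose site differs from the client's, and give the query for the client's site."""
    sites = parse_cldap_sites(cldap_text)
    client, server = sites.get("client"), sites.get("server")
    query = srv_name("ldap", "tcp", domain, site=client) if client else None
    return {"client_site": client, "server_site": server,
            "match": client is not None and client == server, "client_site_query": query}
```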