Problems with Active Directory auth on SGD 4.41 in solaris zone.
807578 Oct 7 2009 — edited Oct 8 2009
Hi, I have some problems after integrating Active Directory as the auth method for SGD (SGD installed in a zone).
I have synced the clock via a Windows 2003 server (the AD server) and configured my /opt/tarantella/bin/jre/lib/security/krb5.conf exactly the same as for my VDI 3.0 server, where AD auth works perfectly.
I logged in to the admin web interface to set up AD auth and everything seemed to work fine. But now I can't log in to either SGD or the SGD admin interface; when I try, I get the message "invalid credentials".
What I have, log-wise, is from the SGD jserver log:
[Domain is test.com, the AD server is "adserver", and the SGD zone is sgd1.test.com.]
2009/10/07 16:18:14.907 (pid 7602) server/ldap/error #1254925094907
Sun Secure Global Desktop Software (4.41) ERROR:
LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=TEST,DC=COM") 666ms javax.naming.NameNotFoundException: Failed to get IP addresses for the peer DNS name.
A call to LDAP failed. This might mean LDAP users cannot log in.
Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.
2009/10/07 16:18:40.046 (pid 7602) server/ldap/error #1254925120046
Sun Secure Global Desktop Software (4.41) ERROR:
NSLookup failed to find: "sgd1": error was "javax.naming.ServiceUnavailableException: DNS server failure [response code 2]; remaining name 'sgd1'"
Failed to look up a DNS name that is related to Active Directory.
This might mean LDAP users cannot log in.
Make sure the DNS server contains the Active Directory service
records for the forest. Make sure the name exists in DNS.
2009/10/07 16:18:40.046 (pid 7602) server/ldap/error #1254925120047
Sun Secure Global Desktop Software (4.41) ERROR:
Active Directory service discovery failed: Failed to get IP addresses for the peer DNS name
Looking up Global Catalog DNS name: _gc._tcp.TEST.COM. - HIT
Looking for GC on server: Active Directory:adserver.test.com:/192.168.109.17:3268:Up - HIT
Checking for CN=Configuration: DC=test,DC=com - MISS
Checking for CN=Configuration: CN=Configuration,DC=test,DC=com - HIT
Looking up domain root context: DC=test,DC=com - HIT
Looking up site context: CN=Sites,CN=Configuration
Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
Looking up addresses for peer DNS: sgd1 - HIT
Failed to discover Active Directory Site, Domain and server data.
This might mean LDAP users cannot log in.
Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.
2009/10/07 16:18:40.056 (pid 7602) server/ldap/error #1254925120056
Sun Secure Global Desktop Software (4.41) ERROR:
LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=TEST,DC=COM") 591ms javax.naming.NameNotFoundException: Failed to get IP addresses for the peer DNS name.
A call to LDAP failed. This might mean LDAP users cannot log in.
Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.
I can run an nslookup against LDAP:
root@sgd1 # nslookup -query=any _ldap._tcp.TEST.COM
Server: 192.168.109.17
Address: 192.168.109.17#53
_ldap._tcp.TEST.COM service = 0 100 389 adserver.test.com
Global catalog is available:
root@sgd1 # nslookup -querytype=any _gc._tcp.TEST.COM
Server: 192.168.109.17
Address: 192.168.109.17#53
_gc._tcp.TEST.COM service = 0 100 3268 adserver.test.com
And the SGD server can resolve adserver both ways.
root@sgd1 # ping 192.168.109.17
192.168.109.17 is alive
root@sgd1 # ping adserver.TEST.COM
adserver.TEST.COM is alive
And the SGD server is registered for reverse lookup in adserver's DNS.
Has anyone encountered this problem before? Or does anyone have any good tips on how to troubleshoot this error?
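As an added troubleshooting aid (not part of the original post or of SGD itself), the script below replays the discovery sequence the jserver log records, Global Catalog SRV lookup followed by a forward lookup of SGD's own "peer DNS name", against injected resolver functions so it runs offline. The resolver interface and the zone contents are constructed; only adserver's address comes from the post.

```python
"""Replay SGD's logged AD discovery steps (GC SRV lookup, then peer-name
lookup) against pluggable resolvers. Added example with constructed data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SrvResolver = Callable[[str], Optional[Tuple[int, str]]]  # SRV name -> (port, target)
HostResolver = Callable[[str], Optional[str]]            # host name -> IPv4


@dataclass
class Discovery:
    steps: List[str] = field(default_factory=list)  # trace in the log's HIT/MISS style
    ok: bool = True
    reason: str = ""


def discover_ad(domain: str, peer_name: str, srv: SrvResolver, host: HostResolver) -> Discovery:
    """Return a HIT/MISS trace; ok is False at the first step that cannot resolve."""
    d = Discovery()

    def step(label: str, hit: bool) -> bool:
        d.steps.append(f"{label} - {'HIT' if hit else 'MISS'}")
        return hit

    gc_name = f"_gc._tcp.{domain.upper()}."
    gc = srv(gc_name)
    if not step(f"Looking up Global Catalog DNS name: {gc_name}", gc is not None):
        d.ok, d.reason = False, f"no SRV record for {gc_name}; DNS lacks the forest records"
        return d
    port, target = gc
    if not step(f"Looking for GC on server: {target}:{port}", host(target) is not None):
        d.ok, d.reason = False, f"Global Catalog host {target} does not resolve"
        return d
    # In the post's log this is the step that fails for the bare name "sgd1".
    if not step(f"Looking up addresses for peer DNS: {peer_name}", host(peer_name) is not None):
        hint = " (name has no domain suffix; check that the FQDN resolves)" if "." not in peer_name else ""
        d.ok, d.reason = False, f"peer DNS name {peer_name!r} does not resolve{hint}"
    return d


# Constructed zone for a stand-alone run; adserver's address is the one in the post,
# the SGD zone's address is made up.
SRV_RECORDS: Dict[str, Tuple[int, str]] = {"_gc._tcp.TEST.COM.": (3268, "adserver.test.com")}
A_RECORDS: Dict[str, str] = {"adserver.test.com": "192.168.109.17",
                             "sgd1.test.com": "192.168.109.20"}


def check(peer_name: str) -> Discovery:
    """Run discovery for the test.com forest with the constructed zone above."""
    return discover_ad("test.com", peer_name, SRV_RECORDS.get, A_RECORDS.get)
```

Running `check("sgd1")` reproduces the MISS on the peer-name step, while `check("sgd1.test.com")` completes all three steps; point the two resolver arguments at a real DNS client to run it against a live zone.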