DNS Inquiry

I have several Solaris 10 boxes that have the QAS bits installed on them.  Ready to join. Preflight succeeds.   Join fails, apparently because upon join VAS does a reverse lookup on the IP of the host joining the domain.  We pre-create our machine objects in AD and delegate a group of people the right to 'join' those objects from the Unix host.  On these few machines, they have multiple NIC cards.  Each NIC has a unique Unix DNS name associated with it.  They are joining as hostX, but the reverse lookup is returning one of the hyphenated DNS names for the specific NIC card, i.e. hostX-app1 .... VAS can't authenticate the host, and the join fails ...

Options for bypassing this reverse lookup during join?
  • Hi Donny,

    Use the -n option to force the hostname.

    Examples:
    /opt/quest/bin/vastool -u myadmin join -n hostabc1 example.com
    /opt/quest/bin/vastool -u myadmin join -n `hostname` example.com

    Thanks!
    Kyle
  • Could it be that simple, Kyle?!?  Matt suggested the same answer at the end of last week too.   Maybe I'm over-thinking this one...  I have a call with the Unix people in half an hour to trial this solution.
  • You say that VAS can't authenticate the host when trying to join?

    What is the exact error message? Please cut & paste it here.

    It could be how you're delegating out the permissions to the "admin" that's joining the computer object. Since it's joining and re-establishing the Kerberos credentials, you should be delegating the "allow reset password" right on the computer object.

    Also, seeing you're pre-creating the computer object, you need to specify "-f" to vastool when joining.

    -Gregg

  • We pre-create the machine object as hostX and delegate the right to 'join', update SPN, dNSHostName, UPN, service pack, etc. to this group.
    At the host, we have the Unix admin run the command:

    vastool -u loginName@domain join -f domain

    As part of the join, VAS does a reverse lookup on the IP address and one of the hyphenated names for the NIC cards is returned.  VAS sees that the host name and the reverse lookup do not match and the join fails.

    I'll find and post the exact message to this thread.

    The command Kyle has offered adds the '-n' option to force the hostname to be hostX.  I'm hoping that '-n' also instructs VAS to "ignore" the hostX-app1 name that gets returned in the reverse lookup.   If not, I may be back at square one.

    This is what we're going to try ...

    vastool -u loginName@domain join -f -n hostX  domain

    To add: we've successfully joined hundreds of Unix systems to our AD using this same method.  We've hit this snag with hosts that have more than one NIC card. The Unix machines have their own DNS infrastructure, and in that environment each NIC has its own DNS record.  During join, VAS identifies the IP address of the host and does a reverse lookup.  The name that comes back isn't the host name that is being joined; it's a hyphenated version of it, with the application running from that NIC card, i.e. hostX-app1.
  • The -n option that Kyle mentioned should do the trick. If not, please post the complete output here.

    -Gregg
  • The -n option was tried and failed; see transcript below ...  Note the non-hyphenated name was specified, but VAS attempts to join the hyphenated host name.


    # /opt/quest/bin/vastool  -u USER@domain join -n hostX -f domain

    Checking whether computer is already joined to a domain ... no
    Password for USER@domain:
    Configuring forest root ... root.Domain ... OK
    Configuring site ... SITENAME ... OK
    Joining computer to the domain ashost/hostX-app1.domain ... Failed
    ERROR: Unable to join computer object
    ERROR: Could not join to the domain
    VAS_ERR_LDAP: Error encountered processing ldap result for dn [CN=hostX-app1,CN=Computers,DC=domain], err=00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    .
       Caused by:
       LDAP_INSUFFICIENT_ACCESS: Insufficient access to complete operation
     
    The problem with insufficient access is that we don't allow the Unix admins to create machines on the domain.  We pre-create them.   The hostname is 'hostX'; however, the NIC card has a separate DNS name that is being returned by the DNS reverse lookup, and VAS is attempting to join as hostX-app1.
  • Hi Donny,

    Not really well documented, but if VAS doesn't find a "." in the hostname it will attempt to resolve it to a FQDN. Please use the -n option with a FQDN to see if that is sufficient for your use case.

    # /opt/quest/bin/vastool -u USER@domain join -n hostX.domain -f domain

    Another solution is to make sure the proper FQDN is listed first in the /etc/hosts file, but this might not be relevant for your scenario where you have multiple interfaces.

    Thanks!
    Kyle
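The check below is an added example written for this thread; it is not Quest/One Identity code and not something any poster ran. It mirrors the behaviour Kyle describes: a join name without a "." gets qualified (here by appending the AD domain, the assumed fallback), and any interface whose reverse record carries a different name is flagged before vastool is ever invoked. The PTR results are constructed sample lines fed on stdin rather than live DNS queries, so the script runs offline; the admin account, addresses and example.com domain are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, not vendor code): pre-join sanity check for a
# multi-NIC host whose PTR records carry per-application names (hostX-app1 etc.).

# fqdn_for_join NAME DOMAIN
# Prints the value to hand to "vastool join -n". A name that already contains a "."
# is used as-is; a short name has the AD domain appended (assumption: that is the
# qualification the admin wants, instead of whatever reverse DNS would return).
fqdn_for_join() {
    case "$1" in
        *.*) printf '%s\n' "$1" ;;
        *)   printf '%s.%s\n' "$1" "$2" ;;
    esac
}

# reverse_mismatches WANTED_FQDN  (reads "ip name" lines on stdin)
# Prints a warning for every interface whose reverse name differs from the name we
# intend to join as. Returns 1 if any mismatch was seen, 0 if all records agree.
reverse_mismatches() {
    want="$1"
    rc=0
    while read -r ip name; do
        [ -z "$ip" ] && continue
        if [ "$name" != "$want" ]; then
            printf 'WARN: %s reverse-resolves to %s, not %s\n' "$ip" "$name" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# recommend_join_cmd ADMIN NAME DOMAIN
# Prints the join command with -f (pre-created object) and an explicit, fully
# qualified -n so the reverse lookup result is never used as the computer name.
recommend_join_cmd() {
    printf '/opt/quest/bin/vastool -u %s join -f -n %s %s\n' \
        "$1" "$(fqdn_for_join "$2" "$3")" "$3"
}

# Constructed sample: two NICs, each with an application-specific PTR name.
SAMPLE_PTRS='192.0.2.10 hostX-app1.example.com
192.0.2.11 hostX-app2.example.com'

main() {
    join_name=$(fqdn_for_join hostX example.com)
    if printf '%s\n' "$SAMPLE_PTRS" | reverse_mismatches "$join_name"; then
        echo "Reverse DNS agrees with $join_name; a plain join should work."
    else
        echo "Reverse DNS disagrees; pass the FQDN explicitly:"
        recommend_join_cmd myadmin hostX example.com
    fi
}

main
```

With the sample records the script warns on both interfaces and prints a join command ending in `-n hostX.example.com example.com`, which is the form that resolved the thread. On a real host the "ip name" lines would come from your resolver (for example `getent hosts` or `host` output, reformatted), not from the embedded sample.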
  • Hi Donny,

    Can you try using -n with the fully qualified hostname please?

    Kind Regards, Karl.

  • Follow-up: we retried the command with the FQDN of the non-hyphenated host name followed by the AD domain suffix and voila! It worked.

    Awesome!
  • Not a dumb question. If you plan on using Transparent SSO (SSH GSS-API, mod_auth_vas, SAP or Sybase SSO), then it is best to match the FQDN to the DNS name which the host is known by publicly. Otherwise, it doesn't really matter since the name will only be used internally by VAS.