dsconfigad use preferred server has no effect
| Field | Value |
|---|---|
| Originator | calum.h |
| Number | rdar://25101089 |
| Date Originated | 11-Mar-2016 01:16 PM |
| Status | Open |
| Resolved | |
| Product | OS X |
| Product Version | 10.11.3 |
| Classification | Performance |
| Reproducible | Always |
Summary:
When a Mac is bound to AD and the preferred server option is used with dsconfigad, the server listed as the preferred domain controller _should_ be used for all authentication and ldap lookups. However, tcpdump captures and netstat output make it clear that the preferred server is being ignored: authentication and ldap lookups continue to go out to the domain controller that is assigned to the site in AD Sites and Services.
I have tested this back as far as 10.9.5, and the issue is present in all current versions of 10.11 and 10.10 as well.
Steps to Reproduce:
1. Install 10.11.3
2. Bind to AD
3. Perform an ldap lookup using dscl or the id command.
eg.
:~ $ id <username>
or
:~ $ dscl /Search -read /Users/<username>
4. Use netstat to list established connections
eg.
:~ $ netstat -W | grep ESTAB
tcp4 0 0 10.10.10.10.49390 dc001.contoso.com.ldap ESTABLISHED
tcp4 0 0 10.10.10.10.49388 dc001.contoso.com.msft-gc ESTABLISHED
Notice the server listed; in the above example it is dc001.contoso.com.
5. Set the preferred domain controller to use with dsconfigad
eg.
:~ $ dsconfigad -preferred "dc002.contoso.com"
6. Reboot machine
7. Confirm the preferred server is set with dsconfigad -show
eg.
:~ $ dsconfigad -show
Advanced Options - Administrative
Preferred Domain controller = dc002.contoso.com
8. Repeat step 3 with different usernames to avoid any caching of user records
9. Repeat step 4 and notice the server names of the established connections for ldap and msft-gc
eg.
:~ $ netstat -W | grep ESTAB
tcp4 0 0 10.10.10.10.49704 dc001.contoso.com.ldap ESTABLISHED
tcp4 0 0 10.10.10.10.49702 dc001.contoso.com.msft-gc ESTABLISHED
Note that the server name is _NOT_ the name of the preferred server we set with dsconfigad.
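The comparison in the last three steps (read the preferred DC from dsconfigad -show, then check where the established ldap and msft-gc connections actually go) can be scripted. This is an added example, not part of the original report; the sample outputs are constructed from the report's own lines, and on a real Mac they would be replaced by "$(dsconfigad -show)" and "$(netstat -W)".

```sh
#!/bin/sh
# Added example (not from the original report): flag directory connections
# that bypass the DC configured with `dsconfigad -preferred`.

# Pull the preferred DC host name out of `dsconfigad -show` output.
preferred_from_show() {
    printf '%s\n' "$1" | awk -F' = ' '/Preferred Domain controller/ {
        sub(/[[:space:]]+$/, "", $2); print $2; exit }'
}

# check_preferred PREFERRED_HOST NETSTAT_OUTPUT
# Lists every ESTABLISHED ldap / msft-gc (global catalog) connection whose
# foreign host is not PREFERRED_HOST. Returns 0 when every such connection
# goes to the preferred DC, 1 when the preferred setting is being ignored.
check_preferred() {
    mismatches=$(printf '%s\n' "$2" | awk -v pref="$1" '
        # field 5 is the foreign address; netstat -W leaves host.service untruncated
        /ESTABLISHED/ && $5 ~ /\.(ldap|msft-gc)$/ {
            host = $5
            sub(/\.[^.]*$/, "", host)    # strip the ".ldap" / ".msft-gc" suffix
            if (host != pref) print "not preferred: " $5
        }')
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Constructed samples taken from the report's example output; the imaps line
# is added to show that unrelated connections are ignored.
SHOW_SAMPLE='Advanced Options - Administrative
Preferred Domain controller = dc002.contoso.com'
NETSTAT_SAMPLE='tcp4 0 0 10.10.10.10.49704 dc001.contoso.com.ldap ESTABLISHED
tcp4 0 0 10.10.10.10.49702 dc001.contoso.com.msft-gc ESTABLISHED
tcp4 0 0 10.10.10.10.49710 mail.contoso.com.imaps ESTABLISHED'

pref=$(preferred_from_show "$SHOW_SAMPLE")
check_preferred "$pref" "$NETSTAT_SAMPLE" \
    || echo "preferred server $pref is being ignored"
```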
Expected Results:
When a preferred domain controller is set using dsconfigad -preferred, all authentication and ldap lookups should first attempt to use this server. If this preferred server is non-responsive or otherwise offline, authentication and ldap lookups will fail over to servers provided via DNS service records.
As per the manual entry for -preferred:
-preferred server
Use the specified server for all Directory lookups and authentications. If the server is no longer available, it will fail-over to other servers.
Actual Results:
The server set with dsconfigad -preferred is not used for authentication or ldap lookups.
Regression:
Tested in OS X 10.9.5, 10.10.5 and 10.11.3. All three versions of the system exhibit this issue.
Notes: