[Freeipa-users] SSSD dyndns_update on machine with multiple IP address

David Goudet david.goudet at lyra-network.com
Mon Apr 17 17:42:34 UTC 2017


Hi,

Has nobody got a response to my questions?

The main question is: is it possible to configure SSSD to update DNS (option dyndns_update) with only the "primary" IP address in the ip addr list, or the one used for communication with the FreeIPA server (-IP1-, used for the TCP binding)?

Thank you for your help.

Best regards,


On 03/27/2017 06:34 PM, David Goudet wrote:
> Hi,
>
> Thanks to the dyndns_update=True parameter, the SSSD service on the client machine updates the host DNS entry in FreeIPA.
> Everything is fine on machines which have only one IP address on the network interface.
> I have a problem with machines which have more than one IP address on the network interface: if a machine has two IP addresses, SSSD updates the host DNS entry with both of them.
>
> To reproduce the problem:
> The host has -IP1- and I add -IP2-:
> ip addr add -IP2-/26 dev em1
>
> ip addr list:
> em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
>      link/ether xxxx
>      inet -IP1-/26 brd XXXX scope global em1
>      inet -IP2-/26 scope global secondary em1
>         valid_lft forever preferred_lft forever
>
> DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd it returns -IP1- & -IP2-.
>
> In the dyndns_update manpage we have "The IP address of the IPA LDAP connection is used for the updates"; what does it mean? Is it the IP address of the DNS server (used to update the DNS entry), or is it the IP address on the client machine used during the LDAP TCP bind (-IP1- in my case)?
>
> dyndns_update (boolean)
>             Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client.
>             The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise
>             specified by using the “dyndns_iface” option.
>
> Is it normal behaviour that SSSD adds every IP enabled on the client machine to the host DNS entry?
> Is it possible to configure SSSD to update DNS with only the "primary" IP address in the ip addr list, or the one used for communication with the FreeIPA server (-IP1-, used for the TCP binding)?
>
> My environment is:
> Client: CentOS 7.2
> sssd-common-1.13.0-40.el7_2.12.x86_64
> sssd-ipa-1.13.0-40.el7_2.12.x86_64
> sssd-1.13.0-40.el7_2.12.x86_64
> sssd-client-1.13.0-40.el7_2.12.x86_64
> FreeIPA server: CentOS 6.7
> ipa-server-3.0.0-47.el6.centos.2.x86_64
> bind-9.8.2-0.30.rc1.el6_6.3.x86_64
> bind-utils-9.8.2-0.37.rc1.el6_7.7.x86_64
> bind-libs-9.8.2-0.37.rc1.el6_7.7.x86_64
> rpcbind-0.2.0-11.el6_7.x86_64
> bind-libs-9.8.2-0.30.rc1.el6_6.3.x86_64
> rpcbind-0.2.0-11.el6.x86_64
> bind-dyndb-ldap-2.3-8.el6.x86_64
> bind-9.8.2-0.37.rc1.el6_7.7.x86_64
>
>
> SSSD configuration on client:
> [domain/<DOMAIN>]
>
> debug_level=18
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = <DOMAIN>
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ds01.<SUBDOMAIN1>, ds01.<SUBDOMAIN2>
> dns_discovery_domain = <DOMAIN>
>
>
> Named FreeIPA logs:
> -------------------
> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#36331: updating zone '<DNS ZONE>/IN': deleting rrset at '<hostname><DNS ZONE>' A
> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: update_record (psearch) failed, dn 'idnsName=2,idnsname=<DNSZONE>.in-addr.arpa.,cn=dns,dc=yyy,dc=xxx' change type 0x4. Records can be outdated, run `rndc reload`: not found
> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: zone <SUBDOMAIN3>/IN: sending notifies (serial 1490615011)
> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#46187: updating zone '<SUBDOMAIN3>/IN': deleting rrset at '<machine>.<SUBDOMAIN3>' AAAA
> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#54691: updating zone '<SUBDOMAIN3>/IN': adding an RR at '<machine>.<SUBDOMAIN3>' A
> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#54691: updating zone '<SUBDOMAIN3>/IN': adding an RR at '<machine>.<SUBDOMAIN3>' A
> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: zone <DNSZONE>.in-addr.arpa/IN: sending notifies (serial 1490627037)
> Mar 27 17:04:02 ds01.<SUBDOMAIN2> named[6607]: zone <SUBDOMAIN3>/IN: sending notifies (serial 1490627038)
>
> SSSD trace log on client during sssd restart:
> -----------------------
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [ipa_dyndns_update_send] (0x0400): Performing update
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_is_address] (0x4000): [<machine>.<SUBDOMAIN3>] does not look like an IP address
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of '<machine>.<SUBDOMAIN3>' in DNS
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_is_address] (0x4000): [<machine>.<SUBDOMAIN3>] does not look like an IP address
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of '<machine>.<SUBDOMAIN3>' in DNS
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_dyndns_addrs_diff] (0x1000): Address on localhost only: -IP2-
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_dyndns_dns_addrs_done] (0x0400): Detected IP addresses change, will perform an update
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [nsupdate_msg_create_common] (0x0200): Creating update message for realm [<DOMAIN>].
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message --
> realm <DOMAIN>
> update delete <machine>.<SUBDOMAIN3>. in A
> send
> update delete <machine>.<SUBDOMAIN3>. in AAAA
> send
> update add <machine>.<SUBDOMAIN3>. 1200 in A -IP2-
> update add <machine>.<SUBDOMAIN3>. 1200 in A -IP1-
> send
>   -- End nsupdate message --
> ..
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [nsupdate_msg_create_common] (0x0200): Creating update message for server [ds01.<SUBDOMAIN2>] and realm [<DOMAIN>].
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message --
> server ds01.<SUBDOMAIN2>
> realm <DOMAIN>
> update delete <machine>.<SUBDOMAIN3>. in A
> send
> update delete <machine>.<SUBDOMAIN3>. in AAAA
> send
> update add <machine>.<SUBDOMAIN3>. 1200 in A -IP2-
> update add <machine>.<SUBDOMAIN3>. 1200 in A -IP1-
> send
>   -- End nsupdate message --
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [20631]
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [child_handler_setup] (0x2000): Signal handler set up for pid [20631]
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
> setup_system()
>
> Thank you for your help!
>
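As an added illustration of the behaviour discussed in this thread (example code, not from SSSD or FreeIPA), the script below parses `ip addr` output, keeps only the addresses that the kernel does not flag as `secondary` on the chosen interface, mirrors the local-vs-DNS comparison that SSSD's `sdap_dyndns_addrs_diff` logs as "Address on localhost only", and composes an update in the same layout that appears between "Begin nsupdate message" and "End nsupdate message" in the trace above. The interface output, host name, realm and server name are constructed sample values; the helper names are hypothetical.

```python
"""Register only the primary IPv4 address(es) of an interface in DNS.

Hypothetical helper, not SSSD code: it reproduces the nsupdate message
layout seen in the SSSD trace, restricted to non-secondary addresses.
"""
import re
import subprocess

# Constructed sample shaped like the `ip addr list` output in the thread:
# one primary address and one address added later, flagged "secondary".
SAMPLE_IP_ADDR = """\
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/26 brd 192.0.2.63 scope global em1
    inet 192.0.2.20/26 scope global secondary em1
       valid_lft forever preferred_lft forever
"""

# "2: em1: <...>" or, as pasted in the thread, just "em1: <...>"; veth-style
# "em1@if2:" names are reduced to "em1".
IFACE_RE = re.compile(r"^(?:\d+:\s+)?(\S+?)(?:@\S+)?:\s")
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)/\d+\s*(.*)$")


def primary_ipv4(ip_addr_output, iface):
    """Return IPv4 addresses on `iface` that `ip addr` does not mark secondary."""
    addrs = []
    current = None
    for line in ip_addr_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current != iface:
            continue
        m = INET_RE.match(line)
        if m and "secondary" not in m.group(2).split():
            addrs.append(m.group(1))
    return addrs


def addrs_diff(local_addrs, dns_addrs):
    """Same check SSSD logs as 'Address on localhost only' / change detection.

    Returns (localhost_only, dns_only); an update is warranted if either is
    non-empty.
    """
    local, dns = set(local_addrs), set(dns_addrs)
    return sorted(local - dns), sorted(dns - local)


def nsupdate_script(fqdn, realm, addrs, ttl=1200, server=None):
    """Compose the update in the layout SSSD's trace shows for the forward zone."""
    lines = []
    if server:
        lines.append(f"server {server}")
    lines.append(f"realm {realm}")
    lines += [f"update delete {fqdn}. in A", "send",
              f"update delete {fqdn}. in AAAA", "send"]
    lines += [f"update add {fqdn}. {ttl} in A {a}" for a in addrs]
    lines.append("send")
    return "\n".join(lines) + "\n"


def live_ip_addr(iface):
    """Read the real interface state; only used when run on a host."""
    return subprocess.run(["ip", "addr", "show", "dev", iface],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in live_ip_addr("em1")
    # and the host's real FQDN/realm on a client.
    addrs = primary_ipv4(SAMPLE_IP_ADDR, "em1")
    only_local, only_dns = addrs_diff(addrs, ["192.0.2.10"])
    if only_local or only_dns:
        print(nsupdate_script("host.example.test", "EXAMPLE.TEST", addrs,
                              server="ds01.example.test"), end="")
    else:
        print("DNS already matches the primary address; nothing to do")
```

On a client the generated text would be fed to `nsupdate -g` with the host's Kerberos credentials (from the host keytab) so the update is GSS-TSIG signed, as in the trace. Note that this runs outside SSSD: as the logs above show, SSSD redoes its own update on restart when `dyndns_update = True`, so a script like this only holds if SSSD's dynamic update is disabled and the script is scheduled instead.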
