[Freeipa-users] SSSD dyndns_update on machine with multiple IP address

Martin Bašti mbasti at redhat.com
Wed Apr 19 10:31:03 UTC 2017



On 17.04.2017 19:42, David Goudet wrote:
> Hi,
>
> Nobody has a response to my questions?
>
> The main question is: Is it possible to configure SSSD to update DNS 
> (option dyndns_update) with only the "primary" IP address in the ip addr 
> list, or the one which is used for FreeIPA server communication (-IP1- 
> used on TCP binding)?
>
> Thank you for your help.
>
> Best regards,
>
>
> On 03/27/2017 06:34 PM, David Goudet wrote:
>> Hi,
>>
>> Thanks to the dyndns_update=True parameter, the SSSD service on the client 
>> machine updates the host DNS entry in FreeIPA.
>> Everything is fine on machines which have only one IP address on the 
>> network interface.
>> I have a problem with machines which have more than one IP address on the 
>> network interface: if a machine has two IP addresses, SSSD updates the host 
>> DNS entry with both IP addresses.
>>
>> To reproduce the problem:
>> Host has -IP1- and I add -IP2-:
>> ip addr add -IP2-/26 dev em1
>>
>> ip addr list:
>> em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP 
>> qlen 1000
>>      link/ether xxxx
>>      inet -IP1-/26 brd XXXX scope global em1
>>      inet -IP2-/26 scope global secondary em1
>>         valid_lft forever preferred_lft forever
>>
>> DNS resolution (dig) before restarting sssd returns only -IP1-. After 
>> restarting sssd it returns -IP1- & -IP2-.
>>
>> In the dyndns_update manpage, we have "The IP address of the IPA LDAP 
>> connection is used for the updates"; what does it mean? Is it the IP 
>> address of the DNS server (used to update the DNS entry)? Or is it the IP 
>> address on the client machine used during the LDAP TCP bind (-IP1- in my case)?
>>
>> dyndns_update (boolean)
>>     Optional. This option tells SSSD to automatically update the DNS 
>>     server built into FreeIPA v2 with the IP address of this client.
>>     The update is secured using GSS-TSIG. The IP address of the IPA LDAP 
>>     connection is used for the updates, if it is not otherwise specified 
>>     by using the "dyndns_iface" option.
>>
>> Is it normal behaviour that SSSD adds every IP enabled on the client 
>> machine to the host DNS entry?
>> Is it possible to configure SSSD to update DNS with only the "primary" IP 
>> address in the ip addr list, or the one which is used for FreeIPA server 
>> communication (-IP1- used on TCP binding)?
>>
>> My environment is:
>> Client: Centos 7.2
>> sssd-common-1.13.0-40.el7_2.12.x86_64
>> sssd-ipa-1.13.0-40.el7_2.12.x86_64
>> sssd-1.13.0-40.el7_2.12.x86_64
>> sssd-client-1.13.0-40.el7_2.12.x86_64
>> FreeIPA server: Centos 6.7
>> ipa-server-3.0.0-47.el6.centos.2.x86_64
>> bind-9.8.2-0.30.rc1.el6_6.3.x86_64
>> bind-utils-9.8.2-0.37.rc1.el6_7.7.x86_64
>> bind-libs-9.8.2-0.37.rc1.el6_7.7.x86_64
>> rpcbind-0.2.0-11.el6_7.x86_64
>> bind-libs-9.8.2-0.30.rc1.el6_6.3.x86_64
>> rpcbind-0.2.0-11.el6.x86_64
>> bind-dyndb-ldap-2.3-8.el6.x86_64
>> bind-9.8.2-0.37.rc1.el6_7.7.x86_64
>>
>>
>> SSSD configuration on client:
>> [domain/<DOMAIN>]
>>
>> debug_level=18
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = <DOMAIN>
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> chpass_provider = ipa
>> dyndns_update = True
>> ipa_server = _srv_, ds01.<SUBDOMAIN1>, ds01.<SUBDOMAIN2>
>> dns_discovery_domain = <DOMAIN>
>>
>>
>> Named FreeIPA logs:
>> -------------------
>> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#36331: 
>> updating zone '<DNS ZONE>/IN': deleting rrset at '<hostname><DNS 
>> ZONE>' A
>> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: update_record 
>> (psearch) failed, dn 
>> 'idnsName=2,idnsname=<DNSZONE>.in-addr.arpa.,cn=dns,dc=yyy,dc=xxx' 
>> change type 0x4. Records can be outdated, run `rndc reload`: not found
>> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: zone <SUBDOMAIN3>/IN: 
>> sending notifies (serial 1490615011)
>> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#46187: 
>> updating zone '<SUBDOMAIN3>/IN': deleting rrset at 
>> '<machine>.<SUBDOMAIN3>' AAAA
>> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#54691: 
>> updating zone '<SUBDOMAIN3>/IN': adding an RR at 
>> '<machine>.<SUBDOMAIN3>' A
>> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#54691: 
>> updating zone '<SUBDOMAIN3>/IN': adding an RR at 
>> '<machine>.<SUBDOMAIN3>' A
>> Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: zone 
>> <DNSZONE>.in-addr.arpa/IN: sending notifies (serial 1490627037)
>> Mar 27 17:04:02 ds01.<SUBDOMAIN2> named[6607]: zone <SUBDOMAIN3>/IN: 
>> sending notifies (serial 1490627038)
>>
>> SSSD trace log on client during sssd restart:
>> -----------------------
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [ipa_dyndns_update_send] (0x0400): Performing update
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [sdap_id_op_connect_step] (0x4000): reusing cached connection
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_id_op_destroy] 
>> (0x4000): releasing operation connection
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_is_address] 
>> (0x4000): [<machine>.<SUBDOMAIN3>] does not look like an IP address
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [resolv_gethostbyname_step] (0x2000): Querying DNS
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record 
>> of '<machine>.<SUBDOMAIN3>' in DNS
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [request_watch_destructor] (0x0400): Deleting request watch
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_is_address] 
>> (0x4000): [<machine>.<SUBDOMAIN3>] does not look like an IP address
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [resolv_gethostbyname_step] (0x2000): Querying DNS
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA 
>> record of '<machine>.<SUBDOMAIN3>' in DNS
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [request_watch_destructor] (0x0400): Deleting request watch
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [resolv_gethostbyname_next] (0x0200): No more address families to retry
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [sdap_dyndns_addrs_diff] (0x1000): Address on localhost only: -IP2-
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [sdap_dyndns_dns_addrs_done] (0x0400): Detected IP addresses change, 
>> will perform an update
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [nsupdate_msg_create_common] (0x0200): Creating update message for 
>> realm [<DOMAIN>].
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message --
>> realm <DOMAIN>
>> update delete <machine>.<SUBDOMAIN3>. in A
>> send
>> update delete <machine>.<SUBDOMAIN3>. in AAAA
>> send
>> update add <machine>.<SUBDOMAIN3>. 1200 in A -IP2-
>> update add <machine>.<SUBDOMAIN3>. 1200 in A -IP1-
>> send
>>   -- End nsupdate message --
>> ..
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [nsupdate_msg_create_common] (0x0200): Creating update message for 
>> server [ds01.<SUBDOMAIN2>] and realm [<DOMAIN>].
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message --
>> server ds01.<SUBDOMAIN2>
>> realm <DOMAIN>
>> update delete <machine>.<SUBDOMAIN3>. in A
>> send
>> update delete <machine>.<SUBDOMAIN3>. in AAAA
>> send
>> update add <machine>.<SUBDOMAIN3>. 1200 in A -IP2-
>> update add <machine>.<SUBDOMAIN3>. 1200 in A -IP1-
>> send
>>   -- End nsupdate message --
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [child_handler_setup] 
>> (0x2000): Setting up signal handler up for pid [20631]
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [child_handler_setup] 
>> (0x2000): Signal handler set up for pid [20631]
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [write_pipe_handler] 
>> (0x0400): All data has been sent!
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] 
>> [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
>> (Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [be_nsupdate_args] 
>> (0x0200): nsupdate auth type: GSS-TSIG
>> setup_system()
>>
>> Thank you for your help!
>>
>
>

I asked the question here

https://www.redhat.com/archives/freeipa-users/2017-March/msg00360.html



-- 
Martin Bašti
Software Engineer
Red Hat Czech
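As an added illustration of the mismatch in the quoted report (not code from the thread or from SSSD): a small checker that parses `ip addr` output and the nsupdate script SSSD prints in its debug log, and reports which A records about to be published are not a primary (non-"secondary") address of the host. The sample inputs are constructed; the hostname, realm and 192.0.2.x addresses are placeholders.

```python
import re

# Constructed sample in the shape of the `ip addr list` output quoted in the thread
IP_ADDR_SAMPLE = """\
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/26 brd 192.0.2.63 scope global em1
    inet 192.0.2.20/26 scope global secondary em1
       valid_lft forever preferred_lft forever
"""

# Constructed sample in the shape of the nsupdate message SSSD writes to its debug log
NSUPDATE_SAMPLE = """\
realm EXAMPLE.TEST
update delete host.example.test. in A
send
update delete host.example.test. in AAAA
send
update add host.example.test. 1200 in A 192.0.2.20
update add host.example.test. 1200 in A 192.0.2.10
send
"""

# IPv4 'inet' line: address, optional brd, scope, optional 'secondary' flag, interface
INET_RE = re.compile(
    r"^\s*inet\s+(?P<addr>[\d.]+)/\d+(?:\s+brd\s+\S+)?\s+scope\s+(?P<scope>\S+)"
    r"(?P<secondary>\s+secondary)?\s+(?P<iface>\S+)\s*$")
# 'update add <owner> <ttl> in <type> <rdata>' line of an nsupdate script
ADD_RE = re.compile(r"^update add\s+(?P<name>\S+)\s+\d+\s+in\s+(?P<type>\S+)\s+(?P<value>\S+)$", re.I)

def parse_ip_addr(text):
    """Return [(address, iface, is_secondary)] for every global-scope IPv4 'inet' line."""
    return [(m.group("addr"), m.group("iface"), bool(m.group("secondary")))
            for m in map(INET_RE.match, text.splitlines())
            if m and m.group("scope") == "global"]

def primary_addresses(text):
    """Global IPv4 addresses the kernel does not flag as 'secondary'."""
    return [addr for addr, _, secondary in parse_ip_addr(text) if not secondary]

def parse_nsupdate_adds(text):
    """Return [(owner, rtype, rdata)] for every 'update add' line of an nsupdate script."""
    return [(m.group("name"), m.group("type").upper(), m.group("value"))
            for m in map(ADD_RE.match, text.splitlines()) if m]

def check_update(ip_addr_text, nsupdate_text):
    """Flag A records SSSD is about to publish that are not a primary address."""
    primary = primary_addresses(ip_addr_text)
    published = [v for _, t, v in parse_nsupdate_adds(nsupdate_text) if t == "A"]
    return {"primary": primary, "published": published,
            "extra": [v for v in published if v not in primary]}
```

Run against a real client by feeding it `ip addr list` output and the "Begin nsupdate message" block from the SSSD log; a non-empty `extra` list shows the secondary addresses that will land in the host's A record set.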