On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:
> Hi,
>
> Thanks to dyndns_update=True parameter, SSSD service on client machine
> updating host DNS entry in FreeIPA.
> Everything is fine on machines which have only one IP address on network
> interface.
> I have problem with machines which have more than one IP address on network
> interface: if machine have two IP address, SSSD update host DNS entry with
> these two IP address.
>
> To reproduce the problem:
> Host have -IP1- and I add -IP2-
> ip addr add -IP2-/26 dev em1
>
> ip addr list:
> em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
>     link/ether xxxx
>     inet -IP1-/26 brd XXXX scope global em1
>     inet -IP2-/26 scope global secondary em1
>        valid_lft forever preferred_lft forever
>
> DNS resolution (dig) before restarting sssd returns only -IP1-. After
> restarting sssd returns -IP1- & -IP2-
>
> In dyndns_update manpage, we have "The IP address of the IPA LDAP connection
> is used for the updates", what does it mean? Is it IP address of the DNS
> server (used to update the DNS entry)? or is it IP address on client machine
> used during LDAP TCP bind (-IP1- in my case)?
>
> dyndns_update (boolean)
>     Optional. This option tells SSSD to automatically update the DNS
>     server built into FreeIPA v2 with the IP address of this client.
>     The update is secured using GSS-TSIG. The IP address of the IPA
>     LDAP connection is used for the updates, if it is not otherwise
>     specified by using the “dyndns_iface” option.
>
> Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on
> client machine?

Looks like this was a deliberate change:
    https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

> Is it possible to configure SSSD to update DNS with only IP address "primary"
> in ip addr list or which is used to FreeIPA server communication (-IP1- used
> on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.