On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:
> Hi,
> 
> Thanks to the dyndns_update=True parameter, the SSSD service on the client 
> machine updates the host DNS entry in FreeIPA.
> Everything is fine on machines which have only one IP address on the network 
> interface.
> I have a problem with machines which have more than one IP address on the 
> network interface: if a machine has two IP addresses, SSSD updates the host 
> DNS entry with both IP addresses.
> 
> To reproduce the problem:
> Host has -IP1- and I add -IP2-
> ip addr add -IP2-/26 dev em1
> 
> ip addr list:
> em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
>     link/ether xxxx
>     inet -IP1-/26 brd XXXX scope global em1
>     inet -IP2-/26 scope global secondary em1
>        valid_lft forever preferred_lft forever
> 
> DNS resolution (dig) before restarting sssd returns only -IP1-. After 
> restarting sssd it returns -IP1- & -IP2-.
> 
> In the dyndns_update manpage, we have "The IP address of the IPA LDAP connection 
> is used for the updates", what does it mean? Is it the IP address of the DNS 
> server (used to update the DNS entry)? Or is it the IP address on the client 
> machine used during the LDAP TCP bind (-IP1- in my case)?
> 
> dyndns_update (boolean)
>            Optional. This option tells SSSD to automatically update the DNS 
> server built into FreeIPA v2 with the IP address of this client.
>            The update is secured using GSS-TSIG. The IP address of the IPA 
> LDAP connection is used for the updates, if it is not otherwise
>            specified by using the “dyndns_iface” option.
> 
> Is it normal behaviour that SSSD adds every IP enabled on the client machine 
> to the host DNS entry?

Looks like this was a deliberate change:
    https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

> Is it possible to configure SSSD to update DNS with only the "primary" IP 
> address in ip addr list, or the one used for FreeIPA server communication 
> (-IP1- used on TCP binding)?

Only if the IP addresses are of different families (v4/v6); then it's
possible to restrict one of the families.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
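As an added example (not code from the thread or from SSSD), the script below models what a client with several addresses on one interface would end up publishing, and lets an administrator compare that with what DNS currently answers. It parses constructed `ip addr` output in the shape quoted above, keeps only global-scope addresses on the chosen interface, and offers the two narrowings discussed in the thread: keeping one address family, or only the kernel's primary address. The selection logic is an assumption for illustration and is not SSSD's own code; the addresses are documentation ranges, not real hosts.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Set, Tuple

# Constructed sample, modelled on the `ip addr list` excerpt in the thread:
# em1 carries a primary IPv4 address, a secondary IPv4 address, a global
# IPv6 address and a link-local IPv6 address (documentation ranges only).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/26 brd 192.0.2.63 scope global em1
       valid_lft forever preferred_lft forever
    inet 192.0.2.20/26 scope global secondary em1
       valid_lft forever preferred_lft forever
    inet6 2001:db8::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""


class Addr(NamedTuple):
    iface: str
    ip: str          # address without prefix length
    family: int      # 4 or 6
    scope: str       # host / link / global
    secondary: bool  # kernel flagged it as a secondary address


# Interface header: "2: em1: <FLAGS> ..." (the index is optional, as in
# the excerpt quoted in the thread).
_IFACE_RE = re.compile(r"^(?:\d+:\s*)?([^\s:]+):\s+<")
# Address line: "    inet 192.0.2.10/26 brd 192.0.2.63 scope global em1"
_ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)(.*)$")


def parse_ip_addr(text: str) -> List[Addr]:
    """Parse `ip addr` output into a flat list of addresses with their flags."""
    addrs: List[Addr] = []
    iface = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _ADDR_RE.match(line)
        if not m or iface is None:
            continue
        _, cidr, rest = m.groups()
        iface_addr = ipaddress.ip_interface(cidr)
        tokens = rest.split()
        scope = tokens[tokens.index("scope") + 1] if "scope" in tokens else "global"
        addrs.append(Addr(iface, str(iface_addr.ip), iface_addr.version,
                          scope, "secondary" in tokens))
    return addrs


def candidate_records(addrs: Iterable[Addr], iface: str,
                      families: Tuple[int, ...] = (4, 6),
                      primary_only: bool = False) -> List[str]:
    """Global-scope addresses on `iface` that a dynamic DNS update would publish.

    Assumption for illustration (not SSSD's selection code): every global
    address on the interface is published, unless narrowed to one family or
    to the kernel's primary address only.
    """
    return [a.ip for a in addrs
            if a.iface == iface and a.scope == "global"
            and a.family in families
            and not (primary_only and a.secondary)]


def dns_drift(published: Iterable[str],
              expected: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Compare what DNS currently answers (e.g. `dig +short host`) with what the
    host would publish. Returns (stale, missing): stale entries should be
    cleaned up, missing ones show the update has not happened yet."""
    pub, exp = set(published), set(expected)
    return pub - exp, exp - pub


if __name__ == "__main__":
    addrs = parse_ip_addr(SAMPLE_IP_ADDR)
    print("all global:", candidate_records(addrs, "em1"))
    print("v4 only:   ", candidate_records(addrs, "em1", families=(4,)))
    print("primary:   ", candidate_records(addrs, "em1", primary_only=True))
    # Constructed `dig +short` answer captured before sssd was restarted.
    print("drift:", dns_drift(["192.0.2.10"],
                              candidate_records(addrs, "em1", families=(4,))))
```

Running it on real output (`ip addr show em1` piped into `parse_ip_addr`, and `dig +short` into `dns_drift`) gives a quick check that the host's DNS record contains nothing beyond the addresses you intend to expose, which is the concern raised in the thread once secondary addresses start being published.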