Thanks to the dyndns_update=True parameter, the SSSD service on the client machine 
updates the host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on the network. 
I have a problem with machines which have more than one IP address on a network 
interface: if a machine has two IP addresses, SSSD updates the host DNS entry with 
these two IP addresses.

To reproduce the problem:
The host has -IP1- and I add -IP2-:
ip addr add -IP2-/26 dev em1

ip addr list:
em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
     link/ether xxxx
     inet -IP1-/26 brd XXXX scope global em1
     inet -IP2-/26 scope global secondary em1
        valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting 
sssd, it returns -IP1- & -IP2-.

In the dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used 
for the updates". What does it mean? Is it the IP address of the DNS server (used to 
update the DNS entry)? Or is it the IP address on the client machine used during the LDAP TCP bind 
(-IP1- in my case)?

dyndns_update (boolean)
            Optional. This option tells SSSD to automatically update the DNS
            server built into FreeIPA v2 with the IP address of this client.
            The update is secured using GSS-TSIG. The IP address of the IPA
            LDAP connection is used for the updates, if it is not otherwise
            specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD adds to the host DNS entry every IP enabled on 
the client machine?

IIRC we added this to support multiple interfaces (user can choose which one to use) and to update both IPv6 (AAAA) and IPv4 (A) records.

IPA/SSSD cannot reliably determine which IP address to use; it is all or none from the interface. With the previous behavior, users wanted to use different/more addresses than the one which had been detected from the LDAP connection, and it was not possible previously.

Have you set dyndns_iface in sssd.conf?

Looks like this was a deliberate change:
but to be honest, I forgot why exactly we did this. Martin, do you know?

Is it possible to configure SSSD to update DNS with only the "primary" IP address 
in ip addr list, or the one which is used for FreeIPA server communication (-IP1- used on TCP

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.

