Package: sssd-ad Version: 2.4.1-2 Severity: normal Dear Maintainer,
sssd-ad supports dynamically updating DNS recource records on Active Directory-based authoritative DNS servers after the system has joined their AD domain. To use this feature, a number of dyndns-specific sssd options have to be configured in sssd.conf. I spent close to a day of work finding out what made this mechanism work on one of our hosts, but not another - the root cause was determined to be that the host which had this feature working right away had the bind9-dnsutils package installed, which happens to provide `/usr/bin/nsupdate`. Even if this executable is not present, sssd will willingly let itself be configured with AD-based dyndns updates, but cannot actually perform them. The dyndns update mechanism repeatedly execv()s `nsupdate` if it was found during initialization at src/providers/be_dyndns.c:1188 as per the source package of sssd-ad 2.4.1 in bullseye. I therefore think it's a sound idea to have bind9-dnsutils in either Suggests or Recommends of the sssd-ad package, as an arguably significant portion of its functionality depends on it having been installed. Thanks for your consideration, and the great work on sssd in Debian!