subject:"\[Freeipa\-users\] SSSD dyndns_update on machine with multiple IP address"

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-04-20 Thread Martin Bašti




On 19.04.2017 17:14, David Goudet wrote:


On 04/19/2017 12:31 PM, Martin Bašti wrote:



On 17.04.2017 19:42, David Goudet wrote:

Hi,

Nobody has response about my questions?

The main question is: Is it possible to configure SSSD to update DNS 
(option dyndns_update) with only IP address "primary" in ip addr 
list or which is used to FreeIPA server communication (-IP1- used on 
TCP binding)?


Thank you for your help.

Best regards,

On 03/27/2017 09:40 PM, Jakub Hrozek wrote:

On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine 
updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP adress on network 
interface.
I have problem with machines which have more that one IP address on 
network interface: if machine have two IP address, SSSD update host DNS entry 
with these two IP address.

To reproduce the problem:
Host have -IP1- and i add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:  mtu 1496 qdisc mq state UP qlen 
1000
  link/ether 
  inet -IP1-/26 brd  scope global em1
  inet -IP2-/26 scope global secondary em1
 valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After 
restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection 
is used for the updates", what does it means? Is it IP address of the DNS server 
(used to update the DNS entry)? or is it IP address on client machine used during LDAP 
TCP bind (-IP1- in my case)?

dyndns_update (boolean)
 Optional. This option tells SSSD to automatically update 
the DNS server built into FreeIPA v2 with the IP address of this client.
 The update is secured using GSS-TSIG. The IP address of 
the IPA LDAP connection is used for the updates, if it is not otherwise
 specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs 
enabled on client machine?

IIRC we added this to support multiple interfaces (user can choose 
which one to use) and to update both IPv6 () and IPv4 (A) 
records. IPA/SSSD cannot reliably determine which IP address to use, 
it is all or none from interface. With the previous behavior users 
want to use different/more addresses than the one which has been 
detected from LDAP connection and it was not possible previously.

Do you have set  dyndns_iface in sssd.conf?

Martin

Looks like this was a deliberate change:
  https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

Is it possible to configure SSSD to update DNS with only IP address 
"primary" in ip addr list or which is used to FreeIPA server communication 
(-IP1- used on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.





I asked question here

https://www.redhat.com/archives/freeipa-users/2017-March/msg00360.html





Hi,

Thank you for your response.

In sssd.conf parameter dyndns_iface is not defined, we are in case:
Default: Use the IP addresses of the interface which is used for IPA 
LDAP connection


This point (dyndns_iface) is ok, every IPs of this interface and only 
this interface is updated on IPA host DNS entry.
I use only IPv4, so it is not possible to filter on only one IP 
("primary") it is "none" or "all" on one interface.


In my case i see two solutions:
- Split IP "primary" on one interface (bond0 for exemple) and other 
virtual IPs on one other interface (bond0.1 or bond1 for exemple)

- Disable dyndns_update functionality on this machine

You confirm, i have no other solutions?




Well, then you have only choices you wrote. Sorry.

--
Martin Bašti
Software Engineer
Red Hat Czech

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-04-19 Thread David Goudet



On 04/19/2017 12:31 PM, Martin Bašti wrote:



On 17.04.2017 19:42, David Goudet wrote:

Hi,

Nobody has response about my questions?

The main question is: Is it possible to configure SSSD to update DNS 
(option dyndns_update) with only IP address "primary" in ip addr list 
or which is used to FreeIPA server communication (-IP1- used on TCP 
binding)?


Thank you for your help.

Best regards,

On 03/27/2017 09:40 PM, Jakub Hrozek wrote:

On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine 
updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP adress on network 
interface.
I have problem with machines which have more that one IP address on 
network interface: if machine have two IP address, SSSD update host DNS entry 
with these two IP address.

To reproduce the problem:
Host have -IP1- and i add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:  mtu 1496 qdisc mq state UP qlen 
1000
  link/ether 
  inet -IP1-/26 brd  scope global em1
  inet -IP2-/26 scope global secondary em1
 valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After 
restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection 
is used for the updates", what does it means? Is it IP address of the DNS server 
(used to update the DNS entry)? or is it IP address on client machine used during LDAP 
TCP bind (-IP1- in my case)?

dyndns_update (boolean)
 Optional. This option tells SSSD to automatically update 
the DNS server built into FreeIPA v2 with the IP address of this client.
 The update is secured using GSS-TSIG. The IP address of 
the IPA LDAP connection is used for the updates, if it is not otherwise
 specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs 
enabled on client machine?

IIRC we added this to support multiple interfaces (user can choose 
which one to use) and to update both IPv6 () and IPv4 (A) 
records. IPA/SSSD cannot reliably determine which IP address to use, 
it is all or none from interface. With the previous behavior users 
want to use different/more addresses than the one which has been 
detected from LDAP connection and it was not possible previously.

Do you have set  dyndns_iface in sssd.conf?

Martin

Looks like this was a deliberate change:
  https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

Is it possible to configure SSSD to update DNS with only IP address 
"primary" in ip addr list or which is used to FreeIPA server communication 
(-IP1- used on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.





I asked question here

https://www.redhat.com/archives/freeipa-users/2017-March/msg00360.html





Hi,

Thank you for your response.

In sssd.conf parameter dyndns_iface is not defined, we are in case:
Default: Use the IP addresses of the interface which is used for IPA 
LDAP connection


This point (dyndns_iface) is ok, every IPs of this interface and only 
this interface is updated on IPA host DNS entry.
I use only IPv4, so it is not possible to filter on only one IP 
("primary") it is "none" or "all" on one interface.


In my case i see two solutions:
- Split IP "primary" on one interface (bond0 for exemple) and other 
virtual IPs on one other interface (bond0.1 or bond1 for exemple)

- Disable dyndns_update functionality on this machine

You confirm, i have no other solutions?


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-04-19 Thread Martin Bašti




On 17.04.2017 19:42, David Goudet wrote:

Hi,

Nobody has response about my questions?

The main question is: Is it possible to configure SSSD to update DNS 
(option dyndns_update) with only IP address "primary" in ip addr list 
or which is used to FreeIPA server communication (-IP1- used on TCP 
binding)?


Thank you for your help.

Best regards,


On 03/27/2017 06:34 PM, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client 
machine updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP adress on 
network interface.
I have problem with machines which have more that one IP address on 
network interface: if machine have two IP address, SSSD update host 
DNS entry with these two IP address.


To reproduce the problem:
Host have -IP1- and i add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:  mtu 1496 qdisc mq state UP 
qlen 1000

 link/ether 
 inet -IP1-/26 brd  scope global em1
 inet -IP2-/26 scope global secondary em1
valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After 
restarting sssd returns -IP1- & -IP2-


In dyndns_update manpage, we have "The IP address of the IPA LDAP 
connection is used for the updates", what does it means? Is it IP 
address of the DNS server (used to update the DNS entry)? or is it IP 
address on client machine used during LDAP TCP bind (-IP1- in my case)?


dyndns_update (boolean)
Optional. This option tells SSSD to automatically update 
the DNS server built into FreeIPA v2 with the IP address of this client.
The update is secured using GSS-TSIG. The IP address of 
the IPA LDAP connection is used for the updates, if it is not otherwise

specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs 
enabled on client machine?
Is it possible to configure SSSD to update DNS with only IP address 
"primary" in ip addr list or which is used to FreeIPA server 
communication (-IP1- used on TCP binding)?


My environment is:
Client: Centos 7.2
sssd-common-1.13.0-40.el7_2.12.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
sssd-1.13.0-40.el7_2.12.x86_64
sssd-client-1.13.0-40.el7_2.12.x86_64
FreeIPA server: Centos 6.7
ipa-server-3.0.0-47.el6.centos.2.x86_64
bind-9.8.2-0.30.rc1.el6_6.3.x86_64
bind-utils-9.8.2-0.37.rc1.el6_7.7.x86_64
bind-libs-9.8.2-0.37.rc1.el6_7.7.x86_64
rpcbind-0.2.0-11.el6_7.x86_64
bind-libs-9.8.2-0.30.rc1.el6_6.3.x86_64
rpcbind-0.2.0-11.el6.x86_64
bind-dyndb-ldap-2.3-8.el6.x86_64
bind-9.8.2-0.37.rc1.el6_7.7.x86_64


SSSD configuration on client:
[domain/]

debug_level=18
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = 
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ds01., ds01.
dns_discovery_domain = 


Named FreeIPA logs:
---
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#36331: 
updating zone '/IN': deleting rrset at 'ZONE>' A
Mar 27 17:03:57 ds01. named[6607]: update_record 
(psearch) failed, dn 
'idnsName=2,idnsname=.in-addr.arpa.,cn=dns,dc=yyy,dc=xxx' 
change type 0x4. Records can be outdated, run `rndc reload`: not found
Mar 27 17:03:57 ds01. named[6607]: zone /IN: 
sending notifies (serial 1490615011)
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#46187: 
updating zone '/IN': deleting rrset at 
'.' 
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: 
updating zone '/IN': adding an RR at 
'.' A
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: 
updating zone '/IN': adding an RR at 
'.' A
Mar 27 17:03:57 ds01. named[6607]: zone 
.in-addr.arpa/IN: sending notifies (serial 1490627037)
Mar 27 17:04:02 ds01. named[6607]: zone /IN: 
sending notifies (serial 1490627038)


SSSD trace log on client during sssd restart:
---
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[ipa_dyndns_update_send] (0x0400): Performing update
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_destroy] 
(0x4000): releasing operation connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_is_address] 
(0x4000): [.] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record 
of '.' in DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]]

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-04-18 Thread David Goudet


Hi,

Nobody has response about my questions?

The main question is: Is it possible to configure SSSD to update DNS (option 
dyndns_update) with only IP address "primary" in ip addr list or which is used 
to FreeIPA server communication (-IP1- used on TCP binding)?

Thank you for your help.

Best regards,


On 03/27/2017 06:34 PM, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating 
host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP adress on network 
interface.
I have problem with machines which have more that one IP address on network 
interface: if machine have two IP address, SSSD update host DNS entry with 
these two IP address.

To reproduce the problem:
Host have -IP1- and i add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:  mtu 1496 qdisc mq state UP qlen 1000
 link/ether 
 inet -IP1-/26 brd  scope global em1
 inet -IP2-/26 scope global secondary em1
valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting 
sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used 
for the updates", what does it means? Is it IP address of the DNS server (used to 
update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind 
(-IP1- in my case)?

dyndns_update (boolean)
Optional. This option tells SSSD to automatically update the DNS 
server built into FreeIPA v2 with the IP address of this client.
The update is secured using GSS-TSIG. The IP address of the IPA 
LDAP connection is used for the updates, if it is not otherwise
specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on 
client machine?
Is it possible to configure SSSD to update DNS with only IP address "primary" 
in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP 
binding)?

My environment is:
Client: Centos 7.2
sssd-common-1.13.0-40.el7_2.12.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
sssd-1.13.0-40.el7_2.12.x86_64
sssd-client-1.13.0-40.el7_2.12.x86_64
FreeIPA server: Centos 6.7
ipa-server-3.0.0-47.el6.centos.2.x86_64
bind-9.8.2-0.30.rc1.el6_6.3.x86_64
bind-utils-9.8.2-0.37.rc1.el6_7.7.x86_64
bind-libs-9.8.2-0.37.rc1.el6_7.7.x86_64
rpcbind-0.2.0-11.el6_7.x86_64
bind-libs-9.8.2-0.30.rc1.el6_6.3.x86_64
rpcbind-0.2.0-11.el6.x86_64
bind-dyndb-ldap-2.3-8.el6.x86_64
bind-9.8.2-0.37.rc1.el6_7.7.x86_64


SSSD configuration on client:
[domain/]

debug_level=18
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = 
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ds01., ds01.
dns_discovery_domain = 


Named FreeIPA logs:
---
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#36331: updating zone '/IN': deleting rrset at '' A
Mar 27 17:03:57 ds01. named[6607]: update_record (psearch) failed, dn 
'idnsName=2,idnsname=.in-addr.arpa.,cn=dns,dc=yyy,dc=xxx' change type 0x4. 
Records can be outdated, run `rndc reload`: not found
Mar 27 17:03:57 ds01. named[6607]: zone /IN: sending 
notifies (serial 1490615011)
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#46187: updating zone 
'/IN': deleting rrset at '.' 
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: updating zone 
'/IN': adding an RR at '.' A
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: updating zone 
'/IN': adding an RR at '.' A
Mar 27 17:03:57 ds01. named[6607]: zone .in-addr.arpa/IN: 
sending notifies (serial 1490627037)
Mar 27 17:04:02 ds01. named[6607]: zone /IN: sending 
notifies (serial 1490627038)

SSSD trace log on client during sssd restart:
---
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [ipa_dyndns_update_send] 
(0x0400): Performing update
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_connect_step] 
(0x4000): reusing cached connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_destroy] (0x4000): 
releasing operation connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_is_address] (0x4000): 
[.] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_step] 
(0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_dns_query] (0x0100): 
Trying to resolve A record of '.' in DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_request_timeout] 
(0x2000): Scheduling a timeout of 6 seconds
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_timeout_watcher] 
(0x2000): Scheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [unschedule_timeout_watcher] 
(0x4000): Unscheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Mon Mar 27

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-03-28 Thread Martin Basti




On 03/27/2017 09:40 PM, Jakub Hrozek wrote:

On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating 
host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP adress on network 
interface.
I have problem with machines which have more that one IP address on network 
interface: if machine have two IP address, SSSD update host DNS entry with 
these two IP address.

To reproduce the problem:
Host have -IP1- and i add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:  mtu 1496 qdisc mq state UP qlen 1000
 link/ether 
 inet -IP1-/26 brd  scope global em1
 inet -IP2-/26 scope global secondary em1
valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting 
sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used 
for the updates", what does it means? Is it IP address of the DNS server (used to 
update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind 
(-IP1- in my case)?

dyndns_update (boolean)
Optional. This option tells SSSD to automatically update the DNS 
server built into FreeIPA v2 with the IP address of this client.
The update is secured using GSS-TSIG. The IP address of the IPA 
LDAP connection is used for the updates, if it is not otherwise
specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on 
client machine?


IIRC we added this to support multiple interfaces (user can choose which 
one to use) and to update both IPv6 () and IPv4 (A) records.


IPA/SSSD cannot reliably determine which IP address to use, it is all or 
none from interface. With the previous behavior users want to use 
different/more addresses than the one which has been detected from LDAP 
connection and it was not possible previously.



Do you have set  dyndns_iface in sssd.conf?

Martin

Looks like this was a deliberate change:
 https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?


Is it possible to configure SSSD to update DNS with only IP address "primary" 
in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP 
binding)?

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-03-27 Thread Jakub Hrozek

On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:
> Hi,
> 
> Thanks to dyndns_update=True parameter, SSSD service on client machine 
> updating host DNS entry in FreeIPA.
> Everything is fine on machines which have only one IP adress on network 
> interface.
> I have problem with machines which have more that one IP address on network 
> interface: if machine have two IP address, SSSD update host DNS entry with 
> these two IP address.
> 
> To reproduce the problem:
> Host have -IP1- and i add -IP2-
> ip addr add -IP2-/26 dev em1
> 
> ip addr list:
> em1:  mtu 1496 qdisc mq state UP qlen 1000
> link/ether 
> inet -IP1-/26 brd  scope global em1
> inet -IP2-/26 scope global secondary em1
>valid_lft forever preferred_lft forever
> 
> DNS resolution (dig) before restarting sssd returns only -IP1-. After 
> restarting sssd returns -IP1- & -IP2-
> 
> In dyndns_update manpage, we have "The IP address of the IPA LDAP connection 
> is used for the updates", what does it means? Is it IP address of the DNS 
> server (used to update the DNS entry)? or is it IP address on client machine 
> used during LDAP TCP bind (-IP1- in my case)?
> 
> dyndns_update (boolean)
>Optional. This option tells SSSD to automatically update the DNS 
> server built into FreeIPA v2 with the IP address of this client.
>The update is secured using GSS-TSIG. The IP address of the IPA 
> LDAP connection is used for the updates, if it is not otherwise
>specified by using the “dyndns_iface” option.
> 
> Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on 
> client machine?

Looks like this was a deliberate change:
https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

> Is it possible to configure SSSD to update DNS with only IP address "primary" 
> in ip addr list or which is used to FreeIPA server communication (-IP1- used 
> on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-03-27 Thread David Goudet

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating 
host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP adress on network 
interface.
I have problem with machines which have more that one IP address on network 
interface: if machine have two IP address, SSSD update host DNS entry with 
these two IP address.

To reproduce the problem:
Host have -IP1- and i add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:  mtu 1496 qdisc mq state UP qlen 1000
link/ether 
inet -IP1-/26 brd  scope global em1
inet -IP2-/26 scope global secondary em1
   valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After 
restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is 
used for the updates", what does it means? Is it IP address of the DNS server 
(used to update the DNS entry)? or is it IP address on client machine used 
during LDAP TCP bind (-IP1- in my case)?

dyndns_update (boolean)
   Optional. This option tells SSSD to automatically update the DNS 
server built into FreeIPA v2 with the IP address of this client.
   The update is secured using GSS-TSIG. The IP address of the IPA LDAP 
connection is used for the updates, if it is not otherwise
   specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on 
client machine?
Is it possible to configure SSSD to update DNS with only IP address "primary" 
in ip addr list or which is used to FreeIPA server communication (-IP1- used on 
TCP binding)?

My environment is:
Client: Centos 7.2
sssd-common-1.13.0-40.el7_2.12.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
sssd-1.13.0-40.el7_2.12.x86_64
sssd-client-1.13.0-40.el7_2.12.x86_64
FreeIPA server: Centos 6.7
ipa-server-3.0.0-47.el6.centos.2.x86_64
bind-9.8.2-0.30.rc1.el6_6.3.x86_64
bind-utils-9.8.2-0.37.rc1.el6_7.7.x86_64
bind-libs-9.8.2-0.37.rc1.el6_7.7.x86_64
rpcbind-0.2.0-11.el6_7.x86_64
bind-libs-9.8.2-0.30.rc1.el6_6.3.x86_64
rpcbind-0.2.0-11.el6.x86_64
bind-dyndb-ldap-2.3-8.el6.x86_64
bind-9.8.2-0.37.rc1.el6_7.7.x86_64


SSSD configuration on client:
[domain/]

debug_level=18
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = 
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ds01., ds01.
dns_discovery_domain = 


Named FreeIPA logs:
---
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#36331: updating 
zone '/IN': deleting rrset at '' A
Mar 27 17:03:57 ds01. named[6607]: update_record (psearch) failed, 
dn 'idnsName=2,idnsname=.in-addr.arpa.,cn=dns,dc=yyy,dc=xxx' change 
type 0x4. Records can be outdated, run `rndc reload`: not found
Mar 27 17:03:57 ds01. named[6607]: zone /IN: sending 
notifies (serial 1490615011)
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#46187: updating 
zone '/IN': deleting rrset at '.' 
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: updating 
zone '/IN': adding an RR at '.' A
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: updating 
zone '/IN': adding an RR at '.' A
Mar 27 17:03:57 ds01. named[6607]: zone .in-addr.arpa/IN: 
sending notifies (serial 1490627037)
Mar 27 17:04:02 ds01. named[6607]: zone /IN: sending 
notifies (serial 1490627038)

SSSD trace log on client during sssd restart:
---
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [ipa_dyndns_update_send] 
(0x0400): Performing update
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_connect_step] 
(0x4000): reusing cached connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_destroy] (0x4000): 
releasing operation connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_is_address] (0x4000): 
[.] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_step] 
(0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 
'.' in DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_request_timeout] 
(0x2000): Scheduling a timeout of 6 seconds
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_timeout_watcher] 
(0x2000): Scheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [unschedule_timeout_watcher] 
(0x4000): Unscheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [request_watch_destructor] 
(0x0400): Deleting request watch
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_is_address] (0x4000): 
[.] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_step] 
(0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]]

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

[Freeipa-users] SSSD dyndns_update on machine with multiple IP address

7 matches

Site Navigation

Mail list logo

Footer information