Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address
On 19.04.2017 17:14, David Goudet wrote:
On 04/19/2017 12:31 PM, Martin Bašti wrote:
On 17.04.2017 19:42, David Goudet wrote:

Hi,

Nobody has response about my questions?
The main question is: Is it possible to configure SSSD to update DNS (option dyndns_update) with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

Thank you for your help.
Best regards,

On 03/27/2017 09:40 PM, Jakub Hrozek wrote:
On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on network interface.
I have problem with machines which have more than one IP address on network interface: if machine have two IP address, SSSD update host DNS entry with these two IP address.

To reproduce the problem:
Host have -IP1- and I add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:mtu 1496 qdisc mq state UP qlen 1000
    link/ether
    inet -IP1-/26 brd scope global em1
    inet -IP2-/26 scope global secondary em1
       valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates", what does it mean? Is it IP address of the DNS server (used to update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind (-IP1- in my case)?

dyndns_update (boolean)
    Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on client machine?

IIRC we added this to support multiple interfaces (user can choose which one to use) and to update both IPv6 (AAAA) and IPv4 (A) records. IPA/SSSD cannot reliably determine which IP address to use, it is all or none from interface. With the previous behavior users want to use different/more addresses than the one which has been detected from LDAP connection and it was not possible previously.

Do you have set dyndns_iface in sssd.conf?

Martin

Looks like this was a deliberate change:
https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

Is it possible to configure SSSD to update DNS with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's possible to restrict one of the families.

I asked question here https://www.redhat.com/archives/freeipa-users/2017-March/msg00360.html

Hi,

Thank you for your response.

In sssd.conf parameter dyndns_iface is not defined, we are in case:
Default: Use the IP addresses of the interface which is used for IPA LDAP connection
This point (dyndns_iface) is ok, every IPs of this interface and only this interface is updated on IPA host DNS entry.

I use only IPv4, so it is not possible to filter on only one IP ("primary") it is "none" or "all" on one interface.

In my case I see two solutions:
- Split IP "primary" on one interface (bond0 for example) and other virtual IPs on one other interface (bond0.1 or bond1 for example)
- Disable dyndns_update functionality on this machine

You confirm, I have no other solutions?

Well, then you have only choices you wrote. Sorry.

--
Martin Bašti
Software Engineer
Red Hat Czech

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
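An added example (not from the thread and not SSSD code): a small Python check for the all-or-none behaviour discussed above. It parses `ip -o addr show` output and compares the host's DNS answers with the addresses on the dyndns interface, flagging published secondary addresses. The sample output, the 192.0.2.x addresses standing in for -IP1- and -IP2-, the function names and the global-scope filter are assumptions made for illustration.

```python
import ipaddress
import re
from collections import namedtuple

Addr = namedtuple("Addr", "iface ip secondary")

# Constructed sample of `ip -o addr show` output (documentation addresses);
# -IP1- is modelled as 192.0.2.10 and -IP2- as 192.0.2.20, both on em1.
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: em1    inet 192.0.2.10/26 brd 192.0.2.63 scope global em1\\       valid_lft forever preferred_lft forever
2: em1    inet 192.0.2.20/26 scope global secondary em1\\       valid_lft forever preferred_lft forever
2: em1    inet6 fe80::1/64 scope link \\       valid_lft forever preferred_lft forever
3: em2    inet 198.51.100.5/24 brd 198.51.100.255 scope global em2\\       valid_lft forever preferred_lft forever
"""

LINE_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+)/\d+\s+(.*)$")


def parse_ip_output(text):
    """Return the global-scope addresses found in `ip -o addr show` output."""
    addrs = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        iface, ip, rest = match.groups()
        # `ip -o` joins continuation lines with a backslash; flags come first.
        flags_part = rest.split("\\")[0]
        scope = re.search(r"\bscope (\S+)", flags_part)
        # Assumption: loopback and link-local addresses are not DNS candidates.
        if not scope or scope.group(1) != "global":
            continue
        secondary = "secondary" in flags_part.split()
        addrs.append(Addr(iface, ipaddress.ip_address(ip), secondary))
    return addrs


def expected_published(addrs, dyndns_iface):
    """Per the thread: every address on the interface is sent, all or none."""
    return sorted(str(a.ip) for a in addrs if a.iface == dyndns_iface)


def audit(addrs, dyndns_iface, dns_records):
    """Compare DNS answers (for example from `dig +short`) with the interface."""
    on_iface = {a.ip: a for a in addrs if a.iface == dyndns_iface}
    records = {ipaddress.ip_address(r) for r in dns_records}
    return {
        # Records that point at a secondary address (for example a virtual IP).
        "secondary_published": sorted(
            str(ip) for ip in records if ip in on_iface and on_iface[ip].secondary
        ),
        # Records that do not belong to the dyndns interface at all.
        "not_on_iface": sorted(str(ip) for ip in records - set(on_iface)),
        # Interface addresses that DNS does not (yet) carry.
        "missing_from_dns": sorted(str(ip) for ip in set(on_iface) - records),
    }


if __name__ == "__main__":
    parsed = parse_ip_output(SAMPLE_IP_OUTPUT)
    # Constructed DNS answer matching the state after the sssd restart.
    for key, value in audit(parsed, "em1", ["192.0.2.10", "192.0.2.20"]).items():
        print(f"{key}: {value}")
```

Feeding it the real `ip -o addr show` output and the host's A/AAAA answers shows whether a secondary address has reached DNS, which is the case for moving those addresses to another interface or disabling dyndns_update.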
Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address
On 04/19/2017 12:31 PM, Martin Bašti wrote:
On 17.04.2017 19:42, David Goudet wrote:

Hi,

Nobody has response about my questions?
The main question is: Is it possible to configure SSSD to update DNS (option dyndns_update) with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

Thank you for your help.
Best regards,

On 03/27/2017 09:40 PM, Jakub Hrozek wrote:
On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on network interface.
I have problem with machines which have more than one IP address on network interface: if machine have two IP address, SSSD update host DNS entry with these two IP address.

To reproduce the problem:
Host have -IP1- and I add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:mtu 1496 qdisc mq state UP qlen 1000
    link/ether
    inet -IP1-/26 brd scope global em1
    inet -IP2-/26 scope global secondary em1
       valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates", what does it mean? Is it IP address of the DNS server (used to update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind (-IP1- in my case)?

dyndns_update (boolean)
    Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on client machine?

IIRC we added this to support multiple interfaces (user can choose which one to use) and to update both IPv6 (AAAA) and IPv4 (A) records. IPA/SSSD cannot reliably determine which IP address to use, it is all or none from interface. With the previous behavior users want to use different/more addresses than the one which has been detected from LDAP connection and it was not possible previously.

Do you have set dyndns_iface in sssd.conf?

Martin

Looks like this was a deliberate change:
https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

Is it possible to configure SSSD to update DNS with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's possible to restrict one of the families.

I asked question here https://www.redhat.com/archives/freeipa-users/2017-March/msg00360.html

Hi,

Thank you for your response.

In sssd.conf parameter dyndns_iface is not defined, we are in case:
Default: Use the IP addresses of the interface which is used for IPA LDAP connection
This point (dyndns_iface) is ok, every IPs of this interface and only this interface is updated on IPA host DNS entry.

I use only IPv4, so it is not possible to filter on only one IP ("primary") it is "none" or "all" on one interface.

In my case I see two solutions:
- Split IP "primary" on one interface (bond0 for example) and other virtual IPs on one other interface (bond0.1 or bond1 for example)
- Disable dyndns_update functionality on this machine

You confirm, I have no other solutions?
Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address
On 17.04.2017 19:42, David Goudet wrote:

Hi,

Nobody has response about my questions?
The main question is: Is it possible to configure SSSD to update DNS (option dyndns_update) with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

Thank you for your help.
Best regards,

On 03/27/2017 06:34 PM, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on network interface.
I have problem with machines which have more than one IP address on network interface: if machine have two IP address, SSSD update host DNS entry with these two IP address.

To reproduce the problem:
Host have -IP1- and I add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:mtu 1496 qdisc mq state UP qlen 1000
    link/ether
    inet -IP1-/26 brd scope global em1
    inet -IP2-/26 scope global secondary em1
       valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates", what does it mean? Is it IP address of the DNS server (used to update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind (-IP1- in my case)?

dyndns_update (boolean)
    Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on client machine?
Is it possible to configure SSSD to update DNS with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?
Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address
Hi,

Nobody has response about my questions?
The main question is: Is it possible to configure SSSD to update DNS (option dyndns_update) with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

Thank you for your help.
Best regards,

On 03/27/2017 06:34 PM, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on network interface.
I have problem with machines which have more than one IP address on network interface: if machine have two IP address, SSSD update host DNS entry with these two IP address.

To reproduce the problem:
Host have -IP1- and I add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:mtu 1496 qdisc mq state UP qlen 1000
    link/ether
    inet -IP1-/26 brd scope global em1
    inet -IP2-/26 scope global secondary em1
       valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates", what does it mean? Is it IP address of the DNS server (used to update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind (-IP1- in my case)?

dyndns_update (boolean)
    Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on client machine?
Is it possible to configure SSSD to update DNS with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?
Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address
On 03/27/2017 09:40 PM, Jakub Hrozek wrote:
On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:

Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on network interface.
I have problem with machines which have more than one IP address on network interface: if machine have two IP address, SSSD update host DNS entry with these two IP address.

To reproduce the problem:
Host have -IP1- and I add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:mtu 1496 qdisc mq state UP qlen 1000
    link/ether
    inet -IP1-/26 brd scope global em1
    inet -IP2-/26 scope global secondary em1
       valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates", what does it mean? Is it IP address of the DNS server (used to update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind (-IP1- in my case)?

dyndns_update (boolean)
    Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on client machine?

IIRC we added this to support multiple interfaces (user can choose which one to use) and to update both IPv6 (AAAA) and IPv4 (A) records. IPA/SSSD cannot reliably determine which IP address to use, it is all or none from interface. With the previous behavior users want to use different/more addresses than the one which has been detected from LDAP connection and it was not possible previously.

Do you have set dyndns_iface in sssd.conf?

Martin

Looks like this was a deliberate change:
https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

Is it possible to configure SSSD to update DNS with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's possible to restrict one of the families.
Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address
On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:
> Hi,
>
> Thanks to dyndns_update=True parameter, SSSD service on client machine
> updating host DNS entry in FreeIPA.
> Everything is fine on machines which have only one IP address on network
> interface.
> I have problem with machines which have more than one IP address on network
> interface: if machine have two IP address, SSSD update host DNS entry with
> these two IP address.
>
> To reproduce the problem:
> Host have -IP1- and I add -IP2-
> ip addr add -IP2-/26 dev em1
>
> ip addr list:
> em1:mtu 1496 qdisc mq state UP qlen 1000
>     link/ether
>     inet -IP1-/26 brd scope global em1
>     inet -IP2-/26 scope global secondary em1
>        valid_lft forever preferred_lft forever
>
> DNS resolution (dig) before restarting sssd returns only -IP1-. After
> restarting sssd returns -IP1- & -IP2-
>
> In dyndns_update manpage, we have "The IP address of the IPA LDAP connection
> is used for the updates", what does it mean? Is it IP address of the DNS
> server (used to update the DNS entry)? or is it IP address on client machine
> used during LDAP TCP bind (-IP1- in my case)?
>
> dyndns_update (boolean)
>     Optional. This option tells SSSD to automatically update the DNS
>     server built into FreeIPA v2 with the IP address of this client.
>     The update is secured using GSS-TSIG. The IP address of the IPA
>     LDAP connection is used for the updates, if it is not otherwise
>     specified by using the “dyndns_iface” option.
>
> Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on
> client machine?

Looks like this was a deliberate change:
https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

> Is it possible to configure SSSD to update DNS with only IP address "primary"
> in ip addr list or which is used to FreeIPA server communication (-IP1- used
> on TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's possible to restrict one of the families.
[Freeipa-users] SSSD dyndns_update on machine with multiple IP address
Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on network interface.
I have problem with machines which have more than one IP address on network interface: if machine have two IP address, SSSD update host DNS entry with these two IP address.

To reproduce the problem:
Host have -IP1- and I add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1:mtu 1496 qdisc mq state UP qlen 1000
    link/ether
    inet -IP1-/26 brd scope global em1
    inet -IP2-/26 scope global secondary em1
       valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates", what does it mean? Is it IP address of the DNS server (used to update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind (-IP1- in my case)?

dyndns_update (boolean)
    Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client. The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on client machine?
Is it possible to configure SSSD to update DNS with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

My environment is:

Client: Centos 7.2
sssd-common-1.13.0-40.el7_2.12.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
sssd-1.13.0-40.el7_2.12.x86_64
sssd-client-1.13.0-40.el7_2.12.x86_64

FreeIPA server: Centos 6.7
ipa-server-3.0.0-47.el6.centos.2.x86_64
bind-9.8.2-0.30.rc1.el6_6.3.x86_64
bind-utils-9.8.2-0.37.rc1.el6_7.7.x86_64
bind-libs-9.8.2-0.37.rc1.el6_7.7.x86_64
rpcbind-0.2.0-11.el6_7.x86_64
bind-libs-9.8.2-0.30.rc1.el6_6.3.x86_64
rpcbind-0.2.0-11.el6.x86_64
bind-dyndb-ldap-2.3-8.el6.x86_64
bind-9.8.2-0.37.rc1.el6_7.7.x86_64

SSSD configuration on client:
[domain/]
debug_level=18
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain =
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ds01., ds01.
dns_discovery_domain =

Named FreeIPA logs:
---
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#36331: updating zone '/IN': deleting rrset at '' A
Mar 27 17:03:57 ds01. named[6607]: update_record (psearch) failed, dn 'idnsName=2,idnsname=.in-addr.arpa.,cn=dns,dc=yyy,dc=xxx' change type 0x4. Records can be outdated, run `rndc reload`: not found
Mar 27 17:03:57 ds01. named[6607]: zone /IN: sending notifies (serial 1490615011)
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#46187: updating zone '/IN': deleting rrset at '.'
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: updating zone '/IN': adding an RR at '.' A
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: updating zone '/IN': adding an RR at '.' A
Mar 27 17:03:57 ds01. named[6607]: zone .in-addr.arpa/IN: sending notifies (serial 1490627037)
Mar 27 17:04:02 ds01. named[6607]: zone /IN: sending notifies (serial 1490627038)

SSSD trace log on client during sssd restart:
---
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [ipa_dyndns_update_send] (0x0400): Performing update
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_is_address] (0x4000): [.] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of '.' in DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_is_address] (0x4000): [.] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]]