[SSSD-users] Re: nsupdate

2018-03-13 Thread Lukas Slebodnik
On (13/03/18 10:40), Roger Martensson wrote:
>After some serious digging I caved in and upgraded dnsutils on my Ubuntu.
>Seems that the future Ubuntu 18.04 has a non-working install of nsupdate.
>When upgrading to version 9.12 nsupdate (using ISC PPA) everything started
>to work.
>

Sounds to me like the Ubuntu version of Fedora bug
https://bugzilla.redhat.com/show_bug.cgi?id=1484451

It should be already fixed in bind upstream (9.11)

LS
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Re: nsupdate

2018-03-13 Thread Andreas Hasenack
On Tue, Mar 13, 2018 at 8:40 AM, Roger Martensson <
roger.martens...@gmail.com> wrote:

> Hi
>
> On 13 March 2018 12:09, "Max DiOrio" wrote:
>
>> Is your dns server set to secure updates only?
>>
>
> Yes it is, and as it should be.
>
> I've filed a bug report on the package at Ubuntu's Launchpad so hopefully it
> gets resolved before release of 18.04.
>
>
This one, right?

https://bugs.launchpad.net/bugs/1755439


[SSSD-users] Re: nsupdate

2018-03-13 Thread Roger Martensson
Hi

On 13 March 2018 12:09, "Max DiOrio" wrote:

> Is your dns server set to secure updates only?
>

Yes it is, and as it should be.

I've filed a bug report on the package at Ubuntu's Launchpad so hopefully it
gets resolved before release of 18.04.

> On Tue, Mar 13, 2018, 5:40 AM Roger Martensson wrote:
>
>> After some serious digging I caved in and upgraded dnsutils on my Ubuntu.
>> Seems that the future Ubuntu 18.04 has a non-working install of nsupdate.
>> When upgrading to version 9.12 nsupdate (using ISC PPA) everything
>> started to work.
>>
>> 2018-03-09 19:24 GMT+01:00 Roger Martensson :
>>
>>> Hi!
>>>
>>> Setup: Ubuntu 18.04 (future), SSSD 1.16.0, nsupdate/bind: 9.11.2.P1,
>>> 2008R2 DC/DNS
>>>
>>> I need some help and guidance with troubleshooting nsupdate-problems.
>>> I get the famous "TSIG error with server: tsig verify failure" when
>>> trying to update my A-record against our Microsoft DNS.
>>> I get the error in sssd-logs and the same error when running nsupdate
>>> manually with the same input as found in the logs (when cranking up debug
>>> level).
>>>
>>> I have tried with client keytab and with a user that I know has
>>> permission to update. (nsupdate with -g)
>>>
>>> SSSD is fully configured and I can do user lookups and logins.
>>> ldapsearch against different domains in the forest with -Y GSSAPI works
>>> without problem.
>>>
>>> Our setup is a domain forest where the clients are in the subdomain and
>>> the DNS is in the parent domain. Parent DNS domain and subdomains is in the
>>> same Zone and has Secure Only updates enabled.
>>>
>>> Anyone have any ideas what I can do next to troubleshoot this issue?
>>>
>>>
>>>
>>>


[SSSD-users] Re: nsupdate

2018-03-13 Thread Max DiOrio
Is your dns server set to secure updates only?

On Tue, Mar 13, 2018, 5:40 AM Roger Martensson wrote:

> After some serious digging I caved in and upgraded dnsutils on my Ubuntu.
> Seems that the future Ubuntu 18.04 has a non-working install of nsupdate.
> When upgrading to version 9.12 nsupdate (using ISC PPA) everything started
> to work.
>
> 2018-03-09 19:24 GMT+01:00 Roger Martensson :
>
>> Hi!
>>
>> Setup: Ubuntu 18.04 (future), SSSD 1.16.0, nsupdate/bind: 9.11.2.P1,
>> 2008R2 DC/DNS
>>
>> I need some help and guidance with troubleshooting nsupdate-problems.
>> I get the famous "TSIG error with server: tsig verify failure" when
>> trying to update my A-record against our Microsoft DNS.
>> I get the error in sssd-logs and the same error when running nsupdate
>> manually with the same input as found in the logs (when cranking up debug
>> level).
>>
>> I have tried with client keytab and with a user that I know has
>> permission to update. (nsupdate with -g)
>>
>> SSSD is fully configured and I can do user lookups and logins. ldapsearch
>> against different domains in the forest with -Y GSSAPI works without problem.
>>
>> Our setup is a domain forest where the clients are in the subdomain and
>> the DNS is in the parent domain. Parent DNS domain and subdomains is in the
>> same Zone and has Secure Only updates enabled.
>>
>> Anyone have any ideas what I can do next to troubleshoot this issue?
>>
>>
>>
>>


[SSSD-users] Re: nsupdate

2018-03-13 Thread Roger Martensson
After some serious digging I caved in and upgraded dnsutils on my Ubuntu.
Seems that the future Ubuntu 18.04 has a non-working install of nsupdate.
When upgrading to version 9.12 nsupdate (using ISC PPA) everything started
to work.

2018-03-09 19:24 GMT+01:00 Roger Martensson :

> Hi!
>
> Setup: Ubuntu 18.04 (future), SSSD 1.16.0, nsupdate/bind: 9.11.2.P1,
> 2008R2 DC/DNS
>
> I need some help and guidance with troubleshooting nsupdate-problems.
> I get the famous "TSIG error with server: tsig verify failure" when trying
> to update my A-record against our Microsoft DNS.
> I get the error in sssd-logs and the same error when running nsupdate
> manually with the same input as found in the logs (when cranking up debug
> level).
>
> I have tried with client keytab and with a user that I know has
> permission to update. (nsupdate with -g)
>
> SSSD is fully configured and I can do user lookups and logins. ldapsearch
> against different domains in the forest with -Y GSSAPI works without problem.
>
> Our setup is a domain forest where the clients are in the subdomain and
> the DNS is in the parent domain. Parent DNS domain and subdomains is in the
> same Zone and has Secure Only updates enabled.
>
> Anyone have any ideas what I can do next to troubleshoot this issue?
>
>
>
>


[SSSD-users] Re: nsupdate/sss_ssh_authorized_keys not working until sssd.conf is touched

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 08:59:34AM -0500, Michael Smith wrote:
> On Fri, Mar 3, 2017 at 3:36 AM, Jakub Hrozek  wrote:
> 
> > On Thu, Mar 02, 2017 at 10:20:53PM -0500, Michael Smith wrote:
> > > I've been using sssd with AD on Ubuntu 16.04 for several months (sssd
> > > 1.13.4). I've joined probably a few dozen VMs to a domain. More often
> > than
> >
> 
> 
> > > I can reboot or restart sssd as many times as I like and it won't fix it.
> > > But as soon as I would bump up the debuglevel in /etc/sssd/sssd.conf and
> > > "systemctl restart sssd", everything would work.
> >
> > The only explanation I have is that 'something', either some join script
> > or whatever is used updates sssd.conf after sssd is started. The way
> > sssd reads its configuration is that on sssd startup, we check the
> > timestamp of sssd.conf, compare it with the timestamp of sssd's internal
> > configuration database (/var/lib/sss/db/config.ldb) and if sssd.conf is
> > newer, sssd regenerates the configuration database.
> >
> > And perhaps the problem is that the resolution of the timestamp is only
> > down to seconds, so if you update the config file on the same second as
> > the last restart, sssd might not detect the config file was changed?
> 
> 
> Oh, thanks, that must be it. I'm using Puppet to join so it may very well
> all happen within the same second. In fact, I see the module I'm using
> (walkamongus/realmd) has a block to remove the cache after updating
> sssd.conf, but there must be a race condition somewhere.
> 
> I'll add a line to the systemd unit to delete config.ldb before each start,
> something like "ExecStartPre=/bin/rm /var/lib/sss/db/config.ldb".

I think touching the config file might be simpler?

btw the sssd bug that causes this is
https://pagure.io/SSSD/sssd/issue/3020

> Or is
> there a config option to force config.ldb to be generated each time sssd
> starts? I looked at it with tdbdump and it seems pretty small, probably not
> worth caching really. Or is there something in there that needs to be
> retained between runs?
> 

No, the confdb cache is there only to make it easy to read config values
using the same API we use for reading cache entries.
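
The same-second case discussed in the message above, as an added example that is not part of the thread and is not SSSD code: it models the comparison of sssd.conf against config.ldb at whole-second resolution and shows a deterministic variant of the "touch the config file" fix for a provisioning step. The function names are hypothetical, GNU `stat` and `touch` are assumed, and the demo runs on constructed scratch files only.

```bash
#!/usr/bin/env bash
# Added example, not SSSD code: models the whole-second mtime comparison
# described in the thread. Assumes GNU stat and touch.

# mtime of a file in whole seconds since the epoch
mtime_s() { stat -c %Y -- "$1"; }

# Classify sssd.conf ($1) against config.ldb ($2):
#   regenerate  conf is strictly newer, so a restart rebuilds config.ldb
#   ambiguous   same second; an edit made in that second can go unnoticed
#   cached      config.ldb is newer, the cached configuration is reused
#   missing     no config.ldb yet, nothing cached
confdb_state() {
    local conf=$1 db=$2 c d
    [ -e "$db" ] || { echo missing; return 0; }
    c=$(mtime_s "$conf") || return 2
    d=$(mtime_s "$db") || return 2
    if [ "$c" -gt "$d" ]; then echo regenerate
    elif [ "$c" -eq "$d" ]; then echo ambiguous
    else echo cached
    fi
}

# Deterministic form of "touch the config file": in the ambiguous case,
# set sssd.conf's mtime one second past config.ldb's.
ensure_conf_newer() {
    local conf=$1 db=$2
    if [ "$(confdb_state "$conf" "$db")" = ambiguous ]; then
        touch -d "@$(( $(mtime_s "$db") + 1 ))" -- "$conf"
    fi
}

# Constructed demo on scratch files; never touches /etc/sssd or /var/lib/sss.
demo() {
    local dir
    dir=$(mktemp -d)
    : > "$dir/sssd.conf"
    : > "$dir/config.ldb"
    touch -d @1488550000 -- "$dir/sssd.conf" "$dir/config.ldb"
    echo "before: $(confdb_state "$dir/sssd.conf" "$dir/config.ldb")"
    ensure_conf_newer "$dir/sssd.conf" "$dir/config.ldb"
    echo "after:  $(confdb_state "$dir/sssd.conf" "$dir/config.ldb")"
    rm -rf -- "$dir"
}
demo
```

Run against the real paths, `confdb_state /etc/sssd/sssd.conf /var/lib/sss/db/config.ldb` reporting `ambiguous` right after a join is the condition under which a restart alone would not pick up the new configuration.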