On 22/05/14 12:37, steve wrote:
On 21/05/14 22:14, Jakub Hrozek wrote:
On Wed, May 21, 2014 at 09:07:23PM +0200, steve wrote:
So why does nsupdate work but sssd doesn't?
Can you show me how you invoke nsupdate manually?
(sssd just invokes nsupdate itself, so it must be some difference in the
command file I guess).
Simo.
Ah just saw this in your other reply:
steve@lubuntu-laptop:/tmp$ nsupdate -g -d
> server 192.168.1.16
> realm HH3.SITE
> update delete lubuntu-laptop.hh3.site 3600 A
> update add lubuntu-laptop.hh3.site 3600 A 192.168.1.22
> send
So I guess the trick is finding out what sssd puts in the 'server'
field. I suspect it puts the AD DC name, and then nsupdate somehow has
issues resolving which DNS server that refers to.
If you raise the SSSD debug level to include SSSDBG_TRACE_FUNC messages
you should see a dump of the generated nsupdate msg file. Then you can
use it manually with nsupdate to find out what breaks in your setup.
simo.
Hi
OK. How do I 'include SSSDBG_TRACE_FUNC messages'?
The thing is that 1.11.5 works fine with our openSUSE clients but
not with the package which comes with Ubuntu 14.04. Anyway, we would
like to know why.
Thanks.
Steve
Put debug_level=7 (or higher, up to 10) in the [domain] section of
sssd.conf and run the test case again.
The logs should then include the full nsupdate message.
Also, did you kinit as the same principal the SSSD uses? Typically we'd
use shortname$@realm. That should be visible from the logs as well.
Hi
sssd sends:
update add lubuntu-laptop. 3600 in A 192.168.1.22
This fails with the short hostname, dot or no dot.
It works with nsupdate manually only with the fqdn:
update add lubuntu-laptop.hh3.site 3600 A 192.168.1.22
Can we get sssd to send the fqdn rather than the short hostname?
Cheers,
Steve
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[nsupdate_msg_create_common] (0x0200): Creating update message for realm
[HH3.SITE].
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
realm HH3.SITE
update delete lubuntu-laptop. in A
send
update delete lubuntu-laptop. in AAAA
send
update add lubuntu-laptop. 3600 in A 192.168.1.22
send
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- End nsupdate message --
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_done] (0x0400): (Thu May 22 12:18:20 2014)
[sssd[be[hh3.site]]] [be_nsupdate_args] (0x0200): Search result:
Success(0), no errmsg set
nsupdate auth type: GSS-TSIG
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[ad_subdomains_get_slave_domain_done] (0x1000): There are no changes
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
code may provide more information, Minor = Server not found in Kerberos
database.
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [child_sig_handler]
(0x1000): Waiting for child [3529].
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [child_sig_handler]
(0x0020): child [3529] failed with status [1].
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [nsupdate_child_handler]
(0x0040): Dynamic DNS child failed with status [256]
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [be_nsupdate_done]
(0x0040): nsupdate child execution failed [1432158228]: Dynamic DNS
update failed
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]]
[sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying with
server name
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]]
[nsupdate_msg_create_common] (0x0200): Creating update message for
server [hh16.hh3.site] and realm [HH3.SITE].
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
server hh16.hh3.site
realm HH3.SITE
update delete lubuntu-laptop. in A
send
update delete lubuntu-laptop. in AAAA
send
update add lubuntu-laptop. 3600 in A 192.168.1.22
send
here is the DC:
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:50954
for DNS/a.root-servers....@hh3.site [canonicalize, renewable]
Kerberos: Searching referral for a.root-servers.net
Kerberos: Returning a referral to realm ROOT-SERVERS.NET for server
DNS/a.root-servers....@hh3.site that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=ROOT-SERVERS.NET)(trustPartner=ROOT-SERVERS.NET))):
got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database:
krbtgt/root-servers....@hh3.site: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:50954
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:50955
for DNS/a.root-servers....@hh3.site [renewable]
Kerberos: Server not found in database: DNS/a.root-servers....@hh3.site:
no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:50955
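As an added diagnostic (not SSSD's or nsupdate's own code), the script below pulls the "-- Begin nsupdate message --" dumps that the debug_level advice above produces out of an sssd log and flags any update whose owner name is a bare host label rather than an FQDN, which is the case in the log above. The sample log is constructed from lines in this thread, and the timestamp pattern is assumed from the format of those lines.

```python
import re

# Constructed sample: SSSD debug log with two dumped nsupdate messages, wrapped as in the post.
SAMPLE_LOG = """\
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
realm HH3.SITE
update add lubuntu-laptop. 3600 in A 192.168.1.22
send
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- End nsupdate message --
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
server hh16.hh3.site
realm HH3.SITE
update add lubuntu-laptop.hh3.site. 3600 in A 192.168.1.22
send
"""
BEGIN, END = "-- Begin nsupdate message --", "-- End nsupdate message --"
TIMESTAMP = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\)")

def extract_messages(log):
    """Return the command lines of each dumped message. A dump ends at the End
    marker or at the next timestamped log line (the second dump above has no End)."""
    msgs, cur = [], None
    for line in log.splitlines():
        if BEGIN in line:
            cur = []
        elif cur is not None and (END in line or TIMESTAMP.match(line)):
            msgs.append(cur)
            cur = None
        elif cur is not None and line.strip():
            cur.append(line.strip())
    if cur:
        msgs.append(cur)
    return msgs

def audit_message(cmds):
    """Summarise one message: server, realm, owner names, and names that are a
    single label (no 'server' line plus a bare label is the failing combination)."""
    info = {"server": None, "realm": None, "names": [], "short_names": []}
    for cmd in cmds:
        tok = cmd.split()
        if tok[0] in ("server", "realm") and len(tok) > 1:
            info[tok[0]] = tok[1]
        elif tok[0] == "update" and len(tok) >= 3:
            info["names"].append(tok[2])
            if "." not in tok[2].rstrip("."):   # single label -> not an FQDN
                info["short_names"].append(tok[2])
    return info
```

Run it over the real sssd_<domain>.log; a message with no server line and a short_names entry is the one to replay with nsupdate by hand, as suggested above.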
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users