Dynamic DNS updates with sssd
Hi there
We are using sssd for AD integration on our RHEL 7 servers which works really well.
Now I'm trying to enable dyndns updates so we don't have to request DNS changes manually.
Forward entries are created successfully but reverse entries are not; I think it's because there is no Kerberos ticket.
Is it not possible to disable GSS-TSIG in sssd? I can't find anything in the man pages or documentation.
This is the debug log:
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [ad_online_cb] (0x0400): The AD provider is online
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [child_sig_handler] (0x0020): child [27195] failed with status [2].
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158228]: Dynamic DNS update failed
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying with server name
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [nsupdate_msg_create_common] (0x0200): Creating update message for server [dc1.fqdn.local] and realm [fqdn.local]
Running the nsupdate commands manually works fine if I invoke nsupdate without the -g option.
Any help is appreciated.
Thanks
Sandro
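As an added example (not from the thread or from sssd itself), a small parser for backend debug lines like the ones above that pulls out the nsupdate child's exit code and the server sssd retries against, so a failed dyndns run can be alerted on instead of read by hand. The sample log is constructed from the lines in the post; the decoding of status [512] as exit code 2 assumes that nsupdate_child_handler logs the raw waitpid() status while child_sig_handler logs the exit code itself, which the two lines above are consistent with.

```python
import re
from collections import namedtuple
from typing import List, Optional

# One sssd backend debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
STATUS_RE = re.compile(r"status \[(?P<status>\d+)\]")
SERVER_RE = re.compile(r"server \[(?P<server>[^\]]+)\]")

SssdEvent = namedtuple("SssdEvent", "timestamp domain func level message")

# Constructed sample: the failing attempt quoted in the post, plus one wrapped line
SAMPLE_LOG = """\
nsupdate auth type: GSS-TSIG
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [child_sig_handler] (0x0020): child [27195] failed with status [2].
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158228]: Dynamic DNS update failed
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying with server name
(Mon Feb 23 09:41:51 2015) [sssd[be[fqdn.local]]] [nsupdate_msg_create_common] (0x0200): Creating update message for server [dc1.fqdn.local] and realm [fqdn.local]
"""

def parse_sssd_log(text: str) -> List[SssdEvent]:
    """Parse timestamped lines; wrapped continuations without the prefix are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(SssdEvent(m["ts"], m["domain"], m["func"], int(m["level"], 16), m["msg"]))
    return events

def nsupdate_exit_code(ev: SssdEvent) -> Optional[int]:
    """Exit code of the nsupdate child from a 'status [N]' line, else None.
    Assumption: nsupdate_child_handler logs the raw waitpid() status, so the exit
    code sits in bits 8-15 (512 -> 2); child_sig_handler already logs the code (2)."""
    m = STATUS_RE.search(ev.message)
    if not m:
        return None
    status = int(m["status"])
    return (status >> 8) & 0xFF if ev.func == "nsupdate_child_handler" else status

def summarize_dyndns(events: List[SssdEvent]) -> dict:
    """What an alert on a failed dyndns run needs: failure flag, nsupdate exit
    codes seen, and the server names sssd fell back to for the retry."""
    codes = sorted({c for ev in events if (c := nsupdate_exit_code(ev)) is not None})
    failed = any("Dynamic DNS update failed" in ev.message for ev in events)
    retry = [m["server"] for ev in events
             if ev.func == "nsupdate_msg_create_common" and (m := SERVER_RE.search(ev.message))]
    return {"failed": failed, "exit_codes": codes, "retry_servers": retry}
```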
Responses
Hi Sandro,
We're using 6.6 rather than 7. I've seen the same thing here.
What I think is happening is that sssd needs to do the dynamic DNS update in two stages as it needs to update the forward and reverse zones. Each stage is executed by spawning off nsupdate. The forward zone update works at the server end, but the gssapi library on the client detects an error and returns status 2 (which is what you're seeing above). As a result, the reverse update isn't applied.
In our case, I found the forward zone on the Windows server (2012R2) was allowing "nonsecure and secure updates". I set this to "secure only" and the update completed without error. Your zone must be set the same because you can run nsupdate without the -g option. If you're able to try setting "secure only" it's possibly worth a punt.
The AD DDNS settings are described here.
Bigger question: What settings are needed in AD to enable DNS updates with GSS-TSIG from sssd?
I am looking into this, and do not have it working yet. Are the DNS updates made by sssd really to DHCP? Articles online I've found that show actual success indicate this is the case, e.g. this link.
The following blog might be helpful: https://blogs.technet.microsoft.com/jeffbutte/2016/12/18/265/
Hi Sandro,
Others already gave you useful links.
Please be careful with DDNS.
DDNS (Dynamic DNS) can be very bad in a flat zone. The better way to allow DDNS would be to separate subdomains and leave the master zone with only static records, and ensure some kind of control over who can update the DNS resource records.
Scenario:
I built a new VM and deliberately assigned it a hostname that had already been in use by a very critical server.
The new VM joined AD domain with “dyndns_update = True” option in SSSD config.
The new VM simply overwrote the valid DNS resource records for a critical server.
The point of this exercise:
By human error, or deliberately, anyone with domain rights can overwrite records via script or various tools because DDNS is allowed.
Careful setup of DDNS is required.
Regards,
Dusan Baljevic (Amateur Radio VK2COT)