On Thu, May 09, 2013 at 01:00:02PM +0200, steve wrote:
Hi
sssd seems to be sending the wrong request to the DNS server:

(Thu May 9 12:57:04 2013) [sssd[be[default]]] [ad_dyndns_nsupdate_done] (0x0040): DNS update finished
(Thu May 9 12:57:06 2013) [sssd[be[default]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Error de entrada/salida
(Thu May 9 12:57:06 2013) [sssd[be[default]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Error de entrada/salida, resolver returned: [11]: Could not contact DNS servers
The logs are telling you that the SSSD cannot resolve the machine's host name. Can you try overriding it with "ad_hostname" or adding the hostname to /etc/hosts?
(Thu May 9 12:57:06 2013) [sssd[be[default]]] [nsupdate_get_addrs_done] (0x0040):
(Thu May 9 12:57:07 2013) [sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching.

Kerberos: TGS-REQ PINOSO$@HH3.SITE from ipv4:192.168.1.21:35144 for DNS/a.root-servers.net@HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for a.root-servers.net
Kerberos: Returning a referral to realm ROOT-SERVERS.NET for server DNS/a.root-servers.net@HH3.SITE that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=ROOT-SERVERS.NET)(trustPartner=ROOT-SERVERS.NET))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/ROOT-SERVERS.NET@HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.21:35144
Kerberos: TGS-REQ PINOSO$@HH3.SITE from ipv4:192.168.1.21:57031 for DNS/a.root-servers.net@HH3.SITE [renewable]
Kerberos: Server not found in database: DNS/a.root-servers.net@HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.21:57031
It is querying DNS/a.root-servers@HH3.SITE. We do not have that spn. Why doesn't it try DNS/hh16.hh3.site@HH3.SITE, which we do have?
Thanks
Steve
Where do these errors come from? I suspect this is actually nsupdate, not sssd. We simply call out nsupdate with GSS-TSIG.
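
A triage helper for KDC logs like the one quoted in this thread, added here as an example (not code from SSSD, Samba or any poster): it lists each TGS-REQ and flags service principals whose host lies outside the realm's DNS domain, such as DNS/a.root-servers.net. The names `triage` and `SAMPLE_KDC_LOG`, the assumption that the realm's DNS domain is the lower-cased realm name, and the last sample line are constructed for illustration.

```python
import re

# Constructed sample in the format of the KDC log quoted in the thread.
# The last line (port 40000) is invented to show an in-domain request.
SAMPLE_KDC_LOG = """\
Kerberos: TGS-REQ PINOSO$@HH3.SITE from ipv4:192.168.1.21:35144 for DNS/a.root-servers.net@HH3.SITE [canonicalize, renewable]
Kerberos: Server not found in database: krbtgt/ROOT-SERVERS.NET@HH3.SITE: no such entry found in hdb
Kerberos: TGS-REQ PINOSO$@HH3.SITE from ipv4:192.168.1.21:57031 for DNS/a.root-servers.net@HH3.SITE [renewable]
Kerberos: Server not found in database: DNS/a.root-servers.net@HH3.SITE: no such entry found in hdb
Kerberos: TGS-REQ PINOSO$@HH3.SITE from ipv4:192.168.1.21:40000 for DNS/hh16.hh3.site@HH3.SITE [renewable]
"""

TGS_REQ = re.compile(
    r"TGS-REQ (?P<client>\S+) from ipv[46]:(?P<addr>\S+):(?P<port>\d+) "
    r"for (?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)"
)
NOT_FOUND = re.compile(r"Server not found in database: (?P<spn>\S+): no such entry")


def triage(log_text, realm_domain):
    """Return one finding per TGS-REQ in log_text.

    in_realm_domain: the SPN host is realm_domain or a name below it.
    kdc_not_found:   the KDC logged "Server not found" for that SPN
                     anywhere in the same log.
    """
    missing = {m.group("spn") for m in NOT_FOUND.finditer(log_text)}
    domain = realm_domain.lower().rstrip(".")
    findings = []
    for m in TGS_REQ.finditer(log_text):
        host = m.group("host").lower().rstrip(".")
        spn = f"{m.group('svc')}/{m.group('host')}@{m.group('realm')}"
        findings.append({
            "client": m.group("client"),
            "source": m.group("addr"),
            "spn": spn,
            "in_realm_domain": host == domain or host.endswith("." + domain),
            "kdc_not_found": spn in missing,
        })
    return findings


if __name__ == "__main__":
    # Assumption: the DNS domain for realm HH3.SITE is hh3.site.
    for f in triage(SAMPLE_KDC_LOG, "hh3.site"):
        flag = "ok" if f["in_realm_domain"] else "OUTSIDE REALM DOMAIN"
        print(f"{f['source']} {f['client']} -> {f['spn']} [{flag}] "
              f"not_found={f['kdc_not_found']}")
```

A request flagged as outside the realm domain points at the client's name resolution rather than at a missing SPN on the KDC, which matches the resolver failures in the sssd log above.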