Hi guys,
I've noticed that dynamic DNS updates aren't working with my setup. The client is Ubuntu 12.04 using SSSD 1.11.1, with Server 2008 AD on the backend.
Here's my config:

[sssd]
config_file_version = 2
debug_level = 0
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = DOMAIN

[pam]
debug_level = 0

[nss]
debug_level = 10
filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
filter_groups = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
reconnection_retries = 3

[domain/DOMAIN]
debug_level = 10
ad_domain = DOMAIN.local
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
enumerate = true
cache_credentials = true
# Will check unixHomeDirectory LDAP attribute for a value first
fallback_homedir = /home/%u
ldap_user_home_directory = unixHomeDirectory
dyndns_update = true
dyndns_update_ptr = true
dyndns_refresh_interval = 30
ldap_schema = ad
ldap_id_mapping = true
When viewing debug output, I saw this under the domain log:

(Mon Oct 14 10:33:01 2013) [sssd[be[wysu]]] [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
server milkdud.DOMAIN.local
realm DOMAIN.LOCAL
update delete snickers. in A
send
update delete snickers. in AAAA
send
update add snickers. 3600 in A 10.11.12.41
send
When I try to perform this update manually using `nsupdate -g`, it fails with the following error:

tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.

However, if I replace 'snickers.' with the FQDN 'snickers.DOMAIN.local', the update works fine.
I'm assuming this is an SSSD configuration error since the FQDN is not being used during the update. Any ideas how to solve this?
Thanks!
-Chris
On Mon, Oct 14, 2013 at 11:10:47AM -0400, Chris Hartman wrote:
I'm assuming this is an SSSD configuration error since the FQDN is not being used during the update. Any ideas how to solve this?
Does the hostname command on the shell return just snickers or the FQDN?
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Sumit,
Just 'snickers'
-Chris
On Mon, Oct 14, 2013 at 11:21 AM, Sumit Bose sbose@redhat.com wrote:
Does the hostname command on the shell return just snickers or the FQDN?
bye, Sumit
Hmm. It appears that setting the hostname to the FQDN using the `hostname $FQDN` command solves this problem until a reboot. For a permanent solution, I'm adding the FQDN to /etc/hostname and ensuring /etc/hosts has '127.0.1.1 $HOST $FQDN'.
However, I have a follow-up question. I notice that SSSD is only updating IPv4 records. How can I ensure IPv6 updates? Thanks!
-Chris
On Mon, Oct 14, 2013 at 11:24 AM, Chris Hartman qrstuv@gmail.com wrote:
Sumit,
Just 'snickers'
-Chris
On Mon, Oct 14, 2013 at 12:13:22PM -0400, Chris Hartman wrote:
Hmm. It appears that setting the hostname to the FQDN using the `hostname $FQDN` command solves this problem until a reboot. For a permanent solution, I'm adding the FQDN to /etc/hostname and ensuring /etc/hosts has '127.0.1.1 $HOST $FQDN'.
As an alternative, you can try to use the FQDN in the ad_hostname option in sssd.conf.
However, I have a follow-up question. I notice that SSSD is only updating IPv4 records. How can I ensure IPv6 updates? Thanks!
In general it should. Maybe try to use the dyndns_iface option. Feel free to send more detailed logs so that I can have a closer look.
bye, Sumit
Maybe try to use the dyndns_iface option
This forced an IPv6 record update :)
How come this wasn't done automatically, though?
While entirely possible, it's a bit of a pain to set the interface for all hosts, especially because there is no guarantee that it will be the same interface for every host. If I could get around setting this explicitly, that would be a better option.
Thanks!
-Chris
On 10/14/2013 12:55 PM, Chris Hartman wrote:
How come this wasn't done automatically, though?
While entirely possible, it's a bit of a pain to set the interface for all hosts, especially because there is no guarantee that it will be the same interface for every host. If I could get around setting this explicitly, that would be a better option.
It's very difficult to determine exactly which interface is the public one. When we don't have the dyndns_iface option specified, our default behavior is to assume that the IP address we are using to connect to LDAP is the public one.
Probably would be a good RFE to make sure it updates DNS with any and all IP addresses assigned to that interface though, rather than simply the one that's actually connected to LDAP.
On Mon, 2013-10-14 at 12:13 -0400, Chris Hartman wrote:
Hmm. It appears that setting the hostname to the FQDN using the `hostname $FQDN` command solves this problem until a reboot. For a permanent solution, I'm adding the FQDN to /etc/hostname and ensuring /etc/hosts has '127.0.1.1 $HOST $FQDN'.
This may break some apps that do reverse lookups and use Kerberos. If you really want to set the name in /etc/hosts you *really* want to put the FQDN as the first option and the short name second.
Simo.
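As an added example (not SSSD's code and not from anyone in this thread), a short POSIX shell script that checks the two prerequisites raised here (that `hostname` returns an FQDN, and that the 127.0.1.1 line in /etc/hosts lists the FQDN before the short name, as Simo recommends) and builds the same nsupdate script SSSD logged above, but with the FQDN and an A or AAAA record for every address given, which is the behaviour the RFE asks for; the helper names and the fd00::41 address are constructed.

```shell
#!/bin/sh
# Added example, not SSSD code: hostname checks plus a forward-zone
# nsupdate script in the shape be_nsupdate_create_fwd_msg logs, using the
# FQDN and one record per address (helper names are hypothetical).

# is_fqdn HOSTNAME
# Returns 0 when the value `hostname` prints contains a dot (an FQDN),
# 1 for a short name such as "snickers", which makes the GSS-TSIG TKEY
# step fail with "Server not found in Kerberos database".
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# hosts_fqdn_first FQDN < /etc/hosts
# Returns 0 when the 127.0.1.1 line exists and lists the FQDN before the
# short name, so reverse lookups by Kerberos-aware apps yield the FQDN.
hosts_fqdn_first() {
    awk -v fqdn="$1" '
        $1 == "127.0.1.1" { found = 1; ok = ($2 == fqdn) }
        END { if (found && ok) exit 0; exit 1 }'
}

# build_fwd_msg SERVER REALM FQDN TTL ADDR...
# Prints the update script: stale A and AAAA records are deleted first
# (as SSSD does), then one record per address, A for IPv4 and AAAA for
# IPv6 (any address containing ':').
build_fwd_msg() {
    server=$1; realm=$2; fqdn=$3; ttl=$4
    shift 4
    printf 'server %s\nrealm %s\n' "$server" "$realm"
    printf 'update delete %s. in A\nsend\n' "$fqdn"
    printf 'update delete %s. in AAAA\nsend\n' "$fqdn"
    for addr in "$@"; do
        case "$addr" in
            *:*) rr=AAAA ;;
            *)   rr=A ;;
        esac
        printf 'update add %s. %s in %s %s\nsend\n' "$fqdn" "$ttl" "$rr" "$addr"
    done
}

# Constructed demonstration with the thread's names (fd00::41 is made up).
# On a real host use "$(hostname)" and pipe the script to `nsupdate -g`.
is_fqdn snickers || echo "short hostname: records would be sent as 'snickers.'" >&2
build_fwd_msg milkdud.DOMAIN.local DOMAIN.LOCAL snickers.DOMAIN.local 3600 \
    10.11.12.41 fd00::41
```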
On Mon, Oct 14, 2013 at 1:58 PM, Simo Sorce simo@redhat.com wrote:
If you really want to set the name in /etc/hosts you *really* want to put the FQDN as the first option and the short name second.
This is normally my standard practice; I just typed it incorrectly in my previous reply. I appreciate you pointing this out, though.
Probably would be a good RFE to make sure it updates DNS with any and all IP addresses assigned to that interface though, rather than simply the one that's actually connected to LDAP.
I agree, so long as this extends to multiple protocols (v4 and v6) and not just multiple addresses. One possible hiccup is IPv6 and privacy extensions which can create several addresses per interface. I would like to see an enhancement like this in the future, though.
-Chris
On 10/14/2013 03:33 PM, Chris Hartman wrote:
Probably would be a good RFE to make sure it updates DNS with any and all IP addresses assigned to that interface though, rather than simply the one that's actually connected to LDAP.
I agree, so long as this extends to multiple protocols (v4 and v6) and not just multiple addresses. One possible hiccup is IPv6 and privacy extensions which can create several addresses per interface. I would like to see an enhancement like this in the future, though.
Please file one.
Bug report opened for tracking: https://fedorahosted.org/sssd/ticket/2120
Thanks for all your help, gentlemen!
-Chris
On Mon, Oct 14, 2013 at 6:22 PM, Dmitri Pal dpal@redhat.com wrote:
Please file one.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio, Red Hat Inc.