Description of problem:
SSSD is responsible for updating the host IP address records in FreeIPA. Not only does it not update AAAA records, it appears to be removing working AAAA records from hosts. For hosts accessible only over IPv6 this is a critical issue, as SSSD is removing their DNS records.

Version-Release number of selected component (if applicable):
sssd-1.11.4-1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up a host with dual stack v4/v6 to FreeIPA
2. Add the AAAA record for the host (as SSSD won't add it ...)
3. Wait

Actual results:
The AAAA record goes missing.

Expected results:
The AAAA record should be updated and created in the first place, and at a minimum should not be removed.

Additional info:
I think you need to use the dyndns_iface option; by default only the address of the connection towards the IPA server is copied to IPA:

dyndns_iface (string)
    Optional. Applicable only when dyndns_update is true. Choose the interface whose IP address should be used for dynamic DNS updates.

    NOTE: While it is still possible to use the old ipa_dyndns_iface option, users should migrate to using dyndns_iface in their config file.

    Default: Use the IP address of the IPA LDAP connection
Please verify your SSSD configuration and let us know if it works for you or not. Thanks!
[domain/ipa.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = lyra.ipa.example.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, petunia.ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = true
dyndns_iface = eth0

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.example.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

This configuration does not update the AAAA record as expected either (I have allowed it about ~3 hours to see if this would happen).
(In reply to William Brown from comment #3)
> This configuration does not update the AAAA record as expected either (I
> have allowed it about ~3 hours to see if this would happen).

That does sound like a bug, we will try to reproduce it locally. In the meantime, can you also put debug_level=10 into the [domain] section, restart the SSSD and attach /var/log/sssd/sssd_ipa.example.com.log ?
I couldn't reproduce the issue locally, sorry, I will need the logs. Feel free to attach them or send them to me locally. In my case the related part looks somewhat like this:

(Wed Mar 19 10:41:18 2014) [sssd[be[ipatest.example.com]]] [nsupdate_msg_create_common] (0x0200): Creating update message for server [master.ipatest.example.com] and realm [IPATEST.EXAMPLE.COM].
(Wed Mar 19 10:41:18 2014) [sssd[be[ipatest.example.com]]] [be_nsupdate_create_fwd_msg] (0x0200): Setting the zone explicitly to [ipatest.example.com].
(Wed Mar 19 10:41:18 2014) [sssd[be[ipatest.example.com]]] [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
server master.ipatest.example.com
realm IPATEST.EXAMPLE.COM
zone ipatest.example.com.
update delete client.example.com. in A
send
update delete client.example.com. in AAAA
send
update add client.example.com. 1200 in AAAA 2620:52:0:2204:3e97:eff:fe19:2ec0
update add client.example.com. 1200 in A 192.168.122.86
send
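The two comments above describe the mechanism under test: SSSD picks the addresses of one interface (dyndns_iface, or by default the address of its LDAP connection) and sends an nsupdate script that deletes the A and AAAA records for the host name and re-adds the current ones. The script below is an added example, not SSSD or FreeIPA code, that rebuilds the same update message by hand from `ip -o addr` output so an administrator can check, outside SSSD, whether a dual-stack host can publish both record types at all. It assumes the host keytab lives at /etc/krb5.keytab, that the IPA zone accepts GSS-TSIG updates (`nsupdate -g`), and it uses the 1200 second TTL from the log above; the `ip -o addr` lines it parses are constructed, not taken from the report. Skipping temporary (privacy) IPv6 addresses is this example's own choice for record stability, not something the page says SSSD does.

```shell
#!/bin/sh
# Added example (not SSSD/FreeIPA code): reproduce by hand the dynamic-DNS
# update SSSD performs for a dual-stack IPA client.
#
# Assumptions (not from the bug report): host keytab at /etc/krb5.keytab,
# the IPA zone accepts GSS-TSIG updates, interface name supplied by the admin.

# Print the global-scope IPv4/IPv6 addresses from `ip -o addr show dev <iface>`
# output read on stdin. Link-local (fe80::/10), non-global and temporary
# (privacy) IPv6 addresses are skipped: none of them belong in a AAAA record.
global_addrs() {
    awk '($3 == "inet" || $3 == "inet6") && / scope global/ && !/ temporary / {
             sub(/\/.*/, "", $4); print $4
         }'
}

# Emit an nsupdate script in the same shape as the "Begin nsupdate message"
# block SSSD logs: delete A, delete AAAA, then re-add every current address.
# Usage: build_nsupdate_msg SERVER REALM ZONE FQDN TTL ADDR...
build_nsupdate_msg() {
    server=$1; realm=$2; zone=$3; fqdn=$4; ttl=$5
    shift 5
    printf 'server %s\nrealm %s\nzone %s.\n' "$server" "$realm" "$zone"
    printf 'update delete %s. in A\nsend\n' "$fqdn"
    printf 'update delete %s. in AAAA\nsend\n' "$fqdn"
    for addr in "$@"; do
        case $addr in
            *:*) rr=AAAA ;;   # any colon means an IPv6 literal
            *)   rr=A ;;
        esac
        printf 'update add %s. %s in %s %s\n' "$fqdn" "$ttl" "$rr" "$addr"
    done
    printf 'send\n'
}

# Constructed `ip -o addr show dev eth0` output modelled on the eth0 layout
# from the report (172.24.4.1 and 2001:4::1), plus two addresses that must
# NOT be published: a temporary IPv6 address and the link-local address.
SAMPLE='2: eth0    inet 172.24.4.1/24 brd 172.24.4.255 scope global noprefixroute eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:4::1/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:4::abcd/64 scope global temporary dynamic \       valid_lft 86400sec preferred_lft 3600sec
2: eth0    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever'

# Message for the hypothetical host lyra.ipa.example.com against the IPA
# server petunia.ipa.example.com named in the posted configuration.
demo_msg() {
    build_nsupdate_msg petunia.ipa.example.com IPA.EXAMPLE.COM ipa.example.com \
        lyra.ipa.example.com 1200 $(printf '%s\n' "$SAMPLE" | global_addrs)
}

demo_msg

# To apply it for real on the client (host principal required for GSS-TSIG):
#   kinit -k -t /etc/krb5.keytab "host/$(hostname -f)"
#   build_nsupdate_msg petunia.ipa.example.com IPA.EXAMPLE.COM ipa.example.com \
#       "$(hostname -f)" 1200 $(ip -o addr show dev eth0 | global_addrs) | nsupdate -g
```

If the hand-built update succeeds while SSSD's does not, the problem is in SSSD's address selection or message generation rather than in the zone's update policy; if it fails with a REFUSED or NOTAUTH response, the host principal is not allowed to update that name and no SSSD setting will help.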
I will reply with the info you have requested in a few days, as at the moment I am investigating another issue which may in fact be falsely causing this problem.
Thank you. I'll be away next week, but I'm sure the other developers would chime in.
Hello Jakub and William, any update on this one? I am mostly asking so that I know what should FreeIPA team do with the related ticket that William filed: https://fedorahosted.org/freeipa/ticket/4249
I'm still waiting for the logs; in my dual-stack environment, all works fine.
I'm aware: I've been quite busy lately. I will endeavour to provide these asap.
Created attachment 886300 [details]
Log from sssd. Sanitised domain name.

I can't reproduce the AAAA problem (for now). But I have noticed that SSSD doesn't always update missing records either. Same config as before, but:

ipa_dyndns_update = False
dyndns_update = true
dyndns_iface = eth0

Iface eth0 has 172.24.4.1 2001:4::1 (trimmed)

Delete the SSHFP records in DNS, and the A record (to see if it updates). I.e. the starting record is:

Record name: lyra
AAAA record: 2001:4::1
(In reply to William Brown from comment #11)
> I can't reproduce the AAAA problem (For now). But I have noticed that SSSD
> doesn't always update missing records either.

I'm not sure what you mean. AFAIK SSSD never updates SSHFP records. It updates only address records.
I think that freeipa in general handles SSHFP records badly. SSSD doesn't update them, so if you reset a host SSH key they don't update. Delete and rebuild a host, and the SSHFP records are still around from the old host. Finally, sss caches the host record, and you can't delete the host key from the known hosts cache (I implemented a fix for this on the sssd mailing list however, it's just not been looked at or merged) When a host is added, it should take over that name and replace the sshfp records, and really, sssd should be updating those records. sssd is the gateway to ipa and the act of updating / changing a host ssh key is not unreasonable.
(In reply to William Brown from comment #13)
> I think that freeipa in general handles SSHFP records badly. SSSD doesn't
> update them, so if you reset a host SSH key they don't update. Delete and
> rebuild a host, and the SSHFP records are still around from the old host.
> Finally, sss caches the host record, and you can't delete the host key from
> the known hosts cache (I implemented a fix for this on the sssd mailing list
> however, it's just not been looked at or merged)
>
> When a host is added, it should take over that name and replace the sshfp
> records, and really, sssd should be updating those records. sssd is the
> gateway to ipa and the act of updating / changing a host ssh key is not
> unreasonable.

Can you open a separate bug for this issue? It is important to track, but we shouldn't mix discussions. Thanks.
Will do, thanks for your time.
I have been able to reproduce this issue now.

SSSD A and AAAA record updates when using:

ipa_dyndns_update = False
dyndns_update = true
dyndns_iface = enp2s0f0
dyndns_update_ptr = true

seem to be flaky at best, and normally don't seem to work at all. According to the log I have, no attempt was even made to perform a dyndns update.

I am running a second test and leaving the client for a few hours. I have removed A and AAAA in IPA and will wait and see if sssd can update these at all.
Created attachment 971605 [details]
Log of SSSD
(In reply to William Brown from comment #17)
> Created attachment 971605 [details]
> Log of SSSD

I cannot see anything about dynamic DNS updates in the log file. You should be able to find the message "Begin nsupdate message" in the log file.

(In reply to William Brown from comment #16)
> I have been able to reproduce this issue now.
>
> SSSD A and AAAA record updates when using:
>
> ipa_dyndns_update = False
> dyndns_iface = enp2s0f0

Deprecation warning: The option ipa_dyndns_update is deprecated and should not be used in favor of dyndns_update

Please do not use both of them with different values. The best would be to remove the deprecated option ipa_dyndns_update.

Could you provide new log files? They should contain the message "Begin nsupdate message".
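The conflict called out above, the deprecated ipa_dyndns_update set to False next to dyndns_update set to true in the same [domain/...] section, is easy to miss in a long sssd.conf. The following is an added example, not SSSD code, of a small shell check that pulls the options out of one section and refuses the pair. The sssd.conf text it is run on is constructed from the settings quoted in this thread; the parsing is deliberately minimal (one "key = value" per line, sections in brackets, '#' or ';' comments) and does not claim to match SSSD's own config parser.

```shell
#!/bin/sh
# Added example (not SSSD code): flag the deprecated ipa_dyndns_update option
# when it appears next to dyndns_update in an sssd.conf domain section.
# Minimal INI handling: "[section]" lines, "key = value" lines, #/; comments.

# Print "key=value" for every option in the named section of the config read
# on stdin, e.g. `section_options domain/ipa.example.com < /etc/sssd/sssd.conf`.
section_options() {
    awk -v want="[$1]" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { in_sec = ($0 == want); next }
        in_sec && /=/ {
            key = $0; sub(/[[:space:]]*=.*/, "", key); sub(/^[[:space:]]*/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
            print key "=" val
        }'
}

# Returns 0 when the section is clean and 1 when ipa_dyndns_update is set in
# the same section as dyndns_update, printing the offending pair.
check_dyndns_conf() {
    opts=$(section_options "$1")
    old=$(printf '%s\n' "$opts" | awk -F= '$1 == "ipa_dyndns_update" { print tolower($2) }')
    new=$(printf '%s\n' "$opts" | awk -F= '$1 == "dyndns_update" { print tolower($2) }')
    if [ -n "$old" ] && [ -n "$new" ]; then
        echo "$1: ipa_dyndns_update=$old is deprecated and conflicts with dyndns_update=$new; remove ipa_dyndns_update"
        return 1
    fi
    return 0
}

# Constructed sssd.conf fragment reproducing the conflicting settings from
# the report (domain and interface names as posted in this thread).
SAMPLE_CONF='[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
ipa_dyndns_update = False
dyndns_update = true
dyndns_iface = enp2s0f0
dyndns_update_ptr = true'

# Same section with the deprecated option removed: the corrected form.
FIXED_CONF='[domain/ipa.example.com]
id_provider = ipa
dyndns_update = true
dyndns_iface = enp2s0f0
dyndns_update_ptr = true'

printf '%s\n' "$SAMPLE_CONF" | check_dyndns_conf domain/ipa.example.com \
    || echo "fix the domain section before expecting A/AAAA updates"
printf '%s\n' "$FIXED_CONF" | check_dyndns_conf domain/ipa.example.com \
    && echo "domain/ipa.example.com: dyndns options are consistent"
```

Run it against the real file with `check_dyndns_conf domain/ipa.example.com < /etc/sssd/sssd.conf` before collecting logs, so that a log without any "Begin nsupdate message" line can be attributed to SSSD rather than to the two options cancelling each other out.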
William, Pavel Reichl has some patches which might fix your problem. I hope he can provide you some test packages in few days.
William, I have prepared a copr repo containing SSSD with patches that should solve your problem. Could you try them? Packages are for Fedora 21 (as this bug is filed against Fedora 21); please let me know if you prefer another version or if you have any trouble with copr or the provided packages. Thanks!

https://copr.fedoraproject.org/coprs/preichl/sssd-dyndns/
Hi, I actually don't have any fedora 21 machines any more. How hard would it be to build this sssd version for f22? Thanks,
In this case, I will move this BZ to fedora 22
It isn't a problem to prepare packages for Fedora 22. Packages from the preichl copr repo are based on sssd-1.12.5, but Fedora 22 already has the newer version sssd-1.13. The dyndns part is almost the same, though.

Pavel, could you prepare test packages for Fedora 22?
Hello, I have prepared new packages for Fedora 22. Per Lukas' suggestion I have also added patches related to ddns that are currently under review (support for the dyndns_server option and fixed formatting of the message for nsupdate). I hope this is not a problem for you, William. Thanks!

https://copr.fedoraproject.org/coprs/preichl/sssd-dyndns/
sssd-1.13.1-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-202c127199
sssd-1.13.1-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7b47df69d3
sssd-1.13.1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.

If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update sssd'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-202c127199
sssd-1.13.1-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.

If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update sssd'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7b47df69d3
sssd-1.13.1-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.13.1-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.