Bug 1077464 - SSSD during host ip update for freeipa is removing AAAA records.
Summary: SSSD during host ip update for freeipa is removing AAAA records.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 22
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Pavel Reichl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-18 04:14 UTC by William Brown
Modified: 2016-01-15 18:16 UTC (History)

Fixed In Version: sssd-1.13.1-2.fc23 sssd-1.13.1-2.fc22
Clone Of:
Environment:
Last Closed: 2015-10-11 16:04:14 UTC
Type: Bug
Embargoed:


Attachments
Log from sssd. Sanitised domain name. (219.71 KB, text/plain), 2014-04-14 22:56 UTC, William Brown
Log of SSSD (193.50 KB, text/plain), 2014-12-21 04:48 UTC, William Brown

Description William Brown 2014-03-18 04:14:48 UTC
Description of problem:
SSSD is responsible for updating the host IP address records in FreeIPA. Not only does it not update AAAA records, it appears to be removing working AAAA records from hosts.

For IPv6-only accessible hosts this is a critical issue, as SSSD is removing their DNS records.

Version-Release number of selected component (if applicable):
sssd-1.11.4-1.fc19.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Set up a host with dual-stack v4/v6 in FreeIPA
2. Add the AAAA record for the host (as SSSD won't add it ...)
3. Wait

Actual results:
The AAAA record goes missing.

Expected results:
The AAAA record should be created in the first place and updated, and at minimum should not be removed.

Additional info:

Comment 1 Jakub Hrozek 2014-03-18 08:32:20 UTC
I think you need to use the dyndns_iface option; by default only the address of the connection towards the IPA server is copied to IPA:

    dyndns_iface (string)
           Optional. Applicable only when dyndns_update is true. Choose the
           interface whose IP address should be used for dynamic DNS updates.

           NOTE: While it is still possible to use the old ipa_dyndns_iface
           option, users should migrate to using dyndns_iface in their config
           file.

           Default: Use the IP address of the IPA LDAP connection

Comment 2 Petr Spacek 2014-03-18 13:04:31 UTC
Please verify your SSSD configuration and let us know if it works for you or not. Thanks!

Comment 3 William Brown 2014-03-18 23:08:37 UTC
[domain/ipa.example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = lyra.ipa.example.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, petunia.ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = true
dyndns_iface = eth0
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2

domains = ipa.example.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]



This configuration does not update the AAAA record as expected either (I have allowed it about ~3 hours to see if this would happen).

Comment 4 Jakub Hrozek 2014-03-19 08:59:25 UTC
(In reply to William Brown from comment #3)
> This configuration does not update the AAAA record as expected either (I
> have allowed it about ~3 hours to see if this would happen).

That does sound like a bug; we will try to reproduce it locally. In the meantime, can you also put debug_level=10 into the [domain] section, restart SSSD and attach /var/log/sssd/sssd_ipa.example.com.log?

Comment 5 Jakub Hrozek 2014-03-19 09:43:22 UTC
I couldn't reproduce the issue locally, sorry, I will need the logs. Feel free to attach them or send them to me locally.

In my case the related part looks somewhat like this:
(Wed Mar 19 10:41:18 2014) [sssd[be[ipatest.example.com]]] [nsupdate_msg_create_common] (0x0200): Creating update message for server [master.ipatest.example.com] and realm [IPATEST.EXAMPLE.COM]
(Wed Mar 19 10:41:18 2014) [sssd[be[ipatest.example.com]]] [be_nsupdate_create_fwd_msg] (0x0200): Setting the zone explicitly to [ipatest.example.com].
(Wed Mar 19 10:41:18 2014) [sssd[be[ipatest.example.com]]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 
server master.ipatest.example.com
realm IPATEST.EXAMPLE.COM
zone ipatest.example.com.
update delete client.example.com. in A
send
update delete client.example.com. in AAAA
send
update add client.example.com. 1200 in AAAA 2620:52:0:2204:3e97:eff:fe19:2ec0
update add client.example.com. 1200 in A 192.168.122.86
send

Comment 6 William Brown 2014-03-20 00:35:32 UTC
I will reply with the info you have requested in a few days, as at the moment I am investigating another issue which may in fact be falsely causing this problem.

Comment 7 Jakub Hrozek 2014-03-20 10:32:41 UTC
Thank you. I'll be away next week, but I'm sure the other developers would chime in.

Comment 8 Martin Kosek 2014-04-07 15:07:15 UTC
Hello Jakub and William, any update on this one? I am mostly asking so that I know what the FreeIPA team should do with the related ticket that William filed:

https://fedorahosted.org/freeipa/ticket/4249

Comment 9 Jakub Hrozek 2014-04-07 15:23:49 UTC
I'm still waiting for the logs, in my dual-stack environment, all works fine.

Comment 10 William Brown 2014-04-08 04:14:15 UTC
I'm aware: I've been quite busy lately. I will endeavour to provide these asap.

Comment 11 William Brown 2014-04-14 22:56:03 UTC
Created attachment 886300 [details]
Log from sssd. Sanitised domain name.

I can't reproduce the AAAA problem (For now). But I have noticed that SSSD doesn't always update missing records either. 

Same config as before, but:

ipa_dyndns_update = False
dyndns_update = true
dyndns_iface = eth0


Iface eth0 has 

172.24.4.1
2001:4::1 (Trimmed)

Delete the SSHFP records in DNS, and the A record (To see if it updates).

I.e. the starting record is:

  Record name: lyra
  AAAA record: 2001:4::1

Comment 12 Petr Spacek 2014-04-15 07:38:43 UTC
(In reply to William Brown from comment #11)
> I can't reproduce the AAAA problem (For now). But I have noticed that SSSD
> doesn't always update missing records either. 

I'm not sure what you mean. AFAIK SSSD never updates SSHFP records. It updates only address records.

Comment 13 William Brown 2014-06-12 02:27:49 UTC
I think that freeipa in general handles SSHFP records badly. SSSD doesn't update them, so if you reset a host SSH key they don't update. Delete and rebuild a host, and the SSHFP records are still around from the old host. Finally, sss caches the host record, and you can't delete the host key from the known hosts cache (I implemented a fix for this on the sssd mailing list however, it's just not been looked at or merged)

When a host is added, it should take over that name and replace the sshfp records, and really, sssd should be updating those records. sssd is the gateway to ipa and the act of updating / changing a host ssh key is not unreasonable.

Comment 14 Simo Sorce 2014-06-12 02:43:46 UTC
(In reply to William Brown from comment #13)
> I think that freeipa in general handles SSHFP records badly. SSSD doesn't
> update them, so if you reset a host SSH key they don't update. Delete and
> rebuild a host, and the SSHFP records are still around from the old host.
> Finally, sss caches the host record, and you can't delete the host key from
> the known hosts cache (I implemented a fix for this on the sssd mailing list
> however, it's just not been looked at or merged)
> 
> When a host is added, it should take over that name and replace the sshfp
> records, and really, sssd should be updating those records. sssd is the
> gateway to ipa and the act of updating / changing a host ssh key is not
> unreasonable.

Can you open a separate bug for this issue? It is important to track, but we shouldn't mix discussions.

Thanks.

Comment 15 William Brown 2014-06-18 03:19:43 UTC
Will do, thanks for your time.

Comment 16 William Brown 2014-12-21 04:47:14 UTC
I have been able to reproduce this issue now.

SSSD A and AAAA record updates when using:

ipa_dyndns_update = False
dyndns_update = true
dyndns_iface = enp2s0f0
dyndns_update_ptr = true

seem to be flaky at best, and normally don't seem to work at all.

According to the log I have, no attempt was even made to attempt a dyndns update.

I am running a second test and leaving the client for a few hours. I have removed A and AAAA in IPA and will wait and see if sssd can update these at all.

Comment 17 William Brown 2014-12-21 04:48:05 UTC
Created attachment 971605 [details]
Log of SSSD

Comment 18 Lukas Slebodnik 2015-01-19 14:53:35 UTC
(In reply to William Brown from comment #17)
> Created attachment 971605 [details]
> Log of SSSD

I cannot see anything about dynamic DNS updates in log file.
You should be able to find message "Begin nsupdate message" in log file.

(In reply to William Brown from comment #16)
> I have been able to reproduce this issue now.
> 
> SSSD A and AAAA record updates when using:
> 
> ipa_dyndns_update = False
> dyndns_iface = enp2s0f0
Deprecation warning: The option ipa_dyndns_update is deprecated and should not be used in favor of dyndns_update

Please do not use both of them with different value. The best would be to remove deprecated option ipa_dyndns_update.

Could you provide new log files? They should contain the message "Begin nsupdate message".
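As an added example (not code from this bug report or from SSSD itself), a small Python checker that pulls the nsupdate blocks referred to above out of an sssd_<domain>.log and flags any record type that a message deletes without re-adding, which is the symptom from the original report. The log lines are constructed after the excerpt in comment 5; the assumption that the next timestamped sssd line ends a block is mine.

```python
import itertools
import re

# Constructed sample modelled on comment 5: a healthy update, then a hypothetical one that deletes AAAA but re-adds only A.
SAMPLE_LOG = """\
(Wed Mar 19 10:41:18 2014) [sssd[be[ipatest.example.com]]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 
zone ipatest.example.com.
update delete client.example.com. in A
send
update delete client.example.com. in AAAA
send
update add client.example.com. 1200 in AAAA 2620:52:0:2204:3e97:eff:fe19:2ec0
update add client.example.com. 1200 in A 192.168.122.86
send
(Wed Mar 19 11:41:18 2014) [sssd[be[ipatest.example.com]]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 
update delete client.example.com. in AAAA
send
update add client.example.com. 1200 in A 192.168.122.86
send
"""

MARKER = "-- Begin nsupdate message --"
UPDATE_RE = re.compile(r"^update (add|delete) (\S+)(?: (\d+))? in (A|AAAA|PTR)(?: (\S+))?$")

def extract_nsupdate_messages(log_text):
    """Each nsupdate block as a list of lines; the next timestamped sssd line (starting '(') ends it (assumption)."""
    blocks = []
    for chunk in log_text.split(MARKER)[1:]:
        lines = chunk.splitlines()[1:]  # drop the remainder of the Begin line itself
        body = itertools.takewhile(lambda ln: not ln.startswith("("), lines)
        blocks.append([ln.strip() for ln in body])
    return blocks

def summarize_updates(message):
    """Map name -> rrtype -> rdata added; a type deleted and never re-added keeps an empty list."""
    summary = {}
    for line in message:
        m = UPDATE_RE.match(line)
        if m:
            op, name, _ttl, rrtype, rdata = m.groups()
            added = summary.setdefault(name, {}).setdefault(rrtype, [])
            if op == "add":
                added.append(rdata)
    return summary

def find_dropped_records(log_text):
    """'NAME TYPE' for every record that an update message deletes without adding back."""
    return [f"{name} {rrtype}" for msg in extract_nsupdate_messages(log_text)
            for name, types in summarize_updates(msg).items()
            for rrtype, added in types.items() if not added]
```

Run it over a real sssd_<domain>.log captured with debug_level=10: an empty result from extract_nsupdate_messages means no update was attempted at all, which is the situation described in this comment.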

Comment 19 Lukas Slebodnik 2015-07-16 14:30:13 UTC
William,
Pavel Reichl has some patches which might fix your problem. I hope he can provide you some test packages in a few days.

Comment 20 Pavel Reichl 2015-07-20 15:35:24 UTC
William,

I have prepared copr repo containing SSSD with patches that should solve your problem. Could you try them?

Packages are for fedora 21 (as this bug is filed against fedora 21); please let me know if you prefer another version or if you have any trouble with copr or the provided packages.

Thanks!

https://copr.fedoraproject.org/coprs/preichl/sssd-dyndns/

Comment 21 William Brown 2015-07-25 01:54:17 UTC
Hi,

I actually don't have any fedora 21 machines any more. How hard would it be to build this sssd version for f22?

Thanks,

Comment 22 Lukas Slebodnik 2015-07-25 10:18:15 UTC
In this case, I will move this BZ to fedora 22

Comment 23 Lukas Slebodnik 2015-07-25 10:21:16 UTC
It isn't a problem to prepare packages for fedora 22.
Packages from the preichl copr repo are based on sssd-1.12.5, but fedora 22 already has the newer version sssd-1.13. The dyndns part is almost the same, though.

Pavel,
Could you prepare test packages for fedora 22?

Comment 24 Pavel Reichl 2015-07-29 10:59:52 UTC
Hello, I have prepared new packages for fedora 22. Per Lukas' suggestion I have also added patches related to ddns that are currently under review (support for the dyndns_server option and fixed formatting of the message for nsupdate). I hope this is not a problem for you, William. Thanks!

https://copr.fedoraproject.org/coprs/preichl/sssd-dyndns/

Comment 25 Fedora Update System 2015-10-07 16:14:53 UTC
sssd-1.13.1-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-202c127199

Comment 26 Fedora Update System 2015-10-07 16:18:33 UTC
sssd-1.13.1-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-7b47df69d3

Comment 27 Fedora Update System 2015-10-08 10:30:56 UTC
sssd-1.13.1-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update sssd'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-202c127199

Comment 28 Fedora Update System 2015-10-08 19:21:41 UTC
sssd-1.13.1-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update sssd'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-7b47df69d3

Comment 29 Fedora Update System 2015-10-11 16:03:58 UTC
sssd-1.13.1-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2015-10-20 01:54:49 UTC
sssd-1.13.1-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

