Bug 1261155 - nsupdate exits on first GSSAPI error instead of processing other commands
nsupdate exits on first GSSAPI error instead of processing other commands
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.2
Unspecified Unspecified
medium Severity unspecified
: rc
: 7.2
Assigned To: Pavel Reichl
Dan Lavu
: Reopened, TestBlocker
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-08 13:52 EDT by Dan Lavu
Modified: 2015-11-19 06:40 EST (History)
15 users (show)

See Also:
Fixed In Version: sssd-1.13.0-33.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1262430 (view as bug list)
Environment:
Last Closed: 2015-11-19 06:40:34 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sssd_no_ptr.log (105.41 KB, text/plain)
2015-09-08 13:52 EDT, Dan Lavu
no flags Details
sssd_logs_with_dyndns_update_true (152.80 KB, text/plain)
2015-09-10 04:16 EDT, Dan Lavu
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 05:27:42 EST

  None (edit)
Description Dan Lavu 2015-09-08 13:52:57 EDT
Created attachment 1071439 [details]
sssd_no_ptr.log

Description of problem:
This looks like a regression, tests are failing to update the ptr record using the ad provider. 

Version-Release number of selected component (if applicable):
sssd-client-1.13.0-26.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. realm join sssd2012r2.com 
2. check AD for the PTR record
3.

Actual results:
A record exists, PTR does not

Expected results:
A record and PTR record exits


Additional info:
Comment 2 Dan Lavu 2015-09-08 13:58:59 EDT
Forgot to mention, logs show that dyndns is set to false and update_ptr is true, sssd.conf and is not adhering to the defaults values. Configuration is posted below.

[sssd]
domains = sssdad2012r2.com
config_file_version = 2
services = nss, pam

[domain/sssdad2012r2.com]
ad_domain = sssdad2012r2.com
krb5_realm = SSSDAD2012R2.COM
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

[sssd]
debug_level = 0xFFFF
[domain/sssdad2012r2.com]
debug_level = 0xFFFF
Comment 3 Lukas Slebodnik 2015-09-09 04:13:48 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2783
Comment 4 Pavel Reichl 2015-09-09 07:48:18 EDT
Dan, do I understand it correctly that it seems that we have changed default value of dyndns_update option for AD from true to false?
Comment 6 Lukas Slebodnik 2015-09-09 10:28:43 EDT
(In reply to Pavel Reichl from comment #4)
> Dan, do I understand it correctly that it seems that we have changed default
> value of dyndns_update option for AD from true to false?
I checked the source code of sssd-1.13.0-26.el7.x86_64 and the default value for dyndns_update_ptr is TRUE; it was not changed.

My understanding is that ptr record is not updated even though it should be.
Comment 7 Pavel Reichl 2015-09-09 10:34:38 EDT
In the attached log you can see: "Option dyndns_update is FALSE"
Comment 8 Michal Zidek 2015-09-09 10:54:21 EDT
Does setting dyndns_update explicitly to true help? That would confirm that we have wrong defaults.
Comment 9 Pavel Reichl 2015-09-09 10:57:16 EDT
Yes Michal I agree that would help, but I'm not able to replicate the issue so far only Dan and Lukas seem to be able to replicate.
Comment 10 Lukas Slebodnik 2015-09-09 11:18:50 EDT
Dan,
could you upload log files for sssd.conf from comment#2 ?
Comment 14 Dan Lavu 2015-09-10 04:16:58 EDT
Created attachment 1072059 [details]
sssd_logs_with_dyndns_update_true
Comment 15 Petr Spacek 2015-09-10 05:25:34 EDT
Hello. According the last log you do not have configured IPv6 reverse zone in AD. Quick look to AD DNS configuration confirms that - I can see only IPv4 zone in there.
Comment 16 Lukas Slebodnik 2015-09-10 06:02:41 EDT
(In reply to Petr Spacek from comment #15)
> Hello. According the last log you do not have configured IPv6 reverse zone
> in AD. Quick look to AD DNS configuration confirms that - I can see only
> IPv4 zone in there.

That's wrong approach. Many users could have configured just a IPv4 reverse zone.
Because they do not care about IPv6 on server side. But clients can have IPv6 addresses which new sssd will try to use in nsupdate.

It worked before an update and does not work aftert an upgrade. That's really bad user experience and moreover customers can notice it after a long time. The right approach will be to update just parts which can be updated (IPv4 in this case)
Comment 19 Petr Spacek 2015-09-10 08:10:31 EDT
Okay then, in that case we have to fix a bug in nsupdate.

nsupdate apparently exists on GSSAPI failure when called with option -g and does not process other command blocks (separated by 'send' command).

This is different than behavior for other errors where nsupdate just skips the block which failed and continues with the next block of commands.
Comment 20 Petr Spacek 2015-09-10 08:14:09 EDT
Dan, the bug is in nsupdate. Please be so kind and respect that.
Comment 22 Dan Lavu 2015-09-10 08:18:42 EDT
Petr, 

Yes, sorry people wanted me to add the keywords.
Comment 26 Petr Spacek 2015-09-10 08:58:10 EDT
Reproducer:

Store this in a file called "upd":

update add nsupdate.test.redhat.com 666 IN A 192.0.2.1
send
update add nsupdate.test.redhat.com 666 IN TXT "HELLo!"
send

And compare output from following commands:
$ nsupdate /tmp/upd 
update failed: REFUSED
update failed: REFUSED

$ nsupdate -g /tmp/upd 
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server DNS/xxx@REDHAT.COM not found in Kerberos database.

You can see that first run without GSSAPI tried both command blocks but the second run with GSSAPI failed on first command block and did not continue.
Comment 39 Jakub Hrozek 2015-09-22 08:56:30 EDT
* master: eeac17ebbe38f16deaa8599231cccfc97aaac85c
Comment 41 Dan Lavu 2015-09-22 21:55:12 EDT
Verified, on sssd-client-1.13.0-33.el7.x86_64 , against automated test suite.
Comment 43 Jakub Hrozek 2015-09-24 09:42:17 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2783
Comment 44 errata-xmlrpc 2015-11-19 06:40:34 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

Note You need to log in before you can comment on or make changes to this bug.