SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Dynamic DNS Update Fails with Active Directory #7468

Open benloud opened 5 days ago

benloud commented 5 days ago

Dynamic DNS Update doesn't seem to work with Active Directory. I believe this is because sssd is calling nsupdate with "-g" when it should use "-o" (or alternatively add oldgsstsig to the nsupdate message). This would tell nsupdate to use Microsoft's variant of GSS-TSIG. See nsupdate.c in bind-9.

Could the dyndns code detect that the server is AD, or alternatively could we add a new dyndns_auth type, say "GSS-TSIG-ms".

I'm using sssd 2.9.5 and Windows Server 2019.

Log output:

update delete testnfsserver.testdomain.com. in A
update add testnfsserver.testdomain.com. 3600 in A 192.168.1.121
send
update delete testnfsserver.testdomain.com. in AAAA
send
-- End nsupdate message --

(2024-06-30 12:38:52): [be[testdomain.com]] [nsupdate_child_handler] (0x0040): [RID#21] Dynamic DNS child failed with status [512]
(2024-06-30 12:38:52): [be[testdomain.com]] [be_nsupdate_done] (0x0040): [RID#21] nsupdate child execution failed [1432158240]: Dynamic DNS update failed
   **  PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:

(2024-06-30 12:38:52): [be[testdomain.com]] [child_sig_handler] (0x0020): [RID#21] child [3489] failed with status [2].

sumit-bose commented 4 days ago

Hi,

thank you for the report. Dynamic DNS update, especially with AD, is often a bit fragile. Have you tried to call nsupdate manually with the settings SSSD is trying to do with the -o option? I'm asking because my current understanding is that the -o option is only needed if Windows 2000 is used and that all other more recent versions of Windows and AD can handle standard GSS-TSIG well.

Additionally, if you add debug_level = 9 to the [domain/...] section of sssd.conf, there should be extra debug output of nsupdate in the SSSD logs which might help to understand why the dynamic DNS update is failing.

bye, Sumit
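
One way to carry out the manual check suggested above, as an added example (not code from SSSD or from anyone in this thread): it rebuilds the nsupdate message shown in the report's log and sends it with either the standard (-g) or the Microsoft (-o) GSS-TSIG variant so the two can be compared against the AD DNS server. The optional server line, the use of nsupdate -d for verbose output, and a valid Kerberos ticket for the host principal are assumptions.

```shell
#!/bin/sh
# Added example, not part of SSSD. Reproduces SSSD's dynamic DNS update by
# hand so -g (standard GSS-TSIG) and -o (Microsoft variant) can be compared.

# Build the nsupdate message SSSD sent, taken from the log in the report.
# The "server" line is optional (assumption: only when a DNS server is given).
build_nsupdate_msg() {
    fqdn="$1"; ipv4="$2"; ttl="${3:-3600}"; server="$4"
    if [ -n "$server" ]; then printf 'server %s\n' "$server"; fi
    printf 'update delete %s. in A\n' "$fqdn"
    printf 'update add %s. %s in A %s\n' "$fqdn" "$ttl" "$ipv4"
    printf 'send\n'
    printf 'update delete %s. in AAAA\n' "$fqdn"
    printf 'send\n'
}

# Map the GSS-TSIG variant name to the nsupdate flag: std -> -g, ms -> -o.
gsstsig_flag() {
    case "$1" in
        std) echo '-g' ;;
        ms)  echo '-o' ;;
        *)   echo "unknown GSS-TSIG variant: $1" >&2; return 1 ;;
    esac
}

# Send the update with the host's Kerberos credentials (SSSD uses the host
# keytab; here a ticket for host/<fqdn>@REALM in the default ccache is assumed).
# Usage: run_dyndns_update ms testnfsserver.testdomain.com 192.168.1.121 [server]
run_dyndns_update() {
    variant="$1"; fqdn="$2"; ipv4="$3"; server="$4"
    flag=$(gsstsig_flag "$variant") || return 1
    build_nsupdate_msg "$fqdn" "$ipv4" 3600 "$server" | nsupdate -d "$flag"
}
```

Run it once with std and once with ms; if only the ms run returns NOERROR, the server wants the old Microsoft GSS-TSIG, which is what the report suggests.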

joakim-tjernlund commented 4 days ago

You may want to try this patch too:

cat ms-sstig-dns.patch 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 3048df8345..8566041ede 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2576,7 +2576,7 @@ update_completed(void *arg) {
    case DNS_R_TSIGVERIFYFAILURE:
    case DNS_R_UNEXPECTEDTSIG:
    case ISC_R_FAILURE:
-#if 0
+#if 1
        if (usegsstsig && answer->rcode == dns_rcode_noerror) {
            /*
             * For MS DNS that violates RFC 2845, section 4.2
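Review bot: changing `#if 0` to `#if 1` enables, for every build and every server, the branch under DNS_R_TSIGVERIFYFAILURE / DNS_R_UNEXPECTEDTSIG / ISC_R_FAILURE that handles a NOERROR answer whose TSIG did not verify when usegsstsig is set; the comment on that branch says it exists only for MS DNS servers that violate RFC 2845 section 4.2, so whatever relaxation it applies should be gated on a runtime choice (for instance only when the -o / oldgsstsig mode mentioned in the report is requested) rather than on a compile-time constant, and it should log that the answer was accepted despite the failed signature so the condition is visible in nsupdate -d output rather than silently treated as a clean success.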