Open benloud opened 5 days ago
Hi,
thank you for the report. Dynamic DNS update, especially with AD, is often a bit fragile. Have you tried to call nsupdate manually with the settings SSSD is trying to use, but with the -o option? I'm asking because my current understanding is that the -o option is only needed if Windows 2000 is used and that all other, more recent versions of Windows and AD can handle standard GSS-TSIG well.
Additionally, if you add debug_level = 9 to the [domain/...] section of sssd.conf, there should be extra debug output of nsupdate in the SSSD logs which might help to understand why the dynamic DNS update is failing.
bye, Sumit
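A way to do the manual comparison suggested above, as an added example that is not part of this thread or of SSSD: replay the exact update message SSSD logged, once with standard GSS-TSIG (-g) and once with the Microsoft variant (-o), with nsupdate's own debug output (-d) captured per run. It assumes BIND's nsupdate is on PATH, that a Kerberos ticket for the host is already present (for example via kinit -k), and that the host name and address are the ones from the log.

```shell
#!/bin/sh
# Added example, not SSSD project code. Replays the update SSSD sent so that
# the -g (standard GSS-TSIG) and -o (Microsoft variant) modes can be compared
# outside SSSD. Assumes: nsupdate on PATH and a valid host Kerberos ticket.

# Emit on stdout the same nsupdate message SSSD logged for this host.
build_update_script() {
    fqdn="$1"; ipv4="$2"; ttl="${3:-3600}"
    printf 'update delete %s. in A\n' "$fqdn"
    printf 'update add %s. %s in A %s\n' "$fqdn" "$ttl" "$ipv4"
    printf 'send\n'
    printf 'update delete %s. in AAAA\n' "$fqdn"
    printf 'send\n'
}

# Run nsupdate in one GSS-TSIG mode (-g or -o) with debug output to a log
# file, and report its exit status so the two modes can be compared.
run_update() {
    mode="$1"; fqdn="$2"; ipv4="$3"; logfile="$4"
    build_update_script "$fqdn" "$ipv4" | nsupdate -d "$mode" >"$logfile" 2>&1
    rc=$?
    echo "nsupdate $mode exited with status $rc (details in $logfile)"
    return $rc
}

# Values taken from the log in this issue (constructed test host).
main() {
    fqdn="testnfsserver.testdomain.com"
    ipv4="192.168.1.121"
    for mode in -g -o; do
        run_update "$mode" "$fqdn" "$ipv4" "/tmp/nsupdate${mode}.log" || true
    done
}

# Only contact the DNS server when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Invoke the script with --run on the affected host; a TSIG-related error that appears only in the -g log and not in the -o log supports the hypothesis that the server wants the Microsoft variant.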
You may want to try this patch too:
cat ms-sstig-dns.patch
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 3048df8345..8566041ede 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2576,7 +2576,7 @@ update_completed(void *arg) {
case DNS_R_TSIGVERIFYFAILURE:
case DNS_R_UNEXPECTEDTSIG:
case ISC_R_FAILURE:
-#if 0
+#if 1
if (usegsstsig && answer->rcode == dns_rcode_noerror) {
/*
* For MS DNS that violates RFC 2845, section 4.2
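Review bot: changing `#if 0` to `#if 1` compiles the MS DNS workaround in unconditionally for every build, while the thread already points to a runtime switch for the Microsoft variant (the `-o` option / `oldgsstsig`); the block is entered from the `DNS_R_TSIGVERIFYFAILURE`, `DNS_R_UNEXPECTEDTSIG` and `ISC_R_FAILURE` cases, i.e. responses whose TSIG could not be verified, so any relaxed handling there should be gated on that option (in addition to the visible `usegsstsig && answer->rcode == dns_rcode_noerror` check) rather than enabled for all users. The hunk as pasted is also cut off after the "violates RFC 2845, section 4.2" comment, so the body being enabled cannot be reviewed from what is shown.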
Dynamic DNS update doesn't seem to work with Active Directory. I believe this is because sssd is calling nsupdate with "-g" when it should use "-o" (or alternatively add oldgsstsig to the nsupdate message). This would tell nsupdate to use Microsoft's variant of GSS-TSIG. See nsupdate.c in bind-9.
Could the dyndns code detect that the server is AD, or alternatively could we add a new dyndns_auth type, say "GSS-TSIG-ms"?
I'm using sssd 2.9.5 and Windows Server 2019.
Log output:
update delete testnfsserver.testdomain.com. in A
update add testnfsserver.testdomain.com. 3600 in A 192.168.1.121
send
update delete testnfsserver.testdomain.com. in AAAA
send
-- End nsupdate message --
(2024-06-30 12:38:52): [be[testdomain.com]] [nsupdate_child_handler] (0x0040): [RID#21] Dynamic DNS child failed with status [512]
(2024-06-30 12:38:52): [be[testdomain.com]] [be_nsupdate_done] (0x0040): [RID#21] nsupdate child execution failed [1432158240]: Dynamic DNS update failed
** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
(2024-06-30 12:38:52): [be[testdomain.com]] [child_sig_handler] (0x0020): [RID#21] child [3489] failed with status [2].