On 22/05/14 12:37, steve wrote:
On 21/05/14 22:14, Jakub Hrozek wrote:
> On Wed, May 21, 2014 at 09:07:23PM +0200, steve wrote:
>>>>> So why does nsupdate work but sssd doesn't?
>>>>
>>>> Can you show me how do you invoke nsupdate manually ?
>>>> (sssd just invokes nsupate itself, so it must be some difference in
>>>> the
>>>> command file I guess).
>>>>
>>>> Simo.
>>>>
>>>
>>> Ah just saw this in your other reply:
>>>
>>> steve@lubuntu-laptop:/tmp$ nsupdate -g -d
>>> > server 192.168.1.16
>>> > realm HH3.SITE
>>> > update delete lubuntu-laptop.hh3.site 3600 A
>>> > update add lubuntu-laptop.hh3.site 3600 A 192.168.1.22
>>> > send
>>>
>>> So I guess the trick is finding out what sssd puts in the 'server'
>>> field, I suspect it puts the AD DC name, and then nsupdate somehow has
>>> issues resolving which DNS server that refers to ..
>>>
>>> If you raise the SSSD debug level to include SSSDBG_TRACE_FUNC messages
>>> you should see a dump of the generated nsupdate msg file. Then you can
>>> use it manually with nsupdate to find out what breaks in your setup.
>>>
>>> simo.
>>>
>> Hi
>> OK. How do I 'include SSSDBG_TRACE_FUNC messages'?
>>
>> The thing is that 1.11.5 works fine with our openSUSE clients but
>> not with the package which comes with Ubuntu 14.04. Anyway, we would
>> like to know why.
>> Thanks.
>> Steve
>
> Put debug_level=7 (or higher, up to 10) to the [domain] section of the
> sssd.conf and run the test case again.
>
> The logs should then include the full nsupdate message.
>
> Also, did you kinit as the same principal the SSSD uses? Typically we'd
> use shortname$@realm. That should be visible from the logs as well.
Hi
sssd sends:
update add lubuntu-laptop. 3600 in A 192.168.1.22
This fails with the short hostname, dot or no dot.
It works with nsupdate manually only with the fqdn:
update add lubuntu-laptop.hh3.site 3600 A 192.168.1.22
Can we get sssd to send the fqdn rather than the short hostname?
Cheers,
Steve
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[nsupdate_msg_create_common]
(0x0200): Creating update message for realm
[HH3.SITE].
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
realm HH3.SITE
update delete lubuntu-laptop. in A
send
update delete lubuntu-laptop. in AAAA
send
update add lubuntu-laptop. 3600 in A 192.168.1.22
send
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- End nsupdate message --
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_done] (0x0400): (Thu May 22 12:18:20 2014)
[sssd[be[hh3.site]]] [be_nsupdate_args] (0x0200): Search result:
Success(0), no errmsg set
nsupdate auth type: GSS-TSIG
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[ad_subdomains_get_slave_domain_done] (0x1000): There are no changes
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]]
[nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
code may provide more information, Minor = Server not found in Kerberos
database.
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [child_sig_handler]
(0x1000): Waiting for child [3529].
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [child_sig_handler]
(0x0020): child [3529] failed with status [1].
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [nsupdate_child_handler]
(0x0040): Dynamic DNS child failed with status [256]
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [be_nsupdate_done]
(0x0040): nsupdate child execution failed [1432158228]: Dynamic DNS
update failed
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]]
[sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying with
server name
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]]
[nsupdate_msg_create_common] (0x0200): Creating update message for
server [hh16.hh3.site] and realm [HH3.SITE].
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]]
[be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
server hh16.hh3.site
realm HH3.SITE
update delete lubuntu-laptop. in A
send
update delete lubuntu-laptop. in AAAA
send
update add lubuntu-laptop. 3600 in A 192.168.1.22
send
here is the DC:
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:50954
for DNS/a.root-servers.net@HH3.SITE [canonicalize, renewable]
Kerberos: Searching referral for
a.root-servers.net
Kerberos: Returning a referral to realm
ROOT-SERVERS.NET for server
DNS/a.root-servers.net@HH3.SITE that was not found
Failed find a single entry for
(&(objectClass=trustedDomain)(|(flatname=ROOT-SERVERS.NET)(trustPartner=ROOT-SERVERS.NET))):
got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database:
krbtgt/ROOT-SERVERS.NET@HH3.SITE: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:50954
Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from ipv4:192.168.1.22:50955
for DNS/a.root-servers.net@HH3.SITE [renewable]
Kerberos: Server not found in database: DNS/a.root-servers.net@HH3.SITE:
no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.22:50955
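The two logs above line up: the first nsupdate message has no `server` line, so nsupdate locates the zone's primary by looking up the SOA for the owner name it was given. `lubuntu-laptop.` is an absolute single-label name, which sits directly under the DNS root, so the client ended up talking to a root server and asking the KDC for a `DNS/a.root-servers.net@HH3.SITE` ticket, which the DC log shows it cannot issue. The following script is an added example (not SSSD's code and not posted by anyone in this thread) that pulls the nsupdate message bodies out of an SSSD debug log (`debug_level=7` or higher, as described earlier in the thread) and flags every update record whose owner name is not fully qualified. The sample log is constructed from the lines quoted above, with SSSD's wrapped lines re-joined and an End marker added to the second message, which the quoted log cut off; the suggested FQDN assumes the DNS domain is the Kerberos realm in lower case, as it is here.

```python
# Sample SSSD debug output: a constructed sample assembled from the log lines
# quoted in this thread (wrapped lines re-joined, End marker added to the
# second message).
SAMPLE_LOG = """\
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]] [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
realm HH3.SITE
update delete lubuntu-laptop. in A
send
update delete lubuntu-laptop. in AAAA
send
update add lubuntu-laptop. 3600 in A 192.168.1.22
send
(Thu May 22 12:18:20 2014) [sssd[be[hh3.site]]] [be_nsupdate_create_fwd_msg] (0x0400): -- End nsupdate message --
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
server hh16.hh3.site
realm HH3.SITE
update delete lubuntu-laptop. in A
send
update add lubuntu-laptop. 3600 in A 192.168.1.22
send
(Thu May 22 12:18:21 2014) [sssd[be[hh3.site]]] [be_nsupdate_create_fwd_msg] (0x0400): -- End nsupdate message --
"""

BEGIN_MARKER = "-- Begin nsupdate message --"
END_MARKER = "-- End nsupdate message --"


def extract_messages(log_text):
    """Return the nsupdate message bodies (as lists of lines) that SSSD dumps
    between its Begin/End markers at debug_level 7 or higher."""
    messages = []
    current = None
    for line in log_text.splitlines():
        if BEGIN_MARKER in line:
            current = []
        elif END_MARKER in line:
            if current is not None:
                messages.append(current)
            current = None
        elif current is not None:
            current.append(line.strip())
    return messages


def parse_message(lines):
    """Pull the server, realm and update records out of one message body."""
    parsed = {"server": None, "realm": None, "updates": []}
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "server" and len(parts) > 1:
            parsed["server"] = parts[1]
        elif parts[0] == "realm" and len(parts) > 1:
            parsed["realm"] = parts[1]
        elif parts[0] == "update" and len(parts) > 2:
            # nsupdate syntax: update {add|delete} <owner-name> [ttl] [class] <type> [data]
            parsed["updates"].append({"op": parts[1], "name": parts[2]})
    return parsed


def is_fqdn(name):
    """A usable owner name has at least two non-empty labels (host + domain).
    'lubuntu-laptop.' is one label with a trailing dot: an absolute name
    directly under the DNS root, which is what the failing update sends."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def check_message(lines):
    """Return one finding per update record whose owner name is not fully
    qualified, with the FQDN the realm implies (assumption: the DNS domain is
    the Kerberos realm lower-cased, as in this thread)."""
    parsed = parse_message(lines)
    findings = []
    for update in parsed["updates"]:
        if is_fqdn(update["name"]):
            continue
        suggested = None
        if parsed["realm"]:
            suggested = update["name"].rstrip(".") + "." + parsed["realm"].lower() + "."
        findings.append({
            "op": update["op"],
            "name": update["name"],
            "server": parsed["server"],
            "suggested": suggested,
        })
    return findings


def check_log(log_text):
    """Run the owner-name check over every nsupdate message in a log."""
    return [check_message(m) for m in extract_messages(log_text)]


if __name__ == "__main__":
    for i, findings in enumerate(check_log(SAMPLE_LOG), 1):
        for f in findings:
            print(f"message {i}: '{f['op']} {f['name']}' is not an FQDN; "
                  f"server={f['server'] or '(located via SOA lookup)'}; "
                  f"expected something like {f['suggested']}")
```

Run it against a real `sssd_<domain>.log` by reading the file into `check_log`; a message with no `server` line and a single-label owner name is exactly the pattern that produced the root-server ticket request seen on the DC above, while the retry with `server hh16.hh3.site` still fails because the owner name itself is wrong.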