IPA dynamic DNS only updates AAAA records. Where are my A records?

  • July 7, 2016

I'm setting up a FreeIPA domain. In my lab I have three VMs: the domain controller ipadc1 and two clients, puppet and wordpress (creative, yes, I know). All three VMs are running fresh installs of CentOS 6.4 (FreeIPA 3.0.0).

I've installed the IPA server, created a domain that we'll call example.us here, and enabled the DNS service and automatic DNS updates.

I've successfully joined both VMs to the domain. But the dynamic DNS update only puts AAAA records into DNS. No A records are inserted.

[screenshot: DNS RR]

My DNS zone settings for dynamic updates and the BIND update policy also look correct.

[screenshot: DNS zone settings]

Both client VMs do in fact have IPv4 addresses; puppet has a static IPv4 address and wordpress gets its IPv4 address from DHCP. That doesn't seem to make any difference.

# ip a s dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 52:54:00:3c:d5:f5 brd ff:ff:ff:ff:ff:ff
   inet 172.25.50.227/24 brd 172.25.50.255 scope global eth0
   inet6 2001:db8:16:bf:5054:ff:fe3c:d5f5/64 scope global dynamic 
      valid_lft 86180sec preferred_lft 14180sec
   inet6 fe80::5054:ff:fe3c:d5f5/64 scope link 
      valid_lft forever preferred_lft forever

The problem actually seems to lie with sssd, which I've learned is the component responsible for pushing the dynamic DNS updates. I turned on debug_level = 9 and found this in the log. It seems to show that sssd isn't even trying to send the A record, although it doesn't really tell me why.

(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_update_send] (0x4000): Performing update
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ok_for_dns] (0x0200): Multicast IPv4 address 172.25.50.227
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ok_for_dns] (0x0200): Link local IPv6 address fe80::5054:ff:fe3c:d5f5
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_step] (0x1000): Checking if the update is needed
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_get_family_order] (0x1000): Lookup order: ipv6_first
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_is_address] (0x4000): [wordpress.example.us] does not look like an IP address
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_is_address] (0x4000): [wordpress.example.us] does not look like an IP address
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'wordpress.example.us' in DNS
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_check] (0x1000): Address on localhost only: 2001:db8:16:bf:5054:ff:fe3c:d5f5
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_gss_tsig_update_check] (0x0400): Detected IP addresses change, will perform an update
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0200): Creating update message for realm [EXAMPLE.US] and zone [example.us].
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0400):  -- Begin nsupdate message --
realm EXAMPLE.US
zone example.us.
update delete wordpress.example.us. in A
send
update delete wordpress.example.us. in AAAA
send
update add wordpress.example.us. 86400 in AAAA 2001:db8:16:bf:5054:ff:fe3c:d5f5
send
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [create_nsupdate_message] (0x0400):  -- End nsupdate message --
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [2144]
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_handler_setup] (0x2000): Signal handler set up for pid [2144]
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_stdin_done] (0x4000): Sending nsupdate data complete
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_sig_handler] (0x1000): Waiting for child [2144].
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [child_sig_handler] (0x0100): child [2144] finished successfully.
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Mon Jul 22 21:50:01 2013) [sssd[be[example.us]]] [ipa_dyndns_update_done] (0x0020): DNS update finished

sssd.conf is:

[domain/example.us]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.us
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = wordpress.example.us
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipadc1.example.us
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = example.us
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

The output of ipa dnszone-show example.us --all is:

 dn: idnsname=example.us,cn=dns,dc=example,dc=us
 Zone name: example.us
 Authoritative nameserver: ipadc1.example.us.
 Administrator e-mail address: hostmaster.example.us.
 SOA serial: 1374982142
 SOA refresh: 3600
 SOA retry: 900
 SOA expire: 1209600
 SOA minimum: 3600
 BIND update policy: grant EXAMPLE.US krb5-self * A; grant EXAMPLE.US krb5-self
                     * AAAA; grant EXAMPLE.US krb5-self * SSHFP;
 Active zone: TRUE
 Dynamic update: TRUE
 Allow query: any;
 Allow transfer: none;
 mxrecord: 0 mail.example.us
 nsrecord: ipadc1.example.us.
 objectclass: top, idnsrecord, idnszone
 txtrecord: v=spf1 a mx -all

While this is really a minor issue for me, since I can get by without IPv4 DNS updates (happy to be 100% dual-stack), not knowing what's going on here is still annoying. Maybe there's some log I've missed that would shed light on it?

(Oh yes, I did turn it off and on again.)

After adding

ipa_dyndns_iface = eth0

In that pastebin, I see that sssd identifies your IP as multicast:

"(Tue Jul 9 10:00:01 2013) [sssd[be[example.us]]] [ok_for_dns] (0x0200): Multicast IPv4 address 172.25.50.227"

In a piece of code Jacob wrote, he tests for loopback addresses, multicast addresses, etc. without reporting them to DNS; you'll find your error there:

    /* IPv4 branch of ok_for_dns(); the IN_* macros expect host byte order */
    if (IN_MULTICAST(ntohl(addr->s_addr))) {
        DEBUG(SSSDBG_FUNC_DATA, ("Multicast IPv4 address %s\n", straddr));
        return false;
    } else if (inet_netof(*addr) == IN_LOOPBACKNET) {
        DEBUG(SSSDBG_FUNC_DATA, ("Loopback IPv4 address %s\n", straddr));
        return false;
    } else if ((addr->s_addr & 0xffff0000) == 0xa9fe0000) {
        /* 169.254.0.0/16 */
        DEBUG(SSSDBG_FUNC_DATA, ("Link-local IPv4 address %s\n", straddr));
        return false;
    } else if (addr->s_addr == htonl(INADDR_BROADCAST)) {
        DEBUG(SSSDBG_FUNC_DATA, ("Broadcast IPv4 address %s\n", straddr));
        return false;
    }
} else {
    DEBUG(SSSDBG_CRIT_FAILURE, ("Unknown address family\n"));
    return false;
}

return true;

Now the question is why it gets recognized as a "multicast address"; I don't know. As you can see in in.h, IN_MULTICAST:

  "IN_MULTICAST(a)" - tests whether a is a multicast address, and it is in "inet.h/in.h":
  #define  IN_CLASSD(i)        (((long)(i) & 0xf0000000) == 0xe0000000)
  #define  IN_MULTICAST(i)     IN_CLASSD(i)

So how that IP address evaluates as multicast, I'll try to trace it and see. You could also ask Jacob Hrozek, who wrote that sssd code. He's usually always available on #sssd on freenode; it would be great if you could share what you end up with. Hope it helps a little.

EDIT

Yes, there's a bug in your version 1.9.2. You have:

 if (IN_MULTICAST(addr->s_addr)) {

It should be:

 if (IN_MULTICAST(ntohl(addr->s_addr))) {

Source: https://serverfault.com/questions/521809