Author Topic: Dynamic DNS update does not work (Read 712 times)

Offline SVV

  • Beginner
  • *
  • Posts: 9
Good day!

There is a problem on client PCs running ALT Workstation that have been joined to an MS AD domain via the SSSD module: updating of records on the DNS server does not work.
On other OSes (Win7, Win10, Astra SE 1.7) this functionality "works out of the box".
I tried configuring SSSD according to the recommendations on these sites:
https://www.altlinux.org/SSSD/AD#Настройка_SSSD
https://blog.it-kb.ru/2017/11/18/recommendations-for-configuring-sssd-in-debian-gnu-linux-about-dns-kerberos-and-active-directory-dc-search/
https://sssd.io/troubleshooting/errors.html
https://sssd.io/troubleshooting/basics.html
https://sssd.io/design-pages/ddns_messages_update.html

I also tried specifying the DNS server for dynamic updates explicitly by adding the following parameter to the [domain/my_domain.local] section of /etc/sssd/sssd.conf:
dyndns_server = <DNS server IP address>

None of the above helped, so I am asking for help: does anyone have any thoughts on "where to dig" in this situation?

OS: ALT Workstation 10.1.990
Kernel: 6.1.77-un-def-alt1
SSSD version: 2.9.3-alt1.x86_64

sssd.conf
[sssd]
config_file_version = 2
services = nss, pam

# Managed by system facility command:
## control sssd-drop-privileges unprivileged|privileged|default
user = _sssd

# SSSD will not start if you do not configure any domains.

domains = DOMAIN_NAME
[nss]

[pam]

[domain/DOMAIN_NAME]
dyndns_update_ptr = true
dyndns_update = true
dyndns_ttl = 3600
dyndns_refresh_interval = 60
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 9
; cache_credentials = false
ad_gpo_ignore_unreadable = true
ad_gpo_access_control = permissive
ad_update_samba_machine_account_password = true

krb5.conf
includedir /etc/krb5.conf.d/

[logging]
# default = FILE:/var/log/krb5libs.log
# kdc = FILE:/var/log/krb5kdc.log
# admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN_NAME
 dns_lookup_kdc = true
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
# EXAMPLE.COM = {
#  default_domain = example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

sssd_DOMAIN.NAME.log
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_msg_create_common] (0x0200): [RID#1318] Creating update message for auto-discovered realm.
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_nsupdate_create_fwd_msg] (0x0400): [RID#1318]  -- Begin nsupdate message --

update delete pc_name.DOMAIN_NAME. in A
update add pc_name.DOMAIN_NAME. 3600 in A 192.168.1.100
send
update delete pc_name.DOMAIN_NAME. in AAAA
send
 -- End nsupdate message --
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_handler_setup] (0x2000): [RID#1318] Setting up signal handler up for pid [4580]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_handler_setup] (0x2000): [RID#1318] Signal handler set up for pid [4580]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [_write_pipe_handler] (0x0400): [RID#1318] All data has been sent!
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_child_stdin_done] (0x1000): [RID#1318] Sending nsupdate data complete
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_sig_handler] (0x1000): [RID#1318] Waiting for child [4580].
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_sig_handler] (0x0020): [RID#1318] child [4580] failed with status [2].
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_child_handler] (0x0040): [RID#1318] Dynamic DNS child failed with status [512]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_nsupdate_done] (0x0040): [RID#1318] nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [sdap_dyndns_update_done] (0x0080): [RID#1318] nsupdate failed, retrying.
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_msg_create_common] (0x0200): [RID#1318] Creating update message for realm [DOMAIN_NAME].
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_nsupdate_create_fwd_msg] (0x0400): [RID#1318]  -- Begin nsupdate message --
realm DOMAIN_NAME
update delete pc_name.DOMAIN_NAME. in A
update add pc_name.DOMAIN_NAME. 3600 in A 192.168.1.100
send
update delete pc_name.DOMAIN_NAME. in AAAA
send
 -- End nsupdate message --
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_handler_setup] (0x2000): [RID#1318] Setting up signal handler up for pid [4585]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_handler_setup] (0x2000): [RID#1318] Signal handler set up for pid [4585]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [_write_pipe_handler] (0x0400): [RID#1318] All data has been sent!
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_child_stdin_done] (0x1000): [RID#1318] Sending nsupdate data complete
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_sig_handler] (0x1000): [RID#1318] Waiting for child [4585].
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_sig_handler] (0x0020): [RID#1318] child [4585] failed with status [2].
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_child_handler] (0x0040): [RID#1318] Dynamic DNS child failed with status [512]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_nsupdate_done] (0x0040): [RID#1318] nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_msg_create_common] (0x0200): [RID#1318] Creating update message for realm [DOMAIN_NAME].
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_nsupdate_create_ptr_msg] (0x0400): [RID#1318]  -- Begin nsupdate message --
realm DOMAIN_NAME
update delete 100.1.168.192.in-addr.arpa. in PTR
update add 100.1.168.192.in-addr.arpa. 3600 in PTR pc_name.DOMAIN_NAME.
send
 -- End nsupdate message --
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_handler_setup] (0x2000): [RID#1318] Setting up signal handler up for pid [4590]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_handler_setup] (0x2000): [RID#1318] Signal handler set up for pid [4590]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [_write_pipe_handler] (0x0400): [RID#1318] All data has been sent!
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_child_stdin_done] (0x1000): [RID#1318] Sending nsupdate data complete
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_sig_handler] (0x1000): [RID#1318] Waiting for child [4590].
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [child_sig_handler] (0x0020): [RID#1318] child [4590] failed with status [2].
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_child_handler] (0x0040): [RID#1318] Dynamic DNS child failed with status [512]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_nsupdate_done] (0x0040): [RID#1318] nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [ad_dyndns_sdap_update_done] (0x0040): [RID#1318] Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [sdap_id_op_destroy] (0x4000): [RID#1318] releasing operation connection
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [sdap_id_conn_data_idle] (0x4000): [RID#1318] Marking connection as idle
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_ptask_done] (0x0040): [RID#1318] Task [Dyndns update]: failed with [1432158240]: Dynamic DNS update failed
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_ptask_schedule] (0x0400): [RID#1318] Task [Dyndns update]: scheduling task 63 seconds from now [1711516636]

KRB5_TRACE
[domain_user@pc_name ~]$ KRB5_TRACE=/dev/stderr nsupdate -g
> update delete pc_name.domain_name. in A
> update add pc_name.domain_name. 3600 in A 192.168.1.100
> send
[6192] 1711516863.609580: ccselect module realm chose cache FILE:/tmp/krb5cc_1928010000 with client principal domain_user@domain_name for server principal DNS/dc5.domain_name@domain_name
[6192] 1711516863.609581: Getting credentials domain_user@domain_name -> DNS/dc5.domain_name@domain_name using ccache FILE:/tmp/krb5cc_1928010000
[6192] 1711516863.609582: Retrieving domain_user@domain_name -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from FILE:/tmp/krb5cc_1928010000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1928010000)
[6192] 1711516863.609583: Retrieving domain_user@domain_name -> DNS/dc5.domain_name@domain_name from FILE:/tmp/krb5cc_1928010000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1928010000)
[6192] 1711516863.609584: Retrieving domain_user@domain_name -> krbtgt/domain_name@domain_name from FILE:/tmp/krb5cc_1928010000 with result: 0/Success
[6192] 1711516863.609585: Starting with TGT for client realm: domain_user@domain_name -> krbtgt/domain_name@domain_name
[6192] 1711516863.609586: Requesting tickets for DNS/dc5.domain_name@domain_name, referrals on
[6192] 1711516863.609587: Generated subkey for TGS request: aes256-cts/5FEA
[6192] 1711516863.609588: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[6192] 1711516863.609590: Encoding request body and padata into FAST request
[6192] 1711516863.609591: Sending request (1937 bytes) to domain_name
[6192] 1711516863.609592: Initiating TCP connection to stream 192.168.1.50:88
[6192] 1711516863.609593: Sending TCP request to stream 192.168.1.50:88
[6192] 1711516863.609594: Received answer (2325 bytes) from stream 192.168.1.50:88
[6192] 1711516863.609595: Terminating TCP connection to stream 192.168.1.50:88
[6192] 1711516863.609596: Response was from primary KDC
[6192] 1711516863.609597: Decoding FAST response
[6192] 1711516863.609598: FAST reply key: aes256-cts/CCEB
[6192] 1711516863.609599: TGS reply is for domain_user@domain_name -> DNS/dc5.domain_name@domain_name with session key aes256-cts/6C7D
[6192] 1711516863.609600: TGS request result: 0/Success
[6192] 1711516863.609601: Received creds for desired service DNS/dc5.domain_name@domain_name
[6192] 1711516863.609602: Storing domain_user@domain_name -> DNS/dc5.domain_name@domain_name in FILE:/tmp/krb5cc_1928010000
[6192] 1711516863.609604: Creating authenticator for domain_user@domain_name -> DNS/dc5.domain_name@domain_name, seqnum 205245195, subkey aes256-cts/BA6E, session key aes256-cts/6C7D
[6192] 1711516863.609609: Read AP-REP, time 1711516863.609605, subkey aes256-cts/3CCD, seqnum 647105478
; TSIG error with server: tsig verify failure
update failed: REFUSED
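The sssd log above shows every nsupdate child exiting with wait status 512, and the manual `nsupdate -g` session shows the server's actual answer (REFUSED after a TSIG verify failure). As an added example (not code from this thread or from SSSD), the following Python helper pulls each generated nsupdate script and the decoded child exit code out of such a log; the sample log is constructed from the lines quoted in the post, and the function names are hypothetical.

```python
"""Hypothetical triage helper (not part of SSSD): extract every nsupdate script SSSD
piped to its child, plus the child's exit code, from an sssd_<domain>.log."""
import re

BEGIN, END = "-- Begin nsupdate message --", "-- End nsupdate message --"
WAIT_RE = re.compile(r"Dynamic DNS child failed with status \[(\d+)\]")

# Constructed sample modelled on the debug_level = 9 output quoted in the thread.
SAMPLE_LOG = """\
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_nsupdate_create_fwd_msg] (0x0400): [RID#1318]  -- Begin nsupdate message --

update delete pc_name.DOMAIN_NAME. in A
update add pc_name.DOMAIN_NAME. 3600 in A 192.168.1.100
send
 -- End nsupdate message --
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_child_handler] (0x0040): [RID#1318] Dynamic DNS child failed with status [512]
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [be_nsupdate_create_ptr_msg] (0x0400): [RID#1318]  -- Begin nsupdate message --
realm DOMAIN_NAME
update add 100.1.168.192.in-addr.arpa. 3600 in PTR pc_name.DOMAIN_NAME.
send
 -- End nsupdate message --
(2024-03-27  8:16:13): [be[DOMAIN_NAME]] [nsupdate_child_handler] (0x0040): [RID#1318] Dynamic DNS child failed with status [512]
"""

def parse_dyndns_attempts(log_text):
    """One dict per nsupdate run: the script SSSD piped to nsupdate and its exit code."""
    attempts, script = [], None          # script is a list only inside a Begin/End block
    for line in log_text.splitlines():
        if BEGIN in line:
            script = []
        elif END in line:
            attempts.append({"script": script, "exit_code": None})
            script = None
        elif script is not None:
            if line.strip(): script.append(line.strip())
        elif (m := WAIT_RE.search(line)) and attempts and attempts[-1]["exit_code"] is None:
            # SSSD logs the raw wait status; the child's exit code is its high byte (512 >> 8 == 2).
            attempts[-1]["exit_code"] = int(m.group(1)) >> 8
    return attempts

def triage(attempt):
    """Summarise one run; nsupdate exits 2 when the server answered an update with an error rcode."""
    script, code = attempt["script"], attempt["exit_code"]
    toks = [s.split() for s in script]
    verdict = {None: "no exit status logged", 0: "accepted", 2: "rejected by the DNS server (error rcode such as REFUSED)"}
    return {"rrtypes": sorted({t[t.index("in") + 1] for t in toks if t[0] == "update" and "in" in t}),
            "realm_pinned": any(t[0] == "realm" for t in toks),   # 'realm' line present?
            "server_pinned": any(t[0] == "server" for t in toks), # 'server' line (dyndns_server) present?
            "exit_code": code,
            "verdict": verdict.get(code, f"nsupdate aborted with exit code {code}")}
```

Run it against a real `sssd_<domain>.log` captured at debug_level = 9 to see, per attempt, which record types were sent, whether the script pinned a realm or server, and whether the server rejected the update or nsupdate never got that far.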

Offline Skull

  • Global Moderator
  • *****
  • Posts: 19 961
    • Home page
    • Email
No thoughts, it just doesn't work. Wait until upstream fixes it.
Andrey Cherepanov (cas@)