
I am trying to figure out how to get SSSD to dynamically update DNS for different domains on a per NIC basis.

For instance, if I have a server named host.corp.example.com that has 2 NICs.

I would like the first NIC to use DDNS to update NIC1's DNS entries to reflect host.corp.example.com. However, for NIC 2 I want to try and get it to register in DNS as host.management.example.com.

Both management.example.com and corp.example.com are served by the same Kerberos domain (either AD or IPA).

The conundrum I face is that the hostname is determined by system hostname or the ipa_hostname value in sssd.conf. Because those values are required to be fully qualified I can't simply append the DNS domain suffix to the host portion to dynamically generate the FQDN.

I've seen people write nsupdate scripts, which I'd like to avoid having to implement in an environment of almost 1,000 servers.

My question is simply: Is there an easy way native to sssd to accomplish the above?

Michael Moser

2 Answers


I suggest keeping sssd out of the equation for one interface and configuring that one with isc dhcpd ddns updates and a host entry.

host nfs {
     hardware ethernet 52:54:00:66:f8:32;
     ddns-hostname "nfs";
     ddns-domainname "corp.example.com";
}

The isc dhcp server is the standard server in FreeIPA, and should already be configured to be able to update the bind zones.

hargut
  • We don't leverage DHCP where I work, as we work exclusively with servers and not workstations. There is actually a zero tolerance for the protocol as misconfigurations have caused widespread outages. I'm attempting to find a way in a multi-tenant environment to segment DNS domains based on network so as to ensure not only name resolution, but access to the networks affiliated to a given subnet. – Michael Moser Jul 01 '19 at 21:47
  • Interesting scenario, but I'm not really sure what the purpose of these updates should be when the addresses are static. It would be simpler to provision the dns entries at the time of configuring the static network setup, and to remove them when deprovisioning the server. This can be automated as well. As you described the situation, cyclic updates should not be needed. – hargut Jul 02 '19 at 20:51

If dhcpd & bind cannot be used, and these dynamic updates are required, then multiple [domain] sections with corresponding configuration could do the job.

https://jhrozek.fedorapeople.org/sssd/1.10.0/sssd-ad.5.html

dyndns_iface (string)

    Optional. Applicable only when dyndns_update is true. Choose the interface whose IP address should be used for dynamic DNS updates.

    Default: Use the IP address of the AD LDAP connection
hargut
  • I'll have to lab this out. If I'm using the same Kerberos Realm (Often termed "domain") and 2 different DNS domains, I suppose that may work. I'll have to read more into the [example/host.example.com] to see if I can leverage a slimmed down second definition for the secondary DNS domain that only contains DDNS configurations. – Michael Moser Jul 03 '19 at 00:26
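A sketch of the two-[domain] sssd.conf layout this answer suggests, added here as an illustration and not taken from either post. The interface names, the AD domain name and the second section's ad_hostname override are assumptions; as the comment thread notes, the override is the part that still has to be verified in a lab.

```ini
# Illustrative sssd.conf (constructed example, not from the original posts).
# Assumed: realm/AD domain corp.example.com, NIC1 = eth0, NIC2 = eth1.
[sssd]
services = nss, pam
domains = corp, mgmt

# NIC 1: the normal identity/auth domain; registers host.corp.example.com
[domain/corp]
id_provider = ad
ad_domain = corp.example.com
ad_hostname = host.corp.example.com
krb5_keytab = /etc/krb5.keytab
dyndns_update = true
dyndns_iface = eth0                  # assumed interface name
dyndns_update_ptr = true
dyndns_refresh_interval = 86400

# NIC 2: same realm, different DNS name. Only ad_hostname and the dyndns_*
# lines differ. Caveat to test: per sssd-ad(5), ad_hostname also selects the
# host principal SSSD looks up in the keytab, and the machine was joined as
# host.corp.example.com, so this section may fail to authenticate unless the
# keytab also carries the management.example.com principal.
[domain/mgmt]
id_provider = ad
ad_domain = corp.example.com         # assumption: same AD domain as above
ad_hostname = host.management.example.com
krb5_keytab = /etc/krb5.keytab
dyndns_update = true
dyndns_iface = eth1                  # assumed interface name
dyndns_update_ptr = true
dyndns_refresh_interval = 86400
```

Both sections point at the same AD domain, so identity lookups are duplicated; whether the second one can be slimmed down to DDNS only is exactly what the lab test has to establish.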