sssd fails to Update PTR if any A record update fails.

Bug #1706284 reported by Keith Ward on 2017-07-25
Affects        Status  Importance  Assigned to  Milestone
sssd (Ubuntu)          Undecided   Unassigned
Xenial                 Undecided   Unassigned

Bug Description

sssd in both xenial and yakkety fails to update the PTR record of the current host on an Active Directory controller if any update for an A/AAAA record returns a non-fatal error; this results in missing (and/or) mismatched reverse DNS.

This has already been fixed in 1.5.1 (which is present in Zesty and above), as failure to update any of the A/AAAA records should not affect updating the PTR as well, as not all servers in a given AD cluster may accept an A/AAAA record update, especially if it would result in no update being made (NOERROR).

See the attached conversation about this issue here: https://pagure.io/SSSD/sssd/issue/3227 for further information.

I'll attach a debdiff against the relevant releases shortly; for now I've attached the original patch which was used to fix the bug in 1.15.1.

### SRU Justification ###

[Impact]

Currently users find that sssd will not update the reverse (PTR) records of a given host if an AD server returns a non-fatal error for an A/AAAA update.

This causes strange issues to occur where we can end up with hosts with proper functioning forward records but no reverse. I propose we backport the fix from 1.15.1 to both Xenial and Yakkety to resolve the issue so PTR updates get processed (or at least attempted).

The patch attached removes the error check that occurs should the return code of the A/AAAA nsupdates be non-zero, and instead allows the PTR update to occur before checking for errors.

This is the same patch taken from the fix for 1.15.1.

[Test Case]

For the configuration of sssd, a basic configuration of the following should suffice:

[sssd]
services = nss, pam
config_file_version = 2
domains = YOURDOMAIN.TLD

[domain/YOURDOMAIN.TLD]
id_provider=ad
auth_provider=ad
access_provider=ad
chpass_provider=ad
override_homedir=/home/%d/%u
cache_credentials = true
ad_gpo_access_control=permissive
default_shell=/bin/bash
ad_hostname = sssd-hostname.YOURDOMAIN.TLD

In AD change the properties of the Forward zone Dynamic Updates to "Nonsecure and Secure"
Ensure a Reverse Zone is present in the AD DNS MMC.
Remove any existing A/AAAA and PTR records from Active Directory DNS for the SSSD system
Restart SSSD to trigger the nsupdate call
Check the reverse zone in AD for PTR records, they do not get created but the A/AAAA records do.

Expected results:
Both A and PTR records get updated.

[Regression Potential]

As this patch is already present in a future release it has been fairly well tested already; however, back-porting the fix will result in sssd attempting PTR updates whether the A/AAAA updates succeed or not.

As per the original bug report, where a quick note was made about failed updates: if forward updates fail, the result will be inconsistent DNS should the reverse succeed (reverse but no forward); however, in that case the admin needs to look into why the update failed. The code should at least try to record all updates (A, AAAA and PTR) and not just ignore the PTR because the forward update (may or may not have) failed.

There is also the possibility that the patch may not resolve the problem completely; however, as this patch just moves the error handling after the PTR attempt, I can see no reason not to backport the patch to the older version for Xenial/Yakkety.
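The ordering change the report describes, modelled as an added illustration (not sssd's own code and not the attached patch): before the fix, a non-zero exit from the forward nsupdate child returns before the PTR step; after it, both updates are sent and the error check runs last. The `NsupdateResult` type, the function names and the sample statuses are assumptions for this example; the sample mirrors the verification log, where the controller answers NOERROR while nsupdate exits with wait status 512 (exit code 2).

```python
"""Model of the sssd dynamic-DNS update ordering before and after the fix.
Added illustration only; names and types here are assumptions, not sssd's."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class NsupdateResult:
    """What the sssd back end learns from one nsupdate child run."""
    wait_status: int      # raw wait status from the child handler, e.g. 512
    reply_status: str     # RCODE in nsupdate's printed reply, e.g. "NOERROR"

    @property
    def exit_code(self) -> int:
        # A wait status of 512 is exit code 2 (the logs show both forms).
        return (self.wait_status >> 8) & 0xFF

    @property
    def server_accepted(self) -> bool:
        # nsupdate can exit non-zero even though the server answered NOERROR.
        return self.reply_status == "NOERROR"


Runner = Callable[[], NsupdateResult]
ERR = "Dynamic DNS update failed"


def update_unpatched(run_fwd: Runner, run_ptr: Runner) -> Tuple[List[str], str]:
    """Pre-fix flow: any non-zero forward exit returns before the PTR step."""
    attempted = ["fwd"]
    fwd = run_fwd()
    if fwd.wait_status != 0:
        return attempted, ERR
    attempted.append("ptr")
    ptr = run_ptr()
    return attempted, (ERR if ptr.wait_status != 0 else "OK")


def update_patched(run_fwd: Runner, run_ptr: Runner) -> Tuple[List[str], str]:
    """Post-fix flow: both updates are sent, then the error check runs."""
    attempted = ["fwd"]
    fwd = run_fwd()
    attempted.append("ptr")
    ptr = run_ptr()
    failed = [name for name, r in (("fwd", fwd), ("ptr", ptr)) if r.wait_status != 0]
    return attempted, (ERR if failed else "OK")


def mismatches(results: Dict[str, NsupdateResult]) -> List[str]:
    """Flag runs where the exit code and the DNS reply disagree; this is the
    condition that made the pre-fix check skip the PTR update."""
    return [
        f"{name}: nsupdate exit code {r.exit_code} but server replied {r.reply_status}"
        for name, r in results.items()
        if r.wait_status != 0 and r.server_accepted
    ]


# Constructed sample mirroring the verification log: NOERROR from the
# controller for both updates, nsupdate exiting with wait status 512.
FWD_RESULT = NsupdateResult(wait_status=512, reply_status="NOERROR")
PTR_RESULT = NsupdateResult(wait_status=512, reply_status="NOERROR")


def demo() -> dict:
    before = update_unpatched(lambda: FWD_RESULT, lambda: PTR_RESULT)
    after = update_patched(lambda: FWD_RESULT, lambda: PTR_RESULT)
    return {
        "unpatched_attempted": before[0],
        "patched_attempted": after[0],
        "mismatches": mismatches({"fwd": FWD_RESULT, "ptr": PTR_RESULT}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both flows still report the failure to the caller; the difference is only whether the PTR update is sent at all, which is exactly what the regression-potential section weighs.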

Keith Ward (kward) wrote :
Changed in sssd (Ubuntu):
status: New → In Progress
assignee: nobody → Keith Ward (keithward)
Keith Ward (kward) wrote :

Attaching debdiff against Xenial (Old version: 1.13.4-1ubuntu1.6 new: 1.13.4-1ubuntu1.7)

Andreas Hasenack (ahasenack) wrote :

Thanks for filing this bug and providing a patch.

Do you think you can detail the test case a bit more? For starters, provide a minimum sssd.conf configuration file, since the package is distributed with none.

The attachment "Patch from Upstream" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Keith Ward (kward) wrote :

I've updated the test case on this, which from what people are saying, should make it easier to reproduce.

I've yet to sort out the debdiff on this for yakkety, I'll be sorting that out later today.

description: updated

Thanks. Don't worry about yakkety, it's EOL.

On Jul 27, 2017 06:11, "Keith Ward" <email address hidden> wrote:

> I've updated the test case on this, which from what people are saying,
> should make it easier to reproduce.
>
> I've yet to sort out the debdiff on this for yakkety, I'll be sorting
> that out later today.
>
> ** Description changed:
>
> sssd in both xenial and yakkety fails to update the PTR record of the
> current host on an active directory controller if any update for an
> A/AAA record returns a non-fatal error, this results in missing (and/or)
> mismatched Reverse DNS.
>
> This has already been fixed in 1.5.1 (which is present in Zesty and
> above), as failure to update any of the A/AAA should not affect updating
> the PTR as well, as not all servers in a given AD cluster may accept an
> A/AAA record update, especially if it would result in no update being
> made (NOERROR).
>
> See the attached conversation about this issue here:
> https://pagure.io/SSSD/sssd/issue/3227 for further information.
>
> I'll attach a debdiff against the relevant releases shortly, however for
> now I've attached the original patch which was used to fix the bug in
> 1.15.1
>
> ### SRU Justification ###
>
> [Impact]
>
> Currently users find that sssd will not update the reverse (PTR) records
> of a given host if an AD server returns non-fatal error for an A/AAA
> update.
>
> This causes strange issues to occur where we can end up with hosts with
> proper functioning forward records but no reverse. I propose we backport
> the fix from 1.15.1 to both Xenial and Yakkety to resolve the issue so
> PTR updates get processed (or at least attempted).
>
> The patch attached removes the error check that occurs should the return
> code of the A/AAA nsupdates be non zero, and instead allows the PTR
> update to occur before checking for errors.
>
> This is the same patch taken from the fix for 1.15.1
>
> [Test Case]
>
> - As per the original bug:
> + For the configuration of sssd, a basic configuration of the following
> + should suffice:
>
> - Steps to Reproduce:
> - 1. Setup 'nonsecure and secure' zones
> - 2. Start sssd
> + [sssd]
> + services = nss, pam
> + config_file_version = 2
> + domains = YOURDOMAIN.TLD
>
> - Actual results:
> - A records will get updated but PTR records will fail as sssd does not
> try to
> - update them.
> + [domain/YOURDOMAIN.TLD]
> + id_provider=ad
> + auth_provider=ad
> + access_provider=ad
> + chpass_provider=ad
> + override_homedir=/home/%d/%u
> + cache_credentials = true
> + ad_gpo_access_control=permissive
> + default_shell=/bin/bash
> + ad_hostname = sssd-hostname.YOURDOMAIN.TLD
> +
> + In AD change the properties of the Forward zone Dynamic Updates to
> "Nonsecure and Secure"
> + Ensure a Reverse Zone is present in the AD DNS MMC.
> + Remove any existing A/AAAA and PTR records from Active Directory DNS for
> the SSSD system
> + Restart SSSD to trigger the nsupdate call
> + Check the reverse zone in AD for PTR records, they do not get created
> but the A/AAAA records do.
>
> Expected results:
> Both A and PTR records get updated.
>
> [Regression Potential]
>...


Keith Ward (kward) wrote :

--Verification from myself--
Unpatched Version 1.6: [FAIL] - Showing from debug_level 7

(Thu Jul 27 13:19:15 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_create_fwd_msg] (0x0400): --
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 36140
;; UPDATE SECTION:
KWARVM002.TESTDOMAIN.TLD. 3600 IN A 192.168.93.130

(Thu Jul 27 13:19:15 2017) [sssd[be[TESTDOMAIN.TLD]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Thu Jul 27 13:19:15 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158232]: Dynamic DNS update failed

Reason for Fail: No PTR update performed - nsupdate returned non-zero even though Update actually was NOERROR.

==

My Patched Version 1.7: [PASS] - Showing from debug_level 7

(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_create_fwd_msg] (0x0400): --
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49642
;; UPDATE SECTION:
KWARVM002.TESTDOMAIN.TLD. 3600 IN A 192.168.93.130

(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]

(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_create_ptr_msg] (0x0400): --
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13681
;; UPDATE SECTION:
130.93.168.192.in-addr.arpa. 3600 IN PTR KWARVM002.TESTDOMAIN.TLD.

(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158232]: Dynamic DNS update failed

Reason for Pass: PTR performed even though previous update was marked as failed (NOERROR).
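The check made by eye in the verification above, as an added example that is not part of the bug report or of sssd: parse the sssd debug output, record each forward and PTR update attempt with its nsupdate reply RCODE and child exit status, and then decide whether a PTR update followed the forward one and whether the PTR record points back at the A record's owner name. The sample lines are the ones quoted in this comment; the `UpdateAttempt` type and the function names are assumptions for this example.

```python
"""Parse sssd dynamic-DNS debug output (debug_level 7) and verify the PTR
update. Added example; the type and function names are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADER = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$")
REPLY_STATUS = re.compile(r"status:\s*(?P<status>[A-Z]+)")
RR_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>A|AAAA|PTR)\s+(?P<rdata>\S+)$")
CHILD_STATUS = re.compile(r"status \[(?P<status>\d+)\]")
MSG_FUNCS = {"be_nsupdate_create_fwd_msg": "fwd", "be_nsupdate_create_ptr_msg": "ptr"}
CHILD_FUNCS = {"nsupdate_child_handler", "child_sig_handler"}


@dataclass
class UpdateAttempt:
    kind: str                                   # "fwd" or "ptr"
    reply_status: Optional[str] = None          # RCODE printed by nsupdate
    records: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, type, rdata)
    child_status: Optional[int] = None          # wait status from the child handler


def parse_log(text: str) -> List[UpdateAttempt]:
    """Group the log into update attempts; reply lines have no sssd prefix."""
    attempts: List[UpdateAttempt] = []
    current: Optional[UpdateAttempt] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            func = m.group("func")
            if func in MSG_FUNCS:
                current = UpdateAttempt(MSG_FUNCS[func])
                attempts.append(current)
            elif func in CHILD_FUNCS and current is not None and current.child_status is None:
                cs = CHILD_STATUS.search(m.group("msg"))
                if cs:
                    current.child_status = int(cs.group("status"))
            continue
        if current is None:
            continue
        s = REPLY_STATUS.search(line)
        if s:
            current.reply_status = s.group("status")
        rr = RR_LINE.match(line.strip())
        if rr:
            current.records.append((rr.group("name"), rr.group("type"), rr.group("rdata")))
    return attempts


def reverse_name(address: str) -> str:
    """Owner name the PTR record must have for this address (trailing dot as in the log)."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def verdict(attempts: List[UpdateAttempt]) -> Tuple[str, List[str]]:
    """PASS if a PTR update follows the forward update; also report the
    exit-code/RCODE mismatch and any PTR that does not match the A record."""
    fwd = [a for a in attempts if a.kind == "fwd"]
    ptr = [a for a in attempts if a.kind == "ptr"]
    notes = []
    for a in fwd:
        if a.child_status not in (None, 0) and a.reply_status == "NOERROR":
            notes.append("forward update: nsupdate exited non-zero although the server replied NOERROR")
    ptr_pairs = {(n, r) for a in ptr for n, t, r in a.records if t == "PTR"}
    for a in fwd:
        for host, typ, addr in a.records:
            if typ in ("A", "AAAA") and ptr_pairs and (reverse_name(addr), host) not in ptr_pairs:
                notes.append(f"PTR for {addr} does not point back to {host}")
    if not ptr:
        return "FAIL", notes + ["no PTR update attempted after the forward update"]
    return "PASS", notes


# Sample input: the debug lines quoted in the verification comment above.
UNPATCHED_LOG = """\
(Thu Jul 27 13:19:15 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_create_fwd_msg] (0x0400): --
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 36140
;; UPDATE SECTION:
KWARVM002.TESTDOMAIN.TLD. 3600 IN A 192.168.93.130

(Thu Jul 27 13:19:15 2017) [sssd[be[TESTDOMAIN.TLD]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Thu Jul 27 13:19:15 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158232]: Dynamic DNS update failed
"""
PATCHED_LOG = """\
(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_create_fwd_msg] (0x0400): --
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49642
;; UPDATE SECTION:
KWARVM002.TESTDOMAIN.TLD. 3600 IN A 192.168.93.130

(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_create_ptr_msg] (0x0400): --
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13681
;; UPDATE SECTION:
130.93.168.192.in-addr.arpa. 3600 IN PTR KWARVM002.TESTDOMAIN.TLD.

(Thu Jul 27 13:06:58 2017) [sssd[be[TESTDOMAIN.TLD]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
"""

if __name__ == "__main__":
    for label, log in (("unpatched", UNPATCHED_LOG), ("patched", PATCHED_LOG)):
        print(label, *verdict(parse_log(log)))
```

Running it against a host's own `sssd_<domain>.log` gives the same PASS/FAIL the comment records by hand, and the mismatch note makes the root cause visible: the server's RCODE is NOERROR in every reply, so the non-zero child status alone is not evidence that the forward update was rejected.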

Keith Ward (kward) on 2017-08-01
Changed in sssd (Ubuntu):
assignee: Keith Ward (kward) → nobody
Changed in sssd (Ubuntu Xenial):
status: New → Incomplete
status: Incomplete → In Progress
Changed in sssd (Ubuntu):
status: In Progress → Fix Released
tags: removed: yakkety
Łukasz Zemczak (sil2100) wrote :

Uploaded to the xenial UNAPPROVED queue. This will appear in -proposed as soon as it gets reviewed by an SRU member. Thanks!

Hello Keith, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in sssd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Keith Ward (kward) wrote :

Tested sssd-1.13.4-1ubuntu1.8
Result: PASS - PTR update is attempted after response from previous A record update returned non-zero and PTR is created in AD.
---
(Wed Sep 27 07:03:21 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 22909
(Wed Sep 27 07:03:21 2017) [sssd[be[TESTDOMAIN.TLD]]] [child_sig_handler] (0x0020): child [8280] failed with status [2].
--
(Wed Sep 27 07:03:21 2017) [sssd[be[TESTDOMAIN.TLD]]] [be_nsupdate_create_ptr_msg] (0x0400): -- Begin nsupdate message --
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 27361
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1

tags: added: verification-done-xenial
removed: verification-needed-xenial
tags: added: verification
removed: verification-needed xenial
tags: added: verification-needed xenial
removed: verification

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.8

---------------
sssd (1.13.4-1ubuntu1.8) xenial; urgency=medium

  * d/p/attempt_ptr_update_on_nonzero_return.diff: Continue to send the PTR
    record update in situations where the nsupdate child forward zone updates
    are successful but nsupdate returns non-zero. (LP: #1706284)

 -- Keith Ward <email address hidden> Tue, 25 Jul 2017 11:16:18 +0100

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released