2017-07-25 08:21:45 |
Keith Ward |
bug |
|
|
added bug |
2017-07-25 08:21:45 |
Keith Ward |
attachment added |
|
Patch from Upstream https://bugs.launchpad.net/bugs/1706284/+attachment/4920917/+files/sssd_update-ptr.patch |
|
2017-07-25 08:21:57 |
Keith Ward |
sssd (Ubuntu): status |
New |
In Progress |
|
2017-07-25 08:22:03 |
Keith Ward |
sssd (Ubuntu): assignee |
|
Keith Ward (keithward) |
|
2017-07-25 12:10:48 |
Keith Ward |
attachment added |
|
Debdiff for Xenial https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1706284/+attachment/4920977/+files/sssd_1.13.4-1ubuntu1.7.debdiff |
|
2017-07-25 16:25:15 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2017-07-27 08:54:14 |
Keith Ward |
description |
sssd in both xenial and yakkety fails to update the PTR record of the current host on an active directory controller if any update for an A/AAA record returns a non-fatal error, this results in missing (and/or) mismatched Reverse DNS.
This has already been fixed in 1.5.1 (which is present in Zesty and above), as failure to update any of the A/AAA should not affect updating the PTR as well, as not all servers in a given AD cluster may accept an A/AAA record update, especially if it would result in no update being made (NOERROR).
See the attached conversation about this issue here: https://pagure.io/SSSD/sssd/issue/3227 for further information.
I'll attach a debdiff against the relevant releases shortly, however for now I've attached the original patch which was used to fix the bug in 1.15.1
### SRU Justification ###
[Impact]
Currently users find that sssd will not update the reverse (PTR) records of a given host if an AD server returns non-fatal error for an A/AAA update.
This causes strange issues to occur where we can end up with hosts with proper functioning forward records but no reverse. I propose we backport the fix from 1.15.1 to both Xenial and Yakkety to resolve the issue so PTR updates get processed (or at least attempted).
The patch attached removes the error check that occurs should the return code of the A/AAA nsupdates be non zero, and instead allows the PTR update to occur before checking for errors.
This is the same patch taken from the fix for 1.15.1
[Test Case]
As per the original bug:
Steps to Reproduce:
1. Setup 'nonsecure and secure' zones
2. Start sssd
Actual results:
A records will get updated but PTR records will fail as sssd does not try to
update them.
Expected results:
Both A and PTR records get updated.
[Regression Potential]
As this patch is already present in a future release it has been fairly well tested already however back-porting the fix will result in sssd attempting PTR updates whether the A/AAA updates succeeds or not.
As per the original bug report where a quick note was made about failed updates; If forward updates fail the result will be inconsistent DNS should the reverse succeed (reverse but no forward), however in that case the admin needs to look into with why the update failed, the code should at least try to record all updates (both A, AAA and PTR) and not just ignore the PTR because the forward update (may or may not have) failed.
There is also the possibility that the patch may not resolve the problem completely however as this patch just moves the error handling before the PTR attempt I can see no reason not to backport the patch to the older version for Xenial/Yakkety. |
sssd in both xenial and yakkety fails to update the PTR record of the current host on an active directory controller if any update for an A/AAA record returns a non-fatal error, this results in missing (and/or) mismatched Reverse DNS.
This has already been fixed in 1.5.1 (which is present in Zesty and above), as failure to update any of the A/AAA should not affect updating the PTR as well, as not all servers in a given AD cluster may accept an A/AAA record update, especially if it would result in no update being made (NOERROR).
See the attached conversation about this issue here: https://pagure.io/SSSD/sssd/issue/3227 for further information.
I'll attach a debdiff against the relevant releases shortly, however for now I've attached the original patch which was used to fix the bug in 1.15.1
### SRU Justification ###
[Impact]
Currently users find that sssd will not update the reverse (PTR) records of a given host if an AD server returns non-fatal error for an A/AAA update.
This causes strange issues to occur where we can end up with hosts with proper functioning forward records but no reverse. I propose we backport the fix from 1.15.1 to both Xenial and Yakkety to resolve the issue so PTR updates get processed (or at least attempted).
The patch attached removes the error check that occurs should the return code of the A/AAA nsupdates be non zero, and instead allows the PTR update to occur before checking for errors.
This is the same patch taken from the fix for 1.15.1
[Test Case]
For the configuration of sssd, a basic configuration of the following should suffice:
[sssd]
services = nss, pam
config_file_version = 2
domains = YOURDOMAIN.TLD
[domain/YOURDOMAIN.TLD]
id_provider=ad
auth_provider=ad
access_provider=ad
chpass_provider=ad
override_homedir=/home/%d/%u
cache_credentials = true
ad_gpo_access_control=permissive
default_shell=/bin/bash
ad_hostname = sssd-hostname.YOURDOMAIN.TLD
In AD change the properties of the Forward zone Dynamic Updates to "Nonsecure and Secure"
Ensure a Reverse Zone is present in the AD DNS MMC.
Remove any existing A/AAAA and PTR records from Active Directory DNS for the SSSD system
Restart SSSD to trigger the nsupdate call
Check the reverse zone in AD for PTR records, they do not get created but the A/AAAA records do.
Expected results:
Both A and PTR records get updated.
[Regression Potential]
As this patch is already present in a future release it has been fairly well tested already however back-porting the fix will result in sssd attempting PTR updates whether the A/AAA updates succeeds or not.
As per the original bug report where a quick note was made about failed updates; If forward updates fail the result will be inconsistent DNS should the reverse succeed (reverse but no forward), however in that case the admin needs to look into with why the update failed, the code should at least try to record all updates (both A, AAA and PTR) and not just ignore the PTR because the forward update (may or may not have) failed.
There is also the possibility that the patch may not resolve the problem completely however as this patch just moves the error handling before the PTR attempt I can see no reason not to backport the patch to the older version for Xenial/Yakkety. |
|
2017-08-01 13:30:01 |
Keith Ward |
sssd (Ubuntu): assignee |
Keith Ward (kward) |
|
|
2017-08-05 11:31:11 |
Keith Ward |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2017-08-30 09:05:34 |
Łukasz Zemczak |
nominated for series |
|
Ubuntu Xenial |
|
2017-08-30 09:05:34 |
Łukasz Zemczak |
bug task added |
|
sssd (Ubuntu Xenial) |
|
2017-08-30 09:23:55 |
Łukasz Zemczak |
sssd (Ubuntu Xenial): status |
New |
Incomplete |
|
2017-08-30 09:23:59 |
Łukasz Zemczak |
sssd (Ubuntu Xenial): status |
Incomplete |
In Progress |
|
2017-08-30 09:24:04 |
Łukasz Zemczak |
sssd (Ubuntu): status |
In Progress |
Fix Released |
|
2017-08-30 09:26:46 |
Łukasz Zemczak |
tags |
patch xenial yakkety |
patch xenial |
|
2017-08-30 09:29:32 |
Łukasz Zemczak |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2017-08-31 19:50:05 |
Brian Murray |
sssd (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2017-08-31 19:50:07 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-08-31 19:50:10 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2017-08-31 19:50:13 |
Brian Murray |
tags |
patch xenial |
patch verification-needed verification-needed-xenial xenial |
|
2017-09-27 14:09:35 |
Keith Ward |
tags |
patch verification-needed verification-needed-xenial xenial |
patch verification-done-xenial verification-needed xenial |
|
2017-09-27 14:11:34 |
Keith Ward |
tags |
patch verification-done-xenial verification-needed xenial |
patch verification verification-done-xenial |
|
2017-09-27 14:13:14 |
Keith Ward |
tags |
patch verification verification-done-xenial |
patch verification-done-xenial verification-needed xenial |
|
2017-09-28 16:46:15 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-09-28 16:56:18 |
Launchpad Janitor |
sssd (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|