Hi,

Thanks to dyndns_update=True parameter, SSSD service on client machine updating host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP adress on network interface.
I have problem with machines which have more that one IP address on network interface: if machine have two IP address, SSSD update host DNS entry with these two IP address.

To reproduce the problem:
Host have -IP1- and i add -IP2-
ip addr add -IP2-/26 dev em1

ip addr list:
em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
link/ether xxxx
inet -IP1-/26 brd XXXX scope global em1
inet -IP2-/26 scope global secondary em1
valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting sssd returns -IP1- & -IP2-

In dyndns_update manpage, we have "The IP address of the IPA LDAP connection is used for the updates", what does it means? Is it IP address of the DNS server (used to update the DNS entry)? or is it IP address on client machine used during LDAP TCP bind (-IP1- in my case)?

dyndns_update (boolean)
Optional. This option tells SSSD to automatically update the DNS server built into FreeIPA v2 with the IP address of this client.
The update is secured using GSS-TSIG. The IP address of the IPA LDAP connection is used for the updates, if it is not otherwise
specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD add in host DNS entry every IPs enabled on client machine?
Is it possible to configure SSSD to update DNS with only IP address "primary" in ip addr list or which is used to FreeIPA server communication (-IP1- used on TCP binding)?

My environment is:
Client: Centos 7.2
sssd-common-1.13.0-40.el7_2.12.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
sssd-1.13.0-40.el7_2.12.x86_64
sssd-client-1.13.0-40.el7_2.12.x86_64
FreeIPA server: Centos 6.7
ipa-server-3.0.0-47.el6.centos.2.x86_64
bind-9.8.2-0.30.rc1.el6_6.3.x86_64
bind-utils-9.8.2-0.37.rc1.el6_7.7.x86_64
bind-libs-9.8.2-0.37.rc1.el6_7.7.x86_64
rpcbind-0.2.0-11.el6_7.x86_64
bind-libs-9.8.2-0.30.rc1.el6_6.3.x86_64
rpcbind-0.2.0-11.el6.x86_64
bind-dyndb-ldap-2.3-8.el6.x86_64
bind-9.8.2-0.37.rc1.el6_7.7.x86_64


SSSD configuration on client:
[domain/<DOMAIN>]

debug_level=18
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = <DOMAIN>
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ds01.<SUBDOMAIN1>, ds01.<SUBDOMAIN2>
dns_discovery_domain = <DOMAIN>


Named FreeIPA logs:
-------------------
Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#36331: updating zone '<DNS ZONE>/IN': deleting rrset at '<hostname><DNS ZONE>' A
Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: update_record (psearch) failed, dn 'idnsName=2,idnsname=<DNSZONE>.in-addr.arpa.,cn=dns,dc=yyy,dc=xxx' change type 0x4. Records can be outdated, run `rndc reload`: not found
Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: zone <SUBDOMAIN3>/IN: sending notifies (serial 1490615011)
Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#46187: updating zone '<SUBDOMAIN3>/IN': deleting rrset at '<machine>.<SUBDOMAIN3>' AAAA
Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#54691: updating zone '<SUBDOMAIN3>/IN': adding an RR at '<machine>.<SUBDOMAIN3>' A
Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: client -IP1-#54691: updating zone '<SUBDOMAIN3>/IN': adding an RR at '<machine>.<SUBDOMAIN3>' A
Mar 27 17:03:57 ds01.<SUBDOMAIN2> named[6607]: zone <DNSZONE>.in-addr.arpa/IN: sending notifies (serial 1490627037)
Mar 27 17:04:02 ds01.<SUBDOMAIN2> named[6607]: zone <SUBDOMAIN3>/IN: sending notifies (serial 1490627038)

SSSD trace log on client during sssd restart:
-----------------------
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [ipa_dyndns_update_send] (0x0400): Performing update
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_is_address] (0x4000): [<machine>.<SUBDOMAIN3>] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of '<machine>.<SUBDOMAIN3>' in DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_is_address] (0x4000): [<machine>.<SUBDOMAIN3>] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of '<machine>.<SUBDOMAIN3>' in DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [request_watch_destructor] (0x0400): Deleting request watch
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_dyndns_addrs_diff] (0x1000): Address on localhost only: -IP2-
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [sdap_dyndns_dns_addrs_done] (0x0400): Detected IP addresses change, will perform an update
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [nsupdate_msg_create_common] (0x0200): Creating update message for realm [<DOMAIN>].
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
realm <DOMAIN>
update delete <machine>.<SUBDOMAIN3>. in A
send
update delete <machine>.<SUBDOMAIN3>. in AAAA
send
update add <machine>.<SUBDOMAIN3>. 1200 in A -IP2-
update add <machine>.<SUBDOMAIN3>. 1200 in A -IP1-
send
-- End nsupdate message --
..
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [nsupdate_msg_create_common] (0x0200): Creating update message for server [ds01.<SUBDOMAIN2>] and realm [<DOMAIN>].
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
server ds01.<SUBDOMAIN2>
realm <DOMAIN>
update delete <machine>.<SUBDOMAIN3>. in A
send
update delete <machine>.<SUBDOMAIN3>. in AAAA
send
update add <machine>.<SUBDOMAIN3>. 1200 in A -IP2-
update add <machine>.<SUBDOMAIN3>. 1200 in A -IP1-
send
-- End nsupdate message --
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [20631]
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [child_handler_setup] (0x2000): Signal handler set up for pid [20631]
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
(Mon Mar 27 17:03:56 2017) [sssd[be[<DOMAIN>]]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
setup_system()

Thank you for your help!
--
David GOUDET

LYRA NETWORK
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574