From Fedora Project Wiki
Description
This test case verifies an Active Directory client is able to update its DNS record.
Setup
- Verify that your Active Directory domain access works. If you don't have an Active Directory domain, you can set one up.
- Run through the test case to join the domain.
- Make sure that your Active Directory Server manages the DNS domain of your client
- In the DNS manager, make sure that the DNS zone of your client is present in the "Forward Lookup Zones" subtreee
- For example, if your client was configured with a host name
client.example.com
, then you'd be looking for a zone calledexample.com
in the DNS manager
- Make sure DNS updates are enabled on the zone
- Right-click the zone and select the "Properties->General" tab
- There is a combo-box labeled "Dynamic updates". Toggle it to "Secure only".
- Click "Apply"
How to test
- Configure the Active Directory provider of SSSD to perform dynamic DNS updates. Open the
/etc/sssd/sssd.conf
file and put the following into the[domain/$DOMNAME]
section:dyndns_update = True
- Save the
sssd.conf
and restart the SSSD:$ sudo service sssd restart
- Clear caches and retrieve user information to make sure the SSSD connects to the remote server.
$ sudo sss_cache --users
getent passwd 'DOMAIN\user'
Expected Results
- Look into the "DNS Manager" MMC concole on the AD server. The record of your client machine should have been "refreshed" and you should see a "timestamp" value with the date and time of when you connected to the AD
- Make sure to refresh the "DNS Manager" MMC
- Change the IP address of the client by assigning some unused address manually
- Restart the SSSD to make sure its online status is reset.
- Log in as an AD user to make sure the SSSD connects to the remote server.
- To work around the login bug, you can also request a user that does not exist on the AD
getent passwd ADSERVER\\nosuchser
- Look into the "DNS Manager" MMC concole on the AD server. The record of your client machine should have been updated with the address you changed the client's IP address to. The reverse zone (if present) should be updated, too.
- The timestamp of a dynamically added record will be updated, but rounded down to the nearest hour by AD automatically.
Cleanup after the test
- Don't forget to restore the IP address to the original value after completing the test
Troubleshooting
- Make sure the Active Directory server is reachable and the SSSD can connect to the AD
- A good way to make sure is to log in as a domain user while
cached_credentials
is set to False
- A good way to make sure is to log in as a domain user while
- Check if the client contains the IP address of the AD server in
/etc/resolv.conf
- Raise the SSSD debugging
- put
debug_level=8
into the[domain]
section of thesssd.conf
and restart the SSSD - inspect the SSSD logs, search for nsupdate. Make sure there is a nsupdate message that contains the name of your client machine and its current IP address
- put