SSSD no longer registering DNS entries

Posted: 2021/03/22 09:22:49
by Doc Dish
We are primarily a Windows shop that uses CentOS 8 as our go-to Linux distro. We deploy from a VMware template and run a commissioning script that adds the newly deployed VM to our Active Directory Domain. I recently updated the template and found that VMs deployed from it are no longer able to register their names in DNS. One of the updates was to SSSD from v2.2.3 to v2.3.0.

Turning SSSD debug logging up to 9 gives the following errors:

tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.
(2021-03-16 14:10:01): [be[domain]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-03-16 14:10:01): [be[domain]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-03-16 14:10:01): [be[domain]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
(2021-03-16 14:10:01): [be[domain]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2021-03-16 14:10:01): [be[domain]] [be_ptask_done] (0x0040): Task [Dyndns update]: failed with [1432158240]: Dynamic DNS update failed

There are no obvious errors in krb5_child.log and the newly deployed VM can authenticate against the Domain and a Computer object is created for it. The only thing that seems not to work is the dynamic DNS registration.

We are setting ad_hostname to the FQDN of the VM in sssd.conf and the VMs are configured with static IP addresses. VMs deployed from the previous version of the template (with SSSD v2.2.3) can still register DNS entries, but as soon as they are updated to SSSD v2.3.0 they start to fail.

Can anyone please suggest a workaround or resolution? I am assuming that this is related to the SSSD update, but cannot find any helpful information on the Web.

Many thanks, Doc.

Re: SSSD no longer registering DNS entries

Posted: 2021/03/25 19:32:13
by tomkep
I suspect this is caused by removal of RC4 encryption from default crypto policy in RHEL/CentOS 8.

Try to issue:

update-crypto-policies --set DEFAULT:AD-SUPPORT

as root to enable RC4 ciphers, reboot and check if it helped.
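
A small diagnostic script to go with this answer (added here; it is not tomkep's code nor part of SSSD or crypto-policies): it looks for the TKEY/enctype failure signature quoted in the question in an SSSD domain log and reports whether the active crypto policy already carries the AD-SUPPORT subpolicy. It assumes the policy name is stored in /etc/crypto-policies/state/current, the state file update-crypto-policies maintains on RHEL/CentOS 8.

```shell
#!/usr/bin/env sh
# Added diagnostic helper, not code from the thread: spot the GSS-TSIG
# failure signature quoted above in an SSSD domain log and report whether
# the system-wide crypto policy already carries the AD-SUPPORT subpolicy.

# Returns 0 when the log holds both the KDC enctype error from the TKEY
# query and the resulting "Dynamic DNS child failed" line.
sssd_dyndns_enctype_failure() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    grep -q 'KDC has no support for encryption type' "$log" &&
        grep -q 'Dynamic DNS child failed' "$log"
}

# Prints the active policy name. Assumption: /etc/crypto-policies/state/current
# is the state file update-crypto-policies maintains on RHEL/CentOS 8.
current_crypto_policy() {
    state="${1:-/etc/crypto-policies/state/current}"
    if [ -r "$state" ]; then tr -d '[:space:]' < "$state"; else echo UNKNOWN; fi
}

# Returns 0 when the policy string includes the AD-SUPPORT subpolicy.
policy_has_ad_support() {
    case "$1" in *AD-SUPPORT*) return 0 ;; *) return 1 ;; esac
}

# Runs the check against a log file and a policy state file and prints a verdict.
report() {
    if sssd_dyndns_enctype_failure "$1"; then
        pol=$(current_crypto_policy "$2")
        if policy_has_ad_support "$pol"; then
            echo "enctype failure in log, policy '$pol' already has AD-SUPPORT"
        else
            echo "enctype failure in log, policy '$pol' lacks AD-SUPPORT (see fix above)"
        fi
    else
        echo "no enctype failure in $1"
    fi
}

# Constructed sample log reproducing two of the lines from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.
(2021-03-16 14:10:01): [be[domain]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
EOF
report "$sample"
rm -f "$sample"
```

To check a real host, call `report` with the domain log from /var/log/sssd/ and omit the second argument so the live policy state is read. Keep in mind that AD-SUPPORT turns RC4 back on system-wide, so a match only confirms the workaround is in place.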

Re: SSSD no longer registering DNS entries

Posted: 2021/03/29 07:42:25
by Doc Dish
That seems to do the trick, thank you!

Is this likely to cause us any issues long term, or can I just add that to our build and carry on as before?

Many, many thanks!