06 Nov: Active Directory, Dynamic DNS and Linux Clients
In mixed environments, it's common for Linux clients to use Active Directory for authentication and user lookup. There are a number of ways to do this, but these days sssd with its AD provider is usually the easiest option. This post however isn't specifically about joining a Linux client to your AD domain, but about how DNS is often handled. Many Windows environments use dynamic DNS (RFC 2136) to allow clients to register their own DNS forward and reverse lookups (A and PTR records). In a Windows DNS server, the options for this are:
- Do not allow dynamic updates (disables this feature entirely)
- Allow both nonsecure and secure dynamic updates (enabled, but there's no authentication that the client is trusted)
- Allow only secure dynamic updates (enabled, and clients are required to authenticate themselves using TSIG)
Both Windows and sssd-ad Linux clients are automatically configured to participate in dynamic DNS transparently, and both can operate with any of the above options. For Linux clients, the method for joining (Samba for older distros, adcli for newer) does the initial registration. When joining you'll see an error printed if dynamic DNS updates aren't enabled on the server side. You can just ignore this if you know this is expected, or you can disable updates, for example in Samba:
allow dns updates = disabled
You might also want to ensure that when registering the address, only the main interface for the server is added to DNS:
interfaces = eth0
bind interfaces only = yes
In this situation, Samba is only being used to join the domain. Once joined, sssd is responsible for maintaining the dynamic DNS entry, for example if the IP or hostname changes. sssd also refreshes the record to update its "record time stamp" every 24 hours by default in case "scavenging" is enabled on the DNS server, meaning that records that haven't been updated within a defined time get removed. Of course if you don't want sssd to do dynamic DNS updates, you can disable it with:
dyndns_update = False
Everything should work without any special configuration, but some other options are available (see sssd-ad(5)):
- dyndns_ttl: TTL for records that get added (3600 secs by default)
- dyndns_iface: Only add addresses on these interface(s) (defaults to the interface behind the IP used to connect to AD LDAP)
- dyndns_refresh_interval: Time between refreshes (86400 secs by default, should be less than the scavenging interval)
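As an added example (not part of the original post, nor sssd's own tooling), here is a small Python checker for the sssd options above: it reads a [domain/...] section, fills in the sssd-ad(5) defaults, and compares dyndns_refresh_interval against the DNS server's scavenging window (assumed to be passed in as no-refresh plus refresh interval in seconds). The sssd.conf fragment is constructed.

```python
import configparser
import io

# Defaults from sssd-ad(5) for the options the post lists.
DEFAULTS = {"dyndns_update": "true", "dyndns_ttl": "3600",
            "dyndns_refresh_interval": "86400"}

# Constructed sssd.conf fragment (not a real deployment).
SAMPLE_SSSD_CONF = """
[sssd]
domains = example.internal
services = nss, pam

[domain/example.internal]
id_provider = ad
dyndns_update = True
dyndns_iface = eth0
dyndns_refresh_interval = 86400
"""


def check_dyndns(conf_text, scavenging_window_secs):
    """Return (domain, finding) tuples for every [domain/...] section.

    scavenging_window_secs is assumed to be the server's no-refresh plus
    refresh interval: a record not refreshed within it becomes eligible
    for removal when scavenging runs.
    """
    cp = configparser.ConfigParser()
    cp.read_file(io.StringIO(conf_text))

    def opt(section, key):
        return cp.get(section, key, fallback=DEFAULTS.get(key))

    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        update = opt(section, "dyndns_update").strip().lower()
        if update not in ("true", "false"):
            findings.append((domain, "dyndns_update must be True or False, got %r" % update))
            continue
        if update == "false":
            findings.append((domain, "dynamic DNS disabled: A/PTR records must be maintained some other way"))
            continue
        refresh = int(opt(section, "dyndns_refresh_interval"))
        if refresh >= scavenging_window_secs:
            findings.append((domain, "dyndns_refresh_interval %ds is not below the scavenging window (%ds)"
                             % (refresh, scavenging_window_secs)))
        if opt(section, "dyndns_iface") is None:
            findings.append((domain, "dyndns_iface unset: sssd registers the interface used to reach AD LDAP"))
    return findings
```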