Thoughts

06 Nov: Active Directory, Dynamic DNS and Linux Clients

In mixed environments, it's common for Linux clients to use Active Directory for authentication and user lookup. There are a number of ways to do this, but these days sssd with its AD provider is usually the easiest option. This post however isn't specifically about joining a Linux client to your AD domain, but about how DNS is often handled.

Many Windows environments use dynamic DNS (RFC 2136) to allow clients to register their own DNS forward and reverse lookups (A and PTR records). In a Windows DNS server, the options for this are:

Both Windows and sssd-ad Linux clients are automatically configured to participate in dynamic DNS transparently, and both can operate with any of the above options. For Linux clients, the method for joining (Samba for older distros, adcli for newer) does the initial registration. When joining you'll see an error printed if dynamic DNS updates aren't enabled on the server side. You can just ignore this if you know this is expected, or you can disable updates, for example in Samba:
allow dns updates = disabled
You might also want to ensure that when registering addresses, only the main interface of the server is added to DNS:
interfaces = eth0
bind interfaces only = yes
In this situation, Samba is only being used to join the domain. Once joined, sssd is responsible for maintaining the dynamic DNS entry, for example if the IP or hostname changes. sssd also refreshes the record every 24 hours by default to update its "record time stamp", in case "scavenging" is enabled on the DNS server, meaning that records that haven't been updated within a defined time get removed. Of course if you don't want sssd to do dynamic DNS updates, you can disable it with:
dyndns_update = False
Everything should work without any special configuration, but some other options are available (see sssd-ad (5) ):
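As an added example (not from the original post), here is an sssd.conf fragment that keeps dynamic DNS enabled but pins it to the main interface, matching the Samba interface restriction above, and shortens the refresh interval so the record timestamp stays well inside a scavenging window; the domain name, interface name and interval values are assumptions.

```ini
# /etc/sssd/sssd.conf (fragment, constructed example; domain name and values assumed)
[sssd]
domains = example.corp
services = nss, pam

[domain/example.corp]
id_provider = ad
access_provider = ad

# Keep dynamic DNS enabled (the default) so sssd maintains the host's A and PTR
# records after the join has done the initial registration.
dyndns_update = True
# Only register the address of the main interface, mirroring
# "interfaces = eth0" / "bind interfaces only = yes" in smb.conf.
dyndns_iface = eth0
# Also maintain the reverse (PTR) record; set to False if the reverse zone
# does not accept updates and you want to silence the resulting errors.
dyndns_update_ptr = True
# Re-register every 12 hours (43200 s) instead of the 24-hour default so the
# record timestamp is refreshed well inside the zone's scavenging interval.
dyndns_refresh_interval = 43200
# TTL, in seconds, for the records sssd registers.
dyndns_ttl = 3600
```

After restarting sssd, rejected updates show up in the domain log under /var/log/sssd/, which is where to look if the DNS server refuses the update.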
© 2017