1

When (re-)joining an EL7 system to the AD domain, something somewhere issues a dynamic DNS update for $FQDN. How can I suppress that?

The sssd.conf itself is pre-populated with

    [domain/ad.example.com]
    dyndns_update = false
    dyndns_iface = eno1, eth0, otherpossibleprimarynicnames

I do not suffer from wanton dynamic DNS updates during regular operations. But when re-joining the AD domain, all the Ethernet cards' IP addresses magically show up in DNS, which then causes havoc.

On EL6, I use net ads join, which has a nice option, --no-dns-updates, but I see no equivalent option for the realm command.

If no options come up, I might just fall back to net ads join on EL7 and discard the "new and improved" realmd.

bgStack15
  • 1,221

2 Answers

0

Years (and probably multiple versions) later, I've encountered the same issue. But using dyndns_update = false actually worked for me. That said, I may know what went wrong for the original poster. I've found that sssd is very picky about edits to sssd.conf, and when you join a realm, it often uses that realm's defaults instead of what you've indicated. So instead of editing sssd.conf, you need to create an override file in /etc/sssd/conf.d/01-mydomain.conf.

The file must have the same ownership and permissions as sssd.conf (usually root:root 600) or it will be quietly ignored. The file in question would look something like the section you put above, but simply this:

    [domain/ad.example.com]
    dyndns_update = false

To do it cleanly, the best bet is to leave the realm (assuming you've joined it), remove /etc/sssd/sssd.conf completely (back it up, of course), create the override files in /etc/sssd/conf.d, ensure they have the correct ownership and permissions, and re-join the realm.

I have other overrides, some system-wide in 00-sssd.conf and some domain-specific in 01-mydomain.conf -- sssd reads and applies these in sort order.

It's important to note that the newly generated sssd.conf will NOT include these overrides. You have to know to look for them in conf.d; it's not the most user-friendly setup, but it seems to work well once you get it sorted.
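
A check for the two failure modes this answer describes (a drop-in quietly ignored because of its mode or owner, and a later file overriding an earlier one in sort order), as an added example that is not part of the original answer or of sssd. The function name `effective_dyndns` is hypothetical; it assumes GNU stat and that a usable drop-in is exactly mode 600 and owned by the expected UID (root by default), as the answer states.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes GNU stat (as on EL7)
# and the answer's layout: drop-ins in /etc/sssd/conf.d, root-owned, mode 600.

# effective_dyndns DIR DOMAIN [UID]
# Prints the dyndns_update value that survives for [domain/DOMAIN] after
# reading DIR/*.conf in sort order, skipping files that would be ignored.
# Prints "unset" if no usable drop-in sets it. Skipped files go to stderr.
effective_dyndns() {
    dir=$1 domain=$2 want_uid=${3:-0}
    value=unset
    for f in "$dir"/*.conf; do            # the glob expands in sorted order
        [ -f "$f" ] || continue
        set -- $(stat -c '%a %u' "$f")    # $1 = octal mode, $2 = owner uid
        if [ "$1" != 600 ] || [ "$2" != "$want_uid" ]; then
            echo "SKIPPED (mode $1, uid $2): $f" >&2
            continue
        fi
        # Take the last dyndns_update assignment inside the wanted section.
        v=$(awk -v sect="[domain/$domain]" '
            /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); insec = ($0 == sect); next }
            insec && /^[ \t]*dyndns_update[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
            }
            END { if (val != "") print val }' "$f")
        if [ -n "$v" ]; then value=$v; fi # a later file overrides an earlier one
    done
    echo "$value"
}
```

Run as root before re-joining, for example as effective_dyndns /etc/sssd/conf.d ad.example.com; anything other than "false" means the join will not see the override.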

0

I was simply unable to suppress the dynamic DNS update action of realm. I reverted to using net ads join.

bgStack15
  • 1,221