[Pkg-sssd-devel] Bug#1018144: sssd-ad: Active Directory dynamic DNS updates broken without bind9-dnsutils installed

Johannes Truschnigg johannes at truschnigg.info
Thu Aug 25 20:57:36 BST 2022


Package: sssd-ad
Version: 2.4.1-2
Severity: normal

Dear Maintainer,

sssd-ad supports dynamically updating DNS resource records on Active
Directory-based authoritative DNS servers after the system has joined their AD
domain. To use this feature, a number of dyndns-specific sssd options have to
be configured in sssd.conf.

I spent close to a day of work finding out what made this mechanism work on
one of our hosts, but not another - the root cause was determined to be that
the host which had this feature working right away had the bind9-dnsutils
package installed, which happens to provide `/usr/bin/nsupdate`.

Even if this executable is not present, sssd will willingly let itself be
configured with AD-based dyndns updates, but cannot actually perform them.

The dyndns update mechanism repeatedly execv()s `nsupdate` if it was found
during initialization at src/providers/be_dyndns.c:1188 as per the source
package of sssd-ad 2.4.1 in bullseye.

I therefore think it's a sound idea to have bind9-dnsutils in either Suggests
or Recommends of the sssd-ad package, as an arguably significant portion of
its functionality depends on it having been installed.

Thanks for your consideration, and the great work on sssd in Debian!
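
Added example, not part of the original report and not sssd's own code: a pre-flight check that flags the situation described above, where AD dyndns updates are configured but the nsupdate helper is absent. It assumes that dyndns_update defaults to true when id_provider = ad (per sssd-ad(5)) and uses the /usr/bin/nsupdate path named in the report; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Assumptions: dyndns_update defaults to true when id_provider = ad (sssd-ad(5));
# nsupdate is looked for at /usr/bin/nsupdate, the path named in the report.

# Constructed sample sssd.conf, not taken from the report.
sample_conf() {
    cat <<'EOF'
[domain/corp.example]
id_provider = ad
[domain/legacy.example]
id_provider = ad
dyndns_update = False
[domain/ldap.example]
id_provider = ldap
EOF
}

# Print each [domain/NAME] with id_provider = ad and dyndns_update not disabled.
dyndns_domains() {
    awk '
        function flush() { if (dom != "" && prov == "ad" && upd != "false") print dom }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            flush(); dom = prov = upd = ""
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            if (sec ~ /^domain\//) dom = substr(sec, 8)
            next
        }
        dom != "" && /=/ {                          # key = value inside a domain
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "id_provider") prov = tolower(val)
            if (key == "dyndns_update") upd = tolower(val)
        }
        END { flush() }
    ' "$1"
}

# Return 1 and warn when updates are configured but the helper is not executable.
check_dyndns() {
    nsupdate=${2:-/usr/bin/nsupdate}
    domains=$(dyndns_domains "$1")
    if [ -z "$domains" ] || [ -x "$nsupdate" ]; then return 0; fi
    for d in $domains; do
        echo "WARN: $d: dyndns updates enabled, but $nsupdate is missing" >&2
    done
    return 1
}
```

On a real host this would be called as `check_dyndns /etc/sssd/sssd.conf`, which needs read access to that file.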


