<div dir="ltr"><div># python -c 'from dns import resolver; a = resolver.query("0.0.10.in-addr.arpa.", "SOA", "IN"); print a.rrset.name'</div><div>0.0.10.in-addr.arpa.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 27, 2016 at 1:09 PM, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<p><br>
</p>
<br>
<div class="m_9003651829905981507moz-cite-prefix">On 27.12.2016 13:04, Maciej Drobniuch
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>$ dig 0.0.10.in-addr.arpa</div>
<div><br>
</div>
<div>; <<>> DiG 9.10.3-P4-Ubuntu <<>>
0.0.10.in-addr.arpa</div>
<div>;; global options: +cmd</div>
<div>;; Got answer:</div>
<div>;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 14232</div>
<div>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1,
ADDITIONAL: 1</div>
<div><br>
</div>
<div>;; OPT PSEUDOSECTION:</div>
<div>; EDNS: version: 0, flags:; udp: 4096</div>
<div>;; QUESTION SECTION:</div>
<div>;0.0.10.in-addr.arpa.<span class="m_9003651829905981507gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>IN<span class="m_9003651829905981507gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>A</div>
<div><br>
</div>
<div>;; AUTHORITY SECTION:</div>
<div>0.0.10.in-addr.arpa.<span class="m_9003651829905981507gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>3600<span class="m_9003651829905981507gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>IN<span class="m_9003651829905981507gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>SOA<span class="m_9003651829905981507gmail-Apple-tab-span" style="white-space:pre-wrap"> </span><a href="http://freeipa1.cs.int" target="_blank">freeipa1.cs.int</a>.
<a href="http://hostmaster.cs.int" target="_blank">hostmaster.cs.int</a>.
1482653944 3600 900 1209600 3600</div>
<div><br>
</div>
<div>;; Query time: 197 msec</div>
<div>;; SERVER: 10.0.0.200#53(10.0.0.200)</div>
<div>;; WHEN: Tue Dec 27 13:02:24 CET 2016</div>
<div>;; MSG SIZE rcvd: 111</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
</div>
</blockquote></span>
          Hmm, this query doesn't contain an ANSWER section; that may be the reason
    why python-dns failed.<br>
    <br>
    Could you check with:<br>
<br>
    python -c 'from dns import resolver; a =
    resolver.query("0.0.10.in-addr.arpa.", "SOA", "IN"); print
    a.rrset.name'<div><div class="h5"><br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">On Tue, Dec 27, 2016 at 12:24 PM,
Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
<p><br>
</p>
<br>
<div class="m_9003651829905981507m_3619922476149010457moz-cite-prefix">On
27.12.2016 12:07, Maciej Drobniuch wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Martin!
<div><br>
</div>
<div>Thank you for your time!<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec 22, 2016 at
1:41 PM, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="m_9003651829905981507m_3619922476149010457gmail-">
<p><br>
</p>
<br>
<div class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745moz-cite-prefix">On
22.12.2016 10:57, Maciej Drobniuch
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Martin
<div><br>
</div>
<div>Appreciate your help!<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu,
Dec 22, 2016 at 10:48 AM,
Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-">
<p><br>
</p>
<br>
<div class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-m_2550165744306535538moz-cite-prefix">On
22.12.2016 09:37,
Maciej Drobniuch
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi
Martin
<div><br>
</div>
<div>Thank you for
reply. </div>
<div><br>
</div>
<div>1. The dig is
returning proper
PTR record. I've
added it manually
to the zone and
it's working.</div>
</div>
</blockquote>
<br>
                                                </span> I was asking for
                                              the SOA and zone name. IMO
                                              there is nothing secret
                                              about a reverse zone name
                                              from private address space.<br>
                                              <br>
                                              What does this command return
                                              on the server?<br>
                                              python -c 'import netaddr;
                                              from dns import resolver;
                                              ip =
                                              netaddr.IPAddress("10.0.0.165");
                                              revn = ip.reverse_dns;
                                              print revn; print
                                              resolver.zone_for_name(revn)'<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-"><br>
<br>
<br>
</span></div>
</blockquote>
                                          <div># python -c 'import
                                            netaddr; from dns import
                                            resolver; ip =
                                            netaddr.IPAddress("10.0.0.165");
                                            revn = ip.reverse_dns; print
                                            revn; print
                                            resolver.zone_for_name(revn)'</div>
<div>165.0.0.10.in-addr.arpa.</div>
<div>in-addr.arpa.</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
                                </span> It looks like python-dns failed to
                              find the proper zone. What is supposed to be
                              the authoritative zone for that record in your
                              system?<br>
                              How do your reverse zones look?<br>
</div>
</blockquote>
<div>I have the reverse zone added.</div>
<div>0.0.10.in-addr.arpa. </div>
<div><br>
</div>
                          <div>Do you maybe know how python/ipa
                            determines what the DNS server for the
                            internal zone is? </div>
                          <div>As far as I understood, this is not an "access
                            rights issue". It's a DNS PTR resolution
                            problem with Python (IPA is using Python)?</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
                </span> It doesn't care about the resolver. python-dns
              checks SOA records: it removes labels from the left and
              tries to find the best matching zone.<br>
              <br>
              What does dig 0.0.10.in-addr.arpa. SOA return?
<div>
<div class="m_9003651829905981507h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"> <br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote"><span class="m_9003651829905981507m_3619922476149010457gmail-">
<div> </div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-">
<blockquote type="cite">
<div dir="ltr">
<div>2. The
problem exists
while adding
host entries or
A records with
"create reverse"
option.</div>
</div>
</blockquote>
</span> That's why I
asked to run dig, the
code uses DNS system to
determine zone.<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
                                                      <div>3. If I
                                                        bind a host with
ipa-client-install, the PTR record gets created in the reverse zone and
                                                        it works</div>
</div>
</blockquote>
</span> Ok</div>
</blockquote>
<div>Manually creating the
PTR record works fine as
well. </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>4. The
resolv.conf file
has only the IPA
server IP
                                                        address/localhost
added.</div>
</div>
</blockquote>
<br>
</span> Have you changed
it recently?</div>
</blockquote>
<div>Yes, it pointed to
outside 8.8.8.8, so the OS
did not see the local
reverse zone.</div>
<div>Now it's pointing to
localhost. And I get dig
the PTRs. (I've manually
created the ptr)</div>
<div><br>
</div>
</span>
<div><span class="m_9003651829905981507m_3619922476149010457gmail-">
<div># dig -x 10.0.0.165</div>
<div><br>
</div>
<div>; <<>>
DiG
9.9.4-RedHat-9.9.4-38.el7_3
<<>> -x
10.0.0.165</div>
<div>;; global options:
+cmd</div>
<div>;; Got answer:</div>
<div>;;
->>HEADER<<-
opcode: QUERY, status:
NOERROR, id: 35592</div>
<div>;; flags: qr aa rd
ra; QUERY: 1, ANSWER: 1,
AUTHORITY: 1,
ADDITIONAL: 2</div>
<div><br>
</div>
<div>;; OPT PSEUDOSECTION:</div>
</span>
                                            <div>; EDNS: version: 0,
                                              flags:; udp: 4096</div>
<span class="m_9003651829905981507m_3619922476149010457gmail-">
<div>;; QUESTION SECTION:</div>
<div>;165.0.0.10.in-addr.arpa.<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>IN<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>PTR</div>
<div><br>
</div>
<div>;; ANSWER SECTION:</div>
<div>165.0.0.10.in-addr.arpa.
1200<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>IN<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>PTR<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span><a href="http://prdfrmprb01.cs.int" target="_blank">prdfrmprb01.cs.int</a>.</div>
<div><br>
</div>
<div>;; AUTHORITY SECTION:</div>
<div>1.0.10.in-addr.arpa.<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>86400<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>IN<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>NS<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span><a href="http://freeipa1.cs.int" target="_blank">freeipa1.cs.int</a>.</div>
<div><br>
</div>
</span></div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
This authority section looks suspicious,
I would expect something like
0.0.10.in-addr.arpa.<br>
<br>
Back to question about your reverse
zones.</div>
</blockquote>
                          <div>I've intentionally hidden our internal IP
                            space, sorry. Good catch, my finger has
                            slipped :). <br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
So is the 0.0.10.in-addr.arpa. an authoritative zone? Or
what dig returned in authority section.
<div>
<div class="m_9003651829905981507h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<div>
<div class="m_9003651829905981507m_3619922476149010457gmail-h5"><br>
<br>
<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"></span>
<blockquote type="cite">
<div dir="ltr">
<div>
<div class="gmail_extra">
<div class="gmail_quote">
<div>
<div>;; ADDITIONAL
SECTION:</div>
<div><a href="http://freeipa1.cs.int" target="_blank">freeipa1.cs.int</a>.<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>1200<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>IN<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>A<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>10.0.0.200</div>
<div><br>
</div>
<div>;; Query time: 3
msec</div>
<div>;; SERVER:
127.0.0.1#53(127.0.0.1)</div>
<div>;; WHEN: czw gru 22
04:51:23 EST 2016</div>
<div>;; MSG SIZE rcvd:
124</div>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-HOEnZb"><font color="#888888"><br>
<br>
Martin</font></span>
<div>
<div class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Cheers!</div>
<div>M.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Wed, Dec 21,
2016 at 5:43
PM, Martin
Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hello all
:)<br>
</p>
<span> <br>
<div class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-m_2550165744306535538m_-8076435932888776012moz-cite-prefix">On
20.12.2016
01:33, Maciej
Drobniuch
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><span>Hi
All!</span></div>
<div><span><br>
</span></div>
<div><span>I
get the
following
message while
adding a new
hostname. </span></div>
<span>
<div><span><br>
</span></div>
"The host was
added but the
DNS update
failed with:
DNS reverse
zone
in-addr.arpa.
for IP address
10.0.0.165 is
not managed by
this server"</span><br clear="all">
</div>
</blockquote>
<br>
                                                          </span> IPA
                                                          failed to get
                                                          the correct
                                                          reverse zone.
                                                          Can you try
                                                          dig -x
                                                          10.0.0.165?
                                                          What will be
                                                          in the SOA answer?<br>
<br>
What is the
name of
reverse zone
you have on
IPA DNS
server?<span class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-m_2550165744306535538HOEnZb"><font color="#888888"><br>
<br>
<br>
Martin</font></span><span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>The
reverse zone
is configured
and working. </div>
<div>When I am
manually
adding the PTR
record to the
reverse zone -
all OK</div>
<div><br>
</div>
<div>While
adding a new
host, the A
record is
being created
but the PTR
fails with the
message above.</div>
<div><br>
</div>
<div>Reinstalling
centos+IPA
worked once
but I had to
reinstall
again because
of problems
with
kerberos(probably
dependencies).</div>
<div><br>
</div>
<div>Not sure
what is the
root cause of
the issue.</div>
<div><br>
</div>
<div>VERSION:
4.4.0,
API_VERSION:
2.213<br>
</div>
<div><br>
</div>
<div>CENTOS7
Linux freeipa1
3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64
x86_64
GNU/Linux<br>
</div>
<div><br>
</div>
<div>Any help
appreciated!</div>
-- <br>
<div class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-m_2550165744306535538m_-8076435932888776012gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">Best
regards</div>
<div dir="ltr"><br>
<div><span style="font-size:12.8px">Maciej
Drobniuch</span></div>
<div>Network
Security
Engineer</div>
<div>Collective-sense
LLC</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-m_2550165744306535538m_-8076435932888776012mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail-m_2550165744306535538gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">Best
regards</div>
<div dir="ltr"><br>
<div><span style="font-size:12.8px">Maciej
Drobniuch</span></div>
<div>Network
Security
Engineer</div>
<div>Collective-sense
LLC</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_9003651829905981507m_3619922476149010457gmail-m_7579420892651053745gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Best
regards</div>
<div dir="ltr"><br>
<div><span style="font-size:12.8px">Maciej
Drobniuch</span></div>
<div>Network
Security
Engineer</div>
<div>
<div style="font-size:12.8px">2410
Camino Ramon,
Suite 129</div>
<div style="font-size:12.8px">San
Ramon, CA
94583</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
Happy new year!<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_9003651829905981507m_3619922476149010457gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Best regards</div>
<div dir="ltr"><br>
<div><span style="font-size:12.8px">Maciej
Drobniuch</span></div>
<div>Network Security Engineer</div>
<div>
<div style="font-size:small">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<div style="font-size:12.8px">Collective-Sense,LLC</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_9003651829905981507gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Best regards</div>
<div dir="ltr"><br>
<div><span style="font-size:12.8px">Maciej
Drobniuch</span></div>
<div>Network Security Engineer</div>
<div>
<div style="font-size:small">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<div style="font-size:12.8px">Collective-Sense,LLC</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Best regards</div><div dir="ltr"><br><div><span style="font-size:12.8px">Maciej Drobniuch</span></div><div>Network Security Engineer</div><div><div style="font-size:small"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div style="font-size:12.8px">Collective-Sense,LLC</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
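<p>Added example, not part of the original thread and not dnspython or FreeIPA code: a simplified offline model of the zone search described above (strip labels from the left, ask for SOA, take the first exact match). The two resolver views, <code>MANAGED_ZONES</code> and the function names are constructed assumptions chosen to match the outputs quoted in the thread.</p>

```python
import ipaddress


def reverse_name(ip):
    """Return the absolute PTR owner name for an IP address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def zone_for_name(name, soa_owner):
    """Walk from `name` towards the root, dropping the leftmost label on each
    step, and return the first candidate for which the SOA lookup reports an
    SOA owned by exactly that candidate."""
    labels = name.rstrip(".").split(".")
    while labels:
        candidate = ".".join(labels) + "."
        if soa_owner(candidate) == candidate:
            return candidate
        labels = labels[1:]
    return "."  # nothing matched below the root


def resolver_view(apexes):
    """Hypothetical stand-in for a resolver: an SOA query is answered only
    for names that are zone apexes visible through that resolver."""
    return lambda qname: qname if qname in apexes else None


# Constructed views. EXTERNAL_VIEW models a resolver that cannot see the
# internal reverse zone (assumption matching the "in-addr.arpa." result in
# the thread); IPA_VIEW models the IPA server, which hosts it.
EXTERNAL_VIEW = resolver_view({"arpa.", "in-addr.arpa."})
IPA_VIEW = resolver_view({"arpa.", "in-addr.arpa.", "0.0.10.in-addr.arpa."})
MANAGED_ZONES = {"0.0.10.in-addr.arpa."}  # zones this server is master for


def ptr_update_target(ip, soa_owner, managed=MANAGED_ZONES):
    """Return (zone, is_managed): the zone the search settles on and whether
    a PTR record could be added there by this server."""
    zone = zone_for_name(reverse_name(ip), soa_owner)
    return zone, zone in managed


if __name__ == "__main__":
    for label, view in (("external resolver", EXTERNAL_VIEW),
                        ("IPA server", IPA_VIEW)):
        zone, ok = ptr_update_target("10.0.0.165", view)
        status = "managed" if ok else "not managed by this server"
        print("%-17s -> %-22s %s" % (label, zone, status))
```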