<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p><br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 27.12.2016 12:07, Maciej Drobniuch
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAL0Muf+=6G0X8TMemboJ6ZR7CTigFRxu9WLgo8WWHiVk2YGYRg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Martin!
        <div><br>
        </div>
        <div>Thank you for your time!<br>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Thu, Dec 22, 2016 at 1:41 PM,
              Martin Basti <span dir="ltr"><<a
                  moz-do-not-send="true" href="mailto:mbasti@redhat.com"
                  target="_blank">mbasti@redhat.com</a>></span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"><span class="gmail-">
                    <p><br>
                    </p>
                    <br>
                    <div
                      class="gmail-m_7579420892651053745moz-cite-prefix">On
                      22.12.2016 10:57, Maciej Drobniuch wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">Hi Martin
                        <div><br>
                        </div>
                        <div>Appreciate your help!<br>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On Thu, Dec 22,
                              2016 at 10:48 AM, Martin Basti <span
                                dir="ltr"><<a moz-do-not-send="true"
                                  href="mailto:mbasti@redhat.com"
                                  target="_blank">mbasti@redhat.com</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0px 0px 0px
                                0.8ex;border-left:1px solid
                                rgb(204,204,204);padding-left:1ex">
                                <div bgcolor="#FFFFFF"><span
                                    class="gmail-m_7579420892651053745gmail-">
                                    <p><br>
                                    </p>
                                    <br>
                                    <div
class="gmail-m_7579420892651053745gmail-m_2550165744306535538moz-cite-prefix">On
                                      22.12.2016 09:37, Maciej Drobniuch
                                      wrote:<br>
                                    </div>
                                    <blockquote type="cite">
                                      <div dir="ltr">Hi Martin
                                        <div><br>
                                        </div>
                                        <div>Thank you for the reply. </div>
                                        <div><br>
                                        </div>
                                        <div>1. The dig is returning
                                          proper PTR record. I've added
                                          it manually to the zone and
                                          it's working.</div>
                                      </div>
                                    </blockquote>
                                    <br>
                                  </span> I was asking for the SOA and zone
                                  name; IMO there is nothing secret
                                  about a reverse zone name from private
                                  address space.<br>
                                  <br>
                                  What does this command return on the server?<br>
                                  python -c 'import netaddr; from dns
                                  import resolver; ip =
                                  netaddr.IPAddress("10.0.0.165"<wbr>);
                                  revn = ip.reverse_dns; print revn;
                                  print resolver.zone_for_name(revn)'<span
class="gmail-m_7579420892651053745gmail-"><br>
                                    <br>
                                    <br>
                                  </span></div>
                              </blockquote>
                              <div># python -c 'import netaddr; from dns
                                import resolver; ip =
                                netaddr.IPAddress("10.0.0.165"<wbr>);
                                revn = ip.reverse_dns; print revn; print
                                resolver.zone_for_name(revn)'</div>
                              <div>165.0.0.10.in-addr.arpa.</div>
                              <div>in-addr.arpa.</div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                    <br>
                  </span> It looks like python-dns failed to find the proper
                  zone. What is supposed to be the authoritative zone for
                  that record in your system?<br>
                  How do your reverse zones look?<br>
                </div>
              </blockquote>
              <div>I have the reverse zone added.</div>
              <div>0.0.10.in-addr.arpa. </div>
              <div><br>
              </div>
              <div>Do you maybe know how python/ipa determines
                what the DNS server for the internal zone is? </div>
              <div>As far as I understood, this is not an "access rights
                issue". It's a DNS PTR resolution problem with
                python (ipa's using python)?</div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    It doesn't care about the resolver; python-dns checks SOA records,
    it removes labels from the left and tries to find the best matching zone.<br>
    <br>
    What does dig 0.0.10.in-addr.arpa. SOA return?<br>
    <br>
    <blockquote
cite="mid:CAL0Muf+=6G0X8TMemboJ6ZR7CTigFRxu9WLgo8WWHiVk2YGYRg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra">
            <div class="gmail_quote">
              <div><br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"> <br>
                  <br>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>
                        <div class="gmail_extra">
                          <div class="gmail_quote"><span class="gmail-">
                              <div> </div>
                              <div><br>
                              </div>
                              <blockquote class="gmail_quote"
                                style="margin:0px 0px 0px
                                0.8ex;border-left:1px solid
                                rgb(204,204,204);padding-left:1ex">
                                <div bgcolor="#FFFFFF"><span
                                    class="gmail-m_7579420892651053745gmail-">
                                    <blockquote type="cite">
                                      <div dir="ltr">
                                        <div>2. The problem exists while
                                          adding host entries or A
                                          records with "create reverse"
                                          option.</div>
                                      </div>
                                    </blockquote>
                                  </span> That's why I asked you to run dig;
                                  the code uses the DNS system to determine
                                  the zone.<span
                                    class="gmail-m_7579420892651053745gmail-"><br>
                                    <br>
                                    <blockquote type="cite">
                                      <div dir="ltr">
                                        <div>3. If I bind a host with
                                          ipa-client-install, the PTR
                                          record gets created in the
                                          reverse zone and it works</div>
                                      </div>
                                    </blockquote>
                                  </span> Ok</div>
                              </blockquote>
                              <div>Manually creating the PTR record
                                works fine as well. </div>
                              <blockquote class="gmail_quote"
                                style="margin:0px 0px 0px
                                0.8ex;border-left:1px solid
                                rgb(204,204,204);padding-left:1ex">
                                <div bgcolor="#FFFFFF"><span
                                    class="gmail-m_7579420892651053745gmail-"><br>
                                    <br>
                                    <blockquote type="cite">
                                      <div dir="ltr">
                                        <div>4. The resolv.conf file has
                                          only the IPA server IP
                                          address/localhost added.</div>
                                      </div>
                                    </blockquote>
                                    <br>
                                  </span> Have you changed it recently?</div>
                              </blockquote>
                              <div>Yes, it pointed to outside 8.8.8.8,
                                so the OS did not see the local reverse
                                zone.</div>
                              <div>Now it's pointing to localhost. And I
                                can dig the PTRs. (I've manually created
                                the PTR.)</div>
                              <div><br>
                              </div>
                            </span>
                            <div><span class="gmail-">
                                <div># dig -x 10.0.0.165</div>
                                <div><br>
                                </div>
                                <div>; <<>> DiG
                                  9.9.4-RedHat-9.9.4-38.el7_3
                                  <<>> -x 10.0.0.165</div>
                                <div>;; global options: +cmd</div>
                                <div>;; Got answer:</div>
                                <div>;; ->>HEADER<<- opcode:
                                  QUERY, status: NOERROR, id: 35592</div>
                                <div>;; flags: qr aa rd ra; QUERY: 1,
                                  ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2</div>
                                <div><br>
                                </div>
                                <div>;; OPT PSEUDOSECTION:</div>
                              </span>
                              <div>; E: version: 0, flags:; udp: 4096</div>
                              <span class="gmail-">
                                <div>;; QUESTION SECTION:</div>
                                <div>;165.0.0.10.in-addr.arpa.<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">       </span>IN<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>PTR</div>
                                <div><br>
                                </div>
                                <div>;; ANSWER SECTION:</div>
                                <div>165.0.0.10.in-addr.arpa. 1200<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">   </span>IN<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>PTR<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">   </span><a
                                    moz-do-not-send="true"
                                    href="http://prdfrmprb01.cs.int"
                                    target="_blank">prdfrmprb01.cs.int</a>.</div>
                                <div><br>
                                </div>
                                <div>;; AUTHORITY SECTION:</div>
                                <div>1.0.10.in-addr.arpa.<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>86400<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>IN<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>NS<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span><a
                                    moz-do-not-send="true"
                                    href="http://freeipa1.cs.int"
                                    target="_blank">freeipa1.cs.int</a>.</div>
                                <div><br>
                                </div>
                              </span></div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  This authority section looks suspicious; I would
                  expect something like 0.0.10.in-addr.arpa.<br>
                  <br>
                  Back to the question about your reverse zones.</div>
              </blockquote>
              <div>I've intentionally hidden our internal IP space, sorry;
                good catch, my finger slipped :). <br>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    So is 0.0.10.in-addr.arpa. an authoritative zone? Or what dig
    returned in the authority section?<br>
    <br>
    <blockquote
cite="mid:CAL0Muf+=6G0X8TMemboJ6ZR7CTigFRxu9WLgo8WWHiVk2YGYRg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra">
            <div class="gmail_quote">
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
                0.8ex;border-left:1px solid
                rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF">
                  <div>
                    <div class="gmail-h5"><br>
                      <br>
                      <span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"></span>
                      <blockquote type="cite">
                        <div dir="ltr">
                          <div>
                            <div class="gmail_extra">
                              <div class="gmail_quote">
                                <div>
                                  <div>;; ADDITIONAL SECTION:</div>
                                  <div><a moz-do-not-send="true"
                                      href="http://freeipa1.cs.int"
                                      target="_blank">freeipa1.cs.int</a>.<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">      </span>1200<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">  </span>IN<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>A<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">     </span>10.0.0.200</div>
                                  <div><br>
                                  </div>
                                  <div>;; Query time: 3 msec</div>
                                  <div>;; SERVER:
                                    127.0.0.1#53(127.0.0.1)</div>
                                  <div>;; WHEN: czw gru 22 04:51:23 EST
                                    2016</div>
                                  <div>;; MSG SIZE  rcvd: 124</div>
                                </div>
                                <blockquote class="gmail_quote"
                                  style="margin:0px 0px 0px
                                  0.8ex;border-left:1px solid
                                  rgb(204,204,204);padding-left:1ex">
                                  <div bgcolor="#FFFFFF"><span
                                      class="gmail-m_7579420892651053745gmail-HOEnZb"><font
                                        color="#888888"><br>
                                        <br>
                                        Martin</font></span>
                                    <div>
                                      <div
                                        class="gmail-m_7579420892651053745gmail-h5"><br>
                                        <br>
                                        <blockquote type="cite">
                                          <div dir="ltr">
                                            <div><br>
                                            </div>
                                            <div>Cheers!</div>
                                            <div>M.</div>
                                          </div>
                                          <div class="gmail_extra"><br>
                                            <div class="gmail_quote">On
                                              Wed, Dec 21, 2016 at 5:43
                                              PM, Martin Basti <span
                                                dir="ltr"><<a
                                                  moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
                                              wrote:<br>
                                              <blockquote
                                                class="gmail_quote"
                                                style="margin:0px 0px
                                                0px
                                                0.8ex;border-left:1px
                                                solid
                                                rgb(204,204,204);padding-left:1ex">
                                                <div bgcolor="#FFFFFF">
                                                  <p>Hello all :)<br>
                                                  </p>
                                                  <span> <br>
                                                    <div
class="gmail-m_7579420892651053745gmail-m_2550165744306535538m_-8076435932888776012moz-cite-prefix">On
                                                      20.12.2016 01:33,
                                                      Maciej Drobniuch
                                                      wrote:<br>
                                                    </div>
                                                    <blockquote
                                                      type="cite">
                                                      <div dir="ltr">
                                                        <div><span>Hi
                                                          All!</span></div>
                                                        <div><span><br>
                                                          </span></div>
                                                        <div><span>I get
                                                          the following
                                                          message while
                                                          adding a new
                                                          hostname. </span></div>
                                                        <span>
                                                          <div><span><br>
                                                          </span></div>
                                                          "The host was
                                                          added but the
                                                          DNS update
                                                          failed with:
                                                          DNS reverse
                                                          zone
                                                          in-addr.arpa.
                                                          for IP address
                                                          10.0.0.165 is
                                                          not managed by
                                                          this server"</span><br
                                                          clear="all">
                                                      </div>
                                                    </blockquote>
                                                    <br>
                                                  </span> IPA failed to
                                                  get the correct reverse
                                                  zone. Can you try dig
                                                  -x 10.0.0.165? What
                                                  will be in the SOA answer?<br>
                                                  <br>
                                                  What is the name of the
                                                  reverse zone you have
                                                  on the IPA DNS server?<span
class="gmail-m_7579420892651053745gmail-m_2550165744306535538HOEnZb"><font
                                                      color="#888888"><br>
                                                      <br>
                                                      <br>
                                                      Martin</font></span><span><br>
                                                    <br>
                                                    <blockquote
                                                      type="cite">
                                                      <div dir="ltr">
                                                        <div><br>
                                                        </div>
                                                        <div>The reverse
                                                          zone is
                                                          configured and
                                                          working. </div>
                                                        <div>When I am
                                                          manually
                                                          adding the PTR
                                                          record to the
                                                          reverse zone -
                                                          all OK</div>
                                                        <div><br>
                                                        </div>
                                                        <div>While
                                                          adding a new
                                                          host,  the A
                                                          record is
                                                          being created
                                                          but the PTR
                                                          fails with the
                                                          message above.</div>
                                                        <div><br>
                                                        </div>
                                                        <div>Reinstalling
                                                          centos+IPA
                                                          worked once
                                                          but I had to
                                                          reinstall
                                                          again because
                                                          of problems
                                                          with
                                                          kerberos(probably
                                                          dependencies).</div>
                                                        <div><br>
                                                        </div>
                                                        <div>Not sure
                                                          what is the
                                                          root cause of
                                                          the issue.</div>
                                                        <div><br>
                                                        </div>
                                                        <div>VERSION:
                                                          4.4.0,
                                                          API_VERSION:
                                                          2.213<br>
                                                        </div>
                                                        <div><br>
                                                        </div>
                                                        <div>CENTOS7
                                                          Linux freeipa1
3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64
                                                          x86_64
                                                          GNU/Linux<br>
                                                        </div>
                                                        <div><br>
                                                        </div>
                                                        <div>Any help
                                                          appreciated!</div>
                                                        -- <br>
                                                        <div
class="gmail-m_7579420892651053745gmail-m_2550165744306535538m_-8076435932888776012gmail_signature">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div dir="ltr">Best
                                                          regards</div>
                                                          <div dir="ltr"><br>
                                                          <div><span
                                                          style="font-size:12.8px">Maciej
                                                          Drobniuch</span></div>
                                                          <div>Network
                                                          Security
                                                          Engineer</div>
                                                          <div>Collective-sense
                                                          LLC</div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </div>
                                                      </div>
                                                      <br>
                                                      <br>
                                                    </blockquote>
                                                    <br>
                                                  </span></div>
                                              </blockquote>
                                            </div>
                                            <br>
                                            <br clear="all">
                                            <div><br>
                                            </div>
                                            -- <br>
                                            <div
class="gmail-m_7579420892651053745gmail-m_2550165744306535538gmail_signature">
                                              <div dir="ltr">
                                                <div>
                                                  <div dir="ltr">
                                                    <div>
                                                      <div dir="ltr">Best
                                                        regards</div>
                                                      <div dir="ltr"><br>
                                                        <div><span
                                                          style="font-size:12.8px">Maciej
                                                          Drobniuch</span></div>
                                                        <div>Network
                                                          Security
                                                          Engineer</div>
                                                        <div>Collective-sense
                                                          LLC</div>
                                                      </div>
                                                    </div>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </blockquote>
                                        <br>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                              <br>
                              <br clear="all">
                              <div><br>
                              </div>
                              -- <br>
                              <div
                                class="gmail-m_7579420892651053745gmail_signature">
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <div dir="ltr">
                                        <div dir="ltr">Best regards</div>
                                        <div dir="ltr"><br>
                                          <div><span
                                              style="font-size:12.8px">Maciej
                                              Drobniuch</span></div>
                                          <div>Network Security Engineer</div>
                                          <div>
                                            <div
                                              style="font-size:12.8px">2410
                                              Camino Ramon, Suite 129</div>
                                            <div
                                              style="font-size:12.8px">San
                                              Ramon, CA 94583</div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </blockquote>
                      <br>
                    </div>
                  </div>
                </div>
              </blockquote>
            </div>
            <br>
            Happy new year!<br clear="all">
            <div><br>
            </div>
            -- <br>
            <div class="gmail_signature">
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">Best regards</div>
                        <div dir="ltr"><br>
                          <div><span style="font-size:12.8px">Maciej
                              Drobniuch</span></div>
                          <div>Network Security Engineer</div>
                          <div>
                            <div style="font-size:small">
                              <div dir="ltr">
                                <div dir="ltr">
                                  <div dir="ltr">
                                    <div dir="ltr">
                                      <div>
                                        <div style="font-size:12.8px">Collective-Sense,LLC</div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
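    <p>The label-stripping SOA search described in this thread, modelled
    offline as an added example (it is not part of the original messages
    and is not FreeIPA or python-dns code). The two SOA views, the
    managed-zone set and all function names are constructed assumptions;
    the status text is modelled on the error quoted in the first message.</p>

```python
"""Added illustration: finding the enclosing zone of a reverse name by
asking for SOA records and stripping labels from the left.

Pure-Python model with no network access. The SOA "views" below are
constructed sample data, not output captured from any real server.
"""
import ipaddress


def reverse_name(ip):
    """Return the absolute PTR owner name for an address (trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def zone_for_name(name, soa_owners):
    """Return (zone, names_tried) for the closest name that owns an SOA.

    soa_owners is the set of names for which the queried DNS view answers
    an SOA query (hypothetical stand-in for live SOA lookups).
    """
    owners = {owner.lower() for owner in soa_owners}
    labels = name.lower().rstrip(".").split(".")
    tried = []
    # start == len(labels) yields the root name "."
    for start in range(len(labels) + 1):
        candidate = ".".join(labels[start:]) + "."
        tried.append(candidate)
        if candidate in owners:
            return candidate, tried
    raise LookupError("no SOA found up to the root for " + name)


def check_reverse_update(ip, soa_owners, managed_zones):
    """Model the decision behind the error message in the thread.

    Returns (zone, managed, message). managed_zones is the set of reverse
    zones the server hosts (assumption for this example).
    """
    zone, _ = zone_for_name(reverse_name(ip), soa_owners)
    managed = zone in {z.lower() for z in managed_zones}
    if managed:
        message = "PTR for {} goes into {}".format(ip, zone)
    else:
        message = ("DNS reverse zone {} for IP address {} is not "
                   "managed by this server".format(zone, ip))
    return zone, managed, message


# Constructed view: the answering DNS path does not expose the private
# reverse zone, so the first SOA owner found is far up the tree.
VIEW_WITHOUT_LOCAL_ZONE = {".", "arpa.", "in-addr.arpa."}

# Constructed view: the same tree plus the locally hosted reverse zone.
VIEW_WITH_LOCAL_ZONE = VIEW_WITHOUT_LOCAL_ZONE | {"0.0.10.in-addr.arpa."}

# Constructed set of zones hosted on the server.
MANAGED_ZONES = {"0.0.10.in-addr.arpa."}


if __name__ == "__main__":
    for label, view in (("without local zone", VIEW_WITHOUT_LOCAL_ZONE),
                        ("with local zone", VIEW_WITH_LOCAL_ZONE)):
        zone, tried = zone_for_name(reverse_name("10.0.0.165"), view)
        print(label, "| tried:", ", ".join(tried))
        print(label, "|", check_reverse_update("10.0.0.165", view,
                                               MANAGED_ZONES)[2])
```

    <p>The first view reproduces the <code>in-addr.arpa.</code> result
    shown in the thread; the second shows the answer the search gives once
    an SOA for <code>0.0.10.in-addr.arpa.</code> is visible.</p>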
  </body>
</html>