<div dir="ltr">Hi Martin!<div><br></div><div>Thank you for your time!<br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 22, 2016 at 1:41 PM, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF"><span class="gmail-">
    <p><br>
    </p>
    <br>
    <div class="gmail-m_7579420892651053745moz-cite-prefix">On 22.12.2016 10:57, Maciej Drobniuch
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi Martin
        <div><br>
        </div>
        <div>Appreciate your help!<br>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Thu, Dec 22, 2016 at 10:48 AM,
              Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"><span class="gmail-m_7579420892651053745gmail-">
                    <p><br>
                    </p>
                    <br>
                    <div class="gmail-m_7579420892651053745gmail-m_2550165744306535538moz-cite-prefix">On
                      22.12.2016 09:37, Maciej Drobniuch wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">Hi Martin
                        <div><br>
                        </div>
                        <div>Thank you for the reply. </div>
                        <div><br>
                        </div>
                        <div>1. The dig is returning proper PTR record.
                          I've added it manually to the zone and it's
                          working.</div>
                      </div>
                    </blockquote>
                    <br>
                  </span> I was asking for the SOA and zone name; IMO there
                  is nothing secret about a reverse zone name from private
                  address space.<br>
                  <br>
                  What does this command return on the server?<br>
                  python -c 'import netaddr; from dns import resolver;
                  ip = netaddr.IPAddress("10.0.0.165"<wbr>); revn =
                  ip.reverse_dns; print revn; print
                  resolver.zone_for_name(revn)'<span class="gmail-m_7579420892651053745gmail-"><br>
                    <br>
                    <br>
                  </span></div>
              </blockquote>
              <div># python -c 'import netaddr; from dns import
                resolver; ip = netaddr.IPAddress("10.0.0.165"<wbr>); revn =
                ip.reverse_dns; print revn; print
                resolver.zone_for_name(revn)'</div>
              <div>165.0.0.10.in-addr.arpa.</div>
              <div>in-addr.arpa.</div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br></span>
    It looks like python-dns failed to find the proper zone. What is
    supposed to be the authoritative zone for that record in your system?<br>
    How do your reverse zones look?<br></div></blockquote><div>I have the reverse zone added.</div><div>0.0.10.in-addr.arpa. </div><div><br></div><div>Do you know maybe how python/ipa is determining what's the DNS server for the internal zone? </div><div>As far as I understood, this is not an "access rights issue". It's a DNS PTR resolution problem with Python (IPA's using Python)?</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
    <br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra">
            <div class="gmail_quote"><span class="gmail-">
              <div> </div>
              <div><br>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"><span class="gmail-m_7579420892651053745gmail-">
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>2. The problem exists while adding host
                          entries or A records with "create reverse"
                          option.</div>
                      </div>
                    </blockquote>
                  </span> That's why I asked you to run dig; the code uses
                  the DNS system to determine the zone.<span class="gmail-m_7579420892651053745gmail-"><br>
                    <br>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>3. If I'll bind a host with
                          ipa-client-install the PTR record gets created
                          in the reverse zone and it works</div>
                      </div>
                    </blockquote>
                  </span> Ok</div>
              </blockquote>
              <div>Manually creating the PTR record works fine as well. </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"><span class="gmail-m_7579420892651053745gmail-"><br>
                    <br>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>4. The resolv.conf file has only the IPA
                          server IP address/localhost added.</div>
                      </div>
                    </blockquote>
                    <br>
                  </span> Have you changed it recently?</div>
              </blockquote>
              <div>Yes, it pointed to outside 8.8.8.8, so the OS did not
                see the local reverse zone.</div>
              <div>Now it's pointing to localhost. And I get dig the
                PTRs. (I've manually created the ptr)</div>
              <div><br>
              </div>
              </span><div><span class="gmail-">
                <div># dig -x 10.0.0.165</div>
                <div><br>
                </div>
                <div>; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3
                  <<>> -x 10.0.0.165</div>
                <div>;; global options: +cmd</div>
                <div>;; Got answer:</div>
                <div>;; ->>HEADER<<- opcode: QUERY, status:
                  NOERROR, id: 35592</div>
                <div>;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1,
                  AUTHORITY: 1, ADDITIONAL: 2</div>
                <div><br>
                </div>
                <div>;; OPT PSEUDOSECTION:</div>
                </span><div>; E: version: 0, flags:; udp: 4096</div><span class="gmail-">
                <div>;; QUESTION SECTION:</div>
                <div>;165.0.0.10.in-addr.arpa.<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">       </span>IN<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>PTR</div>
                <div><br>
                </div>
                <div>;; ANSWER SECTION:</div>
                <div>165.0.0.10.in-addr.arpa. 1200<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">   </span>IN<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>PTR<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">   </span><a href="http://prdfrmprb01.cs.int" target="_blank">prdfrmprb01.cs.int</a>.</div>
                <div><br>
                </div>
                <div>;; AUTHORITY SECTION:</div>
                <div>1.0.10.in-addr.arpa.<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>86400<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>IN<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>NS<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span><a href="http://freeipa1.cs.int" target="_blank">freeipa1.cs.int</a>.</div>
                <div><br>
                </div>
              </span></div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    This authority section looks suspicious, I would expect something
    like 0.0.10.in-addr.arpa.<br>
    <br>
    Back to the question about your reverse zones.</div></blockquote><div>I've intentionally hidden our internal IP space, sorry, good catch, my finger has slipped :). </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><div><div class="gmail-h5"><br>
    <br>
    <span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap"></span>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra">
            <div class="gmail_quote">
              <div>
                <div>;; ADDITIONAL SECTION:</div>
                <div><a href="http://freeipa1.cs.int" target="_blank">freeipa1.cs.int</a>.<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">   </span>1200<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">  </span>IN<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">    </span>A<span class="gmail-m_7579420892651053745gmail-Apple-tab-span" style="white-space:pre-wrap">     </span>10.0.0.200</div>
                <div><br>
                </div>
                <div>;; Query time: 3 msec</div>
                <div>;; SERVER: 127.0.0.1#53(127.0.0.1)</div>
                <div>;; WHEN: czw gru 22 04:51:23 EST 2016</div>
                <div>;; MSG SIZE  rcvd: 124</div>
              </div>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                <div bgcolor="#FFFFFF"><span class="gmail-m_7579420892651053745gmail-HOEnZb"><font color="#888888"><br>
                      <br>
                      Martin</font></span>
                  <div>
                    <div class="gmail-m_7579420892651053745gmail-h5"><br>
                      <br>
                      <blockquote type="cite">
                        <div dir="ltr">
                          <div><br>
                          </div>
                          <div>Cheers!</div>
                          <div>M.</div>
                        </div>
                        <div class="gmail_extra"><br>
                          <div class="gmail_quote">On Wed, Dec 21, 2016
                            at 5:43 PM, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
                            wrote:<br>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                              <div bgcolor="#FFFFFF">
                                <p>Hello all :)<br>
                                </p>
                                <span> <br>
                                  <div class="gmail-m_7579420892651053745gmail-m_2550165744306535538m_-8076435932888776012moz-cite-prefix">On
                                    20.12.2016 01:33, Maciej Drobniuch
                                    wrote:<br>
                                  </div>
                                  <blockquote type="cite">
                                    <div dir="ltr">
                                      <div><span>Hi All!</span></div>
                                      <div><span><br>
                                        </span></div>
                                      <div><span>I get the following
                                          message while adding a new
                                          hostname. </span></div>
                                      <span>
                                        <div><span><br>
                                          </span></div>
                                        "The host was added but the DNS
                                        update failed with: DNS reverse
                                        zone in-addr.arpa. for IP
                                        address 10.0.0.165 is not
                                        managed by this server"</span><br clear="all">
                                    </div>
                                  </blockquote>
                                  <br>
                                </span> IPA failed to get the correct
                                reverse zone; can you try dig -x
                                10.0.0.165? What will be in the SOA answer?<br>
                                <br>
                                What is the name of reverse zone you
                                have on IPA DNS server?<span class="gmail-m_7579420892651053745gmail-m_2550165744306535538HOEnZb"><font color="#888888"><br>
                                    <br>
                                    <br>
                                    Martin</font></span><span><br>
                                  <br>
                                  <blockquote type="cite">
                                    <div dir="ltr">
                                      <div><br>
                                      </div>
                                      <div>The reverse zone is
                                        configured and working. </div>
                                      <div>When I am manually adding the
                                        PTR record to the reverse zone -
                                        all OK</div>
                                      <div><br>
                                      </div>
                                      <div>While adding a new host,  the
                                        A record is being created but
                                        the PTR fails with the message
                                        above.</div>
                                      <div><br>
                                      </div>
                                      <div>Reinstalling centos+IPA
                                        worked once but I had to
                                        reinstall again because of
                                        problems with kerberos(probably
                                        dependencies).</div>
                                      <div><br>
                                      </div>
                                      <div>Not sure what is the root
                                        cause of the issue.</div>
                                      <div><br>
                                      </div>
                                      <div>VERSION: 4.4.0, API_VERSION:
                                        2.213<br>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div>CENTOS7 Linux freeipa1
                                        3.10.0-229.el7.x86_64 #1 SMP Fri
                                        Mar 6 11:36:42 UTC 2015 x86_64
                                        x86_64 x86_64 GNU/Linux<br>
                                      </div>
                                      <div><br>
                                      </div>
                                      <div>Any help appreciated!</div>
                                      -- <br>
                                      <div class="gmail-m_7579420892651053745gmail-m_2550165744306535538m_-8076435932888776012gmail_signature">
                                        <div dir="ltr">
                                          <div>
                                            <div dir="ltr">
                                              <div>
                                                <div dir="ltr">Best
                                                  regards</div>
                                                <div dir="ltr"><br>
                                                  <div><span style="font-size:12.8px">Maciej
                                                      Drobniuch</span></div>
                                                  <div>Network Security
                                                    Engineer</div>
                                                  <div>Collective-sense
                                                    LLC</div>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                    <br>
                                    <br>
                                  </blockquote>
                                  <br>
                                </span></div>
                            </blockquote>
                          </div>
                          <br>
                          <br clear="all">
                          <div><br>
                          </div>
                        </div>
                      </blockquote>
                      <br>
                    </div>
                  </div>
                </div>
              </blockquote>
            </div>
            <br>
            <br clear="all">
            <div><br>
            </div>
            -- <br>
            <div class="gmail-m_7579420892651053745gmail_signature">
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">Best regards</div>
                      <div dir="ltr"><br>
                        <div><span style="font-size:12.8px">Maciej
                            Drobniuch</span></div>
                        <div>Network Security Engineer</div>
                        <div>
                          <div style="font-size:12.8px">2410 Camino
                            Ramon, Suite 129</div>
                          <div style="font-size:12.8px">San Ramon, CA
                            94583</div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br>Happy new year!<br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Best regards</div><div dir="ltr"><br><div><span style="font-size:12.8px">Maciej Drobniuch</span></div><div>Network Security Engineer</div><div><div style="font-size:small"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div style="font-size:12.8px">Collective-Sense,LLC</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div></div>
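<p>An added example, not part of the original messages and not FreeIPA or python-dns code: a stdlib-only sketch of the label-by-label SOA walk that <code>resolver.zone_for_name</code> performs, showing why a resolver that cannot see the private reverse zone yields <code>in-addr.arpa.</code> and the "not managed by this server" result quoted in the thread. The SOA views, the managed-zone set and the helper names are constructed assumptions.</p>

```python
import ipaddress

# Constructed SOA views (not data from the thread's server): the set of names
# that would answer an SOA query on a given resolver.
SEES_PRIVATE_ZONE = {"0.0.10.in-addr.arpa.", "in-addr.arpa.", "arpa.", "."}
BLIND_TO_PRIVATE_ZONE = {"in-addr.arpa.", "arpa.", "."}

# Assumption: the reverse zone the thread says is configured on the IPA server.
MANAGED_ZONES = {"0.0.10.in-addr.arpa."}


def reverse_name(ip):
    """Return the absolute PTR owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parent(name):
    """Strip the leftmost label; the parent of a top-level name is the root."""
    rest = name.split(".", 1)[1]
    return rest if rest else "."


def zone_for_name(name, soa_owners):
    """Walk up from name until an ancestor owns an SOA record.

    soa_owners stands in for live SOA queries against the configured resolver.
    """
    while True:
        if name in soa_owners:
            return name
        if name == ".":
            raise LookupError("no SOA found up to the root")
        name = parent(name)


def ptr_update_result(ip, soa_owners, managed_zones=MANAGED_ZONES):
    """Model the check: the zone found by the walk must be a managed zone."""
    zone = zone_for_name(reverse_name(ip), soa_owners)
    if zone not in managed_zones:
        return ("DNS reverse zone %s for IP address %s is not managed "
                "by this server" % (zone, ip))
    return "PTR would be created in %s" % zone


if __name__ == "__main__":
    for label, view in (("resolver sees private zone", SEES_PRIVATE_ZONE),
                        ("resolver blind to private zone", BLIND_TO_PRIVATE_ZONE)):
        print(label, "->", ptr_update_result("10.0.0.165", view))
```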