[Freeipa-users] reverse lookup dns records in trust setup

John Stein tde3000 at gmail.com
Sun Jul 5 06:38:26 UTC 2015


Hi,

I ran these commands in the IdM server

$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM
krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

At the Active Directory I have A and PTR records for the IdM server and it
is configured as a global forwarder.
At the IdM server there are A and PTR records for both the IdM server and
another client.
However this setup does not work.
From the IdM and linux client every record is resolvable, however from the
AD only the IdM is resolvable and the client is not.

Maybe there's another thing I need to configure in the AD in order to
enable forwarding that I'm missing?

Thank you very much,
John

On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek <pspacek at redhat.com> wrote:

> On 29.6.2015 13:57, John Stein wrote:
> > Hi,
> >
> > I have an AD and IdM server.
> > AD domain - john.com
> > IdM domain - linux.john.com
> >
> > each spans multiple network segments, with some segments having both
> linux
> > and windows machines.
> >
> > the IdM is configured to forward DNS requests to AD (forward first), and
> > the AD is configured to forward requests in the linux.john.com domain to
> > the IdM.
> >
> > However, I'm having a problem regarding reverse lookup zones. Where
> should
> > they be so they can be accessed from both linux and windows machines?
>
> From DNS's point of view it does not matter, pick one side (AD or IPA) to
> host
> the reverse zone and configure delegation or forwarding on the other side.
> That is all you need if you are willing to update records manually.
>
> > If I put them in IdM, how will the AD know which requests to forward to
> the
> > IdM?
>
> Either properly configure delegation (if you have control over the parent
> zone) or add forwarder (only if you do not have control over parent zone -
> usual caveats for forwarding apply).
>
> > It seems to me that I need to somehow register them at the AD, so the A
> > record is in the IdM server and the PTR is in the AD. Is it possible to
> do
> > it automatically,
>
> "host/" principals from IPA Kerberos realm are generally not allowed to get
> tickets for AD realm so automatic update from IPA to AD is not possible.
>
> It might work the other way around (I did not test this):
> - Configure reverse zone in IPA
> - Configure delegation/forwarding in AD so all clients can properly resolve
> the reverse zone
> - Allow all clients to update their PTR records. Update policy like this
> might
> work:
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE
> krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>
> I would like to hear from you if this works in your environment or not.
>
> Thank you!
>
> --
> Petr^2 Spacek
>
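The symptom in this thread (A records resolve everywhere, but the PTR for one host is missing from the AD side) is easiest to pin down by comparing the forward records you expect against the PTR records the reverse zone actually serves. The following is an added example, not code from the thread or from the FreeIPA project: it computes the PTR owner name for each address, determines which configured reverse zone (here the thread's `2.0.192.in-addr.arpa.`) should hold it, and reports every A/AAAA record with a missing or mismatched PTR. The host names, addresses and record sets are constructed for illustration; in practice you would fill the dictionaries from `dig` output taken from the AD and IPA resolvers in turn.

```python
"""Forward/reverse DNS consistency check for a split AD/IPA DNS setup.

Added example (not part of the thread). Zone data below is constructed
to mirror the poster's layout: IdM at linux.john.com, AD at john.com,
one shared reverse zone 2.0.192.in-addr.arpa. hosted on the IPA side.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def reverse_owner(ip: str) -> str:
    """Owner name of the PTR record for ip, with trailing dot.

    Works for IPv4 (in-addr.arpa) and IPv6 (ip6.arpa) via the stdlib.
    """
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_for(ip: str, zones: List[str]) -> Optional[str]:
    """Return the most specific configured reverse zone containing ip's PTR name."""
    owner = reverse_owner(ip)
    matches = [z for z in zones if owner == z or owner.endswith("." + z)]
    return max(matches, key=len) if matches else None


def check_reverse(
    forward: Dict[str, List[str]],
    reverse_zones: List[str],
    ptr_records: Dict[str, str],
) -> List[Tuple[str, str, str]]:
    """Report every A/AAAA record whose PTR is absent or points elsewhere.

    forward:       {fqdn: [address, ...]} as seen in the forward zones
    reverse_zones: reverse zone names (with trailing dot) that exist somewhere
    ptr_records:   {ptr_owner_name: target_fqdn} as served by those zones
    Returns (fqdn, address, problem) tuples; an empty list means consistent.
    """
    problems = []
    for fqdn, addresses in forward.items():
        for ip in addresses:
            owner = reverse_owner(ip)
            zone = reverse_zone_for(ip, reverse_zones)
            if zone is None:
                problems.append((fqdn, ip, f"no reverse zone configured for {owner}"))
                continue
            target = ptr_records.get(owner)
            if target is None:
                problems.append((fqdn, ip, f"missing PTR {owner} in zone {zone}"))
            elif target.lower() != fqdn.lower():
                problems.append(
                    (fqdn, ip, f"PTR {owner} points to {target}, expected {fqdn}")
                )
    return problems


# Constructed sample data: what the resolvers answer, not real hosts.
FORWARD = {
    "idm.linux.john.com.": ["192.0.2.10"],
    "client1.linux.john.com.": ["192.0.2.20"],
    "ws1.john.com.": ["192.0.2.30"],
    "v6host.linux.john.com.": ["2001:db8::1"],
}
REVERSE_ZONES = ["2.0.192.in-addr.arpa."]
# Only the IdM server's PTR exists; the client's was never registered.
PTR_RECORDS = {"10.2.0.192.in-addr.arpa.": "idm.linux.john.com."}


def sample_problems() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed data above."""
    return check_reverse(FORWARD, REVERSE_ZONES, PTR_RECORDS)


if __name__ == "__main__":
    for fqdn, ip, why in sample_problems():
        print(f"{fqdn:28} {ip:16} {why}")
```

Running the check once against answers from the IPA resolver and once against answers from the AD resolver separates the two failure modes seen in the thread: a PTR that is missing from the authoritative zone (a registration or update-policy problem) versus a PTR that exists on the IPA side but is not reachable through AD (a delegation or forwarding problem).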