[Freeipa-users] reverse lookup dns records in trust setup

Petr Spacek pspacek at redhat.com
Wed Jul 8 09:50:27 UTC 2015


On 5.7.2015 08:38, John Stein wrote:
> Hi,
> 
> I ran these commands in the IdM server
> 
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM
> krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> 
> At the Active Directory I have A and PTR records for the IdM server and it
> is configured as a global forwarder.
> At the IdM server there are A and PTR records for both the IdM server and
> another client.
> However this setup does not work.
> From the IdM and linux client every record is resolvable, however from the
> AD only the IdM is resolvable and the client is not.
> 
> Maybe there's another thing I need to configure in the AD in order to
> enable forwarding that I'm missing?

I'm not sure I understand you.

A zone should be configured only on one server (or set of synchronized servers).

Could you tell us what exactly (using what commands or GUI in IPA and AD) did
you configure?

It would be good if you did not obfuscate DNS names in the steps because the
obfuscation often hides the real cause of problem :-)

Have a nice day!

Petr^2 Spacek


> Thank you very much,
> John
> 
> On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek <pspacek at redhat.com> wrote:
> 
>> On 29.6.2015 13:57, John Stein wrote:
>>> Hi,
>>>
>>> I have an AD and IdM server.
>>> AD domain - john.com
>>> IdM domain - linux.john.com
>>>
>>> Each spans multiple network segments, with some segments having both
>> linux
>>> and windows machines.
>>>
>>> the IdM is configured to forward DNS requests to AD (forward first), and
>>> the AD is configured to forward requests in the linux.john.com domain to
>>> the IdM.
>>>
>>> However, I'm having a problem regarding reverse lookup zones. Where
>> should
>>> they be so they can be accessed from both linux and windows machines?
>>
>> From DNS's point of view it does not matter, pick one side (AD or IPA) to
>> host
>> the reverse zone and configure delegation or forwarding on the other side.
>> That is all you need if you are willing to update records manually.
>>
>>> If I put them in IdM, how will the AD know which requests to forward to
>> the
>>> IdM?
>>
>> Either properly configure delegation (if you have control over the parent
>> zone) or add forwarder (only if you do not have control over parent zone -
>> usual caveats for forwarding apply).
>>
>>> It seems to me that I need to somehow register them at the AD, so the A
>>> record is in the IdM server and the PTR is in the AD. Is it possible to
>> do
>>> it automatically,
>>
>> "host/" principals from IPA Kerberos realm are generally not allowed to get
>> tickets for AD realm so automatic update from IPA to AD is not possible.
>>
>> It might work the other way around (I did not test this):
>> - Configure reverse zone in IPA
>> - Configure delegation/forwarding in AD so all clients can properly resolve
>> the reverse zone
>> - Allow all clients to update their PTR records. Update policy like this
>> might
>> work:
>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE
>> krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>
>> I would like to hear from you if this works in your environment or not.
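The two `ipa dnszone-mod` commands quoted above only grant permission: under `krb5-self * PTR` each client must still send its own PTR update, authenticated with its Kerberos host credentials, and the poster's symptom (the client's PTR resolving from IPA but not from AD) is best narrowed down by querying both servers directly. The script below is an added example, not code from the thread or from the FreeIPA project. It builds the `in-addr.arpa` name for an IPv4 address, generates the `nsupdate` input for the reverse zone named in the thread, sends it with GSS-TSIG (`nsupdate -g`, which uses the ticket in the current credential cache, so run `kinit -k` on the client first), and compares the answer from the IPA and AD servers. The host name `client.linux.john.com.`, the address `192.0.2.10`, and the server addresses passed in by the caller are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): PTR self-update under a
# "grant <REALM> krb5-self * PTR" policy, plus a two-server consistency check.

# Turn a dotted IPv4 address into its reverse name, e.g.
# 192.0.2.10 -> 10.2.0.192.in-addr.arpa.  (pure string work, no network)
reverse_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Build the nsupdate input that replaces the PTR for IPv4 $1 with FQDN $2
# inside reverse zone $3 (the thread uses 2.0.192.in-addr.arpa.).
# "update delete ... PTR" first, so a stale PTR from an old name does not linger.
ptr_update_script() {
  ip="$1"; fqdn="$2"; zone="$3"
  ptr=$(reverse_name "$ip")
  printf 'zone %s\nupdate delete %s PTR\nupdate add %s 3600 PTR %s\nsend\n' \
    "$zone" "$ptr" "$ptr" "$fqdn"
}

# Send the update with GSS-TSIG. krb5-self means the signing principal must be
# the host's own principal (host/<fqdn>@REALM), so obtain it with: kinit -k
push_ptr() {
  ptr_update_script "$1" "$2" "$3" | nsupdate -g
}

# Resolve the PTR for $1 by asking the DNS server at $2 directly (no recursion
# through the local resolver, so each side's view is seen unfiltered).
check_ptr() {
  dig +short @"$2" -x "$1"
}

# Compare what the IPA server ($2) and the AD server ($3) return for $1.
# Exit status 0 = both agree and are non-empty; 1 = they differ (the symptom
# described in the thread, which points at delegation/forwarding on the AD side).
compare_ptr() {
  ip="$1"; ipa_srv="$2"; ad_srv="$3"
  from_ipa=$(check_ptr "$ip" "$ipa_srv")
  from_ad=$(check_ptr "$ip" "$ad_srv")
  printf 'IPA (%s): %s\nAD  (%s): %s\n' "$ipa_srv" "${from_ipa:-<no answer>}" \
                                         "$ad_srv"  "${from_ad:-<no answer>}"
  [ -n "$from_ipa" ] && [ "$from_ipa" = "$from_ad" ]
}

# Usage (placeholders; run on the client after kinit -k):
#   push_ptr 192.0.2.10 client.linux.john.com. 2.0.192.in-addr.arpa.
#   compare_ptr 192.0.2.10 <ipa-server-ip> <ad-server-ip>
```

If `compare_ptr` shows an answer from IPA but none from AD, the update itself succeeded and the gap is in how AD reaches the reverse zone (the delegation or conditional forwarder for `2.0.192.in-addr.arpa`), which is the distinction the reply above is trying to establish; if even IPA returns nothing, inspect the `nsupdate -g` result and the update policy first.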
