[Freeipa-users] reverse lookup dns records in trust setup

John Stein tde3000 at gmail.com
Tue Jul 14 12:49:22 UTC 2015


I ran the above commands exactly as I told you on the IPA server. I also
set the IPA server as a global forwarder in the AD.

On Wed, Jul 8, 2015, 12:50 Petr Spacek <pspacek at redhat.com> wrote:

> On 5.7.2015 08:38, John Stein wrote:
> > Hi,
> >
> > I ran these commands in the IdM server
> >
> > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM
> > krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >
> > At the Active Directory I have A and PTR records for the IdM server and it
> > is configured as a global forwarder.
> > At the IdM server there are A and PTR records for both the IdM server and
> > another client.
> > However this setup does not work.
> > From the IdM and linux client every record is resolvable, however from the
> > AD only the IdM is resolvable and the client is not.
> >
> > Maybe there's another thing I need to configure in the AD in order to
> > enable forwarding that I'm missing?
>
> I'm not sure I understand you.
>
> A zone should be configured only on one server (or set of synchronized
> servers).
>
> Could you tell us what exactly (using what commands or GUI in IPA and AD) did
> you configure?
>
> It would be good if you did not obfuscate DNS names in the steps because the
> obfuscation often hides the real cause of problem :-)
>
> Have a nice day!
>
> Petr^2 Spacek
>
>
> > Thank you very much,
> > John
> >
> > On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek <pspacek at redhat.com> wrote:
> >
> >> On 29.6.2015 13:57, John Stein wrote:
> >>> Hi,
> >>>
> >>> I have an AD and IdM server.
> >>> AD domain - john.com
> >>> IdM domain - linux.john.com
> >>>
> >>> each spans multiple network segments, with some segments having both linux
> >>> and windows machines.
> >>>
> >>> the IdM is configured to forward DNS requests to AD (forward first), and
> >>> the AD is configured to forward requests in the linux.john.com domain to
> >>> the IdM.
> >>>
> >>> However, I'm having a problem regarding reverse lookup zones. Where should
> >>> they be so they can be accessed from both linux and windows machines?
> >>
> >> From DNS's point of view it does not matter, pick one side (AD or IPA) to host
> >> the reverse zone and configure delegation or forwarding on the other side.
> >> That is all you need if you are willing to update records manually.
> >>
> >>> If I put them in IdM, how will the AD know which requests to forward to the
> >>> IdM?
> >>
> >> Either properly configure delegation (if you have control over the parent
> >> zone) or add forwarder (only if you do not have control over parent zone -
> >> usual caveats for forwarding apply).
> >>
> >>> It seems to me that I need to somehow register them at the AD, so the A
> >>> record is in the IdM server and the PTR is in the AD. Is it possible to do
> >>> it automatically,
> >>
> >> "host/" principals from IPA Kerberos realm are generally not allowed to get
> >> tickets for AD realm so automatic update from IPA to AD is not possible.
> >>
> >> It might work the other way around (I did not test this):
> >> - Configure reverse zone in IPA
> >> - Configure delegation/forwarding in AD so all clients can properly resolve
> >> the reverse zone
> >> - Allow all clients to update their PTR records. Update policy like this might
> >> work:
> >> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE
> >> krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> >> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >>
> >> I would like to hear from you if this works in your environment or not.
>
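Before widening the update policy, it helps to confirm which hosts actually lack a reverse record on the side AD resolves. The following is an added example, not code from this thread or from FreeIPA: it takes the forward (A) records one server holds and the PTR records the other server returns (both constructed here, with made-up names and addresses in the thread's 192.0.2.0/24 zone) and lists hosts that resolve forward but not in reverse, plus PTRs with no matching A record.

```python
import ipaddress


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone for an IPv4 /8, /16 or /24, e.g. 192.0.2.0/24 gives 2.0.192.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 reverse zones are handled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for one address, e.g. 192.0.2.20 gives 20.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_consistency(a_records: dict, ptr_records: dict, cidr: str) -> dict:
    """Compare the A records one side knows with the PTR records the other side
    returns, restricted to hosts inside cidr. Reports hosts with no matching PTR
    (forward resolves, reverse does not, the symptom in the thread) and PTRs
    whose target has no matching A record."""
    net = ipaddress.ip_network(cidr, strict=True)
    zone = reverse_zone(cidr)
    missing_ptr = [host for host, ip in sorted(a_records.items())
                   if ipaddress.ip_address(ip) in net
                   and ptr_records.get(ptr_owner(ip)) != host]
    stale_ptr = [owner for owner, host in sorted(ptr_records.items())
                 if owner.endswith(zone)
                 and (host not in a_records or ptr_owner(a_records[host]) != owner)]
    return {"zone": zone, "missing_ptr": missing_ptr, "stale_ptr": stale_ptr}


# Constructed sample data modelled on the thread: forward records held by IPA,
# reverse records the AD side actually answers with. Names and addresses are made up.
A_RECORDS_IPA = {
    "idm.linux.john.com.": "192.0.2.10",
    "client1.linux.john.com.": "192.0.2.20",
    "dc.john.com.": "192.0.2.1",
}
PTR_RECORDS_AD = {
    "1.2.0.192.in-addr.arpa.": "dc.john.com.",
    "10.2.0.192.in-addr.arpa.": "idm.linux.john.com.",
    "30.2.0.192.in-addr.arpa.": "oldhost.linux.john.com.",  # stale: no A record exists
}

if __name__ == "__main__":
    print(check_consistency(A_RECORDS_IPA, PTR_RECORDS_AD, "192.0.2.0/24"))
```

Feeding the script the record sets dumped from each server (e.g. the output of `ipa dnsrecord-find` on one side and a zone export from the other) shows whether the problem is a missing PTR or a forwarding gap.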