[Freeipa-users] shared ip space for iDM and AD

Petr Spacek pspacek at redhat.com
Wed Oct 14 06:56:40 UTC 2015


On 14.10.2015 00:41, Craig White wrote:
> Our environment is mostly Linux servers but we do have some Windows servers running MSSQL. A co-worker spun up Active Directory Domain Controllers without conferring with me and the Windows boxes are all on one of the VLAN private LAN networks used by FreeIPA. Thus we not only have reverse DNS servers in FreeIPA but also in Active Directory. Is it possible to have Active Directory use the reverse DNS servers on iDM/FreeIPA?

If you decide to manually configure/add records to reverse zones then yes, it
will work :-)

If you want to use dynamic updates from IPA and Windows clients, then you need
to establish a trust between the AD and IPA domains and modify the DNS update
policy on the IPA server to accept updates from Windows clients.

Please note that I did not test this, but it should work.


# this allows updates to A/AAAA/SSHFP records
# (the option is --dynamic-update, singular)
$ ipa dnszone-mod your.domain.example. --dynamic-update=TRUE
# krb5-self: an IPA host principal may update only its own name
# ms-self: an AD machine account may update only its own name
$ ipa dnszone-mod your.domain.example. --update-policy='
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * AAAA;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * AAAA;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
'

# this instructs IPA server to update PTR records when updating A/AAAA records
# (the option is --allow-sync-ptr)
$ ipa dnszone-mod your.domain.example. --allow-sync-ptr=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE


Alternatively, you can allow unauthenticated updates to reverse zones, so the
SyncPTR feature is not needed for Windows clients (because the clients would
do the updates themselves):
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
# tcp-self: any client may update the PTR record matching the source address
# of its own TCP connection; no authentication is involved
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
grant * tcp-self * PTR;'


Please let me know if it works for you.

-- 
Petr^2 Spacek
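The following helper script is an added example, not part of Petr's reply or of FreeIPA itself. It derives the in-addr.arpa zone name from an IPv4 prefix, assembles the krb5-self/ms-self update policy for a pair of realms, prints the resulting `ipa dnszone-mod` commands for review instead of executing them, and flags any grant whose identity is `*`, which is the unauthenticated tcp-self variant from the alternative above. Realm and zone names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original mail). Builds and audits the
# update-policy strings discussed above; nothing here talks to an IPA server.

# reverse_zone PREFIX -> in-addr.arpa zone for an IPv4 /8, /16 or /24 prefix.
# Example: reverse_zone 192.0.2.0/24 -> 2.0.192.in-addr.arpa.
reverse_zone() {
    _net=${1%/*}
    _len=${1#*/}
    IFS=. read -r o1 o2 o3 o4 <<EOF
$_net
EOF
    case "$_len" in
        8)  printf '%s.in-addr.arpa.\n' "$o1" ;;
        16) printf '%s.%s.in-addr.arpa.\n' "$o2" "$o1" ;;
        24) printf '%s.%s.%s.in-addr.arpa.\n' "$o3" "$o2" "$o1" ;;
        *)  return 1 ;;   # other prefix lengths are not classful; refuse
    esac
}

# forward_policy IPA_REALM AD_REALM -> grant lines where every principal may
# write only its own name (krb5-self for IPA hosts, ms-self for AD machines).
forward_policy() {
    for rt in A AAAA SSHFP; do
        printf 'grant %s krb5-self * %s;\n' "$1" "$rt"
    done
    for rt in A AAAA SSHFP; do
        printf 'grant %s ms-self * %s;\n' "$2" "$rt"
    done
}

# unauthenticated_grants: succeeds (exit 0) when the policy read from stdin
# contains a grant with identity '*', i.e. one that needs no credentials.
unauthenticated_grants() {
    grep -Eq '^[[:space:]]*grant[[:space:]]+\*[[:space:]]'
}

# emit_commands ZONE PREFIX IPA_REALM AD_REALM -> the dnszone-mod commands
# for the forward zone plus SyncPTR-maintained reverse zone, as a dry run.
emit_commands() {
    _rev=$(reverse_zone "$2") || return 1
    printf 'ipa dnszone-mod %s --dynamic-update=TRUE\n' "$1"
    printf "ipa dnszone-mod %s --update-policy='\n" "$1"
    forward_policy "$3" "$4"
    printf "'\n"
    printf 'ipa dnszone-mod %s --allow-sync-ptr=TRUE\n' "$1"
    printf 'ipa dnszone-mod %s --dynamic-update=TRUE\n' "$_rev"
}

# Usage with placeholder names (run the printed commands only after review):
#   emit_commands your.domain.example. 192.0.2.0/24 IPA.REALM.EXAMPLE AD.REALM.EXAMPLE
# Audit an existing policy string before applying it:
#   ipa dnszone-show 2.0.192.in-addr.arpa. --raw | unauthenticated_grants && echo 'unauthenticated grant present'
```

The audit function is the piece worth keeping around: the authenticated policy produced by `forward_policy` never triggers it, while the `grant * tcp-self * PTR;` alternative does, which makes it easy to spot which reverse zones accept writes from any host that can open a TCP connection to the server.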
