[Freeipa-users] ipa-client-install not creating reverse DNS entries

Nathan Peters nathan at nathanpeters.com
Sat Sep 12 05:41:46 UTC 2015


On 9/11/2015 10:32 AM, Simo Sorce wrote:
> On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote:
>> I have been trying to figure this out for a while now but when I join a
>> machine to FreeIPA, the installer properly creates forward DNS
>> entries and DNS SSHFP entries, but does not create reverse entries.
>> Without the PTR records, Kerberos logins are always failing on these
>> machines.
> I am interested in understanding what fails exactly; stuff should not
> depend on reverse resolution. Can you give me an example of a failure?
>
> For the PTR creation anyway, have you enabled the option to allow setting
> PTR records?
> There is a global DNS option (as well as a per-zone setting) called
> "Allow PTR Sync" you may want to enable.
>

When we attempt to log in using Kerberos on a machine that has no reverse
DNS entry defined, we are instead prompted with a password prompt. The
password authentication still works but the ticket does not.

From what I read, the Allow PTR Sync option is only used in conjunction
with DNS IP address changes and does not apply to the initial join of
the domain.

Is the joining process supposed to create reverse DNS entries for the 
clients or just forward entries and SSHFP entries?



