[Freeipa-users] ipa-client-install not creating reverse DNS entries

Martin Basti mbasti at redhat.com
Mon Sep 14 07:03:02 UTC 2015 

Hi,
can you check the journalctl -u named(-pkcs11) on server, they might be 
errors why PTR record has not been added.

Do you have enabled dynamic updates for the reverse zone?

Martin

On 09/12/2015 10:42 PM, Youenn PIOLET wrote:
>
> Hi,
>
> I've seen the same issue recently on various clients using ipa 3.3 and 
> ipa 4.* during the first join on a clean OS. Can't confirm it was 
> working before. Is it normal behavior?
>
> Allow PTR sync is enabled.
>
> Cheers,
>
> Le 12 sept. 2015 7:44 AM, "Nathan Peters" <nathan at nathanpeters.com 
> <mailto:nathan at nathanpeters.com>> a écrit :
>
>
>     On 9/11/2015 10:32 AM, Simo Sorce wrote:
>
>         On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com
>         <mailto:nathan at nathanpeters.com> wrote:
>
>             I have been trying to figure this out for a while now but
>             when I join
>             machine to FreeIPA, the installer properly creates forward DNS
>             entries,and DNSSSHFP entries, but does not create reverse
>             entries.
>             Without the PTR records, kerberos logins are always
>             failing on these
>             machines.
>
>         I am interested in understanding what fails exactly, stuff
>         should not
>         depend on reverse resolution can you give me an example of a
>         failure ?
>
>         For the PTR creation anyway have you enabled the option to
>         allow setting
>         PTR records ?
>         There is a global DNS option (As awell as per-zone setting) called
>         "Allow PTR Sync" you may want to enable.
>
>
>     When we attempt to login using kerberos on a machine that has no
>     reverse DNS entry defined, we are instead prompted with a password
>     prompt.  The password authentication still works but the ticket
>     does not.
>
>     >From what I read, the Allow PTR Sync option is only used in
>     conjunction with DNS IP address changes and does not apply to the
>     initial join of the domain.
>
>     Is the joining process supposed to create reverse DNS entries for
>     the clients or just forward entries and SSHFP entries?
>
>     -- 
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go to http://freeipa.org for more info on the project
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150914/f88475f5/attachment.htm>

More information about the Freeipa-users mailing list