[Freeipa-users] ipa-client-install not creating reverse DNS entries

Nathan Peters nathan at nathanpeters.com
Tue Sep 15 01:29:33 UTC 2015


I think it was not having dynamic updates enabled for the reverse zone.  
I enabled those and PTR sync on both the forward and reverse and now it 
seems to be working for a new client that I joined.

What I'm not clear on at this point is why that is not a default 
setting.  I know at some point I deleted a /24 reverse zone and made a 
/16 instead because we have too many /24s to manage efficiently.

Also, due to the issues that can arise from not having valid PTR 
entries, you would think that this would be defaulted to on.

On 9/14/2015 12:03 AM, Martin Basti wrote:
> Hi,
> can you check the journalctl -u named(-pkcs11) on server, there might 
> be errors why PTR record has not been added.
>
> Do you have enabled dynamic updates for the reverse zone?
>
> Martin
>
> On 09/12/2015 10:42 PM, Youenn PIOLET wrote:
>>
>> Hi,
>>
>> I've seen the same issue recently on various clients using ipa 3.3 
>> and ipa 4.* during the first join on a clean OS. Can't confirm it was 
>> working before. Is it normal behavior?
>>
>> Allow PTR sync is enabled.
>>
>> Cheers,
>>
>> On 12 Sept. 2015 7:44 AM, "Nathan Peters" <nathan at nathanpeters.com> 
>> wrote:
>>
>>
>>     On 9/11/2015 10:32 AM, Simo Sorce wrote:
>>
>>         On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote:
>>
>>             I have been trying to figure this out for a while now but
>>             when I join
>>             machine to FreeIPA, the installer properly creates
>>             forward DNS
>>             entries, and DNS SSHFP entries, but does not create reverse
>>             entries.
>>             Without the PTR records, kerberos logins are always
>>             failing on these
>>             machines.
>>
>>         I am interested in understanding what fails exactly, stuff
>>         should not
>>         depend on reverse resolution can you give me an example of a
>>         failure ?
>>
>>         For the PTR creation anyway have you enabled the option to
>>         allow setting
>>         PTR records ?
>>         There is a global DNS option (as well as per-zone setting)
>>         called
>>         "Allow PTR Sync" you may want to enable.
>>
>>
>>     When we attempt to login using kerberos on a machine that has no
>>     reverse DNS entry defined, we are instead prompted with a
>>     password prompt.  The password authentication still works but the
>>     ticket does not.
>>
>>     From what I read, the Allow PTR Sync option is only used in
>>     conjunction with DNS IP address changes and does not apply to the
>>     initial join of the domain.
>>
>>     Is the joining process supposed to create reverse DNS entries for
>>     the clients or just forward entries and SSHFP entries?
>>
>>
>>
>>
>
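The two zone settings this thread lands on (dynamic updates and PTR sync on the reverse zone that actually owns the client's address, which matters once a /24 has been replaced by a /16) can be audited offline before a join. The following is an added example, not FreeIPA's code or anything from the posters; the zone table is constructed sample data in the shape `ipa dnszone-show` reports, and `allow_sync_ptr=None` models a zone with no explicit value that inherits the global `ipa dnsconfig-mod --allow-sync-ptr` setting.

```python
import ipaddress
from typing import Optional

# Constructed sample (not real site data): per-zone values of
# idnsAllowDynUpdate / idnsAllowSyncPTR as `ipa dnszone-show` reports them.
# allow_sync_ptr=None means "not set on the zone, inherit the global setting".
SAMPLE_ZONES = {
    "20.10.in-addr.arpa.": {"dynamic_update": False, "allow_sync_ptr": None},  # a /16
    "5.10.in-addr.arpa.":  {"dynamic_update": True,  "allow_sync_ptr": True},
}

def reverse_zone_candidates(ip: str) -> list:
    """Reverse zones that could hold the PTR for ip, most specific first (/24, /16, /8)."""
    labels = ipaddress.ip_address(ip).reverse_pointer.split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels) - 2)]

def find_ptr_zone(ip: str, zones: dict) -> Optional[str]:
    """Longest-matching reverse zone served by IPA, or None if there is none."""
    for cand in reverse_zone_candidates(ip):
        if cand in zones:
            return cand
    return None

def ptr_record_name(ip: str, zone: str) -> str:
    """Owner name of the PTR relative to zone, e.g. '40.30' inside 20.10.in-addr.arpa."""
    full = ipaddress.ip_address(ip).reverse_pointer + "."
    return full[: -len(zone) - 1]

def audit_ptr(ip: str, zones: dict, global_sync_ptr: bool) -> dict:
    """Report why a client at ip would (not) get a PTR, with the ipa commands to fix it."""
    zone = find_ptr_zone(ip, zones)
    if zone is None:
        return {"zone": None, "ok": False,
                "problems": ["no reverse zone for this address is served by IPA"],
                "fix": ["ipa dnszone-add %s --dynamic-update=TRUE --allow-sync-ptr=TRUE"
                        % reverse_zone_candidates(ip)[0]]}
    cfg = zones[zone]
    problems, fix = [], []
    if not cfg["dynamic_update"]:
        problems.append("dynamic updates disabled on %s" % zone)
        fix.append("ipa dnszone-mod %s --dynamic-update=TRUE" % zone)
    sync = cfg["allow_sync_ptr"]
    effective = global_sync_ptr if sync is None else sync  # zone value overrides global
    if not effective:
        problems.append("PTR sync not enabled for %s" % zone)
        fix.append("ipa dnszone-mod %s --allow-sync-ptr=TRUE" % zone)
    return {"zone": zone, "record": ptr_record_name(ip, zone),
            "ok": not problems, "problems": problems, "fix": fix}

if __name__ == "__main__":
    print(audit_ptr("10.20.30.40", SAMPLE_ZONES, global_sync_ptr=False))
```

After applying the suggested commands, `dig -x <client-ip> @<ipa-server>` on the next join confirms the PTR appeared.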
