[Freeipa-users] ipa-client-install not creating reverse DNS entries
Nathan Peters
nathan at nathanpeters.com
Tue Sep 15 01:29:33 UTC 2015
I think it was not having dynamic updates enabled for the reverse zone.
I enabled those and PTR sync on both the forward and reverse and now it
seems to be working for a new client that I joined.
What I'm not clear on at this point is why that is not a default
setting. I know at some point I deleted a /24 reverse zone and made a
/16 instead because we have too many /24s to manage efficiently.
Also, due to the issues that can arise from not having valid PTR
entries, you would think that this would be defaulted to on.
On 9/14/2015 12:03 AM, Martin Basti wrote:
> Hi,
> can you check the journalctl -u named(-pkcs11) on server, there might
> be errors why PTR record has not been added.
>
> Do you have enabled dynamic updates for the reverse zone?
>
> Martin
>
> On 09/12/2015 10:42 PM, Youenn PIOLET wrote:
>>
>> Hi,
>>
>> I've seen the same issue recently on various clients using ipa 3.3
>> and ipa 4.* during the first join on a clean OS. Can't confirm it was
>> working before. Is it normal behavior?
>>
>> Allow PTR sync is enabled.
>>
>> Cheers,
>>
>> On 12 Sep 2015 7:44 AM, "Nathan Peters" <nathan at nathanpeters.com> wrote:
>>
>>
>> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>>
>> On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote:
>>
>> I have been trying to figure this out for a while now but when I join a
>> machine to FreeIPA, the installer properly creates forward DNS entries
>> and SSHFP entries, but does not create reverse entries. Without the PTR
>> records, Kerberos logins are always failing on these machines.
>>
>> I am interested in understanding what fails exactly, stuff should not
>> depend on reverse resolution; can you give me an example of a failure?
>>
>> For the PTR creation anyway have you enabled the option to allow setting
>> PTR records? There is a global DNS option (as well as per-zone setting)
>> called "Allow PTR Sync" you may want to enable.
>>
>>
>> When we attempt to login using Kerberos on a machine that has no
>> reverse DNS entry defined, we are instead prompted with a password
>> prompt. The password authentication still works but the ticket does not.
>>
>> From what I read, the Allow PTR Sync option is only used in
>> conjunction with DNS IP address changes and does not apply to the
>> initial join of the domain.
>>
>> Is the joining process supposed to create reverse DNS entries for
>> the clients or just forward entries and SSHFP entries?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
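Added example (not part of the thread or the FreeIPA project): a small POSIX shell helper that works out which in-addr.arpa zone serves a client (the thread mentions replacing /24 zones with a /16), the PTR owner name the client should end up with, and the ipa commands that turn on dynamic updates and PTR sync for that zone. The IP address and hostname used are constructed for illustration; the ipa and dig calls are only printed or left in functions, not executed.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Constructed values:
# client 10.20.30.40, reverse zone served as a /16 (20.10.in-addr.arpa).

# reverse_zone IP PREFIXLEN -> in-addr.arpa zone name for /8, /16 or /24
reverse_zone() {
    ip=$1; plen=$2
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    case $plen in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  return 1 ;;   # classless reverse zones are out of scope here
    esac
}

# ptr_name IP -> the PTR owner name the client should get after joining
ptr_name() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# enable_ptr_updates ZONE -> prints the ipa commands matching the fix in
# the thread: dynamic updates on the reverse zone plus PTR sync on the
# zone and globally. Printed rather than run so the script works offline.
enable_ptr_updates() {
    zone=$1
    echo "ipa dnszone-mod $zone --dynamic-update=TRUE --allow-sync-ptr=TRUE"
    echo "ipa dnsconfig-mod --allow-sync-ptr=TRUE"
}

# check_ptr IP FQDN -> succeeds when the live PTR answer matches FQDN
# (needs dig and network access; not called at top level)
check_ptr() {
    [ "$(dig +short -x "$1")" = "$2." ]
}

# Worked run for the constructed client:
zone=$(reverse_zone 10.20.30.40 16)
echo "reverse zone: $zone"          # 20.10.in-addr.arpa
echo "expected PTR: $(ptr_name 10.20.30.40)"  # 40.30.20.10.in-addr.arpa
enable_ptr_updates "$zone"
```

After enabling the options, the zone's BIND update policy (ipa dnszone-mod --update-policy) must also grant the client's host principal the right to add its PTR, and `journalctl -u named-pkcs11` on the server shows the update being accepted or refused.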