[Freeipa-users] ipa-client-install not creating reverse DNS entries

Petr Spacek pspacek at redhat.com
Tue Sep 15 07:49:33 UTC 2015


On 15.9.2015 03:29, Nathan Peters wrote:
> I think it was not having dynamic updates enabled for the reverse zone.  I

Yes, that is it. See
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
for more details.

> enabled those and PTR sync on both the forward and reverse and now it seems to
> be working for a new client that I joined.
> 
> What I'm not clear on at this point is why that is not a default setting.  I
> know at some point I deleted a /24 reverse zone and made a /16 instead because
> we have too many /24s to manage efficiently.
> 
> Also, due to the issues that can arise from not having valid PTR entries, you
> would think that this would be defaulted to on.

Well, it is not enabled by default because values of A/AAAA records (and thus
PTR records created by SyncPTR feature) are not validated in any way. It is up
to admin to decide if it is acceptable risk or not.

Petr^2 Spacek

> 
> On 9/14/2015 12:03 AM, Martin Basti wrote:
>> Hi,
>> can you check the journalctl -u named(-pkcs11) on server, there might be
>> errors why PTR record has not been added.
>>
>> Do you have enabled dynamic updates for the reverse zone?
>>
>> Martin
>>
>> On 09/12/2015 10:42 PM, Youenn PIOLET wrote:
>>>
>>> Hi,
>>>
>>> I've seen the same issue recently on various clients using ipa 3.3 and ipa
>>> 4.* during the first join on a clean OS. Can't confirm it was working
>>> before. Is it normal behavior?
>>>
>>> Allow PTR sync is enabled.
>>>
>>> Cheers,
>>>
>>> On 12 Sept 2015 7:44 AM, "Nathan Peters" <nathan at nathanpeters.com> wrote:
>>>
>>>
>>>     On 9/11/2015 10:32 AM, Simo Sorce wrote:
>>>
>>>         On Fri, 2015-09-11 at 10:25 -0700, nathan at nathanpeters.com wrote:
>>>
>>>             I have been trying to figure this out for a while now but
>>>             when I join a machine to FreeIPA, the installer properly creates
>>>             forward DNS entries and SSHFP entries, but does not create
>>>             reverse entries. Without the PTR records, kerberos logins are
>>>             always failing on these machines.
>>>
>>>         I am interested in understanding what fails exactly; stuff
>>>         should not depend on reverse resolution. Can you give me an
>>>         example of a failure?
>>>
>>>         For the PTR creation anyway, have you enabled the option to
>>>         allow setting PTR records? There is a global DNS option (as
>>>         well as a per-zone setting) called "Allow PTR Sync" you may
>>>         want to enable.
>>>
>>>
>>>     When we attempt to login using kerberos on a machine that has no
>>>     reverse DNS entry defined, we are instead prompted with a
>>>     password prompt.  The password authentication still works but the
>>>     ticket does not.
>>>
>>>     From what I read, the Allow PTR Sync option is only used in
>>>     conjunction with DNS IP address changes and does not apply to the
>>>     initial join of the domain.
>>>
>>>     Is the joining process supposed to create reverse DNS entries for
>>>     the clients or just forward entries and SSHFP entries?