<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I think it was not having dynamic updates enabled for the reverse
zone. I enabled those and PTR sync on both the forward and reverse
and now it seems to be working for a new client that I joined.<br>
<br>
What I'm not clear on at this point is why that is not a default
setting. I know at some point I deleted a /24 reverse zone and made
a /16 instead because we have too many /24s to manage efficiently.<br>
<br>
Also, due to the issues that can arise from not having valid PTR
entries, you would think that this would be defaulted to on.<br>
<br>
<div class="moz-cite-prefix">On 9/14/2015 12:03 AM, Martin Basti
wrote:<br>
</div>
<blockquote cite="mid:55F67126.7030802@redhat.com" type="cite">
Hi,<br>
can you check the journalctl -u named(-pkcs11) on the server; there
might be errors explaining why the PTR record has not been added.<br>
<br>
Do you have enabled dynamic updates for the reverse zone?<br>
<br>
Martin<br>
<br>
<div class="moz-cite-prefix">On 09/12/2015 10:42 PM, Youenn PIOLET
wrote:<br>
</div>
<blockquote
cite="mid:CAF7cxud7tEGnYRR-v714D=fDd7DhFi=6d1X-0W5gM_y2NgkR3Q@mail.gmail.com"
type="cite">
<p dir="ltr">Hi, </p>
<p dir="ltr">I've seen the same issue recently on various
clients using ipa 3.3 and ipa 4.* during the first join on a
clean OS. Can't confirm it was working before. Is it normal
behavior? </p>
<p dir="ltr">Allow PTR sync is enabled. </p>
<p dir="ltr">Cheers, </p>
<div class="gmail_quote">On 12 Sept 2015 7:44 AM, "Nathan
Peters" &lt;<a moz-do-not-send="true"
href="mailto:nathan@nathanpeters.com">nathan@nathanpeters.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
On 9/11/2015 10:32 AM, Simo Sorce wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"> On Fri,
2015-09-11 at 10:25 -0700, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:nathan@nathanpeters.com">nathan@nathanpeters.com</a>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"> I
have been trying to figure this out for a while now but
when I join<br>
machine to FreeIPA, the installer properly creates
forward DNS<br>
entries, and DNS SSHFP entries, but does not create
reverse entries.<br>
Without the PTR records, Kerberos logins are always
failing on these<br>
machines.<br>
</blockquote>
I am interested in understanding what fails exactly, stuff
should not<br>
depend on reverse resolution can you give me an example of
a failure ?<br>
<br>
For the PTR creation anyway have you enabled the option to
allow setting<br>
PTR records ?<br>
There is a global DNS option (as well as a per-zone
setting) called<br>
"Allow PTR Sync" you may want to enable.<br>
<br>
</blockquote>
<br>
When we attempt to login using Kerberos on a machine that
has no reverse DNS entry defined, we are instead prompted
with a password prompt. The password authentication still
works but the ticket does not.<br>
<br>
From what I read, the Allow PTR Sync option is only used
in conjunction with DNS IP address changes and does not
apply to the initial join of the domain.<br>
<br>
Is the joining process supposed to create reverse DNS
entries for the clients or just forward entries and SSHFP
entries?<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a moz-do-not-send="true" href="http://freeipa.org"
rel="noreferrer" target="_blank">http://freeipa.org</a>
for more info on the project<br>
</blockquote>
</div>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
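<p>The two zone settings the thread converges on (dynamic updates on the reverse zone, plus Allow PTR Sync) are easy to miss when reverse zones are re-created by hand, as with the /24-to-/16 change described above. The following is an added example, not code from the thread or from the FreeIPA project: a POSIX shell function that reads the text printed by <code>ipa dnszone-show &lt;zone&gt;</code> and emits the <code>ipa dnszone-mod</code> command needed to turn on whichever of the two settings is off. The sample zone output embedded below is constructed for illustration (fabricated zone, nameserver and policy values), and the <code>Zone name:</code>, <code>Dynamic update:</code> and <code>Allow PTR sync:</code> labels are assumed to match the layout of <code>ipa dnszone-show</code>; the <code>--dynamic-update</code> and <code>--allow-sync-ptr</code> options of <code>ipa dnszone-mod</code> are the real flags.</p>

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA itself): audit one
# FreeIPA reverse zone for the two settings the thread identifies as
# required for PTR records to appear when a client joins:
#   Dynamic update: TRUE   (zone accepts DDNS updates from the client)
#   Allow PTR sync: TRUE   (server writes the PTR alongside the A/AAAA record)
# Input : the text that `ipa dnszone-show <zone>` prints, on stdin.
# Output: the `ipa dnszone-mod` command that fixes what is off, or "ok".

audit_zone() {
    zone='' dyn='' ptr='' flags=''
    while IFS= read -r line; do
        case "$line" in
            # Labels assumed to match the `ipa dnszone-show` layout.
            *"Zone name:"*)      zone=${line##*: } ;;
            *"Dynamic update:"*) dyn=${line##*: } ;;
            *"Allow PTR sync:"*) ptr=${line##*: } ;;
        esac
    done
    [ -n "$zone" ] || { echo "no 'Zone name:' line in input" >&2; return 2; }
    # A missing line counts as off: the attribute may simply be unset.
    [ "$dyn" = TRUE ] || flags="$flags --dynamic-update=TRUE"
    [ "$ptr" = TRUE ] || flags="$flags --allow-sync-ptr=TRUE"
    if [ -z "$flags" ]; then
        echo "ok: $zone already allows dynamic updates and PTR sync"
    else
        echo "ipa dnszone-mod $zone$flags"
    fi
}

# Constructed sample of `ipa dnszone-show` output for a /16 reverse zone
# with both settings off (fabricated values, not captured from a real server).
sample='  Zone name: 10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa.example.test.
  Dynamic update: FALSE
  BIND update policy: grant EXAMPLE.TEST krb5-subdomain 10.in-addr.arpa. PTR;
  Allow PTR sync: FALSE'

printf '%s\n' "$sample" | audit_zone
```

<p>Against a live server, pipe the real output in (<code>ipa dnszone-show 10.in-addr.arpa. | audit_zone</code>) and run the printed command. The global counterpart that Simo mentions is <code>ipa dnsconfig-mod --allow-sync-ptr=TRUE</code>. After re-joining a client, confirm the record with <code>dig +short -x &lt;client-ip&gt; @&lt;ipa-server&gt;</code>, and if it is still missing, check <code>journalctl -u named-pkcs11</code> on the server as Martin suggests.</p>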
</body>
</html>