<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
can you check journalctl -u named(-pkcs11) on the server? There might
be errors explaining why the PTR record has not been added.<br>
<br>
Have you enabled dynamic updates for the reverse zone?<br>
<br>
Martin<br>
<br>
<div class="moz-cite-prefix">On 09/12/2015 10:42 PM, Youenn PIOLET
wrote:<br>
</div>
<blockquote
cite="mid:CAF7cxud7tEGnYRR-v714D=fDd7DhFi=6d1X-0W5gM_y2NgkR3Q@mail.gmail.com"
type="cite">
<p dir="ltr">Hi, </p>
<p dir="ltr">I've seen the same issue recently on various clients
using ipa 3.3 and ipa 4.* during the first join on a clean OS.
Can't confirm it was working before. Is it normal behavior? </p>
<p dir="ltr">Allow PTR sync is enabled. </p>
<p dir="ltr">Cheers, </p>
<div class="gmail_quote">On 12 Sept. 2015 7:44 AM, "Nathan Peters"
&lt;<a moz-do-not-send="true"
href="mailto:nathan@nathanpeters.com">nathan@nathanpeters.com</a>&gt;
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
On 9/11/2015 10:32 AM, Simo Sorce wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
On Fri, 2015-09-11 at 10:25 -0700, <a
moz-do-not-send="true"
href="mailto:nathan@nathanpeters.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:nathan@nathanpeters.com">nathan@nathanpeters.com</a></a>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I have been trying to figure this out for a while now, but
when I join a<br>
machine to FreeIPA, the installer properly creates forward
DNS<br>
entries and DNS SSHFP entries, but does not create reverse
entries.<br>
Without the PTR records, Kerberos logins are always
failing on these<br>
machines.<br>
</blockquote>
I am interested in understanding what fails exactly; stuff
should not<br>
depend on reverse resolution. Can you give me an example of a
failure?<br>
<br>
For the PTR creation anyway, have you enabled the option to
allow setting<br>
PTR records?<br>
There is a global DNS option (as well as a per-zone setting)
called<br>
"Allow PTR Sync" you may want to enable.<br>
<br>
</blockquote>
<br>
When we attempt to login using kerberos on a machine that has
no reverse DNS entry defined, we are instead prompted with a
password prompt. The password authentication still works but
the ticket does not.<br>
<br>
From what I read, the Allow PTR Sync option is only used
in conjunction with DNS IP address changes and does not apply
to the initial join of the domain.<br>
<br>
Is the joining process supposed to create reverse DNS entries
for the clients or just forward entries and SSHFP entries?<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a moz-do-not-send="true" href="http://freeipa.org"
rel="noreferrer" target="_blank">http://freeipa.org</a> for
more info on the project<br>
</blockquote>
</div>
<br>
<br>
</blockquote>
<br>
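<br>
Added example, not part of the thread or of FreeIPA's own code: a small Python helper for the reverse-zone check raised at the top of this message. It derives the PTR owner name for a client address, finds the most specific reverse zone covering it, and reports whether that zone has dynamic updates enabled. The zone list, its settings and the function names are constructed for illustration.<br>

```python
# Added example, not from the thread. Zone names and settings are constructed.
import ipaddress

# Constructed server view: zone name mapped to "dynamic updates enabled?"
SAMPLE_ZONES = {
    "example.test.": True,
    "2.0.192.in-addr.arpa.": False,
    "100.51.198.in-addr.arpa.": True,
    "8.b.d.0.1.0.0.2.ip6.arpa.": True,
}

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring the trailing dot."""
    return name.lower().rstrip(".").split(".")

def ptr_name(ip):
    """Absolute owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def covering_zone(owner, zones):
    """Most specific zone whose labels are a suffix of the owner's labels."""
    owner_labels = _labels(owner)
    matches = [z for z in zones
               if owner_labels[-len(_labels(z)):] == _labels(z)]
    return max(matches, key=lambda z: len(_labels(z)), default=None)

def diagnose(ip, zones):
    """Return (ptr_owner, zone, finding) for one client address."""
    owner = ptr_name(ip)
    zone = covering_zone(owner, zones)
    if zone is None:
        finding = "no reverse zone here covers this address"
    elif not zones[zone]:
        finding = "reverse zone found, dynamic updates disabled"
    else:
        finding = "reverse zone accepts dynamic updates, check the named journal"
    return owner, zone, finding

if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "2001:db8::1"):
        print(addr, *diagnose(addr, SAMPLE_ZONES), sep=" | ")
```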
</body>
</html>