I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD.
On Wed, Jul 8, 2015, 12:50 Petr Spacek <[email protected]> wrote:

> On 5.7.2015 08:38, John Stein wrote:
> > Hi,
> >
> > I ran these commands on the IdM server:
> >
> > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM
> > krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >
> > At the Active Directory I have A and PTR records for the IdM server and it
> > is configured as a global forwarder.
> > At the IdM server there are A and PTR records for both the IdM server and
> > another client.
> > However, this setup does not work.
> > From the IdM and Linux client every record is resolvable; however, from the
> > AD only the IdM is resolvable and the client is not.
> >
> > Maybe there's another thing I need to configure in the AD in order to
> > enable forwarding that I'm missing?
>
> I'm not sure I understand you.
>
> A zone should be configured only on one server (or set of synchronized
> servers).
>
> Could you tell us what exactly (using what commands or GUI in IPA and AD) did
> you configure?
>
> It would be good if you did not obfuscate DNS names in the steps, because the
> obfuscation often hides the real cause of the problem :-)
>
> Have a nice day!
>
> Petr^2 Spacek
>
> > Thank you very much,
> > John
> >
> > On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek <[email protected]> wrote:
> >
> >> On 29.6.2015 13:57, John Stein wrote:
> >>> Hi,
> >>>
> >>> I have an AD and IdM server.
> >>> AD domain - john.com
> >>> IdM domain - linux.john.com
> >>>
> >>> Each spans multiple network segments, with some segments having both Linux
> >>> and Windows machines.
> >>>
> >>> The IdM is configured to forward DNS requests to AD (forward first), and
> >>> the AD is configured to forward requests in the linux.john.com domain to
> >>> the IdM.
> >>>
> >>> However, I'm having a problem regarding reverse lookup zones. Where should
> >>> they be so they can be accessed from both Linux and Windows machines?
> >>
> >> From DNS's point of view it does not matter; pick one side (AD or IPA) to host
> >> the reverse zone and configure delegation or forwarding on the other side.
> >> That is all you need if you are willing to update records manually.
> >>
> >>> If I put them in IdM, how will the AD know which requests to forward to the
> >>> IdM?
> >>
> >> Either properly configure delegation (if you have control over the parent
> >> zone) or add a forwarder (only if you do not have control over the parent zone -
> >> the usual caveats for forwarding apply).
> >>
> >>> It seems to me that I need to somehow register them at the AD, so the A
> >>> record is in the IdM server and the PTR is in the AD. Is it possible to do
> >>> it automatically,
> >>
> >> "host/" principals from the IPA Kerberos realm are generally not allowed to get
> >> tickets for the AD realm, so automatic update from IPA to AD is not possible.
> >>
> >> It might work the other way around (I did not test this):
> >> - Configure the reverse zone in IPA
> >> - Configure delegation/forwarding in AD so all clients can properly resolve
> >> the reverse zone
> >> - Allow all clients to update their PTR records. An update policy like this might
> >> work:
> >> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE
> >> krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> >> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >>
> >> I would like to hear from you if this works in your environment or not.
--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
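The "pick one side to host the reverse zone and delegate or forward from the other" advice above, as an added diagnostic example that is not part of the original messages: a POSIX shell script that builds the in-addr.arpa names for a client address, asks the IPA server and the AD server for the PTR records, and checks whether the AD side holds a delegation (NS) for the reverse zone. The server and client addresses are assumed placeholders (override them through the environment), and dig must be installed for the live queries.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder addresses; override via env.
IPA_DNS="${IPA_DNS:-192.0.2.10}"      # assumed IPA (IdM) DNS server
AD_DNS="${AD_DNS:-192.0.2.20}"        # assumed AD DNS server
CLIENT_IP="${CLIENT_IP:-192.0.2.15}"  # assumed Linux client whose PTR fails from AD

# PTR owner name for a dotted-quad IPv4 address: 192.0.2.15 -> 15.2.0.192.in-addr.arpa
reverse_name() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# /24 reverse zone that holds that name: 192.0.2.15 -> 2.0.192.in-addr.arpa
reverse_zone24() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# Query one server and print only the response code (NOERROR, NXDOMAIN, SERVFAIL, ...)
rcode_at() {  # $1 = server, $2 = name, $3 = record type
    _rc=$(dig +time=3 +tries=1 @"$1" "$2" "$3" 2>/dev/null \
          | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
    printf '%s\n' "${_rc:-NO-RESPONSE}"
}

# Compare what each server answers for the IPA server's and the client's PTR,
# then look for a delegation (NS) of the reverse zone on the AD side.
# AD answering NOERROR for the IPA server's PTR but NXDOMAIN for the client's
# suggests AD holds its own copy of the reverse zone, so it never forwards
# queries for that zone (the "zone on only one server" point in the thread).
check_reverse() {
    ipa_name=$(reverse_name "$IPA_DNS")
    name=$(reverse_name "$CLIENT_IP")
    zone=$(reverse_zone24 "$CLIENT_IP")
    printf 'PTR %s @IPA %s: %s\n' "$name" "$IPA_DNS" "$(rcode_at "$IPA_DNS" "$name" PTR)"
    printf 'PTR %s @AD  %s: %s\n' "$ipa_name" "$AD_DNS" "$(rcode_at "$AD_DNS" "$ipa_name" PTR)"
    printf 'PTR %s @AD  %s: %s\n' "$name" "$AD_DNS" "$(rcode_at "$AD_DNS" "$name" PTR)"
    printf 'NS  %s @AD  %s: %s\n' "$zone" "$AD_DNS" "$(rcode_at "$AD_DNS" "$zone" NS)"
}

# Run the live queries only when dig is available; the name helpers work without it.
if command -v dig >/dev/null 2>&1; then
    check_reverse
fi
```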
