Hi, I've seen the same issue recently on various clients using ipa 3.3 and ipa 4.* during the first join on a clean OS. Can't confirm it was working before. Is it normal behavior?
Allow PTR sync is enabled.

Cheers,

On 12 Sept. 2015 7:44 AM, "Nathan Peters" <[email protected]> wrote:
>
> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>
>> On Fri, 2015-09-11 at 10:25 -0700, [email protected] wrote:
>>
>>> I have been trying to figure this out for a while now but when I join
>>> a machine to FreeIPA, the installer properly creates forward DNS
>>> entries, and DNS SSHFP entries, but does not create reverse entries.
>>> Without the PTR records, Kerberos logins are always failing on these
>>> machines.
>>>
>> I am interested in understanding what fails exactly, stuff should not
>> depend on reverse resolution. Can you give me an example of a failure?
>>
>> For the PTR creation anyway, have you enabled the option to allow setting
>> PTR records?
>> There is a global DNS option (as well as a per-zone setting) called
>> "Allow PTR Sync" you may want to enable.
>>
>
> When we attempt to log in using Kerberos on a machine that has no reverse
> DNS entry defined, we are instead prompted with a password prompt. The
> password authentication still works but the ticket does not.
>
> From what I read, the Allow PTR Sync option is only used in conjunction
> with DNS IP address changes and does not apply to the initial join of the
> domain.
>
> Is the joining process supposed to create reverse DNS entries for the
> clients or just forward entries and SSHFP entries?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
