I think it was not having dynamic updates enabled for the reverse zone.
I enabled those and PTR sync on both the forward and reverse and now it
seems to be working for a new client that I joined.
What I'm not clear on at this point is why that is not a default
setting. I know at some point I deleted a /24 reverse zone and made a
/16 instead because we have too many /24s to manage efficiently.
Also, due to the issues that can arise from not having valid PTR
entries, you would think that this would be defaulted to on.
On 9/14/2015 12:03 AM, Martin Basti wrote:
Hi,
Can you check journalctl -u named(-pkcs11) on the server? There might
be errors showing why the PTR record has not been added.
Do you have enabled dynamic updates for the reverse zone?
Martin
On 09/12/2015 10:42 PM, Youenn PIOLET wrote:
Hi,
I've seen the same issue recently on various clients using ipa 3.3
and ipa 4.* during the first join on a clean OS. Can't confirm it was
working before. Is it normal behavior?
Allow PTR sync is enabled.
Cheers,
On 12 Sep 2015 7:44 AM, "Nathan Peters" <[email protected]> wrote:
On 9/11/2015 10:32 AM, Simo Sorce wrote:
On Fri, 2015-09-11 at 10:25 -0700, [email protected] wrote:
I have been trying to figure this out for a while now, but when I join a
machine to FreeIPA, the installer properly creates forward DNS entries
and DNS SSHFP entries, but does not create reverse entries.
Without the PTR records, Kerberos logins are always failing on these
machines.
I am interested in understanding what fails exactly; stuff should not
depend on reverse resolution. Can you give me an example of a failure?
For the PTR creation anyway, have you enabled the option to allow setting
PTR records?
There is a global DNS option (as well as a per-zone setting) called
"Allow PTR Sync" you may want to enable.
When we attempt to login using kerberos on a machine that has no
reverse DNS entry defined, we are instead prompted with a
password prompt. The password authentication still works but the
ticket does not.
From what I read, the Allow PTR Sync option is only used in
conjunction with DNS IP address changes and does not apply to the
initial join of the domain.
Is the joining process supposed to create reverse DNS entries for
the clients or just forward entries and SSHFP entries?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
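The thread ends with two settings having to be turned on for the reverse zone (dynamic updates and "Allow PTR Sync", the latter also available globally via ipa dnsconfig-mod --allow-sync-ptr=TRUE) and with a /24 reverse zone replaced by a /16. The script below is an added example, not code from the thread or from the FreeIPA project: it derives the reverse zone name and the PTR owner name for a client address under either zone size, builds the ipa dnsrecord-add command that adds the PTR by hand, and parses a constructed dump in the shape of ipa dnszone-show --all --raw to emit the ipa dnszone-mod command that enables both settings. The dump, addresses and host names are constructed; it is assumed that an unset idnsallowsyncptr is simply absent from the raw output, so absence is treated as "not enabled".

```python
"""Added example (not FreeIPA project code, not from the thread): work out the
reverse zone and PTR owner name for a client address under a /24 or /16
reverse zone, and flag the two per-zone settings the thread ended up enabling
(dynamic update and PTR sync) in a constructed `ipa dnszone-show --all --raw`
dump.  All addresses, zone names and the dump itself are constructed."""
import ipaddress
import re


def reverse_zone(network: str) -> str:
    """in-addr.arpa zone name for an IPv4 /8, /16 or /24 network.

    10.20.30.0/24 -> 30.20.10.in-addr.arpa.   10.20.0.0/16 -> 20.10.in-addr.arpa.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 /8, /16 and /24 reverse zones are handled")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


def ptr_owner(ip: str, network: str) -> str:
    """Relative owner name of the PTR record for ip inside reverse_zone(network).

    Under a /24 zone the owner is one label ("40"); under a /16 zone it is two
    ("40.30").  Both resolve the same PTR lookup for 10.20.30.40.
    """
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(network, strict=True)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    host_labels = str(addr).split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(host_labels))


def ptr_add_command(ip: str, network: str, fqdn: str) -> str:
    """The ipa command that adds the PTR by hand when the join did not."""
    if not fqdn.endswith("."):
        fqdn += "."
    return (f"ipa dnsrecord-add {reverse_zone(network)} "
            f"{ptr_owner(ip, network)} --ptr-rec={fqdn}")


# Constructed dump in the shape of `ipa dnszone-show <zone> --all --raw`
# (attribute names are the LDAP attributes FreeIPA stores; values constructed).
SAMPLE_ZONE_SHOW = """\
  dn: idnsname=20.10.in-addr.arpa.,cn=dns,dc=example,dc=com
  idnsname: 20.10.in-addr.arpa.
  idnszoneactive: TRUE
  idnsallowdynupdate: FALSE
  idnsupdatepolicy: grant EXAMPLE.COM krb5-subdomain 20.10.in-addr.arpa. PTR;
"""


def parse_raw_show(raw: str) -> dict:
    """Turn 'attr: value' lines into a dict keyed by lower-cased attribute."""
    attrs = {}
    for line in raw.splitlines():
        m = re.match(r"\s*([A-Za-z0-9]+):\s*(.*)$", line)
        if m:
            attrs.setdefault(m.group(1).lower(), m.group(2).strip())
    return attrs


def zone_fix_commands(raw: str) -> list:
    """Return the ipa dnszone-mod command needed to turn on dynamic updates and
    PTR sync for the zone in the dump, or [] if both are already TRUE.

    Assumption: an attribute missing from the dump is not enabled.  For
    idnsallowsyncptr that means the zone falls back to the global setting, so
    setting it explicitly on the zone is the conservative choice."""
    attrs = parse_raw_show(raw)
    zone = attrs["idnsname"]
    flags = []
    if attrs.get("idnsallowdynupdate", "FALSE").upper() != "TRUE":
        flags.append("--dynamic-update=TRUE")
    if attrs.get("idnsallowsyncptr", "FALSE").upper() != "TRUE":
        flags.append("--allow-sync-ptr=TRUE")
    return [f"ipa dnszone-mod {zone} " + " ".join(flags)] if flags else []


if __name__ == "__main__":
    for cmd in zone_fix_commands(SAMPLE_ZONE_SHOW):
        print(cmd)
    print(ptr_add_command("10.20.30.40", "10.20.0.0/16", "client1.example.com"))
```

Run it against the real output of ipa dnszone-show on the reverse zone; after applying the emitted dnszone-mod, re-join or re-issue the client's dynamic update and confirm with dig -x <client IP> and the journalctl -u named-pkcs11 check Martin suggests.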