Hi, I ran these commands in the IdM server

$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client. However this setup does not work. From the IdM and linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not.

Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?

Thank you very much,
John

On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek <pspa...@redhat.com> wrote:
> On 29.6.2015 13:57, John Stein wrote:
> > Hi,
> >
> > I have an AD and IdM server.
> > AD domain - john.com
> > IdM domain - linux.john.com
> >
> > each spans multiple network segments, with some segments having both linux
> > and windows machines.
> >
> > the IdM is configured to forward DNS requests to AD (forward first), and
> > the AD is configured to forward requests in the linux.john.com domain to
> > the IdM.
> >
> > However, I'm having a problem regarding reverse lookup zones. Where should
> > they be so they can be accessed from both linux and windows machines?
>
> From DNS's point of view it does not matter, pick one side (AD or IPA) to host
> the reverse zone and configure delegation or forwarding on the other side.
> That is all you need if you are willing to update records manually.
>
> > If I put them in IdM, how will the AD know which requests to forward to the
> > IdM?
>
> Either properly configure delegation (if you have control over the parent
> zone) or add forwarder (only if you do not have control over parent zone -
> usual caveats for forwarding apply).
>
> > It seems to me that I need to somehow register them at the AD, so the A
> > record is in the IdM server and the PTR is in the AD. Is it possible to do
> > it automatically,
>
> "host/" principals from IPA Kerberos realm are generally not allowed to get
> tickets for AD realm so automatic update from IPA to AD is not possible.
>
> It might work the other way around (I did not test this):
> - Configure reverse zone in IPA
> - Configure delegation/forwarding in AD so all clients can properly resolve
> the reverse zone
> - Allow all clients to update their PTR records. Update policy like this might
> work:
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE
> krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>
> I would like to hear from you if this works in your environment or not.
>
> Thank you!
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
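As an added illustration (not code from the thread, FreeIPA or BIND), the following Python model shows what the `krb5-self` grants in the update policy quoted above do and do not permit: each host principal may write only the PTR record that points back at its own name, and only if its realm is listed in a grant. The matching rule is a simplified assumption made here (realm must equal the grant's realm, the record type must be listed, and for PTR records the PTR target rather than the owner name is compared with the host name from the principal); the sample update attempts, host names and the `OTHER.EXAMPLE` realm are constructed. It does not model the Kerberos side Petr mentions (whether an IPA host principal can obtain a ticket for the other realm at all), which is decided before the update policy is ever consulted.

```python
import re
from dataclasses import dataclass

# Update policy exactly as it appears in the thread (John's version).
THREAD_POLICY = ("grant JOHN.COM krb5-self * PTR; "
                 "grant LINUX.JOHN.COM krb5-self * PTR;")


@dataclass(frozen=True)
class Grant:
    realm: str           # Kerberos realm the grant applies to
    rtypes: frozenset    # record types the grant covers, upper-cased


# Only the 'grant <realm> krb5-self * <types>;' form used in the thread is parsed;
# other BIND rule types (krb5-subdomain, ms-self, ...) are out of scope here.
_GRANT_RE = re.compile(r"grant\s+(\S+)\s+krb5-self\s+\*\s+([^;]+);")


def parse_update_policy(policy: str) -> list:
    """Parse the policy string into Grant objects (realm normalised to upper case)."""
    grants = []
    for m in _GRANT_RE.finditer(policy):
        realm = m.group(1).upper().rstrip(".")
        rtypes = frozenset(t.upper() for t in m.group(2).split())
        grants.append(Grant(realm, rtypes))
    return grants


def parse_host_principal(principal: str):
    """Split 'host/<fqdn>@<REALM>' into (fqdn, REALM); None for anything else."""
    m = re.fullmatch(r"host/([^@/]+)@([^@]+)", principal)
    if m is None:
        return None
    return m.group(1).lower().rstrip("."), m.group(2).upper()


def update_allowed(policy: str, principal: str, rtype: str, owner: str, rdata: str) -> bool:
    """Decide whether an update of (owner, rtype, rdata) signed by `principal` is allowed.

    ASSUMED krb5-self semantics (simplified model, not BIND's code): the principal's
    realm must equal the grant's realm, the record type must be listed, and the name
    compared with the principal's host name is the owner name for ordinary records
    but the PTR target (rdata) for PTR records, so a host can only point a reverse
    entry at itself and cannot overwrite another host's PTR.
    """
    parsed = parse_host_principal(principal)
    if parsed is None:
        return False                       # user/service principals: nothing to self-match
    fqdn, realm = parsed
    rtype = rtype.upper()
    compared = rdata if rtype == "PTR" else owner
    compared = compared.lower().rstrip(".")
    return any(g.realm == realm and rtype in g.rtypes and compared == fqdn
               for g in parse_update_policy(policy))


def evaluate(policy: str, attempts) -> list:
    """Return [(principal, rtype, owner, rdata, allowed), ...] for a list of attempts."""
    return [(p, t, o, r, update_allowed(policy, p, t, o, r)) for p, t, o, r in attempts]


# Constructed sample updates (not from the thread): one client per realm, one attempt
# to overwrite another host's PTR, one from an unlisted realm, and one A record.
SAMPLE_ATTEMPTS = [
    ("host/client1.linux.john.com@LINUX.JOHN.COM", "PTR", "10.2.0.192.in-addr.arpa.", "client1.linux.john.com."),
    ("host/client1.linux.john.com@LINUX.JOHN.COM", "PTR", "11.2.0.192.in-addr.arpa.", "idm.linux.john.com."),
    ("host/win1.john.com@JOHN.COM", "PTR", "20.2.0.192.in-addr.arpa.", "win1.john.com."),
    ("host/box.other.example@OTHER.EXAMPLE", "PTR", "30.2.0.192.in-addr.arpa.", "box.other.example."),
    ("host/client1.linux.john.com@LINUX.JOHN.COM", "A", "client1.linux.john.com.", "192.0.2.10"),
]

if __name__ == "__main__":
    for principal, rtype, owner, rdata, ok in evaluate(THREAD_POLICY, SAMPLE_ATTEMPTS):
        print(f"{'ALLOW' if ok else 'DENY':5} {principal:45} {rtype:3} {owner} -> {rdata}")
```

Running it prints one line per attempt; the second attempt (a client trying to repoint another host's reverse entry) and the fourth (a realm that appears in no grant) are denied, which is the property that makes `krb5-self` a safer choice than a blanket `grant * wildcard ...` for a shared reverse zone.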