I've seen the same issue recently on various clients using ipa 3.3 and ipa
4.* during the first join on a clean OS. Can't confirm it was working
before. Is it normal behavior?
Allow PTR sync is enabled.
Le 12 sept. 2015 7:44 AM, "Nathan Peters" <nat...@nathanpeters.com> a
> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>> On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
>>> I have been trying to figure this out for a while now but when I join
>>> machine to FreeIPA, the installer properly creates forward DNS
>>> entries,and DNSSSHFP entries, but does not create reverse entries.
>>> Without the PTR records, kerberos logins are always failing on these
>> I am interested in understanding what fails exactly, stuff should not
>> depend on reverse resolution can you give me an example of a failure ?
>> For the PTR creation anyway have you enabled the option to allow setting
>> PTR records ?
>> There is a global DNS option (As awell as per-zone setting) called
>> "Allow PTR Sync" you may want to enable.
> When we attempt to login using kerberos on a machine that has no reverse
> DNS entry defined, we are instead prompted with a password prompt. The
> password authentication still works but the ticket does not.
> From what I read, the Allow PTR Sync option is only used in conjunction
> with DNS IP address changes and does not apply to the initial join of the
> Is the joining process supposed to create reverse DNS entries for the
> clients or just forward entries and SSHFP entries?
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project