Hi,

I've seen the same issue recently on various clients using ipa 3.3 and ipa
4.* during the first join on a clean OS. Can't confirm it was working
before. Is it normal behavior?

Allow PTR sync is enabled.

Cheers,
On 12 Sept. 2015 7:44 AM, "Nathan Peters" <nat...@nathanpeters.com> wrote:

>
> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>
>> On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
>>
>>> I have been trying to figure this out for a while now, but when I join a
>>> machine to FreeIPA, the installer properly creates forward DNS
>>> entries and DNS SSHFP entries, but does not create reverse entries.
>>> Without the PTR records, Kerberos logins are always failing on these
>>> machines.
>>>
>> I am interested in understanding what fails exactly; stuff should not
>> depend on reverse resolution. Can you give me an example of a failure?
>>
>> For the PTR creation, anyway, have you enabled the option to allow setting
>> PTR records?
>> There is a global DNS option (as well as a per-zone setting) called
>> "Allow PTR Sync" you may want to enable.
>>
>>
> When we attempt to log in using Kerberos on a machine that has no reverse
> DNS entry defined, we are instead prompted with a password prompt.  The
> password authentication still works but the ticket does not.
>
> From what I read, the Allow PTR Sync option is only used in conjunction
> with DNS IP address changes and does not apply to the initial join of the
> domain.
>
> Is the joining process supposed to create reverse DNS entries for the
> clients or just forward entries and SSHFP entries?
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>