On 14.10.2015 20:11, Craig White wrote:
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Tuesday, October 13, 2015 11:57 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] shared ip space for iDM and AD
> 
> On 14.10.2015 00:41, Craig White wrote:
>> Our environment is mostly Linux servers but we do have some Windows servers 
>> running MSSQL. A co-worker spun up Active Directory Domain Controllers 
>> without conferring with me and the Windows boxes are all on one of the VLAN 
>> private LAN networks used by FreeIPA. Thus we not only have reverse DNS 
>> servers in FreeIPA but also in Active Directory. Is it possible to have 
>> Active Directory use the reverse DNS servers on iDM/FreeIPA?
> 
> If you decide to manually configure/add records to reverse zones then yes, it 
> will work :-)
> 
> If you want to use dynamic updates from IPA and Windows clients, then you 
> need to establish trust between AD and IPA domains and modify DNS update 
> policy on IPA server to accept updates from Windows clients.
> 
> Please note that I did not test this, but it should work.
> 
> 
> # this allows updates to A/AAAA/SSHFP records
> $ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
> $ ipa dnszone-mod your.domain.example. --update-policy='
> grant IPA.REALM.EXAMPLE krb5-self * A;
> grant IPA.REALM.EXAMPLE krb5-self * AAAA;
> grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
> grant AD.REALM.EXAMPLE ms-self * A;
> grant AD.REALM.EXAMPLE ms-self * AAAA;
> grant AD.REALM.EXAMPLE ms-self * SSHFP;
> '
> 
> # this instructs IPA server to update PTR records when updating A/AAAA records
> $ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
> 
> 
> Alternatively, you can allow unauthenticated updates to reverse zones, so the 
> SyncPTR feature is not needed for Windows clients (because the clients would 
> do the updates themselves):
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
> grant * tcp-self * PTR;'
> 
> 
> Please let me know if it works for you.
> ----
> Nitpicking...
> 
> $ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
> s/b
> $ ipa dnszone-mod your.domain.example. --dynamic-update=TRUE   # update, not updates
> 
> 
> ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
> s/b
> ipa dnszone-mod your.domain.example. --allow-sync-ptr=TRUE   # allow is required
> 
> 
> Still waiting for AD to be joined to IPA for the first set of mods. 

BTW please be sure to follow
http://www.freeipa.org/page/Deployment_Recommendations

DNS configuration is especially important when it comes to AD trusts.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
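Added example, not part of the thread and not FreeIPA project code: a small Python model of the three update-policy match types used in the commands above (krb5-self, ms-self, tcp-self), following the rule semantics that BIND documents for them (bind-dyndb-ldap, which FreeIPA's DNS uses, accepts the same grant syntax). It shows which client may touch which name under each rule: krb5-self ties host/NAME@REALM to the record NAME, ms-self ties MACHINE$@REALM to machine.realm with the realm lower-cased, and tcp-self performs no authentication at all, only a check that the request arrived over TCP from the address whose PTR name is being changed. The principal names, addresses, zone names and the `is_allowed`/`demo` helpers are constructed for this illustration; the evaluator is a deliberate simplification (wildcard names only, no krb5-subdomain/ms-subdomain, no TSIG keys).

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    identity: str        # Kerberos realm for krb5-self/ms-self; "*" = any
    matchtype: str       # krb5-self | ms-self | tcp-self
    rrtypes: frozenset   # record types the rule permits


def parse_policy(policy):
    """Parse 'grant IDENTITY MATCHTYPE NAME TYPE...;' statements (NAME '*' only)."""
    grants = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        if len(parts) < 5 or parts[0] != "grant" or parts[3] != "*":
            raise ValueError("unsupported statement: %r" % stmt.strip())
        grants.append(Grant(parts[1], parts[2], frozenset(t.upper() for t in parts[4:])))
    return grants


def fqdn(name):
    """Normalise to an absolute, lower-case DNS name."""
    return name.lower().rstrip(".") + "."


def reverse_name(ip):
    """PTR owner name for an address, e.g. 192.0.2.5 -> 5.2.0.192.in-addr.arpa."""
    return fqdn(ipaddress.ip_address(ip).reverse_pointer)


def _realm_ok(grant, realm):
    return grant.identity == "*" or grant.identity == realm


def is_allowed(grants, target, rrtype, principal=None, source_ip=None, via_tcp=False):
    """True if any grant permits the update under the modelled rule semantics."""
    target = fqdn(target)
    rrtype = rrtype.upper()
    for g in grants:
        if rrtype not in g.rrtypes:
            continue
        if g.matchtype == "krb5-self" and principal:
            # host/NAME@REALM may update only the record named NAME.
            m = re.fullmatch(r"host/([^@]+)@(.+)", principal)
            if m and _realm_ok(g, m.group(2)) and fqdn(m.group(1)) == target:
                return True
        elif g.matchtype == "ms-self" and principal:
            # MACHINE$@REALM may update only machine.realm (realm lower-cased);
            # the permitted name comes from the realm, not from the zone.
            m = re.fullmatch(r"([^$@/]+)\$@(.+)", principal)
            if m and _realm_ok(g, m.group(2)) and fqdn(m.group(1) + "." + m.group(2)) == target:
                return True
        elif g.matchtype == "tcp-self" and source_ip and via_tcp:
            # No authentication: only "came over TCP from the IP whose PTR this is".
            if reverse_name(source_ip) == target:
                return True
    return False


# Constructed sample policies, mirroring the two shapes in the thread.
FORWARD_POLICY = """
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * AAAA;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * AAAA;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
"""
REVERSE_POLICY = "grant * tcp-self * PTR;"


def demo():
    fwd = parse_policy(FORWARD_POLICY)
    rev = parse_policy(REVERSE_POLICY)
    ipa_host = "host/web1.your.domain.example@IPA.REALM.EXAMPLE"
    ad_machine = "SQL01$@AD.REALM.EXAMPLE"
    return {
        "ipa_own": is_allowed(fwd, "web1.your.domain.example", "A", principal=ipa_host),
        "ipa_other": is_allowed(fwd, "db1.your.domain.example", "A", principal=ipa_host),
        "ad_realm_name": is_allowed(fwd, "sql01.ad.realm.example", "A", principal=ad_machine),
        "ad_zone_name": is_allowed(fwd, "sql01.your.domain.example", "A", principal=ad_machine),
        "ptr_own_tcp": is_allowed(rev, "5.2.0.192.in-addr.arpa", "PTR",
                                  source_ip="192.0.2.5", via_tcp=True),
        "ptr_other": is_allowed(rev, "6.2.0.192.in-addr.arpa", "PTR",
                                source_ip="192.0.2.5", via_tcp=True),
        "ptr_udp": is_allowed(rev, "5.2.0.192.in-addr.arpa", "PTR",
                              source_ip="192.0.2.5", via_tcp=False),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-14s %s" % (check, "allowed" if result else "denied"))
```

Two things the run makes visible. First, under the BIND semantics an ms-self grant only ever matches the name machine.<realm lower-cased>, so an AD machine account can update its own record in your.domain.example only when that zone is the AD domain's own DNS name; a forward zone under a different name needs a different rule. Second, tcp-self on the reverse zone is exactly as unauthenticated as Petr's message says: any host that can make a TCP connection from 192.0.2.5 (or anything that sources traffic as that address, such as a NAT or a compromised neighbour on the same VLAN) can rewrite the PTR for 192.0.2.5, which matters wherever reverse lookups feed access decisions or log attribution. The SyncPTR route keeps PTR changes tied to the authenticated forward update.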
