On 14.10.2015 20:11, Craig White wrote:
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Petr Spacek
> Sent: Tuesday, October 13, 2015 11:57 PM
> To: [email protected]
> Subject: Re: [Freeipa-users] shared ip space for iDM and AD
>
> On 14.10.2015 00:41, Craig White wrote:
>> Our environment is mostly Linux servers but we do have some Windows servers
>> running MSSQL. A co-worker spun up Active Directory Domain Controllers
>> without conferring with me and the Windows boxes are all on one of the VLAN
>> private LAN networks used by FreeIPA. Thus we not only have reverse DNS
>> servers in FreeIPA but also in Active Directory. Is it possible to have
>> Active Directory use the reverse DNS servers on iDM/FreeIPA?
>
> If you decide to manually configure/add records to reverse zones then yes, it
> will work :-)
>
> If you want to use dynamic updates from IPA and Windows clients, then you
> need to establish trust between AD and IPA domains and modify DNS update
> policy on IPA server to accept updates from Windows clients.
>
> Please note that I did not test this, but it should work.
>
> # this allows updates to A/AAAA/SSHFP records
> $ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
> $ ipa dnszone-mod your.domain.example. --update-policy='
> grant IPA.REALM.EXAMPLE krb5-self * A;
> grant IPA.REALM.EXAMPLE krb5-self * AAAA;
> grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
> grant AD.REALM.EXAMPLE ms-self * A;
> grant AD.REALM.EXAMPLE ms-self * AAAA;
> grant AD.REALM.EXAMPLE ms-self * SSHFP;
> '
>
> # this instructs IPA server to update PTR records when updating A/AAAA records
> $ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
>
> Alternatively, you can allow unauthenticated updates to reverse zones, so
> SyncPTR feature is not needed for Windows clients (because the clients would
> do updates themselves):
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
> grant * tcp-self * PTR;'
>
> Please let me know if it works for you.
> ----
> Nitpicking...
>
> $ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
> s/b
> $ ipa dnszone-mod your.domain.example. --dynamic-update=TRUE   # update, not updates
>
> ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
> s/b
> ipa dnszone-mod your.domain.example. --allow-sync-ptr=TRUE   # allow is required
>
> Still waiting for AD to be joined to IPA for the first set of mods.

BTW please be sure to follow
http://www.freeipa.org/page/Deployment_Recommendations
DNS configuration is especially important when it comes to AD trusts.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
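The two update policies in the thread differ in who they trust: the forward-zone policy binds every update to a Kerberos principal (`krb5-self` for IPA, `ms-self` for AD), while the reverse-zone alternative (`grant * tcp-self * PTR`) accepts an update for a PTR record from whichever address the TCP connection came from, with no signature. The script below is an added example, not code from the thread or from FreeIPA: it parses a BIND-style `--update-policy` string into rules and flags the ones that do not authenticate the updater, so a policy can be reviewed before it is applied. The policy strings are copied from the thread; the classification of rule types (which ones are GSS-TSIG backed, which ones are source-address only) is this script's own assumption about BIND's update-policy semantics.

```python
"""Audit a BIND-style update-policy string such as the one passed to
`ipa dnszone-mod --update-policy=...`.

Added example. The two sample policies are taken from the thread; the
rule-type tables are this script's assumptions about BIND's grammar.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Rule types whose identity is a Kerberos realm proven by a GSS-TSIG signature
# (assumption about BIND update-policy semantics, not taken from the thread).
GSS_TSIG_RULETYPES = {"krb5-self", "krb5-subdomain", "ms-self", "ms-subdomain"}
# Rule types that match only on the request's source address, with no signature.
ADDRESS_ONLY_RULETYPES = {"tcp-self", "6to4-self"}

# Policies quoted in the thread.
FORWARD_POLICY = """
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * AAAA;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * AAAA;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
"""
REVERSE_POLICY = "grant * tcp-self * PTR;"


@dataclass
class Rule:
    action: str           # "grant" or "deny"
    identity: str         # Kerberos realm, TSIG key name, or "*"
    ruletype: str         # krb5-self, ms-self, tcp-self, name, subdomain, ...
    name: str             # record-name pattern; "*" for self-type rules
    rrtypes: List[str]    # record types covered; empty means the rule is not type-restricted
    warnings: List[str] = field(default_factory=list)


def parse_update_policy(policy: str) -> List[Rule]:
    """Split a ';'-terminated policy into rules. Whitespace and newlines are free-form,
    as in the multi-line shell argument used in the thread."""
    rules: List[Rule] = []
    for stmt in policy.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue  # trailing ';' or blank statement
        if len(tokens) < 3 or tokens[0] not in ("grant", "deny"):
            raise ValueError(f"malformed update-policy rule: {stmt.strip()!r}")
        action, identity, ruletype = tokens[:3]
        name = tokens[3] if len(tokens) > 3 else "*"
        rules.append(Rule(action, identity, ruletype, name, tokens[4:]))
    return rules


def audit_policy(policy: str) -> List[Rule]:
    """Attach a warning to every grant whose updater is not cryptographically authenticated."""
    rules = parse_update_policy(policy)
    for rule in rules:
        if rule.action != "grant":
            continue
        if rule.ruletype in ADDRESS_ONLY_RULETYPES:
            rule.warnings.append(
                f"{rule.ruletype}: updater identified by source address only, no signature")
        elif rule.ruletype not in GSS_TSIG_RULETYPES and rule.identity == "*":
            rule.warnings.append("identity '*': any TSIG key is accepted for this rule")
        if not rule.rrtypes:
            rule.warnings.append("no record types listed: rule is not restricted to specific types")
    return rules


def is_authenticated_only(policy: str) -> bool:
    """True when every grant in the policy produced no warning."""
    return all(not rule.warnings for rule in audit_policy(policy))


def summarize(policy: str) -> Dict[str, int]:
    rules = audit_policy(policy)
    return {"rules": len(rules), "flagged": sum(1 for r in rules if r.warnings)}


if __name__ == "__main__":
    for label, policy in (("forward zone", FORWARD_POLICY), ("reverse zone", REVERSE_POLICY)):
        print(f"== {label}: {summarize(policy)}")
        for rule in audit_policy(policy):
            types = ",".join(rule.rrtypes) or "<any>"
            print(f"  {rule.action} {rule.identity} {rule.ruletype} {rule.name} {types}")
            for w in rule.warnings:
                print(f"    WARNING: {w}")
```

Run as a script it prints the six forward-zone grants with no warnings and flags the single reverse-zone grant. The trade-off the thread describes is visible in that output: the `tcp-self` rule is the price of letting Windows clients update their own PTR records without a trust, whereas the `--allow-sync-ptr` route keeps the reverse zone writable only through the authenticated forward-zone updates.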
