Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

Does that mean deleting the NS record on AD and creating an A record instead?

Thanks,
John

On Wed, Jul 15, 2015, 18:28 Petr Spacek wrote:
> On 14.7.2015 15:19, John Stein wrote:
> > Hi,
> >
> > What I meant was that the IPA server is managing two zones:
> >
> > Linux.john.com
> > Which has these records
> > Ipa1 A 192.168.0.140
> > client1 A 192.168.0.11
> >
> > 0.168.192.in-addr.arpa.
> > Which has these records
> > 11 PTR client1.linux.john.com
> > @ NS ipa1.linux.john.com
> >
> > In the AD
> > forward lookup zones
> >   John.com
> >     linux
> >       (Same as parent folder) NS ipa1.linux.john.com
> >
> > Anything more that's unclear?
>
> This is enough.
>
> You have the same 'master' zone configured on IPA and AD, which does not make
> sense from DNS point of view.
>
> You need to move all records to one server and configure 'forward' zone on the
> other server. In AD terminology you need to create 'conditional forwarder'.
>
> Petr^2 Spacek
>
> [...]

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 14.7.2015 15:19, John Stein wrote:
> Hi,
>
> What I meant was that the IPA server is managing two zones:
>
> Linux.john.com
> Which has these records
> Ipa1 A 192.168.0.140
> client1 A 192.168.0.11
>
> 0.168.192.in-addr.arpa.
> Which has these records
> 11 PTR client1.linux.john.com
> @ NS ipa1.linux.john.com
>
> In the AD
> forward lookup zones
>   John.com
>     linux
>       (Same as parent folder) NS ipa1.linux.john.com
>
> Anything more that's unclear?

This is enough.

You have the same 'master' zone configured on IPA and AD, which does not make
sense from DNS point of view.

You need to move all records to one server and configure 'forward' zone on the
other server. In AD terminology you need to create 'conditional forwarder'.

Petr^2 Spacek

> Thank you very much!
> John
>
> [...]
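The misconfiguration Petr points out above (both servers holding their own 'master' copy of the zone) is visible directly in DNS responses: a server that hosts a zone answers with the AA flag set and its own SOA, while a server that only forwards for it (an AD conditional forwarder or an IPA forward zone) answers with AA clear and returns the owner's SOA. The script below is an added example for this thread, not code from the posters or from the FreeIPA project. It parses the text printed by `dig SOA <zone> @<server>` from each side and classifies the zone as split-authority, owned on one side with working forwarding, or owned on one side but unresolvable from the other. The dig responses embedded in it are constructed: ipa1 (192.168.0.140) and the zone names come from the thread, while dc1.john.com and 192.168.0.1 for the AD domain controller are assumptions.

```python
"""Classify who owns a DNS zone in an AD/IPA trust setup from dig output.

Added example for this thread, not FreeIPA or BIND code. A server that
hosts a zone answers with the AA flag set and its own SOA; a server that
only forwards (AD conditional forwarder, IPA forward zone) answers with AA
clear and the owner's SOA. Two AA answers mean two independent copies of
the zone. Sample responses below are constructed: ipa1 (192.168.0.140) and
the zone names are from the thread, dc1.john.com / 192.168.0.1 for the AD
domain controller are assumptions.
"""
import re


def parse_dig(output):
    """Extract status, header flags and ANSWER-section records from dig text."""
    status, flags, answers, section = None, set(), [], None
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            m = re.search(r"flags:([a-z ]*);", line)
            flags = set(m.group(1).split()) if m else set()
        elif line.startswith(";; ") and line.rstrip().endswith("SECTION:"):
            section = line.split()[1]        # QUESTION, ANSWER, AUTHORITY, ...
        elif line.startswith(";") or not line.strip():
            continue                         # comments, question line, blanks
        elif section == "ANSWER":
            answers.append(line.split())     # owner ttl class type rdata...
    return {"status": status, "flags": flags, "answer": answers}


def soa_mname(parsed):
    """MNAME (primary server) of the first SOA in the answer, or None."""
    for rr in parsed["answer"]:
        if len(rr) >= 5 and rr[3] == "SOA":
            return rr[4].lower()
    return None


def diagnose(zone, responses):
    """responses: {server_label: dig text for `dig SOA <zone> @<server>`}.

    Returns split-authority (two or more AA answers), no-authority (none),
    ok (one owner and every other server returns the owner's SOA) or
    forwarding-missing (one owner but some other server cannot resolve it).
    """
    auth, mname = {}, {}
    for server, text in responses.items():
        p = parse_dig(text)
        mname[server] = soa_mname(p)
        auth[server] = (p["status"] == "NOERROR" and "aa" in p["flags"]
                        and mname[server] is not None)
    owners = sorted(s for s, a in auth.items() if a)
    if len(owners) > 1:
        verdict = "split-authority"
    elif not owners:
        verdict = "no-authority"
    else:
        others = [s for s in responses if s != owners[0]]
        verdict = ("ok" if all(mname[s] == mname[owners[0]] for s in others)
                   else "forwarding-missing")
    return {"zone": zone, "verdict": verdict, "owners": owners, "mname": mname}


def fake_dig(qname, status, flags, answer_lines):
    """Build dig-style text for the constructed samples below."""
    return "\n".join([
        ";; ->>HEADER<<- opcode: QUERY, status: %s, id: 4242" % status,
        ";; flags: %s; QUERY: 1, ANSWER: %d, AUTHORITY: 0, ADDITIONAL: 0"
        % (flags, len(answer_lines)),
        "", ";; QUESTION SECTION:", ";%s.\t\t\tIN\tSOA" % qname,
        "", ";; ANSWER SECTION:"] + answer_lines + ["", ";; Query time: 1 msec"])


IPA_SOA = ("%s.\t86400\tIN\tSOA\tipa1.linux.john.com. hostmaster.linux.john.com. "
           "12 3600 900 1209600 3600")
AD_SOA = "%s.\t3600\tIN\tSOA\tdc1.john.com. hostmaster.john.com. 44 900 600 86400 3600"
FWD, REV = "linux.john.com", "0.168.192.in-addr.arpa"

# Case 1: the thread's situation, both AD and IPA hold a master copy of linux.john.com.
SPLIT = {"ad": fake_dig(FWD, "NOERROR", "qr aa rd ra", [AD_SOA % FWD]),
         "ipa": fake_dig(FWD, "NOERROR", "qr aa rd ra", [IPA_SOA % FWD])}
# Case 2: reverse zone on IPA, AD has a conditional forwarder for it (AA clear).
FORWARDED = {"ad": fake_dig(REV, "NOERROR", "qr rd ra", [IPA_SOA % REV]),
             "ipa": fake_dig(REV, "NOERROR", "qr aa rd ra", [IPA_SOA % REV])}
# Case 3: reverse zone on IPA, nothing configured on AD, so AD clients get SERVFAIL.
UNREACHABLE = {"ad": fake_dig(REV, "SERVFAIL", "qr rd ra", []),
               "ipa": fake_dig(REV, "NOERROR", "qr aa rd ra", [IPA_SOA % REV])}

if __name__ == "__main__":
    for zone, resp in ((FWD, SPLIT), (REV, FORWARDED), (REV, UNREACHABLE)):
        r = diagnose(zone, resp)
        print("%s: %s (authoritative: %s)"
              % (zone, r["verdict"], ", ".join(r["owners"]) or "none"))
```

To use it on a live setup, run `dig SOA linux.john.com @<ad-dc>` and `dig SOA linux.john.com @192.168.0.140` (and the same pair for 0.168.192.in-addr.arpa) and pass the two outputs to diagnose(). A split-authority result calls for the fix Petr gives: remove the copy on the side that should not own the zone and replace it with a conditional forwarder on AD (Add-DnsServerConditionalForwarderZone -Name linux.john.com -MasterServers 192.168.0.140) or, for zones that stay on AD, an IPA forward zone (ipa dnsforwardzone-add john.com --forwarder=<ad-dc> --forward-policy=only). A proper delegation (NS records in the parent zone only) is also reported as ok, because a recursing server follows it and returns the owner's SOA with AA clear; if recursion is disabled on that server it only returns a referral, which the script reports as forwarding-missing.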
Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

What I meant was that the IPA server is managing two zones:

Linux.john.com
Which has these records
Ipa1 A 192.168.0.140
client1 A 192.168.0.11

0.168.192.in-addr.arpa.
Which has these records
11 PTR client1.linux.john.com
@ NS ipa1.linux.john.com

In the AD
forward lookup zones
  John.com
    linux
      (Same as parent folder) NS ipa1.linux.john.com

Anything more that's unclear?

Thank you very much!
John

On Tue, Jul 14, 2015, 15:52 Petr Spacek wrote:
> On 14.7.2015 14:49, John Stein wrote:
> > I ran the above commands exactly as I told you on the IPA server. I also
> > set the IPA server as a global forwarder in the AD.
> >
> > [...]
>
> Can you explain what you did, exactly? I do not know what 'I have A and PTR
> records for the IdM server' exactly means. We need to know exactly what you
> typed in and where you clicked in AD.
>
> The original information is not sufficient, that is why I am asking for more
> details.
>
> Petr^2 Spacek
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 14.7.2015 14:49, John Stein wrote:
> I ran the above commands exactly as I told you on the IPA server. I also
> set the IPA server as a global forwarder in the AD.
>
> On Wed, Jul 8, 2015, 12:50 Petr Spacek wrote:
> > On 5.7.2015 08:38, John Stein wrote:
> > > Hi,
> > >
> > > I ran these commands in the IdM server
> > >
> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> > > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> > >
> > > At the Active Directory I have A and PTR records for the IdM server and
> > > it is configured as a global forwarder.
> > > At the IdM server there are A and PTR records for both the IdM server
> > > and another client.

Can you explain what you did, exactly? I do not know what 'I have A and PTR
records for the IdM server' exactly means. We need to know exactly what you
typed in and where you clicked in AD.

The original information is not sufficient, that is why I am asking for more
details.

Petr^2 Spacek

> > > However this setup does not work.
> > > From the IdM and linux client every record is resolvable, however from
> > > the AD only the IdM is resolvable and the client is not.
> > >
> > > Maybe there's another thing I need to configure in the AD in order to
> > > enable forwarding that I'm missing?
> >
> > I'm not sure I understand you.
Re: [Freeipa-users] reverse lookup dns records in trust setup
I ran the above commands exactly as I told you on the IPA server. I also set
the IPA server as a global forwarder in the AD.

On Wed, Jul 8, 2015, 12:50 Petr Spacek wrote:
> On 5.7.2015 08:38, John Stein wrote:
> > Hi,
> >
> > I ran these commands in the IdM server
> >
> > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> > $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
> >
> > At the Active Directory I have A and PTR records for the IdM server and it
> > is configured as a global forwarder.
> > At the IdM server there are A and PTR records for both the IdM server and
> > another client.
> > However this setup does not work.
> > From the IdM and linux client every record is resolvable, however from the
> > AD only the IdM is resolvable and the client is not.
> >
> > Maybe there's another thing I need to configure in the AD in order to
> > enable forwarding that I'm missing?
>
> I'm not sure I understand you.
>
> A zone should be configured only on one server (or set of synchronized
> servers).
>
> Could you tell us what exactly (using what commands or GUI in IPA and AD) did
> you configure?
>
> It would be good if you did not obfuscate DNS names in the steps because the
> obfuscation often hides the real cause of the problem :-)
>
> Have a nice day!
>
> Petr^2 Spacek
>
> [...]
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 5.7.2015 08:38, John Stein wrote:
> Hi,
>
> I ran these commands in the IdM server
>
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>
> At the Active Directory I have A and PTR records for the IdM server and it
> is configured as a global forwarder.
> At the IdM server there are A and PTR records for both the IdM server and
> another client.
> However this setup does not work.
> From the IdM and linux client every record is resolvable, however from the
> AD only the IdM is resolvable and the client is not.
>
> Maybe there's another thing I need to configure in the AD in order to
> enable forwarding that I'm missing?

I'm not sure I understand you.

A zone should be configured only on one server (or set of synchronized
servers).

Could you tell us what exactly (using what commands or GUI in IPA and AD) did
you configure?

It would be good if you did not obfuscate DNS names in the steps because the
obfuscation often hides the real cause of the problem :-)

Have a nice day!

Petr^2 Spacek

> Thank you very much,
> John
>
> [...]
Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

I ran these commands in the IdM server

$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

At the Active Directory I have A and PTR records for the IdM server and it is
configured as a global forwarder.
At the IdM server there are A and PTR records for both the IdM server and
another client.
However this setup does not work.
From the IdM and linux client every record is resolvable, however from the AD
only the IdM is resolvable and the client is not.

Maybe there's another thing I need to configure in the AD in order to enable
forwarding that I'm missing?

Thank you very much,
John

On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek wrote:
> On 29.6.2015 13:57, John Stein wrote:
> > Hi,
> >
> > I have an AD and IdM server.
> > AD domain - john.com
> > IdM domain - linux.john.com
> >
> > Each spans multiple network segments, with some segments having both linux
> > and windows machines.
> >
> > The IdM is configured to forward DNS requests to AD (forward first), and
> > the AD is configured to forward requests in the linux.john.com domain to
> > the IdM.
> >
> > However, I'm having a problem regarding reverse lookup zones. Where should
> > they be so they can be accessed from both linux and windows machines?
>
> From DNS's point of view it does not matter, pick one side (AD or IPA) to host
> the reverse zone and configure delegation or forwarding on the other side.
> That is all you need if you are willing to update records manually.
>
> > If I put them in IdM, how will the AD know which requests to forward to the
> > IdM?
>
> Either properly configure delegation (if you have control over the parent
> zone) or add forwarder (only if you do not have control over parent zone -
> usual caveats for forwarding apply).
>
> > It seems to me that I need to somehow register them at the AD, so the A
> > record is in the IdM server and the PTR is in the AD. Is it possible to do
> > it automatically,
>
> "host/" principals from IPA Kerberos realm are generally not allowed to get
> tickets for AD realm so automatic update from IPA to AD is not possible.
>
> It might work the other way around (I did not test this):
> - Configure reverse zone in IPA
> - Configure delegation/forwarding in AD so all clients can properly resolve
>   the reverse zone
> - Allow all clients to update their PTR records. Update policy like this might
>   work:
>
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>
> I would like to hear from you if this works in your environment or not.
>
> Thank you!
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 29.6.2015 13:57, John Stein wrote:
> Hi,
>
> I have an AD and IdM server.
> AD domain - john.com
> IdM domain - linux.john.com
>
> Each spans multiple network segments, with some segments having both linux
> and windows machines.
>
> The IdM is configured to forward DNS requests to AD (forward first), and
> the AD is configured to forward requests in the linux.john.com domain to
> the IdM.
>
> However, I'm having a problem regarding reverse lookup zones. Where should
> they be so they can be accessed from both linux and windows machines?

From DNS's point of view it does not matter, pick one side (AD or IPA) to host
the reverse zone and configure delegation or forwarding on the other side.
That is all you need if you are willing to update records manually.

> If I put them in IdM, how will the AD know which requests to forward to the
> IdM?

Either properly configure delegation (if you have control over the parent
zone) or add forwarder (only if you do not have control over parent zone -
usual caveats for forwarding apply).

> It seems to me that I need to somehow register them at the AD, so the A
> record is in the IdM server and the PTR is in the AD. Is it possible to do
> it automatically,

"host/" principals from IPA Kerberos realm are generally not allowed to get
tickets for AD realm so automatic update from IPA to AD is not possible.

It might work the other way around (I did not test this):
- Configure reverse zone in IPA
- Configure delegation/forwarding in AD so all clients can properly resolve
  the reverse zone
- Allow all clients to update their PTR records. Update policy like this might
  work:

$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

I would like to hear from you if this works in your environment or not.

Thank you!

--
Petr^2 Spacek
[Freeipa-users] reverse lookup dns records in trust setup
Hi,

I have an AD and IdM server.
AD domain - john.com
IdM domain - linux.john.com

Each spans multiple network segments, with some segments having both linux and
windows machines.

The IdM is configured to forward DNS requests to AD (forward first), and the AD
is configured to forward requests in the linux.john.com domain to the IdM.

However, I'm having a problem regarding reverse lookup zones. Where should they
be so they can be accessed from both linux and windows machines?
If I put them in IdM, how will the AD know which requests to forward to the IdM?

It seems to me that I need to somehow register them at the AD, so the A record
is in the IdM server and the PTR is in the AD. Is it possible to do it
automatically, or am I supposed to configure the IdM server to create the A
record upon client registration and then manually create the PTR record in AD?
Is there another solution that eludes me?

Thank you very much,
John