Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

Does that mean deleting the NS record on AD and creating an A record instead?

Thanks,
John

On Wed, Jul 15, 2015, 18:28 Petr Spacek <pspa...@redhat.com> wrote:

> On 14.7.2015 15:19, John Stein wrote:
>> Hi,
>>
>> What I meant was that the IPA server is managing two zones:
>>
>> Linux.john.com
>> Which has these records
>> Ipa1 A 192.168.0.140
>> client1 A 192.168.0.11
>>
>> 0.168.192.in-addr.arpa.
>> Which has these records
>> 11 PTR client1.linux.john.com
>> @ NS ipa1.linux.john.com
>>
>> In the AD forward lookup zones
>> John.com
>> linux
>> (Same as parent folder) NS ipa1.linux.john.com
>>
>> Anything more that's unclear?
>
> This is enough. You have the same 'master' zone configured on IPA and AD, which does not make sense from the DNS point of view.
>
> You need to move all records to one server and configure a 'forward' zone on the other server. In AD terminology you need to create a 'conditional forwarder'.
>
> Petr^2 Spacek
>
> [...]

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 14.7.2015 15:19, John Stein wrote:
> Hi,
>
> What I meant was that the IPA server is managing two zones:
>
> Linux.john.com
> Which has these records
> Ipa1 A 192.168.0.140
> client1 A 192.168.0.11
>
> 0.168.192.in-addr.arpa.
> Which has these records
> 11 PTR client1.linux.john.com
> @ NS ipa1.linux.john.com
>
> In the AD forward lookup zones
> John.com
> linux
> (Same as parent folder) NS ipa1.linux.john.com
>
> Anything more that's unclear?

This is enough. You have the same 'master' zone configured on IPA and AD, which does not make sense from the DNS point of view.

You need to move all records to one server and configure a 'forward' zone on the other server. In AD terminology you need to create a 'conditional forwarder'.

Petr^2 Spacek

> Thank you very much!
> John
>
> [...]
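To make Petr's diagnosis concrete, here is a small resolver model, added as an example for this thread (it is not code from the thread, from FreeIPA or from Windows DNS). Two name servers stand in for the AD and IPA sides; each holds authoritative zones, optional conditional forwarders and an optional global forwarder. The zone data is constructed from the listing John posted; the AD copies of the two zones are assumed to hold only the IdM server's records, as John described, and the domain controller's name and address are made up. The resolution rule is a BIND-style longest match in which an authoritative copy beats any forwarder, which is what makes the global forwarder John configured irrelevant for names in a zone AD is master for. Running it reproduces the reported symptom (only the IdM server resolves from AD) and then applies Petr's remedy: move the records to one server and turn the other side into a conditional forwarder.

```python
"""Toy model of the two-server DNS layout discussed in this thread.

Added example, not code from the thread, from FreeIPA or from Windows DNS.
Zone data is constructed from the listing John posted; the AD domain
controller's name and address (dc1.john.com, 192.168.0.10) are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def _labels(name: str) -> list[str]:
    return name.rstrip(".").lower().split(".")


def longest_match(qname: str, zones) -> Optional[str]:
    """Most specific zone in `zones` that contains `qname`, or None."""
    ql = _labels(qname)
    best = None
    for zone in zones:
        zl = _labels(zone)
        if len(zl) <= len(ql) and ql[-len(zl):] == zl:
            if best is None or len(zl) > len(_labels(best)):
                best = zone
    return best


@dataclass
class Server:
    name: str
    zones: dict[str, dict[str, str]]                      # zone -> {owner fqdn: rdata}
    forward_zones: dict[str, "Server"] = field(default_factory=dict)
    global_forwarder: Optional["Server"] = None

    def resolve(self, qname: str) -> tuple[str, Optional[str]]:
        """Return (rcode, rdata). Model assumption (BIND-style): the most specific
        zone wins and an authoritative copy beats a forward zone of the same name,
        so a server that is master for a zone answers from its own data and never
        consults any forwarder for names inside that zone."""
        qname = qname.rstrip(".").lower()
        auth = longest_match(qname, self.zones)
        fwd = longest_match(qname, self.forward_zones)
        if auth is not None and (fwd is None or len(_labels(auth)) >= len(_labels(fwd))):
            rdata = self.zones[auth].get(qname)
            return ("NOERROR", rdata) if rdata else ("NXDOMAIN", None)
        if fwd is not None:
            return self.forward_zones[fwd].resolve(qname)
        if self.global_forwarder is not None:
            return self.global_forwarder.resolve(qname)
        return ("REFUSED", None)


# Constructed from John's listing: IPA is master for the forward and reverse zone.
IPA_ZONES = {
    "linux.john.com": {
        "ipa1.linux.john.com": "A 192.168.0.140",
        "client1.linux.john.com": "A 192.168.0.11",
    },
    "0.168.192.in-addr.arpa": {
        "11.0.168.192.in-addr.arpa": "PTR client1.linux.john.com",
    },
}

# Constructed after Petr's diagnosis: AD is *also* master for the same two zones,
# but its copies know only the IdM server. dc1.john.com is a made-up name.
AD_ZONES_DUAL_MASTER = {
    "john.com": {"dc1.john.com": "A 192.168.0.10"},
    "linux.john.com": {"ipa1.linux.john.com": "A 192.168.0.140"},
    "0.168.192.in-addr.arpa": {"140.0.168.192.in-addr.arpa": "PTR ipa1.linux.john.com"},
}

PROBE = ["ipa1.linux.john.com", "client1.linux.john.com",
         "140.0.168.192.in-addr.arpa", "11.0.168.192.in-addr.arpa"]


def build_dual_master() -> tuple[Server, Server]:
    """The layout from the thread: duplicated master zones plus IPA as AD's global forwarder."""
    ipa = Server("ipa1", {z: dict(r) for z, r in IPA_ZONES.items()})
    ad = Server("dc1", {z: dict(r) for z, r in AD_ZONES_DUAL_MASTER.items()}, global_forwarder=ipa)
    return ad, ipa


def duplicated_zones(a: Server, b: Server) -> set[str]:
    """Zones both servers claim to be authoritative for (the misconfiguration Petr called out)."""
    def norm(z: str) -> str:
        return ".".join(_labels(z))
    return {norm(z) for z in a.zones} & {norm(z) for z in b.zones}


def consolidate(ad: Server, ipa: Server, zone: str) -> None:
    """Petr's remedy: move every record of `zone` to IPA and replace the AD copy
    with a conditional forwarder pointing at IPA."""
    ipa.zones.setdefault(zone, {}).update(ad.zones.pop(zone, {}))
    ad.forward_zones[zone] = ipa


def probe(server: Server) -> dict[str, str]:
    """Response code `server` gives for each name in PROBE."""
    return {n: server.resolve(n)[0] for n in PROBE}


if __name__ == "__main__":
    ad, ipa = build_dual_master()
    print("master on both sides:", sorted(duplicated_zones(ad, ipa)))
    print("from AD before:", probe(ad))   # only the IdM server's names resolve
    for zone in sorted(duplicated_zones(ad, ipa)):
        consolidate(ad, ipa, zone)
    print("from AD after: ", probe(ad))   # everything resolves via the forwarder
```

Before consolidation the AD server answers NXDOMAIN for client1 and its PTR from its own short copy of each zone; the global forwarder is never reached. After the records are moved and the AD copies become conditional forwarders, every probe resolves through IPA.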
Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

What I meant was that the IPA server is managing two zones:

Linux.john.com
Which has these records
Ipa1 A 192.168.0.140
client1 A 192.168.0.11

0.168.192.in-addr.arpa.
Which has these records
11 PTR client1.linux.john.com
@ NS ipa1.linux.john.com

In the AD forward lookup zones
John.com
linux
(Same as parent folder) NS ipa1.linux.john.com

Anything more that's unclear?

Thank you very much!
John

On Tue, Jul 14, 2015, 15:52 Petr Spacek <pspa...@redhat.com> wrote:

> On 14.7.2015 14:49, John Stein wrote:
>> I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD.
>>
>> On Wed, Jul 8, 2015, 12:50 Petr Spacek <pspa...@redhat.com> wrote:
>>> On 5.7.2015 08:38, John Stein wrote:
>>>> Hi,
>>>>
>>>> I ran these commands in the IdM server
>>>>
>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>>>
>>>> At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.
>
> Can you explain what you did, exactly? I do not know what 'I have A and PTR records for the IdM server' exactly means. We need to know exactly what you typed in and where you clicked in AD. The original information is not sufficient, that is why I am asking for more details.
>
> Petr^2 Spacek
>
>>>> However this setup does not work. From the IdM and linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?
>>>
>>> I'm not sure I understand you.
>>>
>>> [...]
Re: [Freeipa-users] reverse lookup dns records in trust setup
I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD.

On Wed, Jul 8, 2015, 12:50 Petr Spacek <pspa...@redhat.com> wrote:

> On 5.7.2015 08:38, John Stein wrote:
>> Hi,
>>
>> I ran these commands in the IdM server
>>
>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>
>> At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.
>>
>> However this setup does not work. From the IdM and linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?
>
> I'm not sure I understand you.
>
> A zone should be configured only on one server (or set of synchronized servers).
>
> Could you tell us what exactly (using what commands or GUI in IPA and AD) you configured? It would be good if you did not obfuscate DNS names in the steps because the obfuscation often hides the real cause of the problem :-)
>
> Have a nice day!
>
> Petr^2 Spacek
>
>> Thank you very much,
>> John
>>
>> On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek <pspa...@redhat.com> wrote:
>>
>>> [...]
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 14.7.2015 14:49, John Stein wrote:
> I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD.
>
> On Wed, Jul 8, 2015, 12:50 Petr Spacek <pspa...@redhat.com> wrote:
>> On 5.7.2015 08:38, John Stein wrote:
>>> Hi,
>>>
>>> I ran these commands in the IdM server
>>>
>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>>
>>> At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.

Can you explain what you did, exactly? I do not know what 'I have A and PTR records for the IdM server' exactly means. We need to know exactly what you typed in and where you clicked in AD. The original information is not sufficient, that is why I am asking for more details.

Petr^2 Spacek

>>> However this setup does not work. From the IdM and linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?
>>
>> I'm not sure I understand you.
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 5.7.2015 08:38, John Stein wrote:
> Hi,
>
> I ran these commands in the IdM server
>
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>
> At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.
>
> However this setup does not work. From the IdM and linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?

I'm not sure I understand you.

A zone should be configured only on one server (or set of synchronized servers).

Could you tell us what exactly (using what commands or GUI in IPA and AD) you configured? It would be good if you did not obfuscate DNS names in the steps because the obfuscation often hides the real cause of the problem :-)

Have a nice day!

Petr^2 Spacek

> Thank you very much,
> John
>
> On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek <pspa...@redhat.com> wrote:
>
>> [...]
Re: [Freeipa-users] reverse lookup dns records in trust setup
Hi,

I ran these commands in the IdM server

$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.

However this setup does not work. From the IdM and linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not. Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?

Thank you very much,
John

On Mon, Jun 29, 2015 at 4:52 PM Petr Spacek <pspa...@redhat.com> wrote:

> On 29.6.2015 13:57, John Stein wrote:
>> Hi,
>>
>> I have an AD and IdM server.
>> AD domain - john.com
>> IdM domain - linux.john.com
>>
>> Each spans multiple network segments, with some segments having both linux and windows machines.
>>
>> The IdM is configured to forward DNS requests to AD (forward first), and the AD is configured to forward requests in the linux.john.com domain to the IdM.
>>
>> However, I'm having a problem regarding reverse lookup zones. Where should they be so they can be accessed from both linux and windows machines?
>
> From the DNS point of view it does not matter; pick one side (AD or IPA) to host the reverse zone and configure delegation or forwarding on the other side. That is all you need if you are willing to update records manually.
>
>> If I put them in IdM, how will the AD know which requests to forward to the IdM?
>
> Either properly configure delegation (if you have control over the parent zone) or add a forwarder (only if you do not have control over the parent zone - the usual caveats for forwarding apply).
>
>> It seems to me that I need to somehow register them at the AD, so the A record is in the IdM server and the PTR is in the AD. Is it possible to do it automatically,
>
> host/ principals from the IPA Kerberos realm are generally not allowed to get tickets for the AD realm, so automatic update from IPA to AD is not possible.
>
> It might work the other way around (I did not test this):
> - Configure reverse zone in IPA
> - Configure delegation/forwarding in AD so all clients can properly resolve the reverse zone
> - Allow all clients to update their PTR records. Update policy like this might work:
>
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>
> I would like to hear from you if this works in your environment or not.
>
> Thank you!
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 29.6.2015 13:57, John Stein wrote:
> Hi,
>
> I have an AD and IdM server.
> AD domain - john.com
> IdM domain - linux.john.com
>
> Each spans multiple network segments, with some segments having both linux and windows machines.
>
> The IdM is configured to forward DNS requests to AD (forward first), and the AD is configured to forward requests in the linux.john.com domain to the IdM.
>
> However, I'm having a problem regarding reverse lookup zones. Where should they be so they can be accessed from both linux and windows machines?

From the DNS point of view it does not matter; pick one side (AD or IPA) to host the reverse zone and configure delegation or forwarding on the other side. That is all you need if you are willing to update records manually.

> If I put them in IdM, how will the AD know which requests to forward to the IdM?

Either properly configure delegation (if you have control over the parent zone) or add a forwarder (only if you do not have control over the parent zone - the usual caveats for forwarding apply).

> It seems to me that I need to somehow register them at the AD, so the A record is in the IdM server and the PTR is in the AD. Is it possible to do it automatically,

host/ principals from the IPA Kerberos realm are generally not allowed to get tickets for the AD realm, so automatic update from IPA to AD is not possible.

It might work the other way around (I did not test this):
- Configure reverse zone in IPA
- Configure delegation/forwarding in AD so all clients can properly resolve the reverse zone
- Allow all clients to update their PTR records. Update policy like this might work:

$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant AD.EXAMPLE krb5-self * PTR; grant IPA.EXAMPLE krb5-self * PTR;'
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1

I would like to hear from you if this works in your environment or not.

Thank you!

--
Petr^2 Spacek
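A few helpers for the procedure Petr sketched (reverse zone on IPA, delegation or forwarding on the AD side, PTR updates allowed per realm), added here as an example; this is not code from the thread or from FreeIPA. It derives the in-addr.arpa zone name from a network prefix, builds the update-policy string in the same `grant REALM krb5-self * PTR;` form the thread's `ipa dnszone-mod` commands use, and audits A and PTR data for forward/reverse consistency. The sample records are constructed from John's zone listing. Two things the thread itself shows fall out of running it: the listing keeps the PTR records in 0.168.192.in-addr.arpa. (the zone for 192.168.0.0/24), while the commands run in the thread name 2.0.192.in-addr.arpa., the zone name from Petr's example, which belongs to 192.0.2.0/24; and the IdM server's own address has an A record but no PTR in the IPA reverse zone.

```python
"""Reverse-zone helpers for the IPA-hosted reverse zone procedure in this thread.

Added example, not code from the thread or from FreeIPA. Sample records are
constructed from John's zone listing.
"""
import ipaddress


def reverse_zone(network: str) -> str:
    """in-addr.arpa zone for an IPv4 network on an octet boundary.
    reverse_zone('192.168.0.0/24') -> '0.168.192.in-addr.arpa.'"""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("expected an IPv4 network with a /8, /16 or /24 prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(ip: str) -> str:
    """Fully qualified owner name of the PTR record for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def update_policy(realms) -> str:
    """Update-policy string in the form used by the dnszone-mod commands above:
    one 'grant REALM krb5-self * PTR;' clause per Kerberos realm."""
    return " ".join(f"grant {realm.upper()} krb5-self * PTR;" for realm in realms)


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def audit(a_records: dict, ptr_records: dict) -> dict:
    """Compare forward data (fqdn -> ip) with reverse data (ip -> fqdn).

    Returns the names with an A record but no PTR, the PTRs whose target has
    no A record, and the PTRs whose target resolves to a different address."""
    fwd = {_norm(n): ip for n, ip in a_records.items()}
    rev = {ip: _norm(n) for ip, n in ptr_records.items()}
    return {
        "missing_ptr": sorted(n for n, ip in fwd.items() if ip not in rev),
        "orphan_ptr": sorted(ip for ip, n in rev.items() if n not in fwd),
        "mismatch": sorted(ip for ip, n in rev.items() if n in fwd and fwd[n] != ip),
    }


# Constructed from John's listing of the zones the IPA server manages.
A_RECORDS = {
    "ipa1.linux.john.com.": "192.168.0.140",
    "client1.linux.john.com.": "192.168.0.11",
}
PTR_RECORDS = {
    "192.168.0.11": "client1.linux.john.com.",
}


def zone_matches_network(zone: str, network: str) -> bool:
    """True when `zone` is the reverse zone for `network` (case and trailing dot aside)."""
    return _norm(zone) == _norm(reverse_zone(network))


if __name__ == "__main__":
    print("reverse zone for 192.168.0.0/24:", reverse_zone("192.168.0.0/24"))
    print("2.0.192.in-addr.arpa. is for 192.168.0.0/24:",
          zone_matches_network("2.0.192.in-addr.arpa.", "192.168.0.0/24"))
    print("PTR owner for client1:", ptr_owner("192.168.0.11"))
    print("policy:", update_policy(["JOHN.COM", "LINUX.JOHN.COM"]))
    print("audit:", audit(A_RECORDS, PTR_RECORDS))
```

The audit is the check to run on both sides before debugging forwarding: a PTR that is missing or points at a name with a different A record shows up here as data, not as a resolver timeout.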