Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Nathan Peters
I think it was not having dynamic updates enabled for the reverse zone.  
I enabled those and PTR sync on both the forward and reverse and now it 
seems to be working for a new client that I joined.


What I'm not clear on at this point is why that is not a default 
setting.  I know at some point I deleted a /24 reverse zone and made a 
/16 instead because we have too many /24s to manage efficiently.


Also, due to the issues that can arise from not having valid PTR 
entries, you would think that this would be defaulted to on.


On 9/14/2015 12:03 AM, Martin Basti wrote:

Hi,
can you check journalctl -u named(-pkcs11) on the server; there might be 
errors showing why the PTR record has not been added.


Have you enabled dynamic updates for the reverse zone?

Martin

On 09/12/2015 10:42 PM, Youenn PIOLET wrote:


Hi,

I've seen the same issue recently on various clients using ipa 3.3 
and ipa 4.* during the first join on a clean OS. Can't confirm it was 
working before. Is it normal behavior?


Allow PTR sync is enabled.

Cheers,

On 12 Sept 2015 7:44 AM, "Nathan Peters" wrote:



On 9/11/2015 10:32 AM, Simo Sorce wrote:

On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:

I have been trying to figure this out for a while now but when I join a
machine to FreeIPA, the installer properly creates forward DNS entries,
and DNS SSHFP entries, but does not create reverse entries. Without the
PTR records, kerberos logins are always failing on these machines.

I am interested in understanding what fails exactly; stuff should not
depend on reverse resolution. Can you give me an example of a failure?

For the PTR creation anyway, have you enabled the option to allow setting
PTR records? There is a global DNS option (as well as a per-zone setting)
called "Allow PTR Sync" you may want to enable.


When we attempt to login using kerberos on a machine that has no
reverse DNS entry defined, we are instead prompted with a password
prompt. The password authentication still works but the ticket does not.

From what I read, the Allow PTR Sync option is only used in conjunction
with DNS IP address changes and does not apply to the initial join of the
domain.

Is the joining process supposed to create reverse DNS entries for the
clients or just forward entries and SSHFP entries?

-- 
Manage your subscription for the Freeipa-users mailing list:

https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
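A practical check for the symptom this thread describes (forward record present, PTR absent), as an added example that is not part of the thread and not FreeIPA's own code: it walks a set of enrolled clients' A records, maps each address to the managed reverse zone that should hold its PTR (including the /16 versus /24 case Nathan mentions, where the most specific enclosing zone wins), and reports which PTRs are missing or point at the wrong host. Every hostname, address, zone and record below is constructed for the example; in practice you would feed it output from the ipa CLI or a zone dump. The reason such an audit is worth running is that MIT krb5 with rdns = true (the libdefaults default) uses a reverse lookup when canonicalizing the host principal for a service ticket, so a missing or stale PTR can produce the wrong principal name, which is one plausible route to the password fallback Nathan observed.

```python
"""Audit enrolled FreeIPA clients for missing or mismatched PTR records.

Added example, not code from the thread or from FreeIPA itself. All
records below are constructed stand-ins for what you would export with
the ipa CLI or a zone transfer; nothing here talks to a DNS server.
"""
import ipaddress

# Constructed forward A records of enrolled clients (owner -> address).
FORWARD_A = {
    "ipaclient.ipadomain.net.": "10.20.30.40",
    "dc1.ipadomain.net.": "10.20.30.1",
    "dc2.ipadomain.net.": "10.20.31.1",
    "lab01.ipadomain.net.": "192.168.5.7",
    "guest.ipadomain.net.": "172.16.0.9",
}

# Reverse zones assumed to be managed by FreeIPA: one /16 zone (the
# consolidation the thread describes) and one /24 zone.
REVERSE_ZONES = ["20.10.in-addr.arpa.", "5.168.192.in-addr.arpa."]

# Constructed PTR records currently present (owner -> target hostname).
PTR_RECORDS = {
    "1.30.20.10.in-addr.arpa.": "dc1.ipadomain.net.",
    "1.31.20.10.in-addr.arpa.": "dc2.ipadomain.net.",
    "7.5.168.192.in-addr.arpa.": "old-name.ipadomain.net.",  # stale target
}


def ptr_name(ip):
    """Fully-qualified in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_for(ip, zones):
    """Most specific managed reverse zone that contains ``ip``, or None.

    A /16 zone (20.10.in-addr.arpa.) has fewer labels than a /24 zone
    (30.20.10.in-addr.arpa.), so when both cover the address the one
    with more labels wins, mirroring how a resolver picks the closest
    enclosing zone. The leading dot in the suffix test keeps
    "0.10.in-addr.arpa." from matching "...10.10.in-addr.arpa.".
    """
    owner = ptr_name(ip)
    covering = [z for z in zones if owner.endswith("." + z)]
    if not covering:
        return None
    return max(covering, key=lambda z: z.count("."))


def audit(forward_a, ptr_records, zones):
    """Classify each client's reverse-DNS state.

    Returns {hostname: state} where state is one of
      'ok'        PTR exists and names the forward owner
      'mismatch'  PTR exists but names a different host
      'missing'   a managed reverse zone covers the IP but has no PTR
      'no-zone'   no managed reverse zone covers the IP at all
    'missing' is the symptom discussed in the thread; the fix there was
    enabling dynamic updates plus PTR sync on the reverse zone.
    """
    report = {}
    for host, ip in forward_a.items():
        if reverse_zone_for(ip, zones) is None:
            report[host] = "no-zone"
            continue
        target = ptr_records.get(ptr_name(ip))
        if target is None:
            report[host] = "missing"
        elif target.lower() == host.lower():
            report[host] = "ok"
        else:
            report[host] = "mismatch"
    return report


if __name__ == "__main__":
    for host, state in audit(FORWARD_A, PTR_RECORDS, REVERSE_ZONES).items():
        print(f"{host:28} {FORWARD_A[host]:15} {state}")
```

Run as-is to print one line per client; swap the three constructed dictionaries for real data to audit a deployment. Hosts reported as 'missing' are exactly the case from the thread, and once dynamic updates and Allow PTR Sync are on for the reverse zone, re-enrolling a client and re-running the audit should move it to 'ok'. 'no-zone' is the other configuration gap worth catching: a client whose address falls outside every managed reverse zone can never get a PTR regardless of zone settings.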

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Martin Basti

Hi,
can you check journalctl -u named(-pkcs11) on the server; there might be 
errors showing why the PTR record has not been added.


Have you enabled dynamic updates for the reverse zone?

Martin

On 09/12/2015 10:42 PM, Youenn PIOLET wrote:


Hi,

I've seen the same issue recently on various clients using ipa 3.3 and 
ipa 4.* during the first join on a clean OS. Can't confirm it was 
working before. Is it normal behavior?


Allow PTR sync is enabled.

Cheers,

On 12 Sept 2015 7:44 AM, "Nathan Peters" wrote:



On 9/11/2015 10:32 AM, Simo Sorce wrote:

On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:

I have been trying to figure this out for a while now but when I join a
machine to FreeIPA, the installer properly creates forward DNS entries,
and DNS SSHFP entries, but does not create reverse entries. Without the
PTR records, kerberos logins are always failing on these machines.

I am interested in understanding what fails exactly; stuff should not
depend on reverse resolution. Can you give me an example of a failure?

For the PTR creation anyway, have you enabled the option to allow setting
PTR records? There is a global DNS option (as well as a per-zone setting)
called "Allow PTR Sync" you may want to enable.


When we attempt to login using kerberos on a machine that has no
reverse DNS entry defined, we are instead prompted with a password
prompt. The password authentication still works but the ticket does not.

From what I read, the Allow PTR Sync option is only used in conjunction
with DNS IP address changes and does not apply to the initial join of the
domain.

Is the joining process supposed to create reverse DNS entries for the
clients or just forward entries and SSHFP entries?


Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-13 Thread Youenn PIOLET
Hi,

I've seen the same issue recently on various clients using ipa 3.3 and ipa
4.* during the first join on a clean OS. Can't confirm it was working
before. Is it normal behavior?

Allow PTR sync is enabled.

Cheers,
On 12 Sept 2015 7:44 AM, "Nathan Peters" wrote:

>
> On 9/11/2015 10:32 AM, Simo Sorce wrote:
>
>> On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
>>
>>> I have been trying to figure this out for a while now but when I join a
>>> machine to FreeIPA, the installer properly creates forward DNS
>>> entries, and DNS SSHFP entries, but does not create reverse entries.
>>> Without the PTR records, kerberos logins are always failing on these
>>> machines.
>>>
>> I am interested in understanding what fails exactly; stuff should not
>> depend on reverse resolution. Can you give me an example of a failure?
>>
>> For the PTR creation anyway, have you enabled the option to allow setting
>> PTR records?
>> There is a global DNS option (as well as a per-zone setting) called
>> "Allow PTR Sync" you may want to enable.
>>
>>
> When we attempt to login using kerberos on a machine that has no reverse
> DNS entry defined, we are instead prompted with a password prompt.  The
> password authentication still works but the ticket does not.
>
> From what I read, the Allow PTR Sync option is only used in conjunction
> with DNS IP address changes and does not apply to the initial join of the
> domain.
>
> Is the joining process supposed to create reverse DNS entries for the
> clients or just forward entries and SSHFP entries?
>

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Simo Sorce
On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
> I have been trying to figure this out for a while now but when I join a
> machine to FreeIPA, the installer properly creates forward DNS
> entries, and DNS SSHFP entries, but does not create reverse entries.
> Without the PTR records, kerberos logins are always failing on these
> machines.

I am interested in understanding what fails exactly; stuff should not
depend on reverse resolution. Can you give me an example of a failure?

For the PTR creation anyway, have you enabled the option to allow setting
PTR records?
There is a global DNS option (as well as a per-zone setting) called
"Allow PTR Sync" you may want to enable.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread nathan
I have been trying to figure this out for a while now but when I join a
machine to FreeIPA, the installer properly creates forward DNS entries,
and DNS SSHFP entries, but does not create reverse entries.  Without the
PTR records, kerberos logins are always failing on these machines.

The reverse zones exist, all DNS is managed by FreeIPA, and I am able to
manually add the entries just fine.

Environment :
Servers : CentOS7, FreeIPA 4.1.4
Clients : CentOS 6.5, FreeIPA client 3.0.0-42

I have tried this both with the Internal FreeIPA 'admin' user as the join
user and as another user called 'joinscript' which has the host enrollment
and DNS administrator privileges.

Here is the ipa-client install log:

2015-09-11T16:24:05Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': None, 'force': False, 'krb5_offline_passwords': True,
'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd':
True, 'conf_ntp': True, 'on_master': False, 'ntp_server': None, 'server':
None, 'no_nisdomain': False, 'principal': 'joinscript', 'hostname':
'ipaclient.ipadomain.net', 'no_ac': False, 'unattended': True, 'sssd':
True, 'trust_sshfp': False, 'realm_name': None, 'dns_updates': True,
'conf_sudo': True, 'conf_ssh': True, 'force_join': True, 'ca_cert_file':
None, 'nisdomain': None, 'prompt_password': False, 'permit': False,
'debug': False, 'preserve_sssd': False, 'uninstall': False}
2015-09-11T16:24:05Z DEBUG missing options might be asked for
interactively later
2015-09-11T16:24:05Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-09-11T16:24:05Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2015-09-11T16:24:05Z DEBUG [IPA Discovery]
2015-09-11T16:24:05Z DEBUG Starting IPA discovery with domain=None,
servers=None, hostname=ipaclient.ipadomain.net
2015-09-11T16:24:05Z DEBUG Start searching for LDAP SRV record in
"ipadomain.net" (domain of the hostname) and its sub-domains
2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of
_ldap._tcp.ipadomain.net.
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc1.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc2.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG [Kerberos realm search]
2015-09-11T16:24:05Z DEBUG Search DNS for TXT record of
_kerberos.ipadomain.net.
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_kerberos.ipadomain.net.,type:16,class:1,rdata={data:ipadomain.net}
2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of
_kerberos._udp.ipadomain.net.
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_kerberos._udp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:dc2.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_kerberos._udp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:dc1.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG [LDAP server check]
2015-09-11T16:24:05Z DEBUG Verifying that dc1.ipadomain.net (realm
ipadomain.net) is an IPA server
2015-09-11T16:24:05Z DEBUG Init LDAP connection with:
ldap://dc1.ipadomain.net:389
2015-09-11T16:24:05Z DEBUG Search LDAP server for IPA base DN
2015-09-11T16:24:05Z DEBUG Check if naming context 'dc=ipadomain,dc=net'
is for IPA
2015-09-11T16:24:05Z DEBUG Naming context 'dc=ipadomain,dc=net' is a valid
IPA context
2015-09-11T16:24:05Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=ipadomain,dc=net (sub)
2015-09-11T16:24:05Z DEBUG Found:
cn=ipadomain.net,cn=kerberos,dc=ipadomain,dc=net
2015-09-11T16:24:05Z DEBUG Discovery result: Success;
server=dc1.ipadomain.net, domain=ipadomain.net,
kdc=dc2.ipadomain.net,dc1.ipadomain.net, basedn=dc=ipadomain,dc=net
2015-09-11T16:24:05Z DEBUG Validated servers: dc1.ipadomain.net
2015-09-11T16:24:05Z DEBUG will use discovered domain: ipadomain.net
2015-09-11T16:24:05Z DEBUG Start searching for LDAP SRV record in
"ipadomain.net" (Validating DNS Discovery) and its sub-domains
2015-09-11T16:24:05Z DEBUG Search DNS for SRV record of
_ldap._tcp.ipadomain.net.
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc2.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG DNS record found:
DNSResult::name:_ldap._tcp.ipadomain.net.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:dc1.ipadomain.net.}
2015-09-11T16:24:05Z DEBUG DNS validated, enabling discovery
2015-09-11T16:24:05Z DEBUG will use discovered server: dc1.ipadomain.net
2015-09-11T16:24:05Z INFO Discovery was successful!
2015-09-11T16:24:05Z DEBUG will use discovered realm: ipadomain.net
2015-09-11T16:24:05Z DEBUG will use discovered basedn: dc=ipadomain,dc=net
2015-09-11T16:24:05Z INFO Hostname: ipaclient.ipadomain.net
2015-09-11T16:24:05Z DEBUG 

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Nathan Peters


On 9/11/2015 10:32 AM, Simo Sorce wrote:

On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:

I have been trying to figure this out for a while now but when I join a
machine to FreeIPA, the installer properly creates forward DNS
entries, and DNS SSHFP entries, but does not create reverse entries.
Without the PTR records, kerberos logins are always failing on these
machines.

I am interested in understanding what fails exactly; stuff should not
depend on reverse resolution. Can you give me an example of a failure?

For the PTR creation anyway, have you enabled the option to allow setting
PTR records?
There is a global DNS option (as well as a per-zone setting) called
"Allow PTR Sync" you may want to enable.



When we attempt to login using kerberos on a machine that has no reverse 
DNS entry defined, we are instead prompted with a password prompt.  The 
password authentication still works but the ticket does not.


From what I read, the Allow PTR Sync option is only used in conjunction 
with DNS IP address changes and does not apply to the initial join of 
the domain.


Is the joining process supposed to create reverse DNS entries for the 
clients or just forward entries and SSHFP entries?

