Re: [Freeipa-users] shared ip space for iDM and AD

2015-10-15 Thread Petr Spacek
On 14.10.2015 20:11, Craig White wrote:
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Tuesday, October 13, 2015 11:57 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] shared ip space for iDM and AD
> 
> On 14.10.2015 00:41, Craig White wrote:
>> Our environment is mostly Linux servers but we do have some Windows servers 
>> running MSSQL. A co-worker spun up Active Directory Domain Controllers 
>> without conferring with me and the Windows boxes are all on one of the VLAN 
>> private LAN networks used by FreeIPA. Thus we not only have reverse DNS 
>> servers in FreeIPA but also in Active Directory. Is it possible to have 
>> Active Directory use the reverse DNS servers on iDM/FreeIPA?
> 
> If you decide to manually configure/add records to reverse zones then yes, it 
> will work :-)
> 
> If you want to use dynamic updates from IPA and Windows clients, then you 
> need to establish trust between AD and IPA domains and modify DNS update 
> policy on IPA server to accept updates from Windows clients.
> 
> Please note that I did not test this, but it should work.
> 
> 
> # this allows updates to A//SSHFP records
> $ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
> $ ipa dnszone-mod your.domain.example. --update-policy='
> grant IPA.REALM.EXAMPLE krb5-self * A;
> grant IPA.REALM.EXAMPLE krb5-self * ;
> grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
> grant AD.REALM.EXAMPLE ms-self * A;
> grant AD.REALM.EXAMPLE ms-self * ;
> grant AD.REALM.EXAMPLE ms-self * SSHFP;
> '
> 
> # this instructs IPA server to update PTR records when updating A/ records
> $ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
> 
> 
> Alternatively, you can allow unauthenticated updates to reverse zones, so 
> SyncPTR feature is not needed for Windows clients (because the clients would 
> do updates themselves):
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
> grant * tcp-self * PTR;'
> 
> 
> Please let me know if it works for you.
> 
> Nitpicking...
> 
> $ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
> s/b
> $ ipa dnszone-mod your.domain.example. --dynamic-update=TRUE   #update not updates
> 
> 
> ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
> s/b
> ipa dnszone-mod your.domain.example. --allow-sync-ptr=TRUE #allow is required
> 
> 
> Still waiting for AD to be joined to IPA for the first set of mods. 

BTW please be sure to follow
http://www.freeipa.org/page/Deployment_Recommendations

DNS configuration is especially important when it comes to AD trusts.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] shared ip space for iDM and AD

2015-10-14 Thread Craig White
-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Tuesday, October 13, 2015 11:57 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] shared ip space for iDM and AD

On 14.10.2015 00:41, Craig White wrote:
> Our environment is mostly Linux servers but we do have some Windows servers 
> running MSSQL. A co-worker spun up Active Directory Domain Controllers 
> without conferring with me and the Windows boxes are all on one of the VLAN 
> private LAN networks used by FreeIPA. Thus we not only have reverse DNS 
> servers in FreeIPA but also in Active Directory. Is it possible to have 
> Active Directory use the reverse DNS servers on iDM/FreeIPA?

If you decide to manually configure/add records to reverse zones then yes, it 
will work :-)

If you want to use dynamic updates from IPA and Windows clients, then you need 
to establish trust between AD and IPA domains and modify DNS update policy on 
IPA server to accept updates from Windows clients.

Please note that I did not test this, but it should work.


# this allows updates to A//SSHFP records
$ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
$ ipa dnszone-mod your.domain.example. --update-policy='
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * ;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * ;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
'

# this instructs IPA server to update PTR records when updating A/ records
$ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE


Alternatively, you can allow unauthenticated updates to reverse zones, so 
SyncPTR feature is not needed for Windows clients (because the clients would do 
updates themselves):
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
grant * tcp-self * PTR;'


Please let me know if it works for you.

Nitpicking...

$ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
s/b
$ ipa dnszone-mod your.domain.example. --dynamic-update=TRUE   #update not updates


ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
s/b
ipa dnszone-mod your.domain.example. --allow-sync-ptr=TRUE #allow is required


Still waiting for AD to be joined to IPA for the first set of mods. 

You're awesome, thanks.

Craig



Re: [Freeipa-users] shared ip space for iDM and AD

2015-10-14 Thread Craig White
-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Tuesday, October 13, 2015 11:57 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] shared ip space for iDM and AD

On 14.10.2015 00:41, Craig White wrote:
> Our environment is mostly Linux servers but we do have some Windows servers 
> running MSSQL. A co-worker spun up Active Directory Domain Controllers 
> without conferring with me and the Windows boxes are all on one of the VLAN 
> private LAN networks used by FreeIPA. Thus we not only have reverse DNS 
> servers in FreeIPA but also in Active Directory. Is it possible to have 
> Active Directory use the reverse DNS servers on iDM/FreeIPA?

If you decide to manually configure/add records to reverse zones then yes, it 
will work :-)

If you want to use dynamic updates from IPA and Windows clients, then you need 
to establish trust between AD and IPA domains and modify DNS update policy on 
IPA server to accept updates from Windows clients.

Please note that I did not test this, but it should work.


# this allows updates to A//SSHFP records
$ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
$ ipa dnszone-mod your.domain.example. --update-policy='
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * ;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * ;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
'

# this instructs IPA server to update PTR records when updating A/ records
$ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE


Alternatively, you can allow unauthenticated updates to reverse zones, so 
SyncPTR feature is not needed for Windows clients (because the clients would do 
updates themselves):
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
grant * tcp-self * PTR;'


Please let me know if it works for you.

Will do. My co-worker wants to be the one to join the domains together but he 
is procrastinating on it so I don't know when it will be done. 

Thanks for the great help.

Craig



Re: [Freeipa-users] shared ip space for iDM and AD

2015-10-14 Thread Petr Spacek
On 14.10.2015 00:41, Craig White wrote:
> Our environment is mostly Linux servers but we do have some Windows servers 
> running MSSQL. A co-worker spun up Active Directory Domain Controllers 
> without conferring with me and the Windows boxes are all on one of the VLAN 
> private LAN networks used by FreeIPA. Thus we not only have reverse DNS 
> servers in FreeIPA but also in Active Directory. Is it possible to have 
> Active Directory use the reverse DNS servers on iDM/FreeIPA?

If you decide to manually configure/add records to reverse zones then yes, it
will work :-)

If you want to use dynamic updates from IPA and Windows clients, then you need
to establish trust between AD and IPA domains and modify DNS update policy on
IPA server to accept updates from Windows clients.

Please note that I did not test this, but it should work.


# this allows updates to A//SSHFP records
$ ipa dnszone-mod your.domain.example. --dynamic-updates=TRUE
$ ipa dnszone-mod your.domain.example. --update-policy='
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * ;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * ;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
'

# this instructs IPA server to update PTR records when updating A/ records
$ ipa dnszone-mod your.domain.example. --sync-ptr=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE


Alternatively, you can allow unauthenticated updates to reverse zones, so
SyncPTR feature is not needed for Windows clients (because the clients would
do updates themselves):
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=TRUE
$ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='
grant * tcp-self * PTR;'


Please let me know if it works for you.

-- 
Petr^2 Spacek

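The grant statements passed to --update-policy in the message above are BIND update-policy rules, and the two variants differ in what they trust: krb5-self and ms-self accept an update only when the GSS-TSIG signer's principal maps to the name being changed, while tcp-self accepts an unsigned update for the PTR name derived from the client's TCP source address, so any host that can open a TCP connection to the IPA DNS server from (or while spoofing) an address in 2.0.192.in-addr.arpa can rewrite that address's PTR. A second point worth checking before applying the forward-zone policy: as BIND documents ms-self, a signer MACHINE$@REALM is permitted to update the name machine.<realm, lowercased>, so a grant for AD.REALM.EXAMPLE covers names under the AD realm's own name rather than names under your.domain.example. The evaluator below is an added example, not FreeIPA or BIND code; it re-implements those three match types so a policy string can be checked offline before the ipa dnszone-mod call. Policy strings, principals and addresses are constructed sample input, and AAAA is assumed for the record type that appears blank between A and SSHFP in the quoted policy.

```python
"""Offline evaluator for BIND update-policy grant rules.

Added example, not FreeIPA or BIND code. It re-implements the krb5-self,
ms-self and tcp-self match types as BIND documents them so that a policy
string can be checked before it is applied with 'ipa dnszone-mod'.
All policies, principals and addresses below are constructed sample input.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Grant:
    identity: str           # realm the signer must belong to, or '*'
    rule: str               # 'krb5-self', 'ms-self' or 'tcp-self'
    types: FrozenSet[str]   # empty means any RR type


def parse_policy(policy: str) -> List[Grant]:
    """Parse 'grant IDENTITY RULE NAME [TYPE ...];' statements."""
    grants = []
    for stmt in policy.split(";"):
        words = stmt.split()
        if not words:
            continue
        if words[0] != "grant" or len(words) < 4:
            raise ValueError("unsupported statement: %r" % stmt.strip())
        _, identity, rule, _name, *types = words
        if rule not in ("krb5-self", "ms-self", "tcp-self"):
            raise ValueError("unsupported rule type: %r" % rule)
        grants.append(Grant(identity, rule, frozenset(t.upper() for t in types)))
    return grants


def _norm(name: str) -> str:
    """DNS names compare case-insensitively, with or without the root dot."""
    return name.rstrip(".").lower()


def _self_name(rule: str, principal: str, realm: str) -> Optional[str]:
    """Name a signer may update under a *-self rule, or None if no match.

    krb5-self: host/<fqdn>@REALM   -> <fqdn>
    ms-self:   MACHINE$@REALM      -> machine.<realm lowercased>
    The grant's identity field is the realm the principal must carry.
    """
    if rule == "krb5-self":
        m = re.fullmatch(r"host/([^@/]+)@([^@]+)", principal)
        if m and realm in ("*", m.group(2)):
            return _norm(m.group(1))
    elif rule == "ms-self":
        m = re.fullmatch(r"([^@$/]+)\$@([^@]+)", principal)
        if m and realm in ("*", m.group(2)):
            return _norm(m.group(1) + "." + m.group(2))
    return None


def update_allowed(grants, name, rrtype, principal=None, src_ip=None, tcp=False):
    """True if some grant permits changing NAME/RRTYPE for this client.

    principal: GSS-TSIG signer, None for an unsigned update.
    src_ip/tcp: client address and transport, consulted only by tcp-self.
    """
    target = _norm(name)
    for g in grants:
        if g.types and rrtype.upper() not in g.types:
            continue
        if g.rule in ("krb5-self", "ms-self"):
            if principal and _self_name(g.rule, principal, g.identity) == target:
                return True
        elif g.rule == "tcp-self":
            # No signature is checked here: trust rests solely on the TCP
            # source address matching the reverse name being updated.
            if tcp and src_ip and ipaddress.ip_address(src_ip).reverse_pointer == target:
                return True
    return False


def unauthenticated_rules(grants):
    """Grants that accept unsigned updates; flag these when reviewing a policy."""
    return [g for g in grants if g.rule == "tcp-self"]


# Constructed sample policies shaped like the thread's commands (AAAA assumed).
FORWARD_POLICY = """
grant IPA.REALM.EXAMPLE krb5-self * A;
grant IPA.REALM.EXAMPLE krb5-self * AAAA;
grant IPA.REALM.EXAMPLE krb5-self * SSHFP;
grant AD.REALM.EXAMPLE ms-self * A;
grant AD.REALM.EXAMPLE ms-self * AAAA;
grant AD.REALM.EXAMPLE ms-self * SSHFP;
"""
REVERSE_POLICY = "grant * tcp-self * PTR;"

if __name__ == "__main__":
    fwd = parse_policy(FORWARD_POLICY)
    rev = parse_policy(REVERSE_POLICY)
    print(update_allowed(fwd, "db1.your.domain.example.", "A",
                         principal="host/db1.your.domain.example@IPA.REALM.EXAMPLE"))
    print(update_allowed(fwd, "sql01.your.domain.example.", "A",
                         principal="SQL01$@AD.REALM.EXAMPLE"))
    print(update_allowed(rev, "10.2.0.192.in-addr.arpa.", "PTR",
                         src_ip="192.0.2.10", tcp=True))
    print([g.rule for g in unauthenticated_rules(rev)])
```

Run it against the exact string you intend to pass to --update-policy: the second print shows the ms-self case (an AD machine account does not get rights over a name in the IPA zone), and unauthenticated_rules() lists the tcp-self grants so the decision to accept unsigned PTR updates on the reverse zone is a deliberate one.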


[Freeipa-users] shared ip space for iDM and AD

2015-10-13 Thread Craig White
Our environment is mostly Linux servers but we do have some Windows servers 
running MSSQL. A co-worker spun up Active Directory Domain Controllers without 
conferring with me and the Windows boxes are all on one of the VLAN private LAN 
networks used by FreeIPA. Thus we not only have reverse DNS servers in FreeIPA 
but also in Active Directory. Is it possible to have Active Directory use the 
reverse DNS servers on iDM/FreeIPA?

Craig White
System Administrator
O 623-201-8179   M 602-377-9752

SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
