Hello,
I would like to know how to handle reverse DNS zones when AD trust is enabled.
I do have separate domains for AD and IPA as required, but the reverse zones are mixed, since the hosts are on the same network, which is common. In this scenario where should the reverse DNS zone be hosted? On the AD side? On IPA? How to make this work without breaking dynamic DNS updates for the PTR zones? Should any of them keep the zones as slaves?
There’s some older discussions here on the list but without continuity and I don’t know the results, like this one: https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
In this old thread, the recommendation was to move the reverse zone to IPA and make some grants on BIND to allow Dynamic DNS updates.
But is this still the case? There’s any oficial guidance in this issue? This scenario is supported or I must have separate networks, even with VLANs and IP addresses, for *nix and Windows clients?
Thanks,
Hello Vinicius,
If you follow the rules found in Deployment Recomendations [1] I don't see why it wouldn't work.
I think your best option is to follow the old discussion [2], and set delegation on AD side, and PTR records on IPA side. You'll also need to grant permission for the dynamic updates as stated in that same thread.
Rafael
[1] https://www.freeipa.org/page/Deployment_Recommendations [2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
On Wed, May 20, 2020 at 10:04 PM Vinícius Ferrão via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
I would like to know how to handle reverse DNS zones when AD trust is
enabled.
I do have separate domains for AD and IPA as required, but the reverse
zones are mixed, since the hosts are on the same network, which is common. In this scenario where should the reverse DNS zone be hosted? On the AD side? On IPA? How to make this work without breaking dynamic DNS updates for the PTR zones? Should any of them keep the zones as slaves?
There’s some older discussions here on the list but without continuity
and I don’t know the results, like this one:
https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
In this old thread, the recommendation was to move the reverse zone to
IPA and make some grants on BIND to allow Dynamic DNS updates.
But is this still the case? There’s any oficial guidance in this issue? This scenario is supported or I must have separate networks, even with
VLANs and IP addresses, for *nix and Windows clients?
Thanks,
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat
Thanks Rafael,
I still have another question, by default there’s a rule on reverse DNS zones on IPA:
grant IPA.EXAMPLE.COMhttp://IPA.EXAMPLE.COM krb5-subdomain 21.172.in-addr.arpa. PTR;
So adding the following will overlap: grant AD.EXAMPLE.COMhttp://AD.EXAMPLE.COM krb5-self * PTR; grant IPA.EXAMPLE.COMhttp://IPA.EXAMPLE.COM krb5-self * PTR;
1. I’m trying to understand what the rule says, in the first case any client within the subzone can add an IPA record for any address, including the address that the client does not have or the client can’t do nothing, it’s the DHCP job to do it in the zone for any PTR?
2. The new rules states that’s only the client can update itself in any reverse zone it may be. I can change * for 21.172.in-addr.arpa. since the rule is on this reverse zone.
Is this expected? Should I delete the default rule?
On 21 May 2020, at 16:55, Rafael Jeffman <rjeffman@redhat.commailto:rjeffman@redhat.com> wrote:
Hello Vinicius,
If you follow the rules found in Deployment Recomendations [1] I don't see why it wouldn't work.
I think your best option is to follow the old discussion [2], and set delegation on AD side, and PTR records on IPA side. You'll also need to grant permission for the dynamic updates as stated in that same thread.
Rafael
[1] https://www.freeipa.org/page/Deployment_Recommendations [2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
On Wed, May 20, 2020 at 10:04 PM Vinícius Ferrão via FreeIPA-users <freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org> wrote:
I would like to know how to handle reverse DNS zones when AD trust is enabled.
I do have separate domains for AD and IPA as required, but the reverse zones are mixed, since the hosts are on the same network, which is common. In this scenario where should the reverse DNS zone be hosted? On the AD side? On IPA? How to make this work without breaking dynamic DNS updates for the PTR zones? Should any of them keep the zones as slaves?
There’s some older discussions here on the list but without continuity and I don’t know the results, like this one: https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
In this old thread, the recommendation was to move the reverse zone to IPA and make some grants on BIND to allow Dynamic DNS updates.
But is this still the case? There’s any oficial guidance in this issue? This scenario is supported or I must have separate networks, even with VLANs and IP addresses, for *nix and Windows clients?
Thanks,
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.orgmailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat
Rafael and all.
Another findings, I was able to update the reverse zones adding it’s PTR records, but there are some limitations.
The only way to make the zone update was with the following policies: grant NIX.EXAMPLE.COMhttp://NIX.EXAMPLE.COM krb5-subdomain 21.172.in-addr.arpa. PTR; grant WIN.EXAMPLE.COMhttp://WIN.EXAMPLE.COM krb5-subdomain 21.172.in-addr.arpa. PTR; grant WIN.EXAMPLE.COMhttp://WIN.EXAMPLE.COM ms-subdomain 21.172.in-addr.arpa. PTR;
If using any of those variations, it does not work:
grant WIN.EXAMPLE.COMhttp://WIN.EXAMPLE.COM krb5-self * PTR grant WIN.EXAMPLE.COMhttp://WIN.EXAMPLE.COM ms-self * PTR
grant WIN.EXAMPLE.COMhttp://WIN.EXAMPLE.COM krb5-subdomain * PTR grant WIN.EXAMPLE.COMhttp://WIN.EXAMPLE.COM ms-subdomain * PTR
grant WIN.EXAMPLE.COMhttp://WIN.EXAMPLE.COM krb5-self 21.172.in-addr.arpa. PTR; grant WIN.EXAMPLE.COMhttp://WIN.EXAMPLE.COM ms-self 21.172.in-addr.arpa. PTR;
All of them return the same error: May 23 20:05:59 idm1 named-pkcs11[4237]: resolver priming query complete May 23 20:05:59 idm1 named-pkcs11[4237]: client @0x7f0050161380 172.21.1.4#49286: update '21.172.in-addr.arpa/IN' denied May 23 20:05:59 idm1 named-pkcs11[4237]: client @0x7f0050161380 172.21.1.4#49954/key ADMIN$@WIN.EXAMPLE.COM: updating zone '21.172.in-addr.arpa/IN': update failed: rejected by secure update (REFUSED)
Allowing to update to subdomain is not that good. It may be an issue. An there’s another question, selfsub isn’t supported either: May 23 20:06:18 idm1 named-pkcs11[4237]: bug in get_match_type(): unsupported match type 'krb5-selfsub' May 23 20:06:18 idm1 named-pkcs11[4237]: zone 21.172.in-addr.arpa/IN: disabling all updates because of error in update policy configuration: not implemented May 23 20:06:18 idm1 named-pkcs11[4237]: update_zone (syncrepl) failed for master zone DN 'idnsname=21.172.in-addr.arpa.,cn=dns,dc=nix,dc=example,dc=com'. Zones can be outdated, run `rndc reload`: not implemented
I’m wondering if krb5-self and ms-self does not work because I’m running the reverse for 172.21.0.0/16 and not for 172.21.1.0/24; can this be the issue?
Thanks all,
On 22 May 2020, at 13:37, Vinícius Ferrão via FreeIPA-users <freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org> wrote:
Thanks Rafael,
I still have another question, by default there’s a rule on reverse DNS zones on IPA:
grant IPA.EXAMPLE.COMhttp://ipa.example.com/ krb5-subdomain 21.172.in-addr.arpa. PTR;
So adding the following will overlap: grant AD.EXAMPLE.COMhttp://ad.example.com/ krb5-self * PTR; grant IPA.EXAMPLE.COMhttp://ipa.example.com/ krb5-self * PTR;
1. I’m trying to understand what the rule says, in the first case any client within the subzone can add an IPA record for any address, including the address that the client does not have or the client can’t do nothing, it’s the DHCP job to do it in the zone for any PTR?
2. The new rules states that’s only the client can update itself in any reverse zone it may be. I can change * for 21.172.in-addr.arpa. since the rule is on this reverse zone.
Is this expected? Should I delete the default rule?
On 21 May 2020, at 16:55, Rafael Jeffman <rjeffman@redhat.commailto:rjeffman@redhat.com> wrote:
Hello Vinicius,
If you follow the rules found in Deployment Recomendations [1] I don't see why it wouldn't work.
I think your best option is to follow the old discussion [2], and set delegation on AD side, and PTR records on IPA side. You'll also need to grant permission for the dynamic updates as stated in that same thread.
Rafael
[1] https://www.freeipa.org/page/Deployment_Recommendations [2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
On Wed, May 20, 2020 at 10:04 PM Vinícius Ferrão via FreeIPA-users <freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org> wrote:
I would like to know how to handle reverse DNS zones when AD trust is enabled.
I do have separate domains for AD and IPA as required, but the reverse zones are mixed, since the hosts are on the same network, which is common. In this scenario where should the reverse DNS zone be hosted? On the AD side? On IPA? How to make this work without breaking dynamic DNS updates for the PTR zones? Should any of them keep the zones as slaves?
There’s some older discussions here on the list but without continuity and I don’t know the results, like this one: https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
In this old thread, the recommendation was to move the reverse zone to IPA and make some grants on BIND to allow Dynamic DNS updates.
But is this still the case? There’s any oficial guidance in this issue? This scenario is supported or I must have separate networks, even with VLANs and IP addresses, for *nix and Windows clients?
Thanks,
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.orgmailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
-- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.orgmailto:freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.orgmailto:freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
freeipa-users@lists.fedorahosted.org