Rafael and all.
Another finding: I was able to update the reverse zones, adding their PTR records, but there are some limitations.
The only way to make the zone update was with the following policies:
grant NIX.EXAMPLE.COM krb5-subdomain 21.172.in-addr.arpa. PTR;
grant WIN.EXAMPLE.COM krb5-subdomain 21.172.in-addr.arpa. PTR;
grant WIN.EXAMPLE.COM ms-subdomain 21.172.in-addr.arpa. PTR;
If using any of those variations, it does not work:
grant WIN.EXAMPLE.COM krb5-self * PTR;
grant WIN.EXAMPLE.COM ms-self * PTR;
grant WIN.EXAMPLE.COM krb5-subdomain * PTR;
grant WIN.EXAMPLE.COM ms-subdomain * PTR;
grant WIN.EXAMPLE.COM krb5-self 21.172.in-addr.arpa. PTR;
grant WIN.EXAMPLE.COM ms-self 21.172.in-addr.arpa. PTR;
All of them return the same error:
May 23 20:05:59 idm1 named-pkcs11[4237]: resolver priming query complete
May 23 20:05:59 idm1 named-pkcs11[4237]: client @0x7f0050161380 172.21.1.4#49286: update '21.172.in-addr.arpa/IN' denied
May 23 20:05:59 idm1 named-pkcs11[4237]: client @0x7f0050161380 172.21.1.4#49954/key ADMIN$@WIN.EXAMPLE.COM: updating zone '21.172.in-addr.arpa/IN': update failed: rejected by secure update (REFUSED)
Allowing updates to the whole subdomain is not that good. It may be an issue. And there’s another question: selfsub isn’t supported either:
May 23 20:06:18 idm1 named-pkcs11[4237]: bug in get_match_type(): unsupported match type 'krb5-selfsub'
May 23 20:06:18 idm1 named-pkcs11[4237]: zone 21.172.in-addr.arpa/IN: disabling all updates because of error in update policy configuration: not implemented
May 23 20:06:18 idm1 named-pkcs11[4237]: update_zone (syncrepl) failed for master zone DN 'idnsname=21.172.in-addr.arpa.,cn=dns,dc=nix,dc=example,dc=com'. Zones can be outdated, run `rndc reload`: not implemented
I’m wondering if krb5-self and ms-self do not work because I’m running the reverse zone for 172.21.0.0/16 and not for 172.21.1.0/24; can this be the issue?
Thanks all,
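To make the behaviour in this thread reproducible without a running named, here is an added example, written for this page and not taken from the thread, from BIND or from FreeIPA. It is a small Python model of the four match types the policies above use (krb5-self, krb5-subdomain, ms-self, ms-subdomain), following the semantics the BIND ARM documents: the signer's realm must equal the rule's identity field, subdomain rules accept the rule's name or anything below it, and self rules accept only the machine name derived from the principal (host/MACHINE@REALM, or MACHINE.REALM for a MACHINE$@REALM account). The rule grammar, the principal-shape regexes, the helper names and the sample principals are my own assumptions. Running it over the thread's rules reproduces the observations: the subdomain grants succeed, every self variant is refused, and in the model the refusal has nothing to do with a /16 versus /24 zone, since a forward machine name can never equal a name under in-addr.arpa. It also shows the risk the author notes with the subdomain grant: any host principal in the realm can rewrite the PTR of an address that is not its own.

```python
import re
from dataclasses import dataclass

# Constructed model (not BIND's code) of four BIND 9 update-policy match types,
# following the semantics documented in the BIND ARM:
#   krb5-self        host/MACHINE@REALM may update the name MACHINE only
#   krb5-subdomain   host/MACHINE@REALM may update NAME or any subdomain of it
#   ms-self          MACHINE$@REALM may update the name MACHINE.REALM only
#   ms-subdomain     MACHINE$@REALM may update NAME or any subdomain of it
# In all four the principal's REALM must equal the rule's identity field.
# The *-selfsub types are deliberately left out, so asking about one raises,
# much like the "unsupported match type" error quoted in the thread.


@dataclass(frozen=True)
class Rule:
    identity: str      # Kerberos realm the rule is granted to
    matchtype: str     # e.g. "ms-subdomain"
    name: str          # name field of the rule ("*" or a domain name)
    types: frozenset   # RR types the rule covers; empty means any type


def parse_rule(text: str) -> Rule:
    """Parse one 'grant IDENTITY MATCHTYPE NAME [TYPE ...];' line."""
    toks = text.strip().rstrip(";").split()
    if len(toks) < 4 or toks[0] != "grant":
        raise ValueError(f"not a grant rule: {text!r}")
    _, identity, matchtype, name, *types = toks
    return Rule(identity, matchtype, name, frozenset(t.upper() for t in types))


def canon(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing dot too."""
    return name.lower().rstrip(".")


def is_subdomain(name: str, parent: str) -> bool:
    """True if name equals parent or lies below it. The name field of a
    subdomain rule is a literal domain name, so '*' here matches nothing,
    which is what the thread observed for 'krb5-subdomain * PTR'."""
    if parent == "*":
        return False
    n, p = canon(name), canon(parent)
    return p == "" or n == p or n.endswith("." + p)


def machine_name(principal: str, flavour: str):
    """Return (machine_fqdn, REALM) if the signer has the shape the flavour
    expects (host/MACHINE@REALM for krb5, MACHINE$@REALM for ms), else None."""
    if "@" not in principal:
        return None
    user, realm = principal.rsplit("@", 1)
    if flavour == "krb5":
        m = re.fullmatch(r"host/([^/]+)", user)
        return (canon(m.group(1)), realm.upper()) if m else None
    if flavour == "ms":
        m = re.fullmatch(r"([^/$]+)\$", user)
        return (canon(m.group(1) + "." + realm), realm.upper()) if m else None
    return None


def rule_allows(rule: Rule, principal: str, target: str, rrtype: str) -> bool:
    """Would this one rule let `principal` update `rrtype` at `target`?"""
    flavour, _, kind = rule.matchtype.partition("-")
    if kind not in ("self", "subdomain"):
        raise ValueError(f"unsupported match type {rule.matchtype!r}")
    mn = machine_name(principal, flavour)
    if mn is None or mn[1] != rule.identity.upper():
        return False
    if rule.types and rrtype.upper() not in rule.types:
        return False
    if kind == "self":
        # Self rules bind the target to the machine name taken from the
        # principal; the rule's name field does not widen that (just as for
        # the plain `self` type). A forward machine name never equals a name
        # under in-addr.arpa, so PTR updates in a reverse zone cannot match.
        return canon(target) == mn[0]
    return is_subdomain(target, rule.name)


def policy_allows(policy, principal, target, rrtype="PTR") -> bool:
    """BIND grants the update if any rule in the zone's update-policy matches."""
    return any(rule_allows(parse_rule(r), principal, target, rrtype) for r in policy)


if __name__ == "__main__":
    # Constructed inputs reusing the thread's zone, realms and signer name.
    ptr = "4.1.21.172.in-addr.arpa."
    win_machine = "ADMIN$@WIN.EXAMPLE.COM"
    for rule in ("grant WIN.EXAMPLE.COM ms-subdomain 21.172.in-addr.arpa. PTR;",
                 "grant WIN.EXAMPLE.COM ms-self * PTR;",
                 "grant WIN.EXAMPLE.COM ms-self 21.172.in-addr.arpa. PTR;"):
        print(f"{rule:60} -> {policy_allows([rule], win_machine, ptr)}")
    # The price of the subdomain grant: any host/ principal in the realm may
    # rewrite the PTR of an address that is not its own.
    print(policy_allows(["grant NIX.EXAMPLE.COM krb5-subdomain 21.172.in-addr.arpa. PTR;"],
                        "host/foo.nix.example.com@NIX.EXAMPLE.COM", "9.9.21.172.in-addr.arpa."))
```

The model only covers the match types named in this thread; it is meant for reasoning about which grant a policy change actually makes, not as a substitute for testing against named itself.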
On 22 May 2020, at 13:37, Vinícius Ferrão via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Thanks Rafael,
I still have another question. By default there’s a rule on reverse DNS zones on IPA:
grant IPA.EXAMPLE.COM krb5-subdomain 21.172.in-addr.arpa. PTR;
So adding the following will overlap:
grant AD.EXAMPLE.COM krb5-self * PTR;
grant IPA.EXAMPLE.COM krb5-self * PTR;
1. I’m trying to understand what the rule says. In the first case, can any client within the subzone add an IPA record for any address, including an address that the client does not have, or can the client do nothing, and it’s the DHCP server’s job to do it in the zone for any PTR?
2. The new rule states that only the client can update itself in any reverse zone it may be in. I can change * to 21.172.in-addr.arpa. since the rule is on this reverse zone.
Is this expected? Should I delete the default rule?
On 21 May 2020, at 16:55, Rafael Jeffman <rjeffman@redhat.com> wrote:
Hello Vinicius,
If you follow the rules found in Deployment Recommendations [1] I don't see why it wouldn't work.
I think your best option is to follow the old discussion [2], and set delegation on the AD side, and PTR records on the IPA side. You'll also need to grant permission for the dynamic updates as stated in that same thread.
Rafael
[1] https://www.freeipa.org/page/Deployment_Recommendations
[2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
On Wed, May 20, 2020 at 10:04 PM Vinícius Ferrão via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I would like to know how to handle reverse DNS zones when AD trust is enabled.
I do have separate domains for AD and IPA as required, but the reverse zones are mixed, since the hosts are on the same network, which is common. In this scenario, where should the reverse DNS zone be hosted? On the AD side? On IPA? How do I make this work without breaking dynamic DNS updates for the PTR zones? Should either of them keep the zones as slaves?
There are some older discussions here on the list but without continuity, and I don’t know the results, like this one:
https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
In this old thread, the recommendation was to move the reverse zone to IPA and make some grants on BIND to allow dynamic DNS updates.
But is this still the case?
Is there any official guidance on this issue?
Is this scenario supported, or must I have separate networks, even with VLANs and IP addresses, for *nix and Windows clients?
Thanks,
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat