Thanks Rafael,

I still have another question, by default there’s a rule on reverse DNS zones 
on IPA:

grant IPA.EXAMPLE.COM krb5-subdomain 21.172.in-addr.arpa. PTR;

So adding the following will overlap:
grant AD.EXAMPLE.COM krb5-self * PTR;
grant IPA.EXAMPLE.COM krb5-self * PTR;

1.
I'm trying to understand what the rule says. In the first case, can any client 
within the subzone add an IPA record for any address, including an address 
that the client does not have, or can the client do nothing at all, and it's the 
DHCP server's job to do it in the zone for any PTR?

2.
The new rule states that only the client can update itself, in any reverse 
zone it may be in. I can change * to 21.172.in-addr.arpa. since the rule is on 
this reverse zone.

Is this expected? Should I delete the default rule?

On 21 May 2020, at 16:55, Rafael Jeffman <rjeff...@redhat.com> wrote:

Hello Vinicius,

If you follow the rules found in Deployment Recommendations [1] I don't see why 
it wouldn't work.

I think your best option is to follow the old discussion [2], and set 
delegation on AD side, and PTR records on IPA side. You'll also need to grant 
permission for the dynamic updates as stated in that same thread.

Rafael

[1] https://www.freeipa.org/page/Deployment_Recommendations
[2] https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html

On Wed, May 20, 2020 at 10:04 PM Vinícius Ferrão via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
>
> I would like to know how to handle reverse DNS zones when AD trust is enabled.
>
> I do have separate domains for AD and IPA as required, but the reverse zones 
> are mixed, since the hosts are on the same network, which is common. In this 
> scenario where should the reverse DNS zone be hosted? On the AD side? On IPA? 
> How to make this work without breaking dynamic DNS updates for the PTR zones? 
> Should any of them keep the zones as slaves?
>
> There’s some older discussions here on the list but without continuity and I 
> don’t know the results, like this one:
> https://www.redhat.com/archives/freeipa-users/2015-June/msg00555.html
>
> In this old thread, the recommendation was to move the reverse zone to IPA 
> and make some grants on BIND to allow Dynamic DNS updates.
>
> But is this still the case?
> Is there any official guidance on this issue?
> Is this scenario supported, or must I have separate networks, even with VLANs 
> and IP addresses, for *nix and Windows clients?
>
> Thanks,
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat