[Freeipa-devel] ipa-client-install domain autodiscovery - try _kerberos first?

Petr Spacek pspacek at redhat.com
Thu Aug 27 11:14:35 UTC 2015


Hello,

while investigating a problem reported on ipa-users, I found out that the
check_domain() method in ipaclient/ipadiscovery.py checks the _ldap._tcp SRV
record first.

This seems to be based on the assumption that the IPA client is in the same DNS
sub-tree as the main IPA domain.

IMHO it would be better to find the _kerberos TXT record in the client's domain
(or its parent domains) and then check _ldap._tcp SRV records in the domain
pointed to by the _kerberos record.

Do you agree? Am I missing something?


Side note:
ipadiscovery.py could be re-used in ipa-server-install as a mechanism to detect
attempts to install IPA into a DNS domain which is already occupied by another
IPA, or AD, or something else.

-- 
Petr^2 Spacek
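
The two lookup orders discussed in the message above, compared in an added example that is not part of the original post and is not the ipadiscovery.py code. The DNS data is constructed, `lookup()` stands in for a real resolver, and the function names, the stop-before-the-TLD walk, and the lowercase realm-to-domain mapping are assumptions made for illustration.

```python
# Constructed DNS data (not real records): the client lives under
# client.corp.example, while the IPA domain is ipa.example.
RECORDS = {
    ("_kerberos.corp.example", "TXT"): ["IPA.EXAMPLE"],
    ("_ldap._tcp.ipa.example", "SRV"): ["0 100 389 ipa1.ipa.example"],
}

def lookup(name, rtype, records=RECORDS):
    """Stand-in for a DNS query; returns a list of record strings."""
    return records.get((name.lower().rstrip("."), rtype), [])

def candidate_domains(hostname):
    """Yield the client's domain and its parents, stopping before the TLD."""
    labels = hostname.lower().rstrip(".").split(".")[1:]
    while len(labels) >= 2:
        yield ".".join(labels)
        labels = labels[1:]

def discover_ldap_first(hostname, records=RECORDS):
    """Order described in the post: _ldap._tcp SRV in the client's own subtree."""
    for domain in candidate_domains(hostname):
        srv = lookup("_ldap._tcp." + domain, "SRV", records)
        if srv:
            return domain, srv
    return None

def discover_kerberos_first(hostname, records=RECORDS):
    """Proposed order: _kerberos TXT names the realm, then SRV in that domain."""
    for domain in candidate_domains(hostname):
        txt = lookup("_kerberos." + domain, "TXT", records)
        if not txt:
            continue
        # Assumption: the realm maps to its DNS domain by lowercasing.
        realm_domain = txt[0].lower()
        srv = lookup("_ldap._tcp." + realm_domain, "SRV", records)
        if srv:
            return realm_domain, srv
    return None

if __name__ == "__main__":
    host = "host1.client.corp.example"  # constructed client hostname
    print("ldap first:    ", discover_ldap_first(host))
    print("kerberos first:", discover_kerberos_first(host))
```

With this data the SRV-first walk finds nothing because no _ldap._tcp record exists in the client's sub-tree, while the TXT-first walk reaches ipa.example through the _kerberos record on the parent domain.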



