[Freeipa-devel] Why do we require DNS record when service is being added?
Petr Spacek
pspacek at redhat.com
Tue Jul 14 06:31:19 UTC 2015
On 13.7.2015 19:37, Jan Pazdziora wrote:
>
> Hello,
>
> we got a nack
>
> https://www.redhat.com/archives/freeipa-devel/2015-July/msg00259.html
>
> when attempting to address ticket
>
> https://fedorahosted.org/freeipa/ticket/3959
>
> Basically, when a service is being added with ipa service-add, you
> have to use --force to add it if the underlying host record does
> not have a DNS record.
>
> But it seems that the workflow of a host created with a --random OTP
> generated, a service added to this host record (which still does not
> have an IP address because no machine was enrolled), and only then
> IPA-enrolling with ipa-client --password OTP is a supported and
> increasingly promoted and used mechanism, for example with realm
> support for provisioned machines in Foreman.
>
> The initial intent of ticket
>
> https://fedorahosted.org/freeipa/ticket/3959
>
> was to lower the stress and confusion of new IPA users by making the
> error message that you get when there isn't a DNS record for the host
> entry less scary and more helpful.
>
> There is an objection to making it more helpful, with the fear that
> people will just learn to add --force to every command and avoid
> the safeguards.
>
> However -- what is the purpose of the DNS check when adding service?
The service is typically a Kerberos service, which usually is not going to
work if the host does not have a DNS record.
> Shouldn't that check be removed altogether?
I would rather relax the check so it can detect usage of host-add
--random/--password and emit a warning instead of a hard error.
What do you think about this approach?
--
Petr^2 Spacek
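To make the proposed relaxation concrete, here is an added model of the service-add DNS check (example code written for this thread, not FreeIPA's own implementation): a host that does not resolve normally gives the "more helpful" hard error, but a host that was pre-created with host-add --random/--password and not yet enrolled gets a warning instead. The `HostEntry` fields, `resolvable` and `check_service_add` are assumptions for the example; `resolve` is injectable so the logic can be exercised without a real resolver.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed model of an IPA host entry as described in the thread: a host
# may exist without a DNS record, e.g. pre-created with `ipa host-add --random`
# so that a machine can enroll later with `ipa-client-install --password OTP`.
@dataclass
class HostEntry:
    fqdn: str
    has_otp: bool   # host-add --random/--password set an enrollment OTP
    enrolled: bool  # a machine has already joined using this entry


def resolvable(fqdn: str) -> bool:
    """True if the system resolver returns an A/AAAA record for fqdn."""
    try:
        socket.getaddrinfo(fqdn, None)
        return True
    except socket.gaierror:
        return False


def check_service_add(host: HostEntry, force: bool = False,
                      resolve: Callable[[str], bool] = resolvable) -> Tuple[str, str]:
    """Decide how service-add should treat `host`.

    Returns (level, message) where level is 'ok', 'warning' or 'error'.
    Relaxed policy from the thread: an unresolvable host that looks
    pre-created for OTP enrollment yields a warning rather than an error,
    so users are not trained to add --force to every command.
    """
    if resolve(host.fqdn):
        return ("ok", "")
    if force:
        return ("warning", f"{host.fqdn} has no DNS record; added because --force was given")
    if host.has_otp and not host.enrolled:
        return ("warning",
                f"{host.fqdn} has no DNS record yet; it appears to be pre-created "
                "for OTP enrollment, so the service was added. Kerberos for this "
                "service will not work until the host is enrolled and resolvable.")
    return ("error",
            f"{host.fqdn} has no DNS record. Add an A/AAAA record for the host "
            "(or use --force if you intend to enroll the host later).")
```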