[Freeipa-devel] Why do we require DNS record when service is being added?
Jan Pazdziora
jpazdziora at redhat.com
Mon Jul 13 17:37:39 UTC 2015
Hello,
we got a nack
https://www.redhat.com/archives/freeipa-devel/2015-July/msg00259.html
when attempting to address the ticket
https://fedorahosted.org/freeipa/ticket/3959
Basically, when a service is being added with ipa service-add, you
have to use --force to add it if the underlying host record does
not have a DNS record.
But it seems that the workflow of a host created with a --random OTP
generated, a service added to this host record (which still does not
have an IP address because no machine was enrolled), and only then
IPA-enrolling with ipa-client --password OTP is a supported and
increasingly promoted and used mechanism, for example with realm
support for provisioned machines in Foreman.
The initial intent of the ticket
https://fedorahosted.org/freeipa/ticket/3959
was to lower the stress and confusion of new IPA users by making the
error message that you get when there isn't a DNS record for the host
entry less scary and more helpful.
There is an objection to making it more helpful, with the fear that
people will just learn to add --force to every command and avoid
the safeguards.
However -- what is the purpose of the DNS check when adding service?
Shouldn't that check be removed altogether?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
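The check the message argues about, modelled as an added example. This is not FreeIPA's own code: the host table, the DNS zone, the addresses and the function names (service_add, needs_force, provision_workflow) are constructed for illustration. It shows why the OTP provisioning order (host-add --random, then service-add, then ipa-client-install --password) hits the DNS check: at service-add time the host entry exists but nothing resolves yet, so only --force gets past the check.

```python
"""
Simplified model of the DNS check that `ipa service-add` performs on the
host part of a service principal.  Added example; not FreeIPA's code.
The host table, DNS zone and function names below are assumptions made
for illustration.
"""
import re

# Constructed data: host entries as they would exist in IPA, keyed by FQDN.
# 'enrolled' is False for a host created with `ipa host-add --random` that
# has not yet run ipa-client-install, so no machine exists for it yet.
HOSTS = {
    "web1.example.test": {"enrolled": True},
    "new1.example.test": {"enrolled": False},   # provisioned, not enrolled
}

# Constructed DNS view: only the enrolled machine has an A record.
DNS_A_RECORDS = {
    "web1.example.test": "192.0.2.10",
}

PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)(@(?P<realm>[^@]+))?$")


class ServiceAddError(Exception):
    """Raised where the real command would print an error and exit."""


def resolve_a(fqdn, records=DNS_A_RECORDS):
    """Stand-in for a DNS A lookup against the constructed zone."""
    return records.get(fqdn)


def host_of(principal):
    """Extract the host part of SERVICE/host[@REALM], or raise."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ServiceAddError("malformed principal: %r" % principal)
    return m.group("host")


def needs_force(principal, hosts=HOSTS, records=DNS_A_RECORDS):
    """True when the host entry exists but its name does not resolve,
    i.e. exactly the situation the thread describes for OTP-provisioned,
    not-yet-enrolled hosts."""
    host = host_of(principal)
    return host in hosts and resolve_a(host, records) is None


def service_add(principal, force=False, hosts=HOSTS, records=DNS_A_RECORDS):
    """Return the service entry that would be created, or raise.

    Order of checks: the host entry must exist, and the host name must
    resolve unless --force is given.  This is a model of the behaviour
    discussed in the thread, not the real implementation.
    """
    host = host_of(principal)
    if host not in hosts:
        raise ServiceAddError("host %r not found in IPA" % host)
    if resolve_a(host, records) is None and not force:
        raise ServiceAddError(
            "host %r does not have a DNS A record; use --force to add the "
            "service anyway (e.g. for a host provisioned with an OTP but "
            "not yet enrolled)" % host)
    return {"principal": principal, "host": host, "forced": force}


def provision_workflow(fqdn, service="HTTP", hosts=HOSTS, records=DNS_A_RECORDS):
    """Model the OTP provisioning order from the thread: host-add --random,
    service-add before the machine exists, then enrollment.  Returns the
    list of (command, argument) steps so the caller can see where --force
    was needed.  Works on copies so module-level tables are untouched."""
    hosts = dict(hosts)
    records = dict(records)
    steps = []
    hosts[fqdn] = {"enrolled": False}          # entry exists, no machine yet
    steps.append(("host-add --random", fqdn))
    principal = "%s/%s" % (service, fqdn)
    if needs_force(principal, hosts, records):
        service_add(principal, force=True, hosts=hosts, records=records)
        steps.append(("service-add --force", principal))
    else:
        service_add(principal, hosts=hosts, records=records)
        steps.append(("service-add", principal))
    # Enrollment with the OTP: the machine now exists and gets its A record
    # (constructed address).
    records[fqdn] = "192.0.2.99"
    hosts[fqdn]["enrolled"] = True
    steps.append(("ipa-client-install --password OTP", fqdn))
    return steps
```

Running provision_workflow("new2.example.test") shows the second step is "service-add --force": the DNS check cannot succeed before enrollment in this workflow, which is the point of the question above about whether the check belongs in service-add at all.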