[Freeipa-devel] Why do we require DNS record when service is being added?

Jan Pazdziora jpazdziora at redhat.com
Tue Jul 14 07:45:40 UTC 2015


On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
> On 13.7.2015 19:37, Jan Pazdziora wrote:
> > 
> > However -- what is the purpose of the DNS check when adding service?
> 
> The service is typically a Kerberos service, which usually is not going to
> work if the host does not have DNS record.

So it's an error about existing *state* of the identity management
system, not an error of the service-add operation itself or error
about the result of that operation. IOW, the code tries to be smarter
than necessary, hitting users who attempt to do things right,
precreating host records. Plus it's an error about related object,
not the object being manipulated / created which in itself is
suspicious.

> > Shouldn't that check be removed altogether?
> I would rather relax the check so it can detect usage of host-add
> --random/--password and emit a warning instead of hard error.
> 
> What do you think about this approach?

I guess you are then talking about not having that check in the
host-add operation, not service-add:

	# ipa host-add --random client56.example.test
	ipa: ERROR: Host does not have corresponding DNS A/AAAA record

Because to face the error during service-add, the user must already
have overridden the error for the host itself.

So how about:

	No DNS check / error in host-add when --random is used.
	No DNS check / error in service-add at all.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
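Added illustration (not FreeIPA's code, and not part of the original thread): a small model of the DNS A/AAAA check as the thread describes it, side by side with the relaxed policy proposed above. The host names, addresses and the resolver are constructed sample data so it runs offline; `check_dns`, `host_from_principal` and the `relaxed` flag are hypothetical names chosen for this example.

```python
"""
Model of the DNS A/AAAA check discussed in the thread (illustration only).

Current behaviour: both host-add and service-add fail hard when the host
has no A/AAAA record.  Proposed behaviour: host-add with --random or
--password only warns (the host is being pre-created for later
enrolment), plain host-add still errors, and service-add does not check
DNS at all because the related host object already went through it.

A resolver callable is injected so the example works without network.
"""
import socket
from dataclasses import dataclass

# Constructed sample zone (hypothetical names/addresses), standing in for DNS.
SAMPLE_ZONE = {
    "client55.example.test": ["192.0.2.55"],
    "client57.example.test": ["2001:db8::57"],
}


def sample_resolver(fqdn):
    """Offline lookup against SAMPLE_ZONE; [] means no A/AAAA record."""
    return SAMPLE_ZONE.get(fqdn.rstrip(".").lower(), [])


def system_resolver(fqdn):
    """Real lookup via getaddrinfo, for use outside this demo."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []


@dataclass
class CheckResult:
    level: str      # "ok", "warning" or "error"
    message: str


def host_from_principal(principal):
    """'HTTP/client56.example.test@EXAMPLE.TEST' -> 'client56.example.test'."""
    service, _, rest = principal.partition("/")
    if not rest:
        raise ValueError("not a service principal: %r" % principal)
    host, _, _realm = rest.partition("@")
    return host.lower()


def check_dns(op, fqdn, *, random=False, password=None,
              relaxed=False, resolver=sample_resolver):
    """Apply the DNS check policy for op in {'host-add', 'service-add'}.

    relaxed=False reproduces the behaviour complained about in the thread;
    relaxed=True implements the proposal (warning for --random/--password,
    no check for service-add).
    """
    if op not in ("host-add", "service-add"):
        raise ValueError("unknown operation: %r" % op)

    if relaxed and op == "service-add":
        # Proposed: the host object carries the DNS state; service-add
        # should not re-report an error about a related object.
        return CheckResult("ok", "no DNS check performed for service-add")

    addrs = resolver(fqdn)
    if addrs:
        return CheckResult("ok", "%s resolves to %s" % (fqdn, ", ".join(addrs)))

    msg = "Host does not have corresponding DNS A/AAAA record"
    if relaxed and op == "host-add" and (random or password is not None):
        # Proposed: host is being pre-created for enrolment, warn only.
        return CheckResult("warning", msg)
    return CheckResult("error", msg)


if __name__ == "__main__":
    for relaxed in (False, True):
        print("relaxed=%s" % relaxed)
        print(" host-add --random client56:",
              check_dns("host-add", "client56.example.test",
                        random=True, relaxed=relaxed))
        print(" service-add HTTP/client56:",
              check_dns("service-add",
                        host_from_principal("HTTP/client56.example.test@EXAMPLE.TEST"),
                        relaxed=relaxed))
```

Swap `resolver=system_resolver` in to run the same policy against real DNS; with the sample resolver, client56 is deliberately absent from the zone so the missing-record paths are exercised.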
