[Freeipa-devel] Why do we require DNS record when service is being added?

Alexander Bokovoy abokovoy at redhat.com
Tue Jul 14 08:08:32 UTC 2015


On Tue, 14 Jul 2015, Jan Pazdziora wrote:
>On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
>> On 13.7.2015 19:37, Jan Pazdziora wrote:
>> >
>> > However -- what is the purpose of the DNS check when adding service?
>>
>> The service is typically a Kerberos service, which usually is not going to
>> work if the host does not have DNS record.
>
>So it's an error about existing *state* of the identity management
>system, not an error of the service-add operation itself or error
>about the result of that operation. IOW, the code tries to be smarter
>than necessary, hitting users who attempt to do things right,
>precreating host records. Plus it's an error about related object,
>not the object being manipulated / created which in itself is
>suspicious.
>
>> > Shouldn't that check be removed altogether?
>> I would rather relax the check so it can detect usage of host-add
>> --random/--password and emit a warning instead of hard error.
>>
>> What do you think about this approach?
>
>I guess you are then talking about not having that check in the
>host-add operation, not service-add:
>
>	# ipa host-add --random client56.example.test
>	ipa: ERROR: Host does not have corresponding DNS A/AAAA record
>
>Because to face the error during service-add, the user must already
>have overridden the error for the host itself.
>
>So how about:
>
>	No DNS check / error in host-add when --random is used.
>	No DNS check / error in service-add at all.
I would still add a warning in service-add "Host ... does not exist in
DNS, this service will not be accessible via Kerberos until A/AAAA
record for the host will be created".
-- 
/ Alexander Bokovoy
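The relaxed check sketched in this thread, written out as an added example; this is not FreeIPA's own code, and the function names, the pluggable resolver and the zone data are assumptions made so it runs offline. It keeps the hard error for plain host-add, downgrades to a warning for host-add --random/--password (Petr's variant), and emits Alexander's Kerberos warning from service-add.

```python
"""Added example, not FreeIPA code: DNS A/AAAA check as error or warning."""
import socket
from typing import Callable, Iterable, List, Optional

# Hypothetical resolver contract: hostname -> record types found ("A", "AAAA").
Resolver = Callable[[str], Iterable[str]]


def system_resolve(host: str) -> List[str]:
    """Resolver backed by the system stub resolver (not used by the test)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    families = {info[0] for info in infos}
    return [rt for fam, rt in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA"))
            if fam in families]


def has_address_record(host: str, resolve: Resolver) -> bool:
    """True when the host has at least one A or AAAA record."""
    return any(rtype in ("A", "AAAA") for rtype in resolve(host))


def check_host_dns(command: str, host: str, resolve: Resolver,
                   random_password: bool = False) -> Optional[str]:
    """Policy from the thread: None = fine, "WARNING: ..." = relaxed case,
    ValueError = hard error kept for host-add without --random/--password."""
    if has_address_record(host, resolve):
        return None
    missing = f"Host {host} does not have corresponding DNS A/AAAA record"
    if command == "host-add":
        if random_password:
            return "WARNING: " + missing
        raise ValueError(missing)
    if command == "service-add":
        return (f"WARNING: Host {host} does not exist in DNS, this service will "
                "not be accessible via Kerberos until A/AAAA record for the host "
                "is created")
    raise ValueError(f"unknown command {command!r}")


# Constructed zone data standing in for DNS so the example runs offline.
CONSTRUCTED_ZONE = {
    "client55.example.test": ["A"],
    "client56.example.test": [],          # host pre-created in IPA, no DNS yet
    "ipv6only.example.test": ["AAAA"],
}


def fake_resolve(host: str) -> List[str]:
    return CONSTRUCTED_ZONE.get(host, [])
```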