[Freeipa-devel] Why do we require DNS record when service is being added?

Petr Spacek pspacek at redhat.com
Tue Jul 14 12:48:46 UTC 2015


On 14.7.2015 13:50, Alexander Bokovoy wrote:
> On Tue, 14 Jul 2015, Petr Spacek wrote:
>> On 14.7.2015 10:08, Alexander Bokovoy wrote:
>>> On Tue, 14 Jul 2015, Jan Pazdziora wrote:
>>>> On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
>>>>> On 13.7.2015 19:37, Jan Pazdziora wrote:
>>>>> >
>>>>> > However -- what is the purpose of the DNS check when adding service?
>>>>>
>>>>> The service is typically a Kerberos service, which usually is not going to
>>>>> work if the host does not have a DNS record.
>>>>
>>>> So it's an error about existing *state* of the identity management
>>>> system, not an error of the service-add operation itself or error
>>>> about the result of that operation. IOW, the code tries to be smarter
>>>> than necessary, hitting users who attempt to do things right,
>>>> precreating host records. Plus it's an error about related object,
>>>> not the object being manipulated / created which in itself is
>>>> suspicious.
>>>>
>>>>> > Shouldn't that check be removed altogether?
>>>>> I would rather relax the check so it can detect usage of host-add
>>>>> --random/--password and emit a warning instead of hard error.
>>>>>
>>>>> What do you think about this approach?
>>>>
>>>> I guess you are then talking about not having that check in the
>>>> host-add operation, not service-add:
>>>>
>>>>     # ipa host-add --random client56.example.test
>>>>     ipa: ERROR: Host does not have corresponding DNS A/AAAA record
>>>>
>>>> Because to face the error during service-add, the user must already
>>>> have overridden the error for the host itself.
>>>>
>>>> So how about:
>>>>
>>>>     No DNS check / error in host-add when --random is used.
>>>>     No DNS check / error in service-add at all.
>>> I would still add a warning in service-add "Host ... does not exist in
>>> DNS, this service will not be accessible via Kerberos until an A/AAAA
>>> record for the host is created".
>>
>> Yes, this is what I meant - host-add should do the DNS check and spit only
>> warning if --random/--password is used. Service-add should require the host to
>> exist (as it does now) but again the check should spit a warning instead of
>> error if the host was created with --random.
> Sounds good to me.
> 
> Will you make a ticket?

I would hijack
https://fedorahosted.org/freeipa/ticket/3959 ...

-- 
Petr^2 Spacek
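The behaviour agreed on in this thread, modelled as an added illustration (not FreeIPA's code): host-add fails on a missing A/AAAA record unless --random/--password was used, where it only warns; service-add still requires the host to exist but downgrades the DNS error to a warning for hosts created that way. The Host record, the `random_or_password` attribute and the `has_a_aaaa` resolver callback are assumed stand-ins, not ipa internals.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed stand-in for an IPA host entry; "random_or_password" models whether
# the host was created with host-add --random or --password.
@dataclass
class Host:
    fqdn: str
    random_or_password: bool = False

@dataclass
class Outcome:
    ok: bool
    warning: Optional[str] = None
    error: Optional[str] = None

NO_DNS_MSG = "Host {fqdn} does not have corresponding DNS A/AAAA record"
KRB_MSG = ("Host {fqdn} does not exist in DNS, this service will not be "
           "accessible via Kerberos until an A/AAAA record for the host is created")

def host_add_check(host: Host, has_a_aaaa: Callable[[str], bool]) -> Outcome:
    """Proposed host-add check: missing A/AAAA is a hard error, except that
    --random/--password turns it into a warning."""
    if has_a_aaaa(host.fqdn):
        return Outcome(ok=True)
    msg = NO_DNS_MSG.format(fqdn=host.fqdn)
    if host.random_or_password:
        return Outcome(ok=True, warning=msg)
    return Outcome(ok=False, error=msg)

def service_add_check(fqdn: str, hosts: Dict[str, Host],
                      has_a_aaaa: Callable[[str], bool]) -> Outcome:
    """Proposed service-add check: the host must exist in IPA (unchanged);
    a missing DNS record only warns when the host was created with --random."""
    host = hosts.get(fqdn)
    if host is None:
        return Outcome(ok=False, error=f"host {fqdn} not found")
    if has_a_aaaa(fqdn):
        return Outcome(ok=True)
    msg = KRB_MSG.format(fqdn=fqdn)
    if host.random_or_password:
        return Outcome(ok=True, warning=msg)
    return Outcome(ok=False, error=msg)

if __name__ == "__main__":
    # Constructed data: a host pre-created with --random and no DNS record yet.
    hosts = {"client56.example.test": Host("client56.example.test", True)}
    print(host_add_check(hosts["client56.example.test"], lambda f: False))
    print(service_add_check("client56.example.test", hosts, lambda f: False))
```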
