[Freeipa-users] Dynamic DNS and Kerberos...

Rob Crittenden rcritten at redhat.com
Mon Jun 7 13:48:29 UTC 2010


Rob Townley wrote:
> On Fri, May 28, 2010 at 10:02 AM, Stjepan Gros <sgros at zemris.fer.hr> wrote:
>> Hi!
>>
>> I have a simple question regarding adding hosts in Kerberos when hosts
>> are dynamically assigned IP addresses and registered to DNS. In such
>> cases, ipa-addservice complains that the host has to have an A record in DNS
>> and doesn't want to add the new principal.
>>
>> So, there are two choices:
>>
>> 1. temporarily add DNS records, run ipa-addservice, and remove DNS
>> records, or
>>
>> 2. connect the PC to the network so that the host receives an IP address and
>> registers with DNS, and then run ipa-addservice
>>
>> Unfortunately, my situation is such that option 2 isn't possible, and
>> option 1 seems more like a hack than something systematic.
>>
>> So, is there a third option?
>>
>> Stjepan
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
> 
> I haven't even installed freeipa yet, so someone somewhere has probably
> already addressed this.  Consider these 4 random thoughts:
> 
> Why not use an offline IP address and an online IP address?
> If a host's normal online address is 10.10.10.125,
> the host's offline IP address is 172.16.10.125.
> Actually, offline address is traditionally 0.0.0.0.
> Does ipa-addservice work when the dns entry is 0.0.0.0?
> Does ipa-addservice work when multiple hosts have the same zero ip 0.0.0.0?
> 
> 
> Some systems pull DNS info from LDAP (pdns-ldap
> http://www.linuxnetworks.de/doc/index.php/PowerDNS_LDAP_Backend).  So
> even if the DNS entries are not all there, a precreated ldap entry
> could exist.  Maybe the --force option does this.
> 
> 
> ipa-addservice could use UUID / GUID entries instead of IP addresses.
> 
> 
> If the clients are powered on and connected to the internet but not
> your LAN, then a secondary remotely accessible virtual IP may help,
> but there is likely a chicken and egg problem at this point.

The whole reason for the DNS check is that Kerberos is basically useless 
without a working DNS system. If hostnames don't match service 
principals then nothing is going to work, so we enforce it. We added the 
--force flag so an admin could work around this if they know what they 
are doing.

rob
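
The check Rob describes, as an added example written for this page rather than FreeIPA's own code: a service principal of the form service/fqdn@REALM is parsed, the host part is looked up for an A record, and the request is refused unless the name resolves or the caller passes a force flag. The resolver used by default is a constructed in-memory zone table so the example runs offline; `real_resolve` shows the equivalent socket.getaddrinfo() call. Treating a 0.0.0.0 placeholder address as "unresolved" is a design choice made here, not a statement about how ipa-addservice behaves.

```python
"""Added example (not FreeIPA's code): the kind of pre-flight DNS check
ipa-addservice performs before creating a service principal.

Kerberos clients build the service principal from the hostname they
resolve, so if the FQDN in service/fqdn@REALM has no A record nobody
will ever request a ticket for that name.  The check refuses to go on
unless the host resolves; `force` lets an admin override it knowingly.
"""
import re
import socket
from typing import Callable, Dict, List

# Constructed sample zone data so the example runs offline (assumption,
# not real hosts).
FAKE_ZONE: Dict[str, List[str]] = {
    "web1.example.com": ["10.10.10.125"],
    "db1.example.com": ["10.10.10.130"],
    "parked.example.com": ["0.0.0.0"],
}

PRINCIPAL_RE = re.compile(r"^([A-Za-z0-9_-]+)/([A-Za-z0-9.-]+)@([A-Z0-9.-]+)$")


class PrincipalError(ValueError):
    """Raised when a principal is malformed or its host does not resolve."""


def parse_principal(principal: str):
    """Split service/fqdn@REALM into its parts; require a fully-qualified host."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise PrincipalError(f"malformed service principal: {principal!r}")
    service, host, realm = m.groups()
    if "." not in host:
        raise PrincipalError(f"host must be fully qualified: {host!r}")
    return service, host.lower(), realm


def fake_resolve(host: str) -> List[str]:
    """Offline stand-in for a DNS A lookup, backed by FAKE_ZONE."""
    return FAKE_ZONE.get(host.lower(), [])


def real_resolve(host: str) -> List[str]:
    """Actual IPv4 lookup via the system resolver (not used by the tests)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_service_host(principal: str, force: bool = False,
                       resolve: Callable[[str], List[str]] = fake_resolve) -> dict:
    """Return the parsed principal plus its addresses, or raise PrincipalError.

    A host whose only A record is 0.0.0.0 is treated as unresolved here;
    that is this example's choice, not documented ipa-addservice behaviour.
    """
    service, host, realm = parse_principal(principal)
    addrs = [a for a in resolve(host) if a != "0.0.0.0"]
    if not addrs and not force:
        raise PrincipalError(
            f"host {host} has no usable A record; add one or use force")
    return {
        "service": service,
        "host": host,
        "realm": realm,
        "addresses": addrs,
        "forced": bool(force and not addrs),
    }


def can_add_service(principal: str, force: bool = False,
                    resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """Boolean wrapper: would the check let this principal be created?"""
    try:
        check_service_host(principal, force, resolve)
        return True
    except PrincipalError:
        return False


if __name__ == "__main__":
    for p, f in [("HTTP/web1.example.com@EXAMPLE.COM", False),
                 ("HTTP/laptop7.example.com@EXAMPLE.COM", False),
                 ("HTTP/laptop7.example.com@EXAMPLE.COM", True),
                 ("HTTP/parked.example.com@EXAMPLE.COM", False)]:
        print(p, "force" if f else "", "->", can_add_service(p, f))
```

The forced case returns `"forced": True` so the caller can log that an admin bypassed the check; that is the audit trail you want when a principal is created for a host that DNS cannot yet vouch for.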
