On Thu, 19 Jun 2014, Simo Sorce wrote:
>> and named successfully started, with 389-ds showing autobind to the same
>> krprincipalname=dns/... in the logs.
>
>why do we need to associate bind to dns/whatever ??
Because we already have ACIs given to dns/hostname to handle DNS
entries.
Which are easy to change on upgrade.
>we can have a sysaccount called named, like we did for kerberos before
>we had the ipa-kdb driver.
>> A modification of DNS service with 'ipa service-mod' is all that we
>> need for the single node case, I tried it.
>I do not like it at all, plus each server has a different object and
>they would all be duplicates. I prefer very much a single, passwordless
>special user in sysconfig, added to the same group that controls access
>for the DNS tree.
autobind needs uidNumber=<uid>+gidNumber=<gid> search to resolve to a
single entry. Given that replicas might be running on machines where
'named' user could deviate (think Fedora, RHEL, and Debian), there will
still be multiple 'named' sysaccounts and the whole story will break. I
don't see how this helps compared to having DNS/hostname principal
object extended to cover uidNumber/gidNumber.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel