On Thu, 2014-06-19 at 17:10 +0300, Alexander Bokovoy wrote:
> On Thu, 19 Jun 2014, Simo Sorce wrote:
> >> >> and named successfully started, with 389-ds showing autobind to the same
> >> >> krprincipalname=dns/... in the logs.
> >> >
> >> >why do we need to associate bind to dns/whatever ??
> >> Because we already have ACIs given to dns/hostname to handle DNS
> >> entries.
> >
> >Which are easy to change on upgrade.
> >
> >> >we can have a sysaccount called named, like we did for kerberos before
> >> >we had the ipa-kdb driver.
> >> A modification of the DNS service with 'ipa service-mod' is all we
> >> need for the single-node case, I tried it.
> >
> >I do not like it at all, plus each server has a different object and
> >they would all be duplicates. I prefer very much a single, passwordless
> >special user in sysconfig, added to the same group that controls access
> >for the DNS tree.
> autobind needs uidNumber=<uid>+gidNumber=<gid> search to resolve to a
> single entry. Given that replicas might be running on machines where
> 'named' user could deviate (think Fedora, RHEL, and Debian), there will
> still be multiple 'named' sysaccounts and the whole story will break. I
> don't see how this helps compared to having DNS/hostname principal
> object extended to cover uidNumber/gidNumber.
This is not really a huge issue. We need to allow access to the DNS tree
to a group, so all we need is for the install/upgrade script to check
what the named user is on the system and create a corresponding system
account.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
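As an added illustration of the install-time approach in the last message (example code, not FreeIPA's own install script): a POSIX shell helper that reads the local named user's uid/gid and emits the LDIF for a passwordless sysaccount plus its group membership. The cn=sysaccounts,cn=etc container, the "DNS Servers" group DN and the sample passwd record are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not FreeIPA's own install code: derive a passwordless
# system account from the local 'named' user so that 389-ds autobind
# (which maps the LDAPI peer's uid/gid to the single entry carrying the
# same uidNumber/gidNumber) resolves the BIND process on this host.
# The cn=sysaccounts,cn=etc container and the group DN are assumptions.

# passwd_to_ldif PASSWD_LINE SUFFIX GROUP_DN
# Turns one passwd(5)-format line into LDIF that (1) adds the sysaccount
# with this host's real uidNumber/gidNumber and (2) makes it a member of
# the group that already holds the ACIs for the DNS tree.
passwd_to_ldif() {
    line=$1; suffix=$2; group_dn=$3
    name=$(printf '%s\n' "$line" | cut -d: -f1)
    uidnum=$(printf '%s\n' "$line" | cut -d: -f3)
    gidnum=$(printf '%s\n' "$line" | cut -d: -f4)
    # Reject anything that is not a passwd record with numeric ids: a
    # wrong uidNumber/gidNumber pair would silently break autobind
    # (no entry, or more than one, matches the peer's uid/gid).
    case "$uidnum:$gidnum" in
        *[!0-9:]*|:*|*:) return 1 ;;
    esac
    dn="uid=$name,cn=sysaccounts,cn=etc,$suffix"
    printf 'dn: %s\nchangetype: add\n' "$dn"
    printf 'objectClass: account\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s\n' "$name" "$name"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uidnum" "$gidnum"
    printf 'homeDirectory: /\nloginShell: /sbin/nologin\n\n'
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' \
        "$group_dn" "$dn"
}

# sysaccount_for_local_user USER SUFFIX GROUP_DN
# What an install/upgrade script would call: look up whatever uid/gid
# this distribution gave the named user (it differs between Fedora, RHEL
# and Debian) and emit the matching LDIF for this replica.
sysaccount_for_local_user() {
    entry=$(getent passwd "$1") || return 1
    passwd_to_ldif "$entry" "$2" "$3"
}

# Constructed sample record (not from a real host) to show the output.
passwd_to_ldif 'named:x:25:25:Named:/var/named:/sbin/nologin' \
    'dc=example,dc=test' 'cn=DNS Servers,cn=privileges,cn=pbac,dc=example,dc=test'
```

Because the entry is generated per host from getent, each replica gets a uidNumber/gidNumber that matches its own named process even when the distributions assign different ids.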
