we got a nack


when attempting to address ticket


Basically, when a service is being added with ipa service-add, you
have to use --force to add it if the underlying host record does
not have a DNS record.

But it seems that the workflow of a host created with a --random OTP
generated, a service added to this host record (which still does not
have an IP address because no machine has been enrolled), and only then
IPA-enrolling with ipa-client --password OTP, is a supported and
increasingly promoted and used mechanism, for example with realm
support for provisioned machines in Foreman.

The initial intent of ticket


was to lower the stress and confusion of new IPA users by making the
error message that you get when there isn't a DNS record for the host
entry less scary and more helpful.

There is an objection to making it more helpful, out of fear that
people will just learn to add --force to every command and avoid
the safeguards.

However -- what is the purpose of the DNS check when adding service?
Shouldn't that check be removed altogether?

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

