On 13.7.2015 19:37, Jan Pazdziora wrote:
> Hello,
>
> we got a nack
>
> https://www.redhat.com/archives/freeipa-devel/2015-July/msg00259.html
>
> when attempting to address ticket
>
> https://fedorahosted.org/freeipa/ticket/3959
>
> Basically, when a service is being added with ipa service-add, you
> have to use --force to add it if the underlying host record does
> not have a DNS record.
>
> But it seems that the workflow of host created with --random OTP
> generated, service added to this host record (which still does not
> have an IP address because no machine was enrolled), and only then
> IPA-enrolling with ipa-client --password OTP is a supported and
> increasingly promoted and used mechanism, for example with realm
> support for provisioned machines in Foreman.
>
> The initial intent of ticket
>
> https://fedorahosted.org/freeipa/ticket/3959
>
> was to lower the stress and confusion of new IPA users by making the
> error message that you get when there isn't a DNS record for the host
> entry less scary and more helpful.
>
> There is objection to making it more helpful, with the fear that
> people will just learn to add --force to every command and avoid
> the safeguards.
>
> However -- what is the purpose of the DNS check when adding a service?

The service is typically a Kerberos service, which usually is not going to work if the host does not have a DNS record.

> Shouldn't that check be removed altogether?

I would rather relax the check so it can detect usage of host-add --random/--password and emit a warning instead of a hard error.

What do you think about this approach?

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
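The relaxed check proposed above, written out as an added illustration that is not FreeIPA code: a host that was pre-provisioned with an OTP (password set, not yet enrolled, so no keytab) and has no DNS record gets a warning, while an enrolled host without a DNS record still fails unless --force is given. The `HostEntry` fields, the `lookup` resolver and the hostnames are constructed for the example; the policy is the one discussed in the thread, not FreeIPA's actual implementation.

```python
"""Hypothetical model of a relaxed DNS check for ``ipa service-add``."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for DNS: only this name has an A record.
RESOLVABLE = {"web1.example.test": "192.0.2.10"}


def lookup(hostname: str) -> Optional[str]:
    """Constructed resolver: address for the name, or None (no DNS record)."""
    return RESOLVABLE.get(hostname.rstrip("."))


@dataclass
class HostEntry:
    fqdn: str
    has_password: bool  # OTP set by host-add --random/--password (assumed flag)
    has_keytab: bool    # host already enrolled via ipa-client-install (assumed flag)


@dataclass
class Decision:
    allowed: bool
    warning: Optional[str] = None
    error: Optional[str] = None


def check_service_host(host: HostEntry, force: bool = False,
                       resolve: Callable[[str], Optional[str]] = lookup) -> Decision:
    """Decide whether a service may be added for ``host``.

    Order matters: a resolvable host needs no further checks; --force keeps
    its old meaning; a pre-provisioned host only warns; everything else errors.
    """
    if resolve(host.fqdn) is not None:
        return Decision(allowed=True)
    if force:
        return Decision(allowed=True,
                        warning=f"{host.fqdn}: no DNS record, added with --force")
    if host.has_password and not host.has_keytab:
        # Host was created with an OTP and is waiting to enroll: a missing
        # DNS record is expected at this stage, so warn instead of failing.
        return Decision(allowed=True, warning=(
            f"{host.fqdn}: no DNS record yet; host is pre-provisioned with an "
            "OTP, make sure the record exists before the Kerberos service is used"))
    return Decision(allowed=False, error=(
        f"Host '{host.fqdn}' does not have a DNS A/AAAA record. Add the record, "
        "or re-run with --force if the service is meant to work without one."))
```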