On 13.7.2015 19:37, Jan Pazdziora wrote:
> we got a nack
> when attempting to address ticket
> Basically, when a service is being added with ipa service-add, you
> have to use --force to add it if the underlying host record does
> not have a DNS record.
> But it seems that the workflow of host created with --random OTP
> generated, service added to this host record (which still does not
> have IP address because no machine was enrolled), and only then
> IPA-enrolling with ipa-client --password OTP is a supported and
> increasingly promoted and used mechanism, for example with realm
> support for provisioned machines in Foreman.
> The initial intent of ticket
> was to lower the stress and confusion of new IPA users by making the
> error message that you get when there isn't a DNS record for the host
> entry less scary and more helpful.
> There is an objection to making it more helpful, with the fear that
> people will just learn to add --force to every command and avoid
> the safeguards.
> However -- what is the purpose of the DNS check when adding service?
The service is typically a Kerberos service, which usually is not going to
work if the host does not have a DNS record.
> Shouldn't that check be removed altogether?
I would rather relax the check so it can detect usage of host-add
--random/--password and emit a warning instead of hard error.
What do you think about this approach?
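As an added illustration (not code from this thread and not FreeIPA's own implementation): a small Python model of the service-add host check as the thread describes it today, beside the relaxed version proposed above. The DNS table is constructed, and the `has_password`/`has_keytab` flags on the host entry are assumed to stand for "OTP set by host-add --random/--password" and "already enrolled".

```python
"""Model of the two behaviours discussed on the list: the current hard error
when the host has no DNS record, and the proposed warning for a host that was
pre-created with an OTP and not yet enrolled. Hypothetical code, not FreeIPA's."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class HostEntry:
    fqdn: str
    has_password: bool  # assumed flag: OTP set by host-add --random/--password
    has_keytab: bool    # assumed flag: True once ipa-client-install enrolled it

# Constructed resolver table: FQDN -> address, None stands for NXDOMAIN.
FAKE_DNS = {"web1.example.test": "192.0.2.10", "prov1.example.test": None}

def resolve(fqdn: str) -> Optional[str]:
    """Offline stand-in for a DNS lookup of the host's A/AAAA record."""
    return FAKE_DNS.get(fqdn)

def current_check(host: HostEntry, force: bool = False,
                  lookup: Callable[[str], Optional[str]] = resolve) -> str:
    """Behaviour as described in the thread: no DNS record is a hard error
    unless --force is given, regardless of how the host was created."""
    if lookup(host.fqdn) is not None or force:
        return "ok"
    return "error: host has no DNS record (use --force to add the service anyway)"

def relaxed_check(host: HostEntry, force: bool = False,
                  lookup: Callable[[str], Optional[str]] = resolve) -> str:
    """Proposed behaviour: a host that still carries its enrollment OTP and
    has no keytab has not been enrolled yet, so the missing address is the
    expected state of the provisioning workflow and only merits a warning.
    Any other host without a DNS record keeps the hard error."""
    if lookup(host.fqdn) is not None or force:
        return "ok"
    if host.has_password and not host.has_keytab:
        return ("warning: host was created with an OTP and is not enrolled yet; "
                "the Kerberos service will not work until it has a DNS record")
    return "error: host has no DNS record (use --force to add the service anyway)"
```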