On Tue, 14 Jul 2015, Petr Spacek wrote:
On 14.7.2015 10:08, Alexander Bokovoy wrote:
On Tue, 14 Jul 2015, Jan Pazdziora wrote:
On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
On 13.7.2015 19:37, Jan Pazdziora wrote:
>
> However -- what is the purpose of the DNS check when adding service?

The service is typically a Kerberos service, which usually is not going to
work if the host does not have DNS record.

So it's an error about existing *state* of the identity management
system, not an error of the service-add operation itself or error
about the result of that operation. IOW, the code tries to be smarter
than necessary, hitting users who attempt to do things right,
precreating host records. Plus it's an error about related object,
not the object being manipulated / created which in itself is
suspicious.

> Shouldn't that check be removed altogether?
I would rather relax the check so it can detect usage of host-add
--random/--password and emit a warning instead of hard error.

What do you think about this approach?

I guess you are then talking about not having that check in the
host-add operation, not service-add:

    # ipa host-add --random client56.example.test
    ipa: ERROR: Host does not have corresponding DNS A/AAAA record

Because to face the error during service-add, the user must already
have overriden the error for the host itself.

So how about:

    No DNS check / error in host-add when --random is used.
    No DNS check / error in service-add at all.
I would still add a warning in service-add "Host ... does not exist in
DNS, this service will not be accessible via Kerberos until A/AAAA
record for the host will be created".

Yes, this is what I meant - host-add should do the DNS check and spit only
warning if --random/--password is used. Service-add should require the host to
exist (as it does now) but again the check should spit a warning instead of
error if the host was created with --random.
Sounds good to me.

Will you make a ticket?
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to