On 14.7.2015 13:50, Alexander Bokovoy wrote:
> On Tue, 14 Jul 2015, Petr Spacek wrote:
>> On 14.7.2015 10:08, Alexander Bokovoy wrote:
>>> On Tue, 14 Jul 2015, Jan Pazdziora wrote:
>>>> On Tue, Jul 14, 2015 at 08:31:19AM +0200, Petr Spacek wrote:
>>>>> On 13.7.2015 19:37, Jan Pazdziora wrote:
>>>>> >
>>>>> > However -- what is the purpose of the DNS check when adding service?
>>>>>
>>>>> The service is typically a Kerberos service, which usually is not going to
>>>>> work if the host does not have DNS record.
>>>>
>>>> So it's an error about existing *state* of the identity management
>>>> system, not an error of the service-add operation itself or error
>>>> about the result of that operation. IOW, the code tries to be smarter
>>>> than necessary, hitting users who attempt to do things right,
>>>> precreating host records. Plus it's an error about related object,
>>>> not the object being manipulated / created which in itself is
>>>> suspicious.
>>>>
>>>>> > Shouldn't that check be removed altogether?
>>>>> I would rather relax the check so it can detect usage of host-add
>>>>> --random/--password and emit a warning instead of hard error.
>>>>>
>>>>> What do you think about this approach?
>>>>
>>>> I guess you are then talking about not having that check in the
>>>> host-add operation, not service-add:
>>>>
>>>> # ipa host-add --random client56.example.test
>>>> ipa: ERROR: Host does not have corresponding DNS A/AAAA record
>>>>
>>>> Because to face the error during service-add, the user must already
>>>> have overridden the error for the host itself.
>>>>
>>>> So how about:
>>>>
>>>> No DNS check / error in host-add when --random is used.
>>>> No DNS check / error in service-add at all.
>>> I would still add a warning in service-add "Host ... does not exist in
>>> DNS, this service will not be accessible via Kerberos until A/AAAA
>>> record for the host will be created".
>>
>> Yes, this is what I meant - host-add should do the DNS check and spit only
>> warning if --random/--password is used. Service-add should require the host
>> to exist (as it does now) but again the check should spit a warning instead of
>> error if the host was created with --random.
> Sounds good to me.
>
> Will you make a ticket?

I would hijack https://fedorahosted.org/freeipa/ticket/3959 ...

-- 
Petr^2 Spacek
