Jay Fenlason via FreeIPA-users wrote:
> On Thu, Feb 20, 2020 at 05:19:50PM -0500, Rob Crittenden wrote:
>> Jay Fenlason via FreeIPA-users wrote:
>>> When attempting to debug another problem with FreeIPA, I noticed
>>> something odd:
>>>
>>> If I have an IPA domain example.com, I can do an ipa-client-install
>>> from a machine named c.d.example.com and it successfully adds the
>>> client to the domain and updates IPA's DNS, but if I do an ipa
>>> host-add of c.d.example.com it gives an error saying
>>>     ipa: ERROR: DNS zone d.example.com. not found
>>> which is correct, inasmuch as I never created a d.example.com zone.
>>> But ipa-client-install happily added c.d to the example.com zone. So
>>> which of these two commands is doing the right thing?
>>
>> ipa-client-install, via ipa-join, creates the host using the non-cli API
>> call join rather than host-add directly. join calls host-add with
>> --force so DNS checks are skipped.
>>
>> The client, as you point out, by default will try to add the DNS records
>> itself in a later step, so it is not enforced up front.
>
> Thank you for your useful analysis of why they work differently.
>
> Note that
>     ipa host-add c.d.example.com --force --ip-address 192.168.56.5
> fails with the same error as
>     ipa host-add c.d.example.com --ip-address 192.168.56.5
>
> So you can't use --force with the command line to get the same
> behavior as ipa-client-install.

If you include an IP address then --force is ignored because it implies
that the host is already in DNS since you are trying to add an address
for it.

> The question here is really one of design. Should these commands
> behave differently?
>
> Should ipa-client-install be able to create a c.d entry in the example.com
> zone, or should it flag the missing d.example.com domain as an error
> the way ipa host-add does?

As I said before, it's there because the client will use nsupdate to
attempt to update DNS. This doesn't happen with host-add.

> Or should ipa host-add add the c.d entry to the example.com zone the
> way ipa-client-install does?

It's there to make the admin pause a second since adding a host without
DNS is not all that useful.

> Or should both of them create the d.example.com zone and add the c
> entry to it? :-)

An enrollment can't create zones.

rob
