Hi,
re-adding the mailing list

On Wed, Sep 15, 2021 at 6:31 PM Buckley Ross <[email protected]> wrote:

> Hi Flo,
>
> I think you misread my question.
>

Indeed. I interpreted "I found that on DNS records were provisioned..." as "I found that on <the> DNS <server>, records were provisioned" instead of "I found that *no* DNS records were provisioned". Sorry about that...

> I am not running `ipa host-add`. I am running `ipa host-add-principal`. I
> would expect that if I am adding a new principal to a host, that
> principal's DNS name would be added with either a CNAME or an A record,
> pointing back to the original host. Is there a reason that this does not
> happen? I cannot understand the utility of being able to add a new
> principal to a host if that principal is not routable via DNS.
>

In your case you expect myhost and myalias to resolve to the same IP address, but that's not the general use case. Consider for instance a host with 2 different IP addresses, myhost resolving to the 1st one and myalias to the 2nd one.
Adding the principal alias is de-coupled from the DNS records.

Hope this clarifies,
flo

> Thanks,
> Buckley Ross
>
> On Tue, Sep 14, 2021 at 7:17 AM Florence Renaud <[email protected]> wrote:
>
>> Hi,
>> I was not able to reproduce this issue:
>>
>> # ipa host-add myhost.ipa.test --ip-address $IP
>> # ipa dnsrecord-find ipa.test
>>
>> shows myhost.ipa.test has been added
>>
>> # ipa host-add-principal myhost host/myalias.ipa.test
>> # ipa dnsrecord-find ipa.test
>>
>> no new record added
>>
>> DNS records are added when the command "ipa host-add --ip-address" is
>> used, when a host is joined with ipa-client-install, or when "ipa
>> dnsrecord-add" is called. You can check in /var/log/httpd/error_log if you
>> find trace of such a command.
>>
>> flo
>>
>> On Mon, Sep 13, 2021 at 1:46 PM Buckley Ross via FreeIPA-users <
>> [email protected]> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to provision an HTTP service principal for a containerized
>>> service. The host on which the container is running also has a kerberized
>>> HTTP service running on it with a separate service principal (both services
>>> are highly critical, but for different systems, and thus should probably
>>> have separate keytabs).
>>>
>>> Since both services share an IP address (but are serving HTTP on
>>> different ports), this seemed like a perfect application of kerberos host
>>> aliases. However, when I provisioned a host alias with `ipa
>>> host-add-principal myHost host/myAlias.domain.com`, I found that on DNS
>>> records were provisioned for `myAlias.domain.com`, thus making the
>>> alias completely useless for resolving to the container. Is this a bug in
>>> the host-alias system, or am I missing something?
>>>
>>> Thank you for your time.
>>>
>>> Thank you,
>>> Buckley Ross
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to
>>> [email protected]
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam on the list, report it:
>>> https://pagure.io/fedora-infrastructure
>>>
>>
