On Thu, Feb 20, 2020 at 05:19:50PM -0500, Rob Crittenden wrote:
> Jay Fenlason via FreeIPA-users wrote:
> > When attempting to debug another problem with FreeIPA, I noticed
> > something odd:
> >
> > If I have an IPA domain example.com, I can do an ipa-client-install
> > from a machine named c.d.example.com and it successfully adds the
> > client to the domain and updates IPA's DNS, but if I do an ipa
> > host-add of c.d.example.com it gives an error saying
> > ipa: ERROR: DNS zone d.example.com. not found
> > which is correct, inasmuch as I never created a d.example.com zone.
> > But ipa-client-install happily added c.d to the example.com zone. So
> > which of these two commands is doing the right thing?
>
> ipa-client-install, via ipa-join, creates the host using the non-cli API
> call join rather than host-add directly. join calls host-add with
> --force so DNS checks are skipped.
>
> The client, as you point out, by default will try to add the DNS records
> itself in a later step, so it is not enforced up front.
Thank you for your useful analysis of why they work differently.

Note that

    ipa host-add c.d.example.com --force --ip-address 192.168.56.5

fails with the same error as

    ipa host-add c.d.example.com --ip-address 192.168.56.5

So you can't use --force with the command line to get the same
behavior as ipa-client-install.

The question here is really one of design. Should these commands
behave differently?

Should ipa-client-install be able to create a c.d entry in the
example.com zone, or should it flag the missing d.example.com domain as
an error the way ipa host-add does?

Or should ipa host-add add the c.d entry to the example.com zone the
way ipa-client-install does?

Or should both of them create the d.example.com zone and add the c
entry to it? :-)

-- JF
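A small Python model of the two behaviours reported in this thread, added here as an illustration and not taken from FreeIPA's source: host-add with --ip-address looks up exactly the parent of the host name as the zone (hence "DNS zone d.example.com. not found", with or without --force), while the join path creates the host without that check and the client's own record then lands in the closest existing enclosing zone. The zone set, the function names and the "closest enclosing zone" rule are assumptions made for the example.

```python
from typing import Optional

# Constructed example: only the example.com zone exists, as in the thread.
ZONES = {"example.com."}

class ZoneNotFound(Exception):
    pass

def absolute(name: str) -> str:
    return name if name.endswith(".") else name + "."  # trailing dot, as in the error message

def parent_zone(hostname: str) -> str:
    """Zone that 'ipa host-add --ip-address' checks: exactly the labels after the first."""
    return absolute(hostname).split(".", 1)[1]

def enclosing_zone(hostname: str, zones: set) -> Optional[str]:
    """Closest existing zone enclosing hostname (assumed rule for where the client's own
    DNS update lands; the thread shows c.d ending up in example.com)."""
    labels = absolute(hostname).split(".")  # ["c", "d", "example", "com", ""]
    for i in range(1, len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def relative_owner(hostname: str, zone: str) -> str:
    return absolute(hostname)[: -len(zone) - 1]  # "c.d.example.com." in "example.com." -> "c.d"

def host_add(hostname: str, zones: set, ip_address: Optional[str] = None, force: bool = False) -> dict:
    """Model of the CLI path: with --ip-address the parent zone must exist, and
    --force does not bypass that check (the thread's observation)."""
    entry = {"host": absolute(hostname), "zone": None, "record": None, "force": force}
    if ip_address is not None:
        zone = parent_zone(hostname)
        if zone not in zones:
            raise ZoneNotFound(f"DNS zone {zone} not found")
        entry["zone"] = zone
        entry["record"] = (relative_owner(hostname, zone), "A", ip_address)
    return entry

def client_join(hostname: str, zones: set, ip_address: str) -> dict:
    """Model of the ipa-join path: host created with force and no --ip-address, so no
    zone check runs; the client then adds its record itself in a later step."""
    entry = host_add(hostname, zones, force=True)
    zone = enclosing_zone(hostname, zones)
    if zone is None:
        raise ZoneNotFound(f"no zone encloses {absolute(hostname)}")
    entry["zone"] = zone
    entry["record"] = (relative_owner(hostname, zone), "A", ip_address)
    return entry
```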