Hi,
re-adding the mailing list

On Wed, Sep 15, 2021 at 6:31 PM Buckley Ross <buckleyross42@gmail.com> wrote:
Hi Flo,

I think you misread my question.

Indeed. I interpreted "I found that on DNS records were provisioned..." as "I found that on <the> DNS <server>, records were provisioned" instead of "I found that no DNS records were provisioned". Sorry about that...


I am not running `ipa host-add`. I am running `ipa host-add-principal`. I would expect that if I am adding a new principal to a host, that principal's DNS name would be added with either a CNAME or an A record, pointing back to the original host. Is there a reason that this does not happen? I cannot understand the utility of being able to add a new principal to a host if that principal is not routable via DNS.

In your case you expect myhost and myalias to resolve to the same IP address, but that's not the general use case. Consider for instance a host with 2 different IP addresses, myhost resolving to the 1st one and myalias to the 2nd one. Adding the principal alias is decoupled from the DNS records.

Hope this clarifies,
flo


Thanks,
Buckley Ross

On Tue, Sep 14, 2021 at 7:17 AM Florence Renaud <flo@redhat.com> wrote:
Hi,
I was not able to reproduce this issue:

# ipa host-add myhost.ipa.test --ip-address $IP
# ipa dnsrecord-find ipa.test
>> shows myhost.ipa.test has been added

# ipa host-add-principal myhost host/myalias.ipa.test
# ipa dnsrecord-find ipa.test
>> no new record added

DNS records are added when the command "ipa host-add --ip-address" is used, when a host is joined with ipa-client-install, or when "ipa dnsrecord-add" is called. You can check in /var/log/httpd/error_log if you find trace of such a command.

flo

On Mon, Sep 13, 2021 at 1:46 PM Buckley Ross via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello,

I'm trying to provision an HTTP service principal for a containerized service. The host on which the container is running also has a kerberized HTTP service running on it with a separate service principal (both services are highly critical, but for different systems, and thus should probably have separate keytabs).

Since both services share an IP address (but are serving HTTP on different ports), this seemed like a perfect application of Kerberos host aliases. However, when I provisioned a host alias with `ipa host-add-principal myHost host/myAlias.domain.com`, I found that on DNS records were provisioned for `myAlias.domain.com`, thus making the alias completely useless for resolving to the container. Is this a bug in the host-alias system, or am I missing something?

Thank you for your time.

Thank you,
Buckley Ross
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
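The thread leaves the practical answer implicit: `ipa host-add-principal` only touches the Kerberos side, so the DNS name for the alias has to be created separately with `ipa dnsrecord-add`, as a CNAME when the alias shares the host's address or as its own A record in the two-address case Flo describes. The script below is an added example, not code from the thread or from FreeIPA itself; the zone `ipa.test`, the names `myhost`/`myalias`, the address 192.0.2.20 and the file name `ipa-alias.sh` are placeholders. It wraps the `ipa` binary in an `IPA` variable so the commands can be dry-run with `IPA=echo` before being executed against a real server.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): provision a host
# principal alias together with the DNS record that
# `ipa host-add-principal` deliberately does not create.
# Placeholders: zone ipa.test, names myhost/myalias, file name ipa-alias.sh.
# Set IPA=echo to print the commands instead of running them.
set -eu
IPA=${IPA:-ipa}

# add_alias ZONE HOST ALIAS [IP]
#   HOST and ALIAS are short names inside ZONE.
#   Without IP: ALIAS gets a CNAME to HOST (same address, second name).
#   With IP:    ALIAS gets its own A record (the multi-homed case).
add_alias() {
    zone=$1 host=$2 alias=$3 ip=${4:-}
    # Kerberos side: host/ALIAS@REALM becomes an additional principal of the
    # host entry, sharing the keys already in the host's keytab.
    "$IPA" host-add-principal "$host.$zone" "host/$alias.$zone"
    # DNS side: this is the step the alias command does not do for you.
    # The trailing dot makes the CNAME target absolute, not zone-relative.
    if [ -z "$ip" ]; then
        "$IPA" dnsrecord-add "$zone" "$alias" --cname-rec="$host.$zone."
    else
        "$IPA" dnsrecord-add "$zone" "$alias" --a-rec="$ip"
    fi
}

# check_alias ZONE ALIAS: show what the IPA DNS zone now holds for ALIAS
# (this is the `ipa dnsrecord-find` check used in the thread, narrowed
# to one name).
check_alias() {
    zone=$1 alias=$2
    "$IPA" dnsrecord-find "$zone" --name="$alias"
}

# Run the example only when executed as ipa-alias.sh, not when sourced.
if [ "${0##*/}" = "ipa-alias.sh" ]; then
    add_alias ipa.test myhost myalias          # CNAME case
    add_alias ipa.test myhost myalias2 192.0.2.20  # own A record case
    check_alias ipa.test myalias
fi
```

After the real run, `ipa host-show myhost.ipa.test` should list both `host/myhost.ipa.test@REALM` and `host/myalias.ipa.test@REALM` under the principal aliases, and `dig +short myalias.ipa.test` should follow the CNAME to the host. Two caveats worth knowing: MIT Kerberos clients that canonicalize hostnames (the `dns_canonicalize_hostname` default) may resolve a CNAME to the canonical name and request `host/myhost` rather than `host/myalias`, which is harmless precisely because both are aliases of the same host entry; and for the HTTP service principal the original poster actually wanted, the analogous command is `ipa service-add-principal`, which is likewise independent of DNS.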