3:53 p.m.
When attempting to debug another problem with FreeIPA, I noticed
something odd:
If I have an IPA domain example.com, I can do an ipa-client-install
from a machine named c.d.example.com and it successfully adds the
client to the domain and updates IPA's DNS, but if I do an ipa
host-add of c.d.example.com it gives an error saying
ipa: ERROR: DNS zone d.example.com. not found
which is correct, inasmuch as I never created a d.example.com zone.
But ipa-client-install happily added c.d to the example.com zone. So
which of these two commands is doing the right thing?
-- JF
4:19 p.m.
New subject: disparity between ipa-client-install and ipa host-add
Jay Fenlason via FreeIPA-users wrote:
When attempting to debug another problem with FreeIPA, I noticed
something odd:
If I have an IPA domain example.com, I can do an ipa-client-install
from a machine named c.d.example.com and it successfully adds the
client to the domain and updates IPA's DNS, but if I do an ipa
host-add of c.d.example.com it gives an error saying
ipa: ERROR: DNS zone d.example.com. not found
which is correct, inasmuch as I never created a d.example.com zone.
But ipa-client-install happily added c.d to the example.com zone. So
which of these two commands is doing the right thing?
ipa-client-install, via ipa-join, creates the host using the non-cli API
call join rather than host-add directly. join calls host-add with
--force so DNS checks are skipped.
The client, as you point out, by default will try to add the DNS records
itself in a later step, so it is not enforced up front.
rob
4:52 p.m.
New subject: disparity between ipa-client-install and ipa host-add
On Thu, Feb 20, 2020 at 05:19:50PM -0500, Rob Crittenden wrote:
Jay Fenlason via FreeIPA-users wrote:
> When attempting to debug another problem with FreeIPA, I noticed
> something odd:
>
> If I have an IPA domain example.com, I can do an ipa-client-install
> from a machine named c.d.example.com and it successfully adds the
> client to the domain and updates IPA's DNS, but if I do an ipa
> host-add of c.d.example.com it gives an error saying
> ipa: ERROR: DNS zone d.example.com. not found
> which is correct, inasmuch as I never created a d.example.com zone.
> But ipa-client-install happily added c.d to the example.com zone. So
> which of these two commands is doing the right thing?
ipa-client-install, via ipa-join, creates the host using the non-cli API
call join rather than host-add directly. join calls host-add with
--force so DNS checks are skipped.
The client, as you point out, by default will try to add the DNS records
itself in a later step, so it is not enforced up front.
Thank you for your useful analysis of why they work differently.
Note that
ipa host-add c.d.example.com --force --ip-address 192.168.56.5
fails with the same error as
ipa host-add c.d.example.com --ip-address 192.168.56.5
So you can't use --force with the command line to get the same
behavior as ipa-client-install.
The question here is really one of design. Should these commands
behave differently?
Should ipa-client-install be able to create a c.d entry in the example.com
zone, or should it flag the missing d.example.com domain as an error
the way ipa host-add does?
Or should ipa host-add add the c.d entry to the example.com zone the
way ipa-client-install does?
Or should both of them create the d.example.com zone and add the c
entry to it? :-)
-- JF
9:55 a.m.
New subject: disparity between ipa-client-install and ipa host-add
Jay Fenlason via FreeIPA-users wrote:
On Thu, Feb 20, 2020 at 05:19:50PM -0500, Rob Crittenden wrote:
> Jay Fenlason via FreeIPA-users wrote:
>> When attempting to debug another problem with FreeIPA, I noticed
>> something odd:
>>
>> If I have an IPA domain example.com, I can do an ipa-client-install
>> from a machine named c.d.example.com and it successfully adds the
>> client to the domain and updates IPA's DNS, but if I do an ipa
>> host-add of c.d.example.com it gives an error saying
>> ipa: ERROR: DNS zone d.example.com. not found
>> which is correct, inasmuch as I never created a d.example.com zone.
>> But ipa-client-install happily added c.d to the example.com zone. So
>> which of these two commands is doing the right thing?
>
> ipa-client-install, via ipa-join, creates the host using the non-cli API
> call join rather than host-add directly. join calls host-add with
> --force so DNS checks are skipped.
>
> The client, as you point out, by default will try to add the DNS records
> itself in a later step, so it is not enforced up front.
Thank you for your useful analysis of why they work differently.
Note that
ipa host-add c.d.example.com --force --ip-address 192.168.56.5
fails with the same error as
ipa host-add c.d.example.com --ip-address 192.168.56.5
So you can't use --force with the command line to get the same
behavior as ipa-client-install.
If you include an IP address then --force is ignored because it implies
that the host is already in DNS since you are trying to add an address
for it.
The question here is really one of design. Should these commands
behave differently?
Should ipa-client-install be able to create a c.d entry in the example.com
zone, or should it flag the missing d.example.com domain as an error
the way ipa host-add does?
As I said before, it's there because the client will use nsupdate to
attempt to update DNS. This doesn't happen with host-add.
Or should ipa host-add add the c.d entry to the example.com zone the
way ipa-client-install does?
It's there to make the admin pause a second since adding a host without
DNS is not all that useful.
Or should both of them create the d.example.com zone and add the c
entry to it? :-)
An enrollment can't create zones.
rob
1533
days inactive
1534
days old
freeipa-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Jay Fenlason -
Rob Crittenden