Currently ipa-addservice will just happily create a service without checking that the FQDN is a valid A name in DNS. A host FQDN should always be an A name as kerberos libraries will resolve any CNAME into an A name before asking a ticket from the KDC. ipa-addservice should at least warn if it can't find an A name corresponding to the FQDN part of the service principal we are about to create.
Created attachment 295981 [details]
Require DNS A record for service principals

David, I've added a new option to ipa-addservice: --force. This will force a principal to be created that is not an A record.
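The check described in this bug, as an added illustration (not FreeIPA's own ipa-addservice code): take the FQDN out of the service principal, ask DNS for it, accept only an A record, reject a CNAME or a missing name, and let a --force flag override the rejection with a warning. The DNS lookup is injected as a callable so the example runs offline against a constructed toy zone; the function names (`principal_host`, `check_a_record`, `add_service`), the `ServiceCreateError` class and the zone contents are all assumptions made for this example.

```python
"""Validate that a service principal's host part is a DNS A record.

Illustrative code written for this bug discussion; not FreeIPA's own
implementation. `lookup` is injected so the check runs offline. In a real
tool you would pass a resolver (e.g. a wrapper around dnspython's
dns.resolver.resolve) instead of `toy_lookup`.
"""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]          # (rrtype, rdata)
Lookup = Callable[[str], List[Record]]

# Constructed sample zone (not real data): name -> records.
TOY_ZONE: Dict[str, List[Record]] = {
    "ipaclient.ipaqa.com.": [("A", "192.0.2.10")],
    "www.ipaqa.com.": [("CNAME", "ipaclient.ipaqa.com.")],
    "ipa.ipaqa.com.": [],        # name exists nowhere: no records at all
}


class ServiceCreateError(Exception):
    """Raised when the principal must not be created without --force."""


def toy_lookup(name: str) -> List[Record]:
    """Stand-in resolver: returns the records for `name` from TOY_ZONE."""
    fqdn = name if name.endswith(".") else name + "."
    return TOY_ZONE.get(fqdn.lower(), [])


def principal_host(principal: str) -> str:
    """Extract the FQDN from 'service/fqdn' or 'service/fqdn@REALM'."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        raise ValueError("not a service principal: %r" % principal)
    host = name.split("/", 1)[1]
    if not host:
        raise ValueError("empty host in principal: %r" % principal)
    return host


def check_a_record(fqdn: str, lookup: Lookup) -> Tuple[bool, str]:
    """Return (ok, reason). Only a direct A record passes.

    A CNAME fails on purpose: Kerberos libraries follow the CNAME to the
    A name before requesting a ticket, so the KDC would be asked for a
    principal that does not match the one being created here.
    """
    records = lookup(fqdn)
    by_type = {rtype.upper(): rdata for rtype, rdata in records}
    if "A" in by_type:
        return True, "%s has A record %s" % (fqdn, by_type["A"])
    if "CNAME" in by_type:
        return False, "%s is a CNAME to %s, not an A record" % (fqdn, by_type["CNAME"])
    return False, "%s has no A record" % fqdn


def add_service(principal: str, lookup: Lookup = toy_lookup,
                force: bool = False) -> Dict[str, Optional[str]]:
    """Model ipa-addservice: refuse non-A hosts unless force=True."""
    host = principal_host(principal)
    ok, reason = check_a_record(host, lookup)
    if not ok and not force:
        raise ServiceCreateError(
            "The requested hostname is not a DNS A record. "
            "This is required by Kerberos. (%s)" % reason)
    return {
        "principal": principal,
        "host": host,
        # With --force the principal is still created, but the caller is warned.
        "warning": None if ok else reason,
    }


if __name__ == "__main__":
    for p, f in [("host/ipaclient.ipaqa.com", False),
                 ("host/www.ipaqa.com", False),
                 ("host/www.ipaqa.com", True),
                 ("host/ipa.ipaqa.com", False)]:
        try:
            print(p, "force=%s" % f, "->", add_service(p, force=f))
        except ServiceCreateError as exc:
            print(p, "force=%s" % f, "->", exc)
```

With a real resolver plugged in, the same shape gives the warning the bug asks for, and `--force` maps directly onto the `force` argument.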
pushed in changeset 690
Updated doc at http://www.freeipa.com/page/ServerAdministration#Creating_and_Using_Service_Principals
QA Verified on May 22, 2008 (Yi)
Build used: May 22, 2008 (x64)
Tests have been done:

server64[05/22/24 10:41] ipa-addservice host/ipaclient.example.com
The requested hostname is not a DNS A record. This is required by Kerberos.
server64[05/22/24 10:45] ipa-addservice host/ipaclient.ipaqa.com
server64[05/22/24 10:49] ipa-addservice host/ipa.ipaqa.com
The requested hostname is not a DNS A record. This is required by Kerberos.