From b43e73143de66b0068cd01379c134d5ef6e304e9 Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Fri, 16 Feb 2018 20:58:52 +0100
Subject: [PATCH] realm domains: improve doc text

It is quite unclear how realm domains behave without reading source code. New doc text describes its purpose and how it is managed.
https://pagure.io/freeipa/issue/7424
Reviewed-By: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
---
 ipaserver/plugins/realmdomains.py | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/realmdomains.py b/ipaserver/plugins/realmdomains.py
index 13631e47c..f229d0571 100644
--- a/ipaserver/plugins/realmdomains.py
+++ b/ipaserver/plugins/realmdomains.py
@@ -36,6 +36,16 @@ Realm domains
 Manage the list of domains associated with IPA realm.
+This list is useful for Domain Controllers from other realms which have
+established trust with this IPA realm. They need the information to know
+which request should be forwarded to KDC of this IPA realm.
+
+Automatic management: a domain is automatically added to the realm domains
+list when a new DNS Zone managed by IPA is created. Same applies for deletion.
+
+Externally managed DNS: domains which are not managed in IPA server DNS
+need to be manually added to the list using ipa realmdomains-mod command.
+
 EXAMPLES:
 Display the current list of realm domains:
@@ -118,10 +128,22 @@ class realmdomains(LDAPObject):
 )
-
 @register()
 class realmdomains_mod(LDAPUpdate):
- __doc__ = _('Modify realm domains.')
+ __doc__ = _("""
+ Modify realm domains
+
+ DNS check: When manually adding a domain to the list, a DNS check is
+ performed by default. It ensures that the domain is associated with
+ the IPA realm, by checking whether the domain has a _kerberos TXT record
+ containing the IPA realm name. This check can be skipped by specifying
+ --force option.
+
+ Removal: when a realm domain which has a matching DNS zone managed by
+ IPA is being removed, a corresponding _kerberos TXT record in the zone is
+ removed automatically as well. Other records in the zone or the zone
+ itself are not affected.
+ """)
 takes_options = LDAPUpdate.takes_options + (
 Flag('force',