I just realized that the domain is used in ipadiscovery.py when checking if the target DS is the target DS. It is used to find out the realm and thus to also deduct what the right DS suffix is. But maybe there is an optimization to get rid of it.

Can't we just use some sane default when the --domain option is missing? Either the --server's domain or the local client's domain. You see, when I specify the --domain value, I really have no idea what value is the correct one and I believe other users might have the same problem.

Of course, if the user knows the correct value they want to use, let them use it. But do not force them to because they are likely to get it wrong anyway.

Hi, looks this is affecting other projects that are consuming FreeiPA like on https://bugzilla.redhat.com/show_bug.cgi?id=1874936, and I don't see a lot of movement on this issue.

Do we have a plan to have it fixed or to raise the severity/priority of it?

Can you please explain why are you using --server without --domain? What is the specific requirement for this configuration?

We cannot have default to '--server' domain portion because it is allowed to have IPA masters outside IPA primary domain without an issue. You still need to know primary domain and in this case deriving primary domain from --server value will fail and cause more confusion.

If the IPA server knows its primary domain, can't it use that (and report it back to ipa-client-install), if --domain is not specified?

The client installer needs to know the domain before contacting the server, to be able to set up an environment.