23.03.2016, 01:10, Sam Hartman wrote:
> Not really.
> The acl is clearly not a conffile, because there is no default that is
> correct for a majority of sites.
> So, it's not appropriate to ship in a package, but instead should be
> created by a postinst somewhere.
> (I've been planning to get rid of krb5_newrealm and move realm setup
> into postinst/config, which may also complicate freeipa).
> 
> It seems like you're going to run into the same policy issues with all
> the KDC bits, and probably the only solution from a policy standpoint is
> to have cooperation between the packages.  Which I'm happy to do.

Hmm I'm not aware of policy issues here?

> As for the technical issue, yes, it does seem like it would be a good
> idea to provide a stub ACL template, and one of our postinsts can cause
> it to get in place.

Great!

> I'm not sure what a good solution is for debconfing realm setup in the
> simple case, but providing a smooth user experience for freeipa.
> I want to get rid of krb5_newrealm, because it means the realm setup
> dialogue cannot be translated, and because it means realm setup
> questions cannot easily be preseeded, and because it's an extra step.
> Part of the answer may be asking the user whether they want automatic
> configuration, but I'd imagine that question would typically be at
> priority medium, so not everyone would see it.
> There's probably some good answer here, and I'd be delighted to
> brainstorm until we find it.

Freeipa is kinda special since its setup scripts (run by the admin, not
the package install) have pretty much free control over every config
that it needs to touch. I'm not planning to add any debconf integration
to it, at least not in the foreseeable future. The setup is meant to run
on a rather clean install and mostly just stay the way it was originally
set up (though version upgrades update the LDAP with new features etc.).

So I guess from freeipa POV the best would be for krb5* to not do
anything on postinst. But priority medium should cover that, I think.

-- 
t
