Simo Sorce wrote:
On Thu, 14 Jan 2010 15:53:55 -0500
Rob Crittenden <rcrit...@redhat.com> wrote:

I just discovered a problem with replica installation in IPAv2 and wanted to get some additional opinions on it.

The scenario is this: You've installed a master, perhaps added some entries on it, everything is working fine. You've got some hosts that you added entries for as well, perhaps even creating some service
keytabs.

Now you want to make one of those hosts an IPA replica. Things will
blow up gloriously because some principals needed for the replica may
already exist in the DB.

So the question is, do we want to enforce that any replica hosts
don't already exist in the database before proceeding? It seems
reasonable to me but I'm pretty draconian about such things.

Thoughts?

Ok so the best solution would be to detect that and just use the
existing entries.

Although if it is really just krb keys, I think it is perfectly
acceptable to simply delete existing ones at replica-install time and
regenerate new ones. (with a warning that some clients may need to
refresh their credential cache in the hours right after the operation).

It would be probably much easier if we can get to do an online replica
install instead of going through the current file based replica.

Can we revisit what keeps us from doing that ? With the addition of
dogtag in 2.0 are certificates still a problem ? What else do we miss ?

Simo.


Certs are no problem.

One of the hangups was kpasswd.keytab which needs to be the same on all machines. I seem to think that all the problems were related to bootstrapping the KDC.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to