Simo Sorce wrote:
> On Thu, 14 Jan 2010 15:53:55 -0500
> Rob Crittenden <rcrit...@redhat.com> wrote:
>> I just discovered a problem with replica installation in IPAv2 and
>> wanted to get some additional opinions on it.
>> The scenario is this: You've installed a master, perhaps added some
>> entries on it, everything is working fine. You've got some hosts that
>> you added entries for as well, perhaps even creating some service
>> Now you want to make one of those hosts an IPA replica. Things will
>> blow up gloriously because some principals needed for the replica may
>> already exist in the DB.
>> So the question is, do we want to enforce that any replica hosts
>> don't already exist in the database before proceeding? It seems
>> reasonable to me, but I'm pretty draconian about such things.
> Ok so the best solution would be to detect that and just use the
> Although if it is really just krb keys, I think it is perfectly
> acceptable to simply delete existing ones at replica-install time and
> regenerate new ones (with a warning that some clients may need to
> refresh their credential cache in the hours right after the operation).
> It would probably be much easier if we could do an online replica
> install instead of going through the current file-based replica.
> Can we revisit what keeps us from doing that? With the addition of
> dogtag in 2.0, are certificates still a problem? What else do we miss?
Certs are no problem.
One of the hangups was kpasswd.keytab which needs to be the same on all
machines. I seem to think that all the problems were related to
bootstrapping the KDC.
Freeipa-devel mailing list