Lance Dillon wrote:


    ------------------------------------------------------------------------
    *From:* Rob Crittenden <rcrit...@redhat.com>
    *To:* Martin Kosek <mko...@redhat.com>
    *Cc:* freeipa-devel <freeipa-devel@redhat.com>
    *Sent:* Thursday, July 5, 2012 3:18 PM
    *Subject:* Re: [Freeipa-devel] [PATCH] 1032 allow multiple --server in client install, don't always set _srv_

    Martin Kosek wrote:
     > On 07/04/2012 12:12 AM, Rob Crittenden wrote:
     >> If you pass in --server and --fixed-primary then don't add _srv_ to ipa_server
     >> in sssd.conf.
     >>
     >> This necessitates the desire to be able to provide multiple servers so make
     >> --server accept multiple values. This represents the bulk of the code changes.
     >> In every case we only use the additional values in sssd.conf.
     >>
     >> I also made some minor tweaks to discovery. There were cases where DNS
     >> discovery wasn't successful but we set dnsok anyway which could cause some
     >> cascading issues.
     >>
     >> There are a ton of possible corner cases with this so please, be brutal.
     >>
     >> I tested the following against a DNS server that had SRV records and against
     >> one that did not.
     >>
     >> - ipa-client-install
     >> - ipa-client-install --server=ipa.example.com --domain=example.com
     >> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com --domain=example.com
     >> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com --domain=example.com --fixed-primary
     >> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com --domain=example.com --fixed-primary --no-sssd
     >> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com --domain=example.com --no-sssd
     >>
     >> rob
     >
     > I did various checks, generally the patch behaves ok, I did not find any major
     > bug. I have just 2 questions/suggestions:
     >
     > 1) Since we allow more fixed servers to be passed as --server parameter, we
     > could name them all in /etc/krb5.conf in "kdc" and "admin_server" options when
     > DNS is not OK instead of writing just the first one in the list. Kerberos tools
     > then should be able to fall back when some of them are not available.

    Sure, that makes sense. Done.

     > 2) When DNS discovery is not OK, we still add _srv_ to ipa_server option in
     > sssd.conf. Is it intentional?

    Yes, it was sort of a future-proofing if SRV records are ever made
    available.

    rob

Could I request an option to not add _srv_ at all, like a
--no-dns-discovery option?  This way those of us who unfortunately are
in situations where we can't create SRV records at all can have it
designated at install time.  Otherwise I have to edit the config files
afterwards anyway to get rid of it.

It could be made default false, of course, but if set the _srv_ entry
would not be added.

You'll be able to do that by specifying --server and --fixed-primary.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
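
An added example, not part of the thread and not FreeIPA code: a Python check that reads an sssd.conf and reports, per domain, whether `ipa_server` still contains the `_srv_` entry discussed above and which fixed servers it names. The sample configuration and the function name `audit_ipa_server` are constructed for illustration.

```python
import configparser

# Constructed sample, not taken from the thread: one domain that still lists
# _srv_ (DNS SRV discovery) and one pinned to explicit servers only.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.com, lab.example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa.example.com

[domain/lab.example.com]
id_provider = ipa
ipa_domain = lab.example.com
ipa_server = ipa.example.com, ipa1.example.com
"""


def audit_ipa_server(conf_text):
    """Return {domain: {"srv_discovery": bool, "servers": [...]}}."""
    # sssd.conf values may contain '%', so disable interpolation.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] and similar sections
        value = parser.get(section, "ipa_server", fallback=None)
        if value is None:
            continue  # ipa_server is not set for this domain
        entries = [e.strip() for e in value.split(",") if e.strip()]
        report[section[len("domain/"):]] = {
            "srv_discovery": "_srv_" in entries,
            "servers": [e for e in entries if e != "_srv_"],
        }
    return report


if __name__ == "__main__":
    for domain, info in audit_ipa_server(SAMPLE_SSSD_CONF).items():
        mode = "uses _srv_" if info["srv_discovery"] else "fixed servers only"
        print(f"{domain}: {mode}; servers={', '.join(info['servers'])}")
```
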
