Martin Babinsky wrote:
> On 03/02/2015 04:28 PM, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>>>>>>>> On 01/12/2015 05:45 PM, Martin Babinsky wrote:
>>>>>>>>>> related to ticket
>>> this patch seems to be a bit forgotten.
>>> It works, looks fine.
>>> One minor issue: trailing whitespaces in the man page.
>>> I also wonder if it shouldn't be used in other tools which call kinit
>>> with keytab:
>>> * ipa-client-automount:434
>>> * ipa-client-install:2591 (this usage should be fine since it's used for
>>> server installation)
>>> *
>>> * 971, 981 (armor for web ui forms base auth)
>>> Most importantly the ipa-client-automount because it's called from
>>> ipa-client-install (if location is specified) and therefore it might
>>> fail during client installation.
>>> Or also, kinit call with admin creadentials worked for the user but I
>>> wonder if it was just a coincidence and may break under slightly
>>> different but similar conditions.
>> I think that's a fine idea. In fact there is already a function that
>> could be extended, kinit_hostprincipal().
>> rob
> So in principle we could add multiple TGT retries to
> "kinit_hostprincipal()" and then plug this function to all the places
> Petr mentioned in order to provide this functionality each time TGT is
> requested using keytab.
> Do I understand it correctly?

Honestly I think I'd only do the retries on client installation.  I
don't know that the other uses would really benefit or need this.

But this is an opportunity to consolidate some code, so I guess the
approach I'd take is to add an option to kinit_hostprincipal of
retries=0 so that only a single kinit is done. The client installers
would pass in some value.

This change is quite a bit more invasive but it's also early in the
release cycle so the risk will be spread out.


Freeipa-devel mailing list

Reply via email to