On Tue, 13 Oct 2015, Martin Basti wrote:

On 13.10.2015 10:04, Petr Spacek wrote:
On 13.10.2015 09:34, Martin Babinsky wrote:
On 10/13/2015 09:17 AM, Petr Spacek wrote:
On 12.10.2015 13:38, Martin Babinsky wrote:
each service possessing Kerberos keytab will now remove it and destroy any
associated credentials cache during its uninstall

BTW some time ago Simo proposed that we should remove caches and old keytabs
during *install* so problems caused by failing uninstallation will be fixed on
repeated install. This is yet another step towards idempotent installer.

To me this makes more sense than doing so on uninstall. Does it make sense to
you, too?

If the problem is formulated like this (the endpoint is that services have
their keytabs) then it makes more sense to me. I will rework the patch.
Adding Simo to Cc, so we can be sure that we understood it properly :-)

Simo, does it make sense to do that on installation rather than installation?

I would like to keep removing keytabs during uninstall too, IPA should clean its own mess.
It is better to remove on installation because we know what the state
of the system should be after install. On uninstall we cannot be
guaranteed that we wouldn't remove something that wasn't used anymore.

Note that removing /etc/krb5.keytab doesn't mean that, for example,
Apache will be unusable on this system if it was previously configured.
In the ideal environment you don't even need /etc/krb5.conf to have it
accepting Kerberos authentication.
/ Alexander Bokovoy
