On 13.10.2015 14:52, Simo Sorce wrote:
> On 13/10/15 04:04, Petr Spacek wrote:
>> On 13.10.2015 09:34, Martin Babinsky wrote:
>>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>>
>>>>> each service possessing Kerberos keytab will now remove it and destroy any
>>>>> associated credentials cache during its uninstall
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5243
>>>>
>>>> BTW some time ago Simo proposed that we should remove caches and old keytabs
>>>> during *install* so problems caused by failing uninstallation will be fixed on
>>>> repeated install. This is yet another step towards idempotent installer.
>>>>
>>>> To me this makes more sense than doing so on uninstall. Does it make sense to
>>>> you, too?
>>>>
>>>
>>> If the problem is formulated like this (the endpoint is that services have
>>> their keytabs) then it makes more sense to me. I will rework the patch
>>> accordingly.
>>
>> Adding Simo to Cc, so we can be sure that we understood it properly :-)
>>
>> Simo, does it make sense to do that on installation rather than installation?
>
> Actually on a server re-install it may make sense to check if the keytab is
> valid and keep it if it is.
> Make sure you do not break promotion by removing the host keytab or keytabs
> that have been legitimately created in the client.

I would expect that keytabs created in client installation should not be
touched/overwritten at all in server install, right?

In other words: ipa-client-install and ipa-replica-promote should be totally
separate tools and do not duplicate functionality.

-- 
Petr^2 Spacek
