On 13.10.2015 14:52, Simo Sorce wrote:
> On 13/10/15 04:04, Petr Spacek wrote:
>> On 13.10.2015 09:34, Martin Babinsky wrote:
>>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>>
>>>>> each service possessing Kerberos keytab wiil now remove it and destroy any
>>>>> associated credentials cache during its uninstall
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5243
>>>>
>>>> BTW some time ago Simo proposed that we should remove caches and old 
>>>> keytabs
>>>> during *install* so problems caused by failing uninstallation will be
>>>> fixed on
>>>> repeated install. This is yet another step towards idempotent installer.
>>>>
>>>> To me this makes more sense than doing so on uninstall. Does it make sense 
>>>> to
>>>> you, too?
>>>>
>>>
>>> If the problem is formulated like this (the endpoint is that services have
>>> their keytabs) then it makes more sense to me. I will rework the patch
>>> accordingly.
>>
>> Adding Simo to Cc, so we can be sure that we understood it properly :-)
>>
>> Simo, does it make sense to do that on installation rather than installation?
> 
> Actually on a server re-install it may make sense to check if the keytab is
> valid and keep it if it is.
> Make sure you do not break promotion by removing the host keytab or keytabs
> that have been legitimately created in the client.

I would expect that keytabs created in client installation should not be
touched/overwritten at all in server install, right?

In other words: ipa-client-install and ipa-replica-promote should be totally
separate tools and do not duplicate functionality.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to