On 13/10/15 08:58, Petr Spacek wrote:
On 13.10.2015 14:52, Simo Sorce wrote:
On 13/10/15 04:04, Petr Spacek wrote:
On 13.10.2015 09:34, Martin Babinsky wrote:
On 10/13/2015 09:17 AM, Petr Spacek wrote:
On 12.10.2015 13:38, Martin Babinsky wrote:


each service possessing Kerberos keytab will now remove it and destroy any
associated credentials cache during its uninstall

https://fedorahosted.org/freeipa/ticket/5243

BTW some time ago Simo proposed that we should remove caches and old keytabs
during *install* so problems caused by failing uninstallation will be fixed on
repeated install. This is yet another step towards idempotent installer.

To me this makes more sense than doing so on uninstall. Does it make sense to
you, too?


If the problem is formulated like this (the endpoint is that services have
their keytabs) then it makes more sense to me. I will rework the patch
accordingly.

Adding Simo to Cc, so we can be sure that we understood it properly :-)

Simo, does it make sense to do that on installation rather than installation?

Actually on a server re-install it may make sense to check if the keytab is
valid and keep it if it is.
Make sure you do not break promotion by removing the host keytab or keytabs
that have been legitimately created in the client.

I would expect that keytabs created in client installation should not be
touched/overwritten at all in server install, right?

In other words: ipa-client-install and ipa-replica-promote should be totally
separate tools and do not duplicate functionality.

They don't.

But there is no ipa-replica-promote, just ipa-replica-install, which will do promotion (and in future will do client install as well if client is not already installed before going on with promotion code).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
