Alexander Bokovoy wrote:
> On Tue, 13 Oct 2015, Martin Basti wrote:
>> On 13.10.2015 10:04, Petr Spacek wrote:
>>> On 13.10.2015 09:34, Martin Babinsky wrote:
>>>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>>> each service possessing Kerberos keytab will now remove it and destroy any
>>>>>> associated credentials cache during its uninstall
>>>>> BTW some time ago Simo proposed that we should remove caches and old keytabs
>>>>> during *install* so problems caused by failing uninstallation will be fixed on
>>>>> repeated install. This is yet another step towards idempotent installer.
>>>>> To me this makes more sense than doing so on uninstall. Does it make sense to
>>>>> you, too?
>>>> If the problem is formulated like this (the endpoint is that services have
>>>> their keytabs) then it makes more sense to me. I will rework the patch
>>>> accordingly.
>>> Adding Simo to Cc, so we can be sure that we understood it properly :-)
>>> Simo, does it make sense to do that on installation rather than
>>> installation?
>> I would like to keep removing keytabs during uninstall too, IPA should
>> clean own mess.
> It is better to remove on installation because we know what the state
> of the system should be after install. On uninstall we cannot be
> guaranteed that we wouldn't remove something that wasn't used anymore.
> Note that removing /etc/krb5.keytab doesn't mean that, for example,
> Apache will be unusable on this system if it was previously configured.
> In the ideal environment you don't even need /etc/krb5.conf to have it
> accepting Kerberos authentication.

See ipa-rmkeytab to safely remove principals by realm.

