Alexander Bokovoy wrote:
> On Tue, 13 Oct 2015, Martin Basti wrote:
>>
>>
>> On 13.10.2015 10:04, Petr Spacek wrote:
>>> On 13.10.2015 09:34, Martin Babinsky wrote:
>>>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>>> each service possessing Kerberos keytab will now remove it and
>>>>>> destroy any associated credentials cache during its uninstall
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5243
>>>>> BTW some time ago Simo proposed that we should remove caches and
>>>>> old keytabs during *install* so problems caused by failing
>>>>> uninstallation will be fixed on repeated install. This is yet
>>>>> another step towards idempotent installer.
>>>>>
>>>>> To me this makes more sense than doing so on uninstall. Does it
>>>>> make sense to you, too?
>>>>>
>>>> If the problem is formulated like this (the endpoint is that
>>>> services have their keytabs) then it makes more sense to me. I will
>>>> rework the patch accordingly.
>>> Adding Simo to Cc, so we can be sure that we understood it properly :-)
>>>
>>> Simo, does it make sense to do that on installation rather than
>>> installation?
>>>
>>
>> I would like to keep removing keytabs during uninstall too, IPA should
>> clean own mess.
> It is better to remove on installation because we know what the state
> of the system should be after install. On uninstall we cannot be
> guaranteed that we wouldn't remove something that wasn't used anymore.
>
> Note that removing /etc/krb5.keytab doesn't mean that, for example,
> Apache will be unusable on this system if it was previously configured.
> In the ideal environment you don't even need /etc/krb5.conf to have it
> accepting Kerberos authentication.

See ipa-rmkeytab to safely remove principals by realm.

rob