On 10/13/2015 02:52 PM, Simo Sorce wrote:
I'm not sure how we can keep the keytabs when reinstalling the server.
We are re-creating the service principals with new keys and thus have to
recreate keytabs anyway. I would argue that we should wipe them (and any
leftover credentials caches) before installation.
On 13/10/15 04:04, Petr Spacek wrote:
On 13.10.2015 09:34, Martin Babinsky wrote:
On 10/13/2015 09:17 AM, Petr Spacek wrote:
On 12.10.2015 13:38, Martin Babinsky wrote:
each service possessing Kerberos keytab will now remove it and
associated credentials cache during its uninstall
BTW some time ago Simo proposed that we should remove caches and old
during *install* so problems caused by failing uninstallation will
be fixed on
repeated install. This is yet another step towards idempotent
To me this makes more sense than doing so on uninstall. Does it make
If the problem is formulated like this (the endpoint is that services
their keytabs) then it makes more sense to me. I will rework the patch
Adding Simo to Cc, so we can be sure that we understood it properly :-)
Simo, does it make sense to do that on installation rather than
Actually on a server re-install it may make sense to check if the keytab
is valid and keep it if it is.
But maybe I have missed something.
I was not poking host keytabs in my patch specifically for this reason.
There is some code in ipa-client-install that handles principal removal
from /etc/krb5.keytab during client uninstall. And since this code is
run after IPA server uninstall I left it to do its job.
Make sure you do not break promotion by removing the host keytab or
keytabs that have been legitimately created in the client.
But otherwise the direction is good.