On 10/13/2015 02:52 PM, Simo Sorce wrote:
On 13/10/15 04:04, Petr Spacek wrote:
On 13.10.2015 09:34, Martin Babinsky wrote:
On 10/13/2015 09:17 AM, Petr Spacek wrote:
On 12.10.2015 13:38, Martin Babinsky wrote:

each service possessing Kerberos keytab wiil now remove it and
destroy any
associated credentials cache during its uninstall

https://fedorahosted.org/freeipa/ticket/5243

BTW some time ago Simo proposed that we should remove caches and old
keytabs
during *install* so problems caused by failing uninstallation will
be fixed on
repeated install. This is yet another step towards idempotent
installer.

To me this makes more sense than doing so on uninstall. Does it make
sense to
you, too?


If the problem is formulated like this (the endpoint is that services
have
their keytabs) then it makes more sense to me. I will rework the patch
accordingly.

Adding Simo to Cc, so we can be sure that we understood it properly :-)

Simo, does it make sense to do that on installation rather than
installation?

Actually on a server re-install it may make sense to check if the keytab
is valid and keep it if it is.
I'm not sure how can we keep the keytabs when reinstalling the server. We are re-creating the service principals with new keys and thus have to recreate keytabs anyway. I would argue that we should wipe them (and any leftover credentials caches) before installation.

But maybe I have missed something.
Make sure you do not break promotion by removing the host keytab or
keytabs that have been legitimately created in the client.

I was not poking host keytabs in my patch specifically for this reason. There is some code in ipa-client-install that handles principal removal from /etc/krb5.keytab during client uninstall. And since this code is run after IPA server uninstall I left it to do its job.

But otherwise the direction is good.

Simo.



--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to