On 25.11.2015 09:01, Jan Cholasta wrote:
On 24.11.2015 15:56, Tomas Babej wrote:
On 11/23/2015 04:43 PM, Jan Cholasta wrote:
On 23.11.2015 12:50, Tomas Babej wrote:
this patch implements the single command replica promotion&enrollment
1) ensure_enrolled() should be called from promote_check() after the
client check is done:
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
if not client_fstore.has_files():
Also it should no longer be decorated with @common_cleanup.
+ server_name = Knob(
+ str, None,
+ description="fully qualified name of IPA server to enrooll to",
Please use the same identifier ipa-client-install uses, i.e.
Also there is typo in the description: "enrooll".
You don't need to set cli_name anymore, as it's the same as the default.
+ host_name = Knob(
+ str, None,
+ description="fully qualified name of this host",
This knob is already defined in BaseServer, there's no need to redefine
it here (just remove the "host_name = None").
If you want to change the description, change it in BaseServer.
Yep, that was the reasoning here. Changed in BaseServer.
+ keytab = Knob(
+ str, None,
+ description="path to backed up keytab from previous
ipa-client-install uses the short name -k for the keytab option, it
should be used here as well.
You don't need to set cli_name here as well.
5) The replica file argument conflicts with the --realm, --domain,
--server, --admin-password and --principal options. This should be
checked in Replica.__init__().
The --hostname option should either be conflicting as well or be
implemented properly for legacy replica install.
All of them now conflict --replica-file.
Replica file is not an option but rather an argument in
I think the error message should use the same wording which is used for
--forwarder vs. --no-forwarder and --reverse-zone vs. --no-reverse: "You
cannot specify a --something option together with replica file".
6) I think --admin-password should be renamed to --password and the
description changed, since it now also allows OTP enrollment.
I changed the requirements to mandate --principal when --password is
used, as we discussed.
I was wrong here, sorry.
ipa-replica-install assumes "admin" for principal by default, so we just
need to make sure ipa-client-install is called with --principal when
password is used, whether it's the provided principal or the default
The name of the option cannot really be changed, as it is already taken
by the dm_password.
One more thing I remembered:
7) When you try replica promotion on domain level 0, ipa-replica-install
will install the client, then do the domain level check and fail,
leaving the client installed. The check should be done as soon as
possible, i.e. in ipa-client-install, so that nothing is installed in
This can be a separate patch though.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code