Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

Mon, 07 Dec 2015 22:57:08 -0800 

On 7.12.2015 16:43, Martin Kosek wrote:

On 12/07/2015 02:17 PM, Tomas Babej wrote:



On 12/04/2015 08:22 PM, Rob Crittenden wrote:

Martin Kosek wrote:

On 12/04/2015 07:17 PM, Tomas Babej wrote:

Hi,

Avoids failing in the later stages during the ipa-client-install
command.

Tomas


Is this change needed? Wouldn't it be better to update
ipa-client-install or ipa-replica-install to not require the --domain
option? I would hope that --domain can be figured out during
installation and not passed to ipa-replica-install manually by the admin.

I just think that calling
# ipa-replica-install --server=master.example.com
is better than
# ipa-replica-install --server=master.example.com --domain example.com
if possible.


IIRC this is for service discovery when using a specific server and not
LDAP. This is the domain used to search for the kerberos realm, for
example.

That isn't to say this isn't discoverable but it would require another
function in discovery to query what the IPA domain is from the given
master but it gets tricky if anonymous search is disabled, for example.

rob



Needed or not, this is the behaviour that ipa-client-install has now.
Adding a domain detection method would be a RFE for ipa-client-install
(and imho not something we should be adding at this point).

This patch only focuses on making the ipa-replica-install work more
smoothly.


I am just thinking that client promotion (ipa-replica-install) and
ipa-client-install are a bit different use cases. While ipa-client-install
should be typically run in auto-discovery and you thus do not use --server
option much, while with ipa-replica-install, you want to make sure you have the
expected topology and should use --server all the time without gambling on it.

But I do not think it has to be there since 4.3 GA, can you please file a
ticket for this gap?



I would rather do it now, because the change from optional to mandatory 
is backward incompatible. (We don't want to break users' scripts, right?)


--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code






















					Reply via email to