On 12/08/2015 08:28 AM, Jan Cholasta wrote:
> On 8.12.2015 08:23, Martin Kosek wrote:
>> On 12/08/2015 07:57 AM, Jan Cholasta wrote:
>>> On 7.12.2015 16:43, Martin Kosek wrote:
>>>> On 12/07/2015 02:17 PM, Tomas Babej wrote:
>>>>>
>>>>>
>>>>> On 12/04/2015 08:22 PM, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> On 12/04/2015 07:17 PM, Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Avoids failing in the later stages during the ipa-client-install
>>>>>>>> command.
>>>>>>>>
>>>>>>>> Tomas
>>>>>>>
>>>>>>> Is this change needed? Wouldn't it be better to update
>>>>>>> ipa-client-install or ipa-replica-install to not require the --domain
>>>>>>> option? I would hope that --domain can be figured out during
>>>>>>> installation and not passed to ipa-replica-install manually by the 
>>>>>>> admin.
>>>>>>>
>>>>>>> I just think that calling
>>>>>>> # ipa-replica-install --server=master.example.com
>>>>>>> is better than
>>>>>>> # ipa-replica-install --server=master.example.com --domain example.com
>>>>>>> if possible.
>>>>>>
>>>>>> IIRC this is for service discovery when using a specific server and not
>>>>>> LDAP. This is the domain used to search for the kerberos realm, for
>>>>>> example.
>>>>>>
>>>>>> That isn't to say this isn't discoverable but it would require another
>>>>>> function in discovery to query what the IPA domain is from the given
>>>>>> master but it gets tricky if anonymous search is disabled, for example.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> Needed or not, this is the behaviour that ipa-client-install has now.
>>>>> Adding a domain detection method would be an RFE for ipa-client-install
>>>>> (and imho not something we should be adding at this point).
>>>>>
>>>>> This patch only focuses on making the ipa-replica-install work more
>>>>> smoothly.
>>>>
>>>> I am just thinking that client promotion (ipa-replica-install) and
>>>> ipa-client-install are a bit different use cases. While ipa-client-install
>>>> should be typically run in auto-discovery and you thus do not use --server
>>>> option much, while with ipa-replica-install, you want to make sure you have
>>>> the expected topology and should use --server all the time without gambling
>>>> on it.
>>>>
>>>> But I do not think it has to be there since 4.3 GA, can you please file a
>>>> ticket for this gap?
>>>
>>> I would rather do it now, because the change from optional to mandatory is
>>> backward incompatible. (We don't want to break users' scripts, right?)
>>
>> I think it is the other way around - with the change I was suggesting
>> (autodetecting --domain option instead of always requesting it, as in Tomas'
>> patch which we can merge if my proposal is not doable for 4.3 GA).
>>
> 
> "with ipa-replica-install, you want to make sure you have the expected
> topology and should use --server all the time" sounds like you want to make
> --server mandatory for ipa-replica-install, which should be done either before
> 4.3 GA or never.

Ah, no, this is not what I meant. I was only discussing the --domain option in
this mail and the typical use cases for --server option in ipa-client-install
and ipa-replica-install.

If we can trust ipa-replica-install to do a good job in picking a server to
replicate from, the --server can stay optional. Although I am on the fence here,
being more explicit when creating topology may be helpful. CCing Simo, in case
he has some opinions on this.
