On Tue, 2015-12-08 at 13:34 +0100, Martin Kosek wrote:
> On 12/08/2015 08:28 AM, Jan Cholasta wrote:
> > On 8.12.2015 08:23, Martin Kosek wrote:
> >> On 12/08/2015 07:57 AM, Jan Cholasta wrote:
> >>> On 7.12.2015 16:43, Martin Kosek wrote:
> >>>> On 12/07/2015 02:17 PM, Tomas Babej wrote:
> >>>>>
> >>>>>
> >>>>> On 12/04/2015 08:22 PM, Rob Crittenden wrote:
> >>>>>> Martin Kosek wrote:
> >>>>>>> On 12/04/2015 07:17 PM, Tomas Babej wrote:
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> Avoids failing in the later stages during the ipa-client-install
> >>>>>>>> command.
> >>>>>>>>
> >>>>>>>> Tomas
> >>>>>>>
> >>>>>>> Is this change needed? Wouldn't it be better to update
> >>>>>>> ipa-client-install or ipa-replica-install to not require the --domain
> >>>>>>> option? I would hope that --domain can be figured out during
> >>>>>>> installation and not passed to ipa-replica-install manually by the admin.
> >>>>>>>
> >>>>>>> I just think that calling
> >>>>>>> # ipa-replica-install --server=master.example.com
> >>>>>>> is better than
> >>>>>>> # ipa-replica-install --server=master.example.com --domain example.com
> >>>>>>> if possible.
> >>>>>>
> >>>>>> IIRC this is for service discovery when using a specific server and not
> >>>>>> LDAP. This is the domain used to search for the kerberos realm, for
> >>>>>> example.
> >>>>>>
> >>>>>> That isn't to say this isn't discoverable but it would require another
> >>>>>> function in discovery to query what the IPA domain is from the given
> >>>>>> master but it gets tricky if anonymous search is disabled, for example.
> >>>>>>
> >>>>>> rob
> >>>>>>
> >>>>>
> >>>>> Needed or not, this is the behaviour that ipa-client-install has now.
> >>>>> Adding a domain detection method would be an RFE for ipa-client-install
> >>>>> (and imho not something we should be adding at this point).
> >>>>>
> >>>>> This patch only focuses on making the ipa-replica-install work more
> >>>>> smoothly.
> >>>>
> >>>> I am just thinking that client promotion (ipa-replica-install) and
> >>>> ipa-client-install are a bit different use cases. While ipa-client-install
> >>>> should be typically run in auto-discovery and you thus do not use --server
> >>>> option much, while with ipa-replica-install, you want to make sure you have
> >>>> the expected topology and should use --server all the time without gambling
> >>>> on it.
> >>>>
> >>>> But I do not think it has to be there since 4.3 GA, can you please file a
> >>>> ticket for this gap?
> >>>
> >>> I would rather do it now, because the change from optional to mandatory is
> >>> backward incompatible. (We don't want to break users' scripts, right?)
> >>
> >> I think it is the other way around - with the change I was suggesting
> >> (autodetecting --domain option instead of always requesting it, as in Tomas'
> >> patch which we can merge if my proposal is not doable for 4.3 GA).
> >>
> > 
> > "with ipa-replica-install, you want to make sure you have the expected topology
> > and should use --server all the time" sounds like you want to make --server
> > mandatory for ipa-replica-install, which should be done either before 4.3 GA or
> > never.
> 
> Ah, no, this is not what I meant. I was only discussing the --domain option in
> this mail and the typical use cases for --server option in ipa-client-install
> and ipa-replica-install.
> 
> If we can trust ipa-replica-install to do a good job in picking a server to
> replica from, the --server can stay optional. Although I am on the fence here,
> being more explicit when creating topology may be helpful. CCing Simo, in case
> he has some opinions on this.

Leave it optional, our first order of business is making things simple,
then adding optional knobs to let the admin with knowledge to tweak
things.

Simo.
