On 12/08/2015 02:00 PM, Simo Sorce wrote:
On Tue, 2015-12-08 at 13:34 +0100, Martin Kosek wrote:
On 12/08/2015 08:28 AM, Jan Cholasta wrote:
On 8.12.2015 08:23, Martin Kosek wrote:
On 12/08/2015 07:57 AM, Jan Cholasta wrote:
On 7.12.2015 16:43, Martin Kosek wrote:
On 12/07/2015 02:17 PM, Tomas Babej wrote:

On 12/04/2015 08:22 PM, Rob Crittenden wrote:
Martin Kosek wrote:
On 12/04/2015 07:17 PM, Tomas Babej wrote:

Avoids failing in the later stages during the ipa-client-install


Is this change needed? Wouldn't it be better to update
ipa-client-install or ipa-replica-install to not require the --domain
option? I would hope that --domain can be figured out during
installation and not passed to ipa-replica-install manually by the admin.

I just think that calling
# ipa-replica-install --server=master.example.com
is better than
# ipa-replica-install --server=master.example.com --domain example.com
if possible.

IIRC this is for service discovery when using a specific server and not
LDAP. This is the domain used to search for the kerberos realm, for

That isn't to say this isn't discoverable but it would require another
function in discovery to query what the IPA domain is from the given
master but it gets tricky if anonymous search is disabled, for example.


Needed or not, this is the behaviour that ipa-client-install has now.
Adding a domain detection method would be a RFE for ipa-client-install
(and imho not something we should be adding at this point).

This patch only focuses on making the ipa-replica-install work more

I am just thinking that client promotion (ipa-replica-install) and
ipa-client-install are a bit different use cases. While ipa-client-install
should be typically run in auto-discovery and you thus do not use --server
option much, while with ipa-replica-install, you want to make sure you have
expected topology and should use --server all the time without gambling on it.

But I do not think it has to be there since 4.3 GA, can you please file a
ticket for this gap?

I would rather do it now, because the change from optional to mandatory is
backward incompatible. (We don't want to break users' scripts, right?)

I think it is the other way around - with the change I was suggesting
(autodetecting --domain option instead of always requesting it, as in Tomas'
patch which we can merge if my proposal is not doable for 4.3 GA).

"with ipa-replica-install, you want to make sure you have the expected topology
and should use --server all the time" sounds like you want to make --server
mandatory for ipa-replica-install, which should be done either before 4.3 GA or

Ah, no, this is not what I meant. I was only discussing the --domain option in
this mail and the typical use cases for --server option in ipa-client-install
and ipa-replica-install.

If we can trust ipa-replica-install to do a good job in picking a server to
replicate from, the --server can stay optional. Although I am on the fence here,
being more explicit when creating topology may be helpful. CCing Simo, in case
he has some opinions on this.

Leave it optional, our first order of business is making things simple,
then adding optional knobs to let the admin with knowledge to tweak


ACK for original patch

Pushed to master: c3c8651ac1bac794e32b3c01f7e4f6b487dcef08
Petr Vobornik
