URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
We do not backup ccache, we back up apache keytab.

During restore into installer server we back up old Kerberos keys, but without 
any mechanism to purge the new apache ccache acquired during the installation 
of new server you would end up with key mismatch and nothing would work until 
the ccache expires.

As to why a) we backup Kerberos keys, and b) support restoring into running IPA 
server that is beyond me.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to