Re: [Freeipa-devel] [PATCH] 459 remove Requires on python-krbV

2010-06-01 Thread Stephen Gallagher
On 06/01/2010 02:43 PM, Rob Crittenden wrote: I used python-krbV to get the configured Kerberos realm so we could clean up /etc/krb5.keytab. This is a bit heavy-weight for one line of code. We can instead parse /etc/ipa/default.conf to get the same thing without an additional Requires. rob Pat

[Freeipa-devel] [PATCH] 459 remove Requires on python-krbV

2010-06-01 Thread Rob Crittenden
I used python-krbV to get the configured Kerberos realm so we could clean up /etc/krb5.keytab. This is a bit heavy-weight for one line of code. We can instead parse /etc/ipa/default.conf to get the same thing without an additional Requires. rob freeipa-459-client.patch Description: applicati

Re: [Freeipa-devel] [PATCH] 458 catch no CA preop.pin

2010-06-01 Thread Rob Crittenden
Pavel Zuna wrote: On 05/28/2010 05:22 PM, Rob Crittenden wrote: The preop.pin is used to authenticate the admin when doing CA enrollment. We were assuming it would be available and things blow up badly if not (we end up passing None as an argument to exec). If there isn't a preop pin there is no

Re: [Freeipa-devel] [PATCH] 457 fall back to DM password in ipa-replica-manage

2010-06-01 Thread Rob Crittenden
Pavel Zuna wrote: On 05/27/2010 11:52 PM, Rob Crittenden wrote: ipa-replica-manage can use the current Kerberos credentials for some commands now. To make it a bit nicer to use, fall back to prompt for the DM password if there are no credentials. I've found it handy to have this in development.

Re: [Freeipa-devel] [PATCH] 455 upgrade over ldapi

2010-06-01 Thread Rob Crittenden
Pavel Zuna wrote: On 05/27/2010 07:04 PM, Rob Crittenden wrote: For v2 upgrades we want the LDAP server to be quiet so we will shut it down, disable its TCP listeners and bring it back up to update over ldapi. This also enables autobind so we can bind as root and perform operations as Directory

Re: [Freeipa-devel] [PATCH] 456 replica creation

2010-06-01 Thread Rob Crittenden
Pavel Zuna wrote: On 05/27/2010 11:51 PM, Rob Crittenden wrote: If a host is already enrolled (either as a client or a former replica) then ipa-replica-install will fail spectacularly with an error about a missing keytab. This is because some entries already exist and it totally confuses things.

Re: [Freeipa-devel] [PATCH] 456 replica creation

2010-06-01 Thread Pavel Zuna
On 05/27/2010 11:51 PM, Rob Crittenden wrote: If a host is already enrolled (either as a client or a former replica) then ipa-replica-install will fail spectacularly with an error about a missing keytab. This is because some entries already exist and it totally confuses things. We need to start t

Re: [Freeipa-devel] [PATCH] 455 upgrade over ldapi

2010-06-01 Thread Pavel Zuna
On 05/27/2010 07:04 PM, Rob Crittenden wrote: For v2 upgrades we want the LDAP server to be quiet so we will shut it down, disable its TCP listeners and bring it back up to update over ldapi. This also enables autobind so we can bind as root and perform operations as Directory Manager and not req

Re: [Freeipa-devel] [PATCH] 458 catch no CA preop.pin

2010-06-01 Thread Pavel Zuna
On 05/28/2010 05:22 PM, Rob Crittenden wrote: The preop.pin is used to authenticate the admin when doing CA enrollment. We were assuming it would be available and things blow up badly if not (we end up passing None as an argument to exec). If there isn't a preop pin there is no need to do anythin

Re: [Freeipa-devel] [PATCH] 457 fall back to DM password in ipa-replica-manage

2010-06-01 Thread Pavel Zuna
On 05/27/2010 11:52 PM, Rob Crittenden wrote: ipa-replica-manage can use the current Kerberos credentials for some commands now. To make it a bit nicer to use, fall back to prompt for the DM password if there are no credentials. I've found it handy to have this in development. I also fix up the e