[Freeipa-devel] IPAv2, replica installation can be broken

Simo Sorce ssorce at redhat.com
Fri Jan 15 17:40:24 UTC 2010


On Thu, 14 Jan 2010 15:53:55 -0500
Rob Crittenden <rcritten at redhat.com> wrote:

> I just discovered a problem with replica installation in IPAv2 and 
> wanted to get some additional opinions on it.
> 
> The scenario is this: You've installed a master, perhaps added some 
> entries on it, everything is working fine. You've got some hosts that 
> you added entries for as well, perhaps even creating some service
> keytabs.
> 
> Now you want to make one of those hosts an IPA replica. Things will
> blow up gloriously because some principals needed for the replica may
> already exist in the DB.
> 
> So the question is, do we want to enforce that any replica hosts
> don't already exist in the database before proceeding? It seems
> reasonable to me but I'm pretty draconian about such things.
> 
> Thoughts?

OK, so the best solution would be to detect that and just use the
existing entries.

Although, if it is really just krb keys, I think it is perfectly
acceptable to simply delete the existing ones at replica-install time and
regenerate new ones (with a warning that some clients may need to
refresh their credential cache in the hours right after the operation).

It would probably be much easier if we could do an online replica
install instead of going through the current file-based replica.

Can we revisit what keeps us from doing that? With the addition of
dogtag in 2.0, are certificates still a problem? What else do we miss?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
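The two options discussed in this thread (refuse when the replica host already has entries, or detect them and reuse/regenerate) can be sketched as a pre-flight check over the directory's Kerberos principals. The following is an added illustration, not FreeIPA code: it assumes a replica needs host/, ldap/ and HTTP/ principals for its FQDN, that a provisioned keytab shows up as a krbPrincipalKey attribute on the entry, and it works on a constructed LDIF snapshot so it runs offline against no server.

```python
"""Pre-flight check for replica installation (illustrative, not IPA's own code).

For each principal the replica will need, decide whether to create it,
reuse an existing key-less entry, or delete-and-regenerate its key (the
case that needs the client-refresh warning). A strict mode implements
the "host must not exist yet" policy instead.

Assumed, not taken from the thread: the set of replica services, the
krbPrincipalName / krbPrincipalKey attribute names, and the DN layout.
"""

REPLICA_SERVICES = ("host", "ldap", "HTTP")  # assumed replica service set

# Constructed sample: replica1 was enrolled earlier as a plain client (host
# principal with a key) and someone added an ldap principal with no keytab;
# client1 is an unrelated host that must not influence the plan.
SAMPLE_LDIF = """\
dn: krbprincipalname=host/replica1.example.com@EXAMPLE.COM,cn=services,dc=example,dc=com
krbPrincipalName: host/replica1.example.com@EXAMPLE.COM
krbPrincipalKey:: MIIBAQ==

dn: krbprincipalname=ldap/replica1.example.com@EXAMPLE.COM,cn=services,dc=example,dc=com
krbPrincipalName: ldap/replica1.example.com@EXAMPLE.COM

dn: krbprincipalname=host/client1.example.com@EXAMPLE.COM,cn=services,dc=example,dc=com
krbPrincipalName: host/client1.example.com@EXAMPLE.COM
krbPrincipalKey:: MIIBAg==
"""


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each {lowercased attr: [values]}."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:        # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, value = line.split(":", 1)
        # "attr:: b64" marks a base64 value; we only care that it is present.
        current.setdefault(attr.strip().lower(), []).append(value.lstrip(":").strip())
    return entries


def replica_principals(fqdn, realm):
    return [f"{svc}/{fqdn}@{realm}" for svc in REPLICA_SERVICES]


def plan_replica_install(entries, fqdn, realm):
    """Map each required principal to 'create', 'reuse' or 'regenerate-key'."""
    by_principal = {}
    for entry in entries:
        for name in entry.get("krbprincipalname", []):
            by_principal[name] = entry
    plan = {}
    for principal in replica_principals(fqdn, realm):
        entry = by_principal.get(principal)
        if entry is None:
            plan[principal] = "create"
        elif entry.get("krbprincipalkey"):
            plan[principal] = "regenerate-key"   # a keytab was issued before
        else:
            plan[principal] = "reuse"            # entry exists, never keyed
    return plan


def blocking_conflicts(plan, strict=False):
    """Strict mode (refuse if the host already exists): every pre-existing
    principal blocks the install. Lenient mode: nothing blocks."""
    return sorted(p for p, action in plan.items() if action != "create") if strict else []


def client_refresh_warnings(plan):
    """Warnings for principals whose key will change under the install."""
    return [f"{p}: key regenerated; clients holding tickets for the old key "
            f"may need to refresh their credential cache"
            for p, action in sorted(plan.items()) if action == "regenerate-key"]


if __name__ == "__main__":
    snapshot = parse_ldif(SAMPLE_LDIF)
    plan = plan_replica_install(snapshot, "replica1.example.com", "EXAMPLE.COM")
    for principal, action in plan.items():
        print(f"{action:15} {principal}")
    for warning in client_refresh_warnings(plan):
        print("WARNING:", warning)
    print("strict-mode conflicts:", blocking_conflicts(plan, strict=True))
```

Run against a real directory the snapshot would come from a search for krbPrincipalName=*/<fqdn>@<REALM>; the decision logic is the same. The lenient plan is Simo's proposal (reuse what is there, regenerate only keyed entries and warn), while blocking_conflicts(strict=True) is Rob's stricter option.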
