[Freeipa-devel] [PATCH] 1032 allow multiple --server in client install, don't always set _srv_

Lance Dillon riffraff169 at yahoo.com
Thu Jul 5 19:49:01 UTC 2012






>________________________________
> From: Rob Crittenden <rcritten at redhat.com>
>To: Martin Kosek <mkosek at redhat.com> 
>Cc: freeipa-devel <freeipa-devel at redhat.com> 
>Sent: Thursday, July 5, 2012 3:18 PM
>Subject: Re: [Freeipa-devel] [PATCH] 1032 allow multiple --server in client install, don't always set _srv_
> 
>Martin Kosek wrote:
>> On 07/04/2012 12:12 AM, Rob Crittenden wrote:
>>> If you pass in --server and --fixed-primary then don't add _srv_ to ipa_server
>>> in sssd.conf.
>>>
>>> This necessitates the desire to be able to provide multiple servers so make
>>> --server accept multiple values. This represents the bulk of the code changes.
>>> In every case we only use the additional values in sssd.conf.
>>>
>>> I also made some minor tweaks to discovery. There were cases where DNS
>>> discovery wasn't successful but we set dnsok anyway which could cause some
>>> cascading issues.
>>>
>>> There are a ton of possible corner cases with this so please, be brutal.
>>>
>>> I tested the following against a DNS server that had SRV records and against
>>> one that did not.
>>>
>>> - ipa-client-install
>>> - ipa-client-install --server=ipa.example.com --domain=example.com
>>> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com
>>> --domain=example.com
>>> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com
>>> --domain=example.com --fixed-primary
>>> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com
>>> --domain=example.com --fixed-primary --no-sssd
>>> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com
>>> --domain=example.com --no-sssd
>>>
>>> rob
>>
>> I did various checks, generally the patch behaves ok, I did not find any major
>> bug. I have just 2 questions/suggestions:
>>
>> 1) Since we allow more fixed servers to be passed as --server parameter, we
>> could name them all in /etc/krb5.conf in "kdc" and "admin_server" options when
>> DNS is not OK instead of writing just the first one in the list. Kerberos tools
>> then should be able to fall back when some of them are not available.
>
>Sure, that makes sense. Done.
>
>> 2) When DNS discovery is not OK, we still add _srv_ to ipa_server option in
>> sssd.conf. Is it intentional?
>
>Yes, it was sort of a future-proofing if SRV records are ever made 
>available.
>
>rob
>
>
Could I request an option to not add _srv_ at all, like a --no-dns-discovery option? This way those of us who unfortunately are in situations where we can't create SRV records at all can have it designated at install time. Otherwise I have to edit the config files afterwards anyway to get rid of it.

It could be made default false, of course, but if set the _srv_ entry would not be added.