[Freeipa-devel] [PATCH] 376-377 Use tkey-gssapi-keytab in named.conf

Petr Spacek pspacek at redhat.com
Mon Mar 11 08:39:18 UTC 2013


On 11.3.2013 09:09, Martin Kosek wrote:
> On 03/08/2013 09:49 AM, Petr Spacek wrote:
>> On 8.3.2013 00:14, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> Remove the obsolete BIND GSSAPI configuration options tkey-gssapi-credential
>>>> and tkey-domain and replace them with tkey-gssapi-keytab, which avoids
>>>> unnecessary Kerberos checks on BIND startup that can cause issues when the
>>>> KDC is not available.
>>>>
>>>> Both new and current IPA installations are updated.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3429
>>>>
>>>
>>> Still reviewing this, but I noticed that after upgrading my 3.1.99 server
>>> from the pre-patch to the with-patch version, the connections argument in
>>> named.conf got set to 4 (courtesy of ipa-upgradeconfig). Should we be setting
>>> that to 4 during the initial install too?
>>
>> For 3.2 it doesn't matter. Anything >= 2 should be okay, but more connections
>> should not harm.
>>
>> A higher value should allow a higher level of parallelism; it is one of the
>> tuning parameters. The value 4 was necessary to prevent deadlocks in some
>> previous versions of bind-dyndb-ldap.
>>
>
> Previously, when I implemented the upgrade script, I set the connections arg
> only if it was present in named.conf, and thus bind-dyndb-ldap could not use a
> reasonable default on its own.
>
> This was changed in e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f, and connections
> is now always set. Rob is correct that in that case we might want to add it to
> named.conf by default to make it consistent... or we could also fix the upgrade
> script to change connections only if it is present in named.conf.
>
> Petr, what does make more sense bind-dyndb-ldap wise?

Default values should work. Personally I would include only "override" values 
in named.conf, but technically it doesn't matter.

Note: The latest bind-dyndb-ldap versions refuse to start if the configuration 
is insane. A fatal error will point the admin to errors in the configuration and 
should prevent surprises from auto-magically changed values.

Invalid configurations - examples:
connections < 1
connections < 2 && psearch is enabled
serial_autoincrement enabled && psearch disabled

-- 
Petr^2 Spacek
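The checks Petr lists above, plus the tkey-gssapi-credential/tkey-domain to tkey-gssapi-keytab replacement from the patch description, as a small standalone validator. This is an added example, not code from FreeIPA, ipa-upgradeconfig or bind-dyndb-ldap. The named.conf fragment is constructed for the example; the keytab path /etc/named.keytab and the assumed default of 2 connections when the argument is absent are assumptions made here, not values taken from the thread.

```python
"""Check bind-dyndb-ldap / GSS-TSIG settings in a named.conf fragment.

Added example; not FreeIPA or bind-dyndb-ldap code. Implements the sanity
rules from the thread (connections < 1; connections < 2 with psearch;
serial_autoincrement without psearch) and flags the obsolete tkey options.
"""
import re

# Constructed sample: still uses the obsolete tkey option pair and carries a
# dynamic-db argument set that bind-dyndb-ldap would refuse to start with.
SAMPLE_NAMED_CONF = """\
options {
        directory "/var/named";
        tkey-gssapi-credential "DNS/ipa.example.com";
        tkey-domain "EXAMPLE.COM";
};

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
        arg "base cn=dns, dc=example,dc=com";
        arg "psearch yes";
        arg "serial_autoincrement yes";
        arg "connections 1";
};
"""

OBSOLETE_OPTIONS = ("tkey-gssapi-credential", "tkey-domain")
DEFAULT_CONNECTIONS = 2  # assumption for this check, not a documented default
OPTION_RE = re.compile(r'^\s*(tkey-[\w-]+)\s+"([^"]*)"\s*;', re.M)
ARG_RE = re.compile(r'^\s*arg\s+"(\S+)\s+([^"]*)"\s*;', re.M)


def tkey_options(conf):
    """Map tkey-* option names in the options block to their quoted values."""
    return dict(OPTION_RE.findall(conf))


def dyndb_args(conf):
    """Map dynamic-db 'arg "key value"' settings to their values."""
    return {key: value.strip() for key, value in ARG_RE.findall(conf)}


def to_bool(value):
    return value.lower() in ("yes", "true", "on", "1")


def check_config(conf):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    opts = tkey_options(conf)
    for name in OBSOLETE_OPTIONS:
        if name in opts:
            problems.append(f"obsolete option {name}; use tkey-gssapi-keytab")
    if "tkey-gssapi-keytab" not in opts:
        problems.append("tkey-gssapi-keytab missing; GSS-TSIG updates will fail")

    args = dyndb_args(conf)
    connections = int(args.get("connections", str(DEFAULT_CONNECTIONS)))
    psearch = to_bool(args.get("psearch", "no"))
    serial_auto = to_bool(args.get("serial_autoincrement", "no"))
    if connections < 1:
        problems.append("connections < 1")
    if connections < 2 and psearch:
        problems.append("connections < 2 with psearch enabled")
    if serial_auto and not psearch:
        problems.append("serial_autoincrement enabled but psearch disabled")
    return problems


def upgrade_tkey(conf, keytab="/etc/named.keytab"):
    """Replace the obsolete tkey pair with one tkey-gssapi-keytab line.

    Only rewrites configs that still carry the old options; a config that
    has neither old nor new option is returned unchanged (keytab path is an
    assumption of this example).
    """
    out, replaced = [], False
    for line in conf.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(1) in OBSOLETE_OPTIONS:
            if not replaced:  # keep the indentation of the line we drop
                indent = line[: len(line) - len(line.lstrip())]
                out.append(f'{indent}tkey-gssapi-keytab "{keytab}";')
                replaced = True
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for problem in check_config(SAMPLE_NAMED_CONF):
        print("before:", problem)
    fixed = upgrade_tkey(SAMPLE_NAMED_CONF).replace(
        'arg "connections 1"', 'arg "connections 4"')
    print("after:", check_config(fixed) or "ok")
```

Run against the sample, the checker reports both obsolete options, the missing keytab option, and the connections/psearch conflict; after upgrade_tkey and raising connections to 4 the same checker returns no problems. The regexes assume the one-option-per-line layout that named.conf normally uses, which is the layout ipa-upgradeconfig also edits.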