[Freeipa-devel] [PATCH] 376-377, 385 Use tkey-gssapi-keytab in named.conf

Martin Kosek mkosek at redhat.com
Wed Mar 13 10:00:42 UTC 2013


On 03/11/2013 09:39 AM, Petr Spacek wrote:
> On 11.3.2013 09:09, Martin Kosek wrote:
>> On 03/08/2013 09:49 AM, Petr Spacek wrote:
>>> On 8.3.2013 00:14, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
>>>>> and tkey-domain and replace them with tkey-gssapi-keytab, which avoids
>>>>> unnecessary Kerberos checks on BIND startup that can cause issues when
>>>>> the KDC is not available.
>>>>>
>>>>> Both new and current IPA installations are updated.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3429
>>>>>
>>>>
>>>> Still reviewing this, but I noticed that after upgrading my 3.1.99 server
>>>> pre-patch to the with-patch version, the connections argument in named.conf
>>>> got set to 4 (courtesy of ipa-upgradeconfig). Should we be setting that to 4
>>>> during the initial install too?
>>>
>>> For 3.2 it doesn't matter. Anything >= 2 should be okay, but more connections
>>> should not hurt.
>>>
>>> A higher value should allow a higher level of parallelism; it is one of the
>>> tuning parameters. The value 4 was necessary to prevent deadlocks in some
>>> previous versions of bind-dyndb-ldap.
>>>
>>
>> Previously, when I implemented the upgrade script, I set the connections arg
>> only if it was present in named.conf, and thus bind-dyndb-ldap could not use
>> a reasonable default of its own choosing.
>>
>> This was changed in e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f and connections
>> is now always set. Rob is correct that in that case we might want to add it
>> to named.conf by default to make it consistent... or we could also fix the
>> upgrade script to change connections only if it is present in named.conf.
>>
>> Petr, what makes more sense bind-dyndb-ldap-wise?
> 
> Default values should work. Personally I would include only "override" values
> in named.conf, but technically it doesn't matter.
> 
> Note: the latest bind-dyndb-ldap versions refuse to start if the configuration
> is insane. A fatal error will point the admin to errors in the configuration
> and should prevent surprises from auto-magically changed values.
> 
> Invalid configurations - examples:
> connections < 1
> connections < 2 && psearch is enabled
> serial_autoincrement enabled && psearch disabled
> 

OK, let's set the connections argument only if it is in named.conf _and_ it is
lower than the required minimum. All patches attached.

Martin
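The logic agreed on above, as an added example that is not the FreeIPA patch attached to this mail nor any other project code: drop tkey-gssapi-credential/tkey-domain in favour of tkey-gssapi-keytab, raise a too-low `connections` only when the option is already present, and apply the three bind-dyndb-ldap sanity rules Petr lists. The sample named.conf is constructed, the keytab path /etc/named.keytab, the minimum of 2 and the plugin defaults used for absent options are assumptions, and the `dynamic-db { arg "name value"; }` layout is assumed from bind-dyndb-ldap's configuration format.

```python
import re

# Assumption taken from the thread ("anything >= 2 should be okay").
MIN_CONNECTIONS = 2

# Assumed plugin defaults used when an option is absent from named.conf;
# hypothetical values for this example, not taken from bind-dyndb-ldap's docs.
ASSUMED_DEFAULTS = {"connections": "2", "psearch": "no", "serial_autoincrement": "no"}

OLD_TKEY_RE = re.compile(r'^[ \t]*tkey-(?:gssapi-credential|domain)[ \t]+"[^"]*";[ \t]*\n', re.M)
KEYTAB_RE = re.compile(r'^[ \t]*tkey-gssapi-keytab[ \t]+"[^"]*";', re.M)
OPTIONS_RE = re.compile(r'^options[ \t]*\{[ \t]*\n', re.M)
DYNDB_RE = re.compile(r'^dynamic-db[ \t]+"[^"]*"[ \t]*\{(.*?)^\};', re.M | re.S)
ARG_RE = re.compile(r'^([ \t]*)arg[ \t]+"([A-Za-z_]+)[ \t]+([^"]*)";[ \t]*$', re.M)

# Constructed sample of a pre-upgrade named.conf (not a real deployment).
SAMPLE_NAMED_CONF = '''\
options {
\tdirectory "/var/named";
\ttkey-gssapi-credential "DNS/ipa.example.test@EXAMPLE.TEST";
\ttkey-domain "EXAMPLE.TEST";
};

dynamic-db "ipa" {
\tlibrary "ldap.so";
\targ "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
\targ "base cn=dns, dc=example,dc=test";
\targ "auth_method sasl";
\targ "connections 1";
\targ "psearch yes";
\targ "serial_autoincrement yes";
};
'''


def migrate_tkey(conf, keytab="/etc/named.keytab"):
    """Remove tkey-gssapi-credential/tkey-domain; ensure exactly one tkey-gssapi-keytab."""
    if not KEYTAB_RE.search(conf):
        m = OLD_TKEY_RE.search(conf)
        if m:
            # Put the keytab option where the first obsolete option stood, same indent.
            indent = m.group(0)[: len(m.group(0)) - len(m.group(0).lstrip())]
            line = '%stkey-gssapi-keytab "%s";\n' % (indent, keytab)
            conf = conf[: m.start()] + line + conf[m.end():]
        else:
            o = OPTIONS_RE.search(conf)
            if not o:
                raise ValueError("no options {} block in named.conf")
            conf = conf[: o.end()] + '\ttkey-gssapi-keytab "%s";\n' % keytab + conf[o.end():]
    # Any remaining obsolete lines are dropped; idempotent on a migrated file.
    return OLD_TKEY_RE.sub("", conf)


def dyndb_args(conf):
    """Return {name: value} for the arg "name value"; lines of the dynamic-db block."""
    m = DYNDB_RE.search(conf)
    if not m:
        return {}
    return {name: value for _, name, value in ARG_RE.findall(m.group(1))}


def fix_connections(conf, minimum=MIN_CONNECTIONS):
    """Raise 'connections' only if present and below the minimum; never add it."""
    m = DYNDB_RE.search(conf)
    if not m:
        return conf

    def bump(a):
        if a.group(2) == "connections" and int(a.group(3)) < minimum:
            return '%sarg "connections %d";' % (a.group(1), minimum)
        return a.group(0)

    return conf[: m.start(1)] + ARG_RE.sub(bump, m.group(1)) + conf[m.end(1):]


def validate_dyndb(args):
    """The combinations the thread says bind-dyndb-ldap refuses to start with."""
    eff = dict(ASSUMED_DEFAULTS, **args)
    conns = int(eff["connections"])
    psearch = eff["psearch"].lower() == "yes"
    autoinc = eff["serial_autoincrement"].lower() == "yes"
    errors = []
    if conns < 1:
        errors.append("connections < 1")
    if conns < 2 and psearch:
        errors.append("connections < 2 with psearch enabled")
    if autoinc and not psearch:
        errors.append("serial_autoincrement enabled with psearch disabled")
    return errors


def upgrade(conf):
    """Migrate tkey options, bump a too-low connections, then validate the result."""
    conf = fix_connections(migrate_tkey(conf))
    return conf, validate_dyndb(dyndb_args(conf))


if __name__ == "__main__":
    new_conf, problems = upgrade(SAMPLE_NAMED_CONF)
    print(new_conf)
    print("problems:", problems or "none")
```

Running the script prints the migrated configuration and an empty problem list; removing the `connections` line from the sample shows that the upgrade leaves the option absent rather than forcing a value, which is the behaviour settled on in this thread.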
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-376-update-named.conf-parser.patch
Type: text/x-patch
Size: 5421 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130313/f0306774/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-377-use-tkey-gssapi-keytab-in-named.conf.patch
Type: text/x-patch
Size: 5120 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130313/f0306774/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-385-do-not-force-named-connections-on-upgrades.patch
Type: text/x-patch
Size: 1184 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130313/f0306774/attachment-0002.bin>
