[Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

Jan Cholasta jcholast at redhat.com
Tue Dec 8 06:57:16 UTC 2015


On 7.12.2015 16:43, Martin Kosek wrote:
> On 12/07/2015 02:17 PM, Tomas Babej wrote:
>>
>>
>> On 12/04/2015 08:22 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 12/04/2015 07:17 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> Avoids failing in the later stages during the ipa-client-install
>>>>> command.
>>>>>
>>>>> Tomas
>>>>
>>>> Is this change needed? Wouldn't it be better to update
>>>> ipa-client-install or ipa-replica-install to not require the --domain
>>>> option? I would hope that --domain can be figured out during
>>>> installation and not passed to ipa-replica-install manually by the admin.
>>>>
>>>> I just think that calling
>>>> # ipa-replica-install --server=master.example.com
>>>> is better than
>>>> # ipa-replica-install --server=master.example.com --domain example.com
>>>> if possible.
>>>
>>> IIRC this is for service discovery when using a specific server and not
>>> LDAP. This is the domain used to search for the Kerberos realm, for
>>> example.
>>>
>>> That isn't to say this isn't discoverable but it would require another
>>> function in discovery to query what the IPA domain is from the given
>>> master but it gets tricky if anonymous search is disabled, for example.
>>>
>>> rob
>>>
>>
>> Needed or not, this is the behaviour that ipa-client-install has now.
>> Adding a domain detection method would be an RFE for ipa-client-install
>> (and imho not something we should be adding at this point).
>>
>> This patch only focuses on making the ipa-replica-install work more
>> smoothly.
>
> I am just thinking that client promotion (ipa-replica-install) and
> ipa-client-install are a bit different use cases. While ipa-client-install
> should typically be run in auto-discovery and you thus do not use the --server
> option much, with ipa-replica-install you want to make sure you have the
> expected topology and should use --server all the time without gambling on it.
>
> But I do not think it has to be there since 4.3 GA, can you please file a
> ticket for this gap?

I would rather do it now, because the change from optional to mandatory 
is backward incompatible. (We don't want to break users' scripts, right?)

-- 
Jan Cholasta



