[Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

Jan Cholasta jcholast at redhat.com
Tue Dec 8 07:28:13 UTC 2015


On 8.12.2015 08:23, Martin Kosek wrote:
> On 12/08/2015 07:57 AM, Jan Cholasta wrote:
>> On 7.12.2015 16:43, Martin Kosek wrote:
>>> On 12/07/2015 02:17 PM, Tomas Babej wrote:
>>>>
>>>>
>>>> On 12/04/2015 08:22 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On 12/04/2015 07:17 PM, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Avoids failing in the later stages during the ipa-client-install
>>>>>>> command.
>>>>>>>
>>>>>>> Tomas
>>>>>>
>>>>>> Is this change needed? Wouldn't it be better to update
>>>>>> ipa-client-install or ipa-replica-install to not require the --domain
>>>>>> option? I would hope that --domain can be figured out during
>>>>>> installation and not passed to ipa-replica-install manually by the admin.
>>>>>>
>>>>>> I just think that calling
>>>>>> # ipa-replica-install --server=master.example.com
>>>>>> is better than
>>>>>> # ipa-replica-install --server=master.example.com --domain example.com
>>>>>> if possible.
>>>>>
>>>>> IIRC this is for service discovery when using a specific server and not
>>>>> LDAP. This is the domain used to search for the kerberos realm, for
>>>>> example.
>>>>>
>>>>> That isn't to say this isn't discoverable but it would require another
>>>>> function in discovery to query what the IPA domain is from the given
>>>>> master but it gets tricky if anonymous search is disabled, for example.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> Needed or not, this is the behaviour that ipa-client-install has now.
>>>> Adding a domain detection method would be an RFE for ipa-client-install
>>>> (and imho not something we should be adding at this point).
>>>>
>>>> This patch only focuses on making the ipa-replica-install work more
>>>> smoothly.
>>>
>>> I am just thinking that client promotion (ipa-replica-install) and
>>> ipa-client-install are a bit different use cases. While ipa-client-install
>>> should be typically run in auto-discovery and you thus do not use --server
>>> option much, while with ipa-replica-install, you want to make sure you have the
>>> expected topology and should use --server all the time without gambling on it.
>>>
>>> But I do not think it has to be there since 4.3 GA, can you please file a
>>> ticket for this gap?
>>
>> I would rather do it now, because the change from optional to mandatory is
>> backward incompatible. (We don't want to break users' scripts, right?)
>
> I think it is the other way around - with the change I was suggesting
> (autodetecting --domain option instead of always requesting it, as in Tomas'
> patch which we can merge if my proposal is not doable for 4.3 GA).
>

"with ipa-replica-install, you want to make sure you have the expected 
topology and should use --server all the time" sounds like you want to 
make --server mandatory for ipa-replica-install, which should be done 
either before 4.3 GA or never.

-- 
Jan Cholasta



