[Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

Petr Vobornik pvoborni at redhat.com
Fri Dec 11 16:21:55 UTC 2015


On 12/08/2015 02:00 PM, Simo Sorce wrote:
> On Tue, 2015-12-08 at 13:34 +0100, Martin Kosek wrote:
>> On 12/08/2015 08:28 AM, Jan Cholasta wrote:
>>> On 8.12.2015 08:23, Martin Kosek wrote:
>>>> On 12/08/2015 07:57 AM, Jan Cholasta wrote:
>>>>> On 7.12.2015 16:43, Martin Kosek wrote:
>>>>>> On 12/07/2015 02:17 PM, Tomas Babej wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 12/04/2015 08:22 PM, Rob Crittenden wrote:
>>>>>>>> Martin Kosek wrote:
>>>>>>>>> On 12/04/2015 07:17 PM, Tomas Babej wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Avoids failing in the later stages during the ipa-client-install
>>>>>>>>>> command.
>>>>>>>>>>
>>>>>>>>>> Tomas
>>>>>>>>>
>>>>>>>>> Is this change needed? Wouldn't it be better to update
>>>>>>>>> ipa-client-install or ipa-replica-install to not require the --domain
>>>>>>>>> option? I would hope that --domain can be figured out during
>>>>>>>>> installation and not passed to ipa-replica-install manually by the admin.
>>>>>>>>>
>>>>>>>>> I just think that calling
>>>>>>>>> # ipa-replica-install --server=master.example.com
>>>>>>>>> is better than
>>>>>>>>> # ipa-replica-install --server=master.example.com --domain example.com
>>>>>>>>> if possible.
>>>>>>>>
>>>>>>>> IIRC this is for service discovery when using a specific server and not
>>>>>>>> LDAP. This is the domain used to search for the kerberos realm, for
>>>>>>>> example.
>>>>>>>>
>>>>>>>> That isn't to say this isn't discoverable but it would require another
>>>>>>>> function in discovery to query what the IPA domain is from the given
>>>>>>>> master but it gets tricky if anonymous search is disabled, for example.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>
>>>>>>> Needed or not, this is the behaviour that ipa-client-install has now.
>>>>>>> Adding a domain detection method would be an RFE for ipa-client-install
>>>>>>> (and imho not something we should be adding at this point).
>>>>>>>
>>>>>>> This patch only focuses on making the ipa-replica-install work more
>>>>>>> smoothly.
>>>>>>
>>>>>> I am just thinking that client promotion (ipa-replica-install) and
>>>>>> ipa-client-install are a bit different use cases. While ipa-client-install
>>>>>> should be typically run in auto-discovery and you thus do not use --server
>>>>>> option much, while with ipa-replica-install, you want to make sure you have the
>>>>>> expected topology and should use --server all the time without gambling on it.
>>>>>>
>>>>>> But I do not think it has to be there since 4.3 GA, can you please file a
>>>>>> ticket for this gap?
>>>>>
>>>>> I would rather do it now, because the change from optional to mandatory is
>>>>> backward incompatible. (We don't want to break users' scripts, right?)
>>>>
>>>> I think it is the other way around - with the change I was suggesting
>>>> (autodetecting --domain option instead of always requesting it, as in Tomas'
>>>> patch which we can merge if my proposal is not doable for 4.3 GA).
>>>>
>>>
>>> "with ipa-replica-install, you want to make sure you have the expected topology
>>> and should use --server all the time" sounds like you want to make --server
>>> mandatory for ipa-replica-install, which should be done either before 4.3 GA or
>>> never.
>>
>> Ah, no, this is not what I meant. I was only discussing the --domain option in
>> this mail and the typical use cases for --server option in ipa-client-install
>> and ipa-replica-install.
>>
>> If we can trust ipa-replica-install to do a good job in picking a server to
>> replica from, the --server can stay optional. Although I am on the fence here,
>> being more explicit when creating topology may be helpful. CCing Simo, in case
>> he has some opinions on this.
>
> Leave it optional, our first order of business is making things simple,
> then adding optional knobs to let the admin with knowledge tweak
> things.
>
> Simo.
>

ACK for original patch

Pushed to master: c3c8651ac1bac794e32b3c01f7e4f6b487dcef08
-- 
Petr Vobornik



