[Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall
Petr Spacek
pspacek at redhat.com
Tue Nov 10 16:36:21 UTC 2015
On 4.11.2015 11:56, Martin Babinsky wrote:
> On 10/22/2015 05:32 PM, Petr Spacek wrote:
>> On 21.10.2015 17:55, Martin Babinsky wrote:
>>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>>
>>>>> each service possessing Kerberos keytab wiil now remove it and destroy any
>>>>> associated credentials cache during its uninstall
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5243
>>>>
>>>> BTW some time ago Simo proposed that we should remove caches and old keytabs
>>>> during *install* so problems caused by failing uninstallation will be
>>>> fixed on
>>>> repeated install. This is yet another step towards idempotent installer.
>>>>
>>>> To me this makes more sense than doing so on uninstall. Does it make sense to
>>>> you, too?
>>>>
>>>
>>> Attaching updated patch that does cleanup also before each instance creation.
>>> It is a bit ugly I admit, but I couldn't think of a better way to do it and
>>> didn't want to poke into service/instance code more than neccesary.
>>
>> NACK, but we are almost there!
>>
>> * kdestroy -A is too aggressive and wipes root's keyring after each run of
>> ipa-*-install utils.
>>
>> * There are some scattered leftovers of ipautil.run['kdestroy'...] in the
>> tree. Please get rid of them.
>>
>> Thank you!
>>
> Attaching updated patch. It got lost somewhere in the list.
ACK, thank you for patience.
--
Petr^2 Spacek
More information about the Freeipa-devel
mailing list