[Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

Simo Sorce simo at redhat.com
Tue Oct 13 12:52:37 UTC 2015


On 13/10/15 04:04, Petr Spacek wrote:
> On 13.10.2015 09:34, Martin Babinsky wrote:
>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>
>>>> each service possessing Kerberos keytab will now remove it and destroy any
>>>> associated credentials cache during its uninstall
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5243
>>>
>>> BTW some time ago Simo proposed that we should remove caches and old keytabs
>>> during *install* so problems caused by failing uninstallation will be fixed on
>>> repeated install. This is yet another step towards idempotent installer.
>>>
>>> To me this makes more sense than doing so on uninstall. Does it make sense to
>>> you, too?
>>>
>>
>> If the problem is formulated like this (the endpoint is that services have
>> their keytabs) then it makes more sense to me. I will rework the patch
>> accordingly.
>
> Adding Simo to Cc, so we can be sure that we understood it properly :-)
>
> Simo, does it make sense to do that on installation rather than installation?

Actually on a server re-install it may make sense to check if the keytab 
is valid and keep it if it is.
Make sure you do not break promotion by removing the host keytab or 
keytabs that have been legitimately created in the client.

But otherwise the direction is good.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



