[Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

Petr Spacek pspacek at redhat.com
Tue Oct 13 12:58:01 UTC 2015


On 13.10.2015 14:52, Simo Sorce wrote:
> On 13/10/15 04:04, Petr Spacek wrote:
>> On 13.10.2015 09:34, Martin Babinsky wrote:
>>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>>
>>>>> each service possessing Kerberos keytab will now remove it and destroy any
>>>>> associated credentials cache during its uninstall
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5243
>>>>
>>>> BTW some time ago Simo proposed that we should remove caches and old keytabs
>>>> during *install* so problems caused by failing uninstallation will be fixed on
>>>> repeated install. This is yet another step towards idempotent installer.
>>>>
>>>> To me this makes more sense than doing so on uninstall. Does it make sense to
>>>> you, too?
>>>>
>>>
>>> If the problem is formulated like this (the endpoint is that services have
>>> their keytabs) then it makes more sense to me. I will rework the patch
>>> accordingly.
>>
>> Adding Simo to Cc, so we can be sure that we understood it properly :-)
>>
>> Simo, does it make sense to do that on installation rather than installation?
> 
> Actually on a server re-install it may make sense to check if the keytab is
> valid and keep it if it is.
> Make sure you do not break promotion by removing the host keytab or keytabs
> that have been legitimately created in the client.

I would expect that keytabs created in client installation should not be
touched/overwritten at all in server install, right?

In other words: ipa-client-install and ipa-replica-promote should be totally
separate tools and not duplicate functionality.

-- 
Petr^2 Spacek



