[Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

Simo Sorce simo at redhat.com
Tue Oct 13 13:08:14 UTC 2015


On 13/10/15 08:58, Petr Spacek wrote:
> On 13.10.2015 14:52, Simo Sorce wrote:
>> On 13/10/15 04:04, Petr Spacek wrote:
>>> On 13.10.2015 09:34, Martin Babinsky wrote:
>>>> On 10/13/2015 09:17 AM, Petr Spacek wrote:
>>>>> On 12.10.2015 13:38, Martin Babinsky wrote:
>>>>>>
>>>>>> each service possessing Kerberos keytab will now remove it and destroy any
>>>>>> associated credentials cache during its uninstall
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5243
>>>>>
>>>>> BTW some time ago Simo proposed that we should remove caches and old keytabs
>>>>> during *install* so problems caused by failing uninstallation will be fixed on
>>>>> repeated install. This is yet another step towards idempotent installer.
>>>>>
>>>>> To me this makes more sense than doing so on uninstall. Does it make sense to
>>>>> you, too?
>>>>>
>>>>
>>>> If the problem is formulated like this (the endpoint is that services have
>>>> their keytabs) then it makes more sense to me. I will rework the patch
>>>> accordingly.
>>>
>>> Adding Simo to Cc, so we can be sure that we understood it properly :-)
>>>
>>> Simo, does it make sense to do that on installation rather than installation?
>>
>> Actually on a server re-install it may make sense to check if the keytab is
>> valid and keep it if it is.
>> Make sure you do not break promotion by removing the host keytab or keytabs
>> that have been legitimately created in the client.
>
> I would expect that keytabs created in client installation should not be
> touched/overwritten at all in server install, right?
>
> In other words: ipa-client-install and ipa-replica-promote should be totally
> separate tools and do not duplicate functionality.

They don't.

But there is no ipa-replica-promote, just ipa-replica-install, which 
will do promotion (and in future will do client install as well if 
client is not already installed before going on with promotion code).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
