[Freeipa-devel] [PATCH] 968 don't allow reconnection to deleted master

Martin Kosek mkosek at redhat.com
Wed Feb 29 09:10:59 UTC 2012


On Tue, 2012-02-28 at 16:36 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Sat, 2012-02-25 at 17:43 -0500, Rob Crittenden wrote:
> >> This patch does two things:
> >>
> >> 1. Prompts when deleting a master to make clear that this is irreversible
> >> 2. Does not allow a deleted master to be reconnected.
> >>
> >> Reconnecting to a deleted master causes all heck to break loose because
> >> we delete principals as part of deletion process. If you reconnect to a
> >> deleted master then we replicate those deletes and the connected master
> >> is now unusable (no principals).
> >>
> >> A simple test is:
> >>
> >> Install master
> >> Install replica
> >> ipa-replica-manage del replica
> >> ipa-replica-manage connect replica
> >> ipa-server-uninstall -U on replica
> >> re-install replica
> >>
> >> The re-install should be successful.
> >>
> >> rob
> >
> > Generally, it looks and works well. I just miss some unattended way to
> > delete a replica, from another script for example.
> >
> > I think we may either re-use --force flag for this purpose or introduce
> > an --unattended flag.
> >
> > I also found an issue with S4U2Proxy memberPrincipal added for each
> > replica. Since the memberPrincipal values for deleted replica are not
> > removed when a replica is being deleted, ipa-replica-install reports a
> > (benign) error when it tries to add a duplicate value afterwards. I
> > filed a ticket for this one:
> >
> > https://fedorahosted.org/freeipa/ticket/2451
> >
> > Martin
> >
> 
> OK, went with --force.
> 
> rob

The approach should be OK, but the patch you included is wrong.

Martin