[Freeipa-devel] [PATCH] 968 don't allow reconnection to deleted master

Rob Crittenden rcritten at redhat.com
Wed Feb 29 14:13:55 UTC 2012


Martin Kosek wrote:
> On Tue, 2012-02-28 at 16:36 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Sat, 2012-02-25 at 17:43 -0500, Rob Crittenden wrote:
>>>> This patch does two things:
>>>>
>>>> 1. Prompts when deleting a master to make clear that this is irreversible
>>>> 2. Does not allow a deleted master to be reconnected.
>>>>
>>>> Reconnecting to a deleted master causes all heck to break loose because
>>>> we delete principals as part of the deletion process. If you reconnect to a
>>>> deleted master then we replicate those deletes and the connected master
>>>> is now unusable (no principals).
>>>>
>>>> A simple test is:
>>>>
>>>> Install master
>>>> Install replica
>>>> ipa-replica-manage del replica
>>>> ipa-replica-manage connect replica
>>>> ipa-server-uninstall -U on replica
>>>> re-install replica
>>>>
>>>> The re-install should be successful.
>>>>
>>>> rob
>>>
>>> Generally, it looks and works well. I just miss some unattended way to
>>> delete a replica, from another script for example.
>>>
>>> I think we may either re-use --force flag for this purpose or introduce
>>> an --unattended flag.
>>>
>>> I also found an issue with S4U2Proxy memberPrincipal added for each
>>> replica. Since the memberPrincipal values for a deleted replica are not
>>> removed when a replica is being deleted, ipa-replica-install reports a
>>> (benign) error when it tries to add a duplicate value afterwards. I
>>> filed a ticket for this one:
>>>
>>> https://fedorahosted.org/freeipa/ticket/2451
>>>
>>> Martin
>>>
>>
>> OK, went with --force.
>>
>> rob
>
> The approach should be OK, but the patch you included is wrong.
>
> Martin
>

OK, this should be right.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-968-2-connect.patch
Type: text/x-diff
Size: 4317 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120229/69350154/attachment.bin>

