[Freeipa-devel] [PATCH] 1032 allow multiple --server in client install, don't always set _srv_
Martin Kosek
mkosek at redhat.com
Wed Jul 4 14:59:20 UTC 2012

On 07/04/2012 12:12 AM, Rob Crittenden wrote:
> If you pass in --server and --fixed-primary then don't add _srv_ to ipa_server
> in sssd.conf.
>
> This necessitates the desire to be able to provide multiple servers so make
> --server accept multiple values. This represents the bulk of the code changes.
> In every case we only use the additional values in sssd.conf.
>
> I also made some minor tweaks to discovery. There were cases where DNS
> discovery wasn't successful but we set dnsok anyway which could cause some
> cascading issues.
>
> There are a ton of possible corner cases with this so please, be brutal.
>
> I tested the following against a DNS server that had SRV records and against
> one that did not.
>
> - ipa-client-install
> - ipa-client-install --server=ipa.example.com --domain=example.com
> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com
> --domain-example.com
> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
> --domain-example.com --fixed-primary
> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
> --domain-example.com --fixed-primary --no-sssd
> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
> --domain-example.com --no-sssd
>
> rob

I did various checks; generally the patch behaves OK, and I did not find any major
bug. I have just 2 questions/suggestions:

1) Since we allow more fixed servers to be passed as the --server parameter, we
could name them all in /etc/krb5.conf in the "kdc" and "admin_server" options when
DNS is not OK instead of writing just the first one in the list. Kerberos tools
then should be able to fall back when some of them are not available.

2) When DNS discovery is not OK, we still add _srv_ to the ipa_server option in
sssd.conf. Is it intentional?

Martin