[Freeipa-devel] [PATCH] 17 More exception handlers in ipa-client-install

Rob Crittenden rcritten at redhat.com
Mon Mar 12 21:04:55 UTC 2012


Martin Kosek wrote:
> On Mon, 2012-03-12 at 11:17 -0400, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Fri, 2012-03-09 at 14:18 +0100, Ondrej Hamada wrote:
>>>> https://fedorahosted.org/freeipa/ticket/2415
>>>> https://fedorahosted.org/freeipa/ticket/1995
>>>>
>>>> Added exception handler to certutil operation of adding CA to the
>>>> default NSS database. If operation fails, installation is aborted and
>>>> changes are rolled back. #2415
>>>>
>>>> If obtaining host TGT fails, the installation is aborted and changes are
>>>> rolled back. #1995
>>>
>>> ACK. Pushed to master, ipa-2-2.
>>>
>>> Martin
>>
>> I wonder if we need to add an escape for --force here. The kinit is just
>> to do things like nsupdate and add the SSH host keys. One might deem
>> those not critical.
>>
>> rob
>
> This was a keytab kinit, as original ticket says a failure to get a
> correct keytab will make it impossible to login anyway as ldap binds
> from sssd will fail and auth verification will fail. This sounds pretty
> critical to me...
>
> Martin
>

Right, but we're not failing because kinit failed but because the 
connection we're trying to make using that keytab failed. That can 
happen for other reasons, like the NSS shutdown bug we addressed.

I won't press this, it is probably fine. Time will tell.

rob



