[Freeipa-devel] [PATCH] 376-377 Use tkey-gssapi-keytab in named.conf

Martin Kosek mkosek at redhat.com
Mon Mar 11 08:09:42 UTC 2013


On 03/08/2013 09:49 AM, Petr Spacek wrote:
> On 8.3.2013 00:14, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
>>> and tkey-domain and replace them with tkey-gssapi-keytab, which avoids
>>> unnecessary Kerberos checks on BIND startup that can cause issues when
>>> the KDC is not available.
>>>
>>> Both new and current IPA installations are updated.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3429
>>>
>>
>> Still reviewing this but I noticed that after upgrading my 3.1.99 server
>> from the pre-patch to the with-patch version, the connections argument in named.conf
>> got set to 4 (courtesy of ipa-upgradeconfig). Should we be setting that to 4
>> during the initial install too?
>
> For 3.2 it doesn't matter. Anything >= 2 should be okay, but more connections
> should not harm.
>
> A higher value should allow a higher level of parallelism; it is one of the tuning
> parameters. The value 4 was necessary to prevent deadlocks in some previous
> versions of bind-dyndb-ldap.
>

Previously, when I implemented the upgrade script, I set the connections arg only
if it was present in named.conf, and thus bind-dyndb-ldap could not use a
reasonable default at its own discretion.

This was changed in e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f, and connections is
now always set. Rob is correct that in that case we might want to add it to
named.conf by default to make it consistent... or we could also fix the upgrade
script to change connections only if it is present in named.conf.

Petr, what makes more sense bind-dyndb-ldap-wise?

Thanks,
Martin

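The two named.conf shapes under discussion, side by side, as an added illustration that is not the patch itself and not FreeIPA's real named.conf template. The hostname, realm, keytab path, LDAP socket and DNS base are placeholders; the option and arg names are the ones the thread names (tkey-gssapi-credential, tkey-domain, tkey-gssapi-keytab, and bind-dyndb-ldap's connections argument).

```conf
// BEFORE (obsolete pair): BIND looks up the DNS/<host> credential for
// this principal/realm when it loads its configuration, which is the
// startup-time Kerberos check the patch wants to get rid of. If the
// KDC is unreachable at boot, named startup suffers for no good reason.
options {
	// ... other options unchanged ...
	tkey-gssapi-credential "DNS/ipa.example.com";   // placeholder principal
	tkey-domain "EXAMPLE.COM";                       // placeholder realm
};

// AFTER: point BIND directly at its own keytab. The credential comes
// from this file when a GSS-TSIG (TKEY) negotiation needs it, so a
// missing KDC at startup no longer matters.
options {
	// ... other options unchanged ...
	tkey-gssapi-keytab "/etc/named.keytab";   // placeholder path; must be readable by the named user
};

// bind-dyndb-ldap driver block with the connections argument written
// out explicitly, which is what ipa-upgradeconfig now does on upgrade;
// the thread is asking whether the fresh-install template should too.
dynamic-db "ipa" {
	library "ldap.so";
	arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";   // placeholder socket path
	arg "base cn=dns, dc=example,dc=com";                         // placeholder DNS base
	arg "fake_mname ipa.example.com.";
	arg "auth_method sasl";
	arg "sasl_mech GSSAPI";
	arg "sasl_user DNS/ipa.example.com";
	arg "connections 4";   // anything >= 2 is fine per the thread; 4 avoided deadlocks in older bind-dyndb-ldap
};
```

After editing a real named.conf this way, run named-checkconf on the file before restarting BIND, and check that the keytab named in tkey-gssapi-keytab is owned or at least readable by the account named runs as; a keytab BIND cannot read turns every GSS-TSIG update into a failed TKEY negotiation rather than a startup error.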