[Freeipa-devel] [PATCH] 376-377, 385 Use tkey-gssapi-keytab in named.conf

Rob Crittenden rcritten at redhat.com
Wed Mar 13 17:06:24 UTC 2013


Martin Kosek wrote:
> On 03/11/2013 09:39 AM, Petr Spacek wrote:
>> On 11.3.2013 09:09, Martin Kosek wrote:
>>> On 03/08/2013 09:49 AM, Petr Spacek wrote:
>>>> On 8.3.2013 00:14, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
>>>>>> and tkey-domain and replace them with tkey-gssapi-keytab, which avoids
>>>>>> unnecessary Kerberos checks on BIND startup that can cause issues when
>>>>>> the KDC is not available.
>>>>>>
>>>>>> Both new and current IPA installations are updated.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3429
>>>>>>
>>>>>
>>>>> Still reviewing this but I noticed that after upgrading my 3.1.99 server
>>>>> pre-patch to the with-patch version the connections argument in named.conf
>>>>> got set to 4 (courtesy of ipa-upgradeconfig). Should we be setting that to 4
>>>>> during the initial install too?
>>>>
>>>> For 3.2 it doesn't matter. Anything >= 2 should be okay, but more connections
>>>> should not harm.
>>>>
>>>> Higher value should allow higher level of parallelism, it is one of tuning
>>>> parameters. Value 4 was necessary to prevent deadlocks in some previous
>>>> versions of bind-dyndb-ldap.
>>>>
>>>
>>> Previously, when I implemented the upgrade script, I set connections arg only
>>> if it was present in named.conf and thus bind-dyndb-ldap could not use a
>>> reasonable default on its own decision.
>>>
>>> This was changed in e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f and connections
>>> is set always. Rob is correct, that in that case we might want to add it to
>>> named.conf by default to make it consistent... or we could also fix upgrade
>>> script to change connections only if it is present in named.conf.
>>>
>>> Petr, what does make more sense bind-dyndb-ldap wise?
>>
>> Default values should work. Personally I would include only "override" values
>> in named.conf, but technically it doesn't matter.
>>
>> Note: Latest bind-dyndb-ldap versions refuse to start if configuration is
>> insane. Fatal error will point admin to errors in configuration and should
>> prevent surprises from auto-magically changed values.
>>
>> Invalid configurations - examples:
>> connections < 1
>> connections < 2 && psearch is enabled
>> serial_autoincrement enabled && psearch disabled
>>
>
> OK, let's set the connections argument only if it is in named.conf _and_ it is
> lower than the required minimum. All patches attached.
>
> Martin
>

This works ok if the format of named.conf is stable.

If, for example, there are extra spaces between options and { then the 
values are not updated. This is nothing new with this patch; our 
previous code was also space-dependent (augeas will address this eventually).

I just wonder: should we log a warning if a change has not been applied?

rob
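The two points raised in this thread (setting "connections" only when it is present in named.conf and below the required minimum, and not silently skipping a change when the file's whitespace does not match a fixed pattern) can be illustrated together. The following is an added example written for this page, not FreeIPA's ipa-upgradeconfig code or bind-dyndb-ldap's own validation. It assumes a keytab path of /etc/named.keytab, a minimum of 2 connections (the psearch minimum from the thread), whitespace-tolerant regular expressions rather than fixed strings, and a constructed named.conf fragment with deliberately irregular spacing; it also encodes the three invalid-configuration rules Petr listed, treating absent arguments as unchecked because the plugin defaults are not given on this page.

```python
import re

# Constructed sample named.conf (not taken from FreeIPA). The irregular
# whitespace between "options" and "{" and inside the arg strings is
# deliberate: it is exactly the layout a fixed-string search misses.
SAMPLE_NAMED_CONF = """\
options    {
    directory "/var/named";
    tkey-gssapi-credential "DNS/ipa.example.test";
    tkey-domain "EXAMPLE.TEST";
};

dynamic-db   "ipa"   {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
    arg "connections    1";
    arg "psearch yes";
    arg "serial_autoincrement yes";
};
"""

# Whitespace-tolerant patterns: any run of blanks/tabs/newlines between tokens.
OPTIONS_OPEN_RE = re.compile(r'\boptions\s*\{')
TKEY_OLD_RE = re.compile(
    r'^[ \t]*tkey-(?:gssapi-credential|domain)\s+"[^"]*"\s*;[ \t]*\n?', re.MULTILINE)
TKEY_KEYTAB_RE = re.compile(r'\btkey-gssapi-keytab\s+"[^"]*"\s*;')
CONNECTIONS_RE = re.compile(r'(arg\s+"connections\s+)(\d+)(\s*"\s*;)')
ARG_RE = re.compile(r'arg\s+"\s*(\w+)\s+([^"]*?)\s*"\s*;')


def replace_tkey_options(conf, keytab_path):
    """Replace tkey-gssapi-credential/tkey-domain with tkey-gssapi-keytab.

    Returns (new_conf, warnings). Old directives are removed wherever they
    appear; tkey-gssapi-keytab is inserted at the top of options { } only if
    it is not already there. If options { } cannot be located, the text is
    returned unchanged with a warning instead of failing silently.
    """
    warnings = []
    new_conf = TKEY_OLD_RE.sub('', conf)
    if 'tkey-gssapi-credential' in new_conf or 'tkey-domain' in new_conf:
        warnings.append('old tkey-* directive present in an unparsed form; left in place')
    if not TKEY_KEYTAB_RE.search(new_conf):
        m = OPTIONS_OPEN_RE.search(new_conf)
        if m is None:
            warnings.append('options { } block not found; tkey-gssapi-keytab not added')
            return conf, warnings
        line = '\n    tkey-gssapi-keytab "%s";' % keytab_path  # assumed keytab path
        new_conf = new_conf[:m.end()] + line + new_conf[m.end():]
    return new_conf, warnings


def ensure_min_connections(conf, minimum):
    """Raise the "connections" argument to `minimum` only if it is present and
    lower than that (the rule the thread settled on); an absent argument is
    left to the plugin default. Returns (new_conf, changed, warnings)."""
    warnings = []
    m = CONNECTIONS_RE.search(conf)
    if m is None:
        # Present but in a layout we did not parse: say so rather than skip silently.
        if re.search(r'arg\s+"[^"]*connections', conf):
            warnings.append('"connections" argument present but not parsed; not updated')
        return conf, False, warnings
    if int(m.group(2)) >= minimum:
        return conf, False, warnings
    return conf[:m.start(2)] + str(minimum) + conf[m.end(2):], True, warnings


def check_dyndb_args(conf):
    """Apply the three invalid-configuration rules from the thread to the
    dynamic-db arguments. Absent arguments are not checked (simplification:
    the plugin defaults are not known here). Returns a list of errors."""
    args = dict(ARG_RE.findall(conf))
    connections = int(args['connections']) if 'connections' in args else None
    psearch = args.get('psearch', '').lower() == 'yes'
    serial = args.get('serial_autoincrement', '').lower() == 'yes'
    errors = []
    if connections is not None and connections < 1:
        errors.append('connections < 1')
    if connections is not None and connections < 2 and psearch:
        errors.append('connections < 2 with psearch enabled')
    if serial and 'psearch' in args and not psearch:
        errors.append('serial_autoincrement enabled with psearch disabled')
    return errors


def upgrade_named_conf(conf, keytab_path, minimum=2):
    """Run all steps; returns (new_conf, warnings, errors)."""
    conf, warnings = replace_tkey_options(conf, keytab_path)
    conf, _changed, more = ensure_min_connections(conf, minimum)
    return conf, warnings + more, check_dyndb_args(conf)


if __name__ == '__main__':
    new_conf, warnings, errors = upgrade_named_conf(SAMPLE_NAMED_CONF, '/etc/named.keytab')
    print(new_conf)
    for w in warnings:
        print('warning:', w)
    for e in errors:
        print('error:', e)
```

Run against the sample, the upgrade drops both old tkey directives, adds tkey-gssapi-keytab, raises connections from 1 to 2 while keeping the surrounding spacing, and reports no warnings; the validation alone flags the original fragment ("connections < 2 with psearch enabled"), which is the kind of fatal startup error Petr describes. Running the upgrade a second time changes nothing, so it is safe to call from a repeated upgrade step.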
