[Freeipa-devel] [PATCH] 376-377, 385 Use tkey-gssapi-keytab in named.conf

Rob Crittenden rcritten at redhat.com
Thu Mar 14 14:51:10 UTC 2013


Martin Kosek wrote:
> On 03/13/2013 06:06 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 03/11/2013 09:39 AM, Petr Spacek wrote:
>>>> On 11.3.2013 09:09, Martin Kosek wrote:
>>>>> On 03/08/2013 09:49 AM, Petr Spacek wrote:
>>>>>> On 8.3.2013 00:14, Rob Crittenden wrote:
>>>>>>> Martin Kosek wrote:
>>>>>>>> Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
>>>>>>>> and tkey-domain and replace them with tkey-gssapi-keytab which avoids
>>>>>>>> unnecessary Kerberos checks on BIND startup and can cause issues when
>>>>>>>> KDC is not available.
>>>>>>>>
>>>>>>>> Both new and current IPA installations are updated.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/3429
>>>>>>>>
>>>>>>>
>>>>>>> Still reviewing this but I noticed that after upgrading my 3.1.99 server
>>>>>>> pre-patch to the with-patch version the connections argument in named.conf
>>>>>>> got set to 4 (courtesy of ipa-upgradeconfig). Should we be setting that to 4
>>>>>>> during the initial install too?
>>>>>>
>>>>>> For 3.2 it doesn't matter. Anything >= 2 should be okay, but more connections
>>>>>> should not harm.
>>>>>>
>>>>>> A higher value should allow a higher level of parallelism; it is one of the tuning
>>>>>> parameters. Value 4 was necessary to prevent deadlocks in some previous
>>>>>> versions of bind-dyndb-ldap.
>>>>>>
>>>>>
>>>>> Previously, when I implemented the upgrade script, I set connections arg only
>>>>> if it was present in named.conf and thus bind-dyndb-ldap could not use a
>>>>> reasonable default on its own decision.
>>>>>
>>>>> This was changed in e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f and connections
>>>>> is set always. Rob is correct that in that case we might want to add it to
>>>>> named.conf by default to make it consistent... or we could also fix the upgrade
>>>>> script to change connections only if it is present in named.conf.
>>>>>
>>>>> Petr, what does make more sense bind-dyndb-ldap wise?
>>>>
>>>> Default values should work. Personally I would include only "override" values
>>>> in named.conf, but technically it doesn't matter.
>>>>
>>>> Note: Latest bind-dyndb-ldap versions refuse to start if configuration is
>>>> insane. Fatal error will point admin to errors in configuration and should
>>>> prevent surprises from auto-magically changed values.
>>>>
>>>> Invalid configurations - examples:
>>>> connections < 1
>>>> connections < 2 && psearch is enabled
>>>> serial_autoincrement enabled && psearch disabled
>>>>
>>>
>>> Ok, let's set the connections argument only if it is in named.conf _and_ it is
>>> lower than the required minimum. All patches attached.
>>>
>>> Martin
>>>
>>
>> This works ok if the format of named.conf is stable.
>>
>> If, for example, there are extra spaces between options and { then the values
>> are not updated. This is nothing new with this patch; our previous code was
>> also space dependent (augeas will address this eventually).
>>
>> I just wonder: should we log a warning if a change has not been applied?
>>
>> rob
>
> There is already a warning if we could not match tkey-gssapi-credential,
> tkey-domain or tkey-gssapi-keytab. It would look like that:
>
> # ipa-upgradeconfig --quiet
> Either tkey-gssapi-credential or tkey-domain is missing in /etc/named.conf.
> Skip update.
>
> At least I made our crappy named.conf parser more resilient to spaces in
> section start (i.e. it should now work with "options      {") and made the
> regular expression object naming more consistent. But you are right, this will
> be eventually improved by augeas.
>
> The important thing for now is that our updater works fine with the template
> named.conf we ship with freeipa including user changes, if the user does not go too
> wild into breaking what's already there...
>
> Martin
>

ACK, pushed to master x 3.

rob
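The two updater behaviours agreed in the thread (swap tkey-gssapi-credential/tkey-domain for tkey-gssapi-keytab, and raise connections only when it is present and below the minimum) as an added, stand-alone illustration; this is not the FreeIPA ipa-upgradeconfig code. The named.conf fragment, the keytab path and the minimum of 2 are constructed assumptions.

```python
import re

MIN_CONNECTIONS = 2          # assumption: ">= 2 should be okay" per the thread
KEYTAB = "/etc/named.keytab" # assumed keytab path, not taken from FreeIPA

# Constructed named.conf fragment: note the extra spaces before "{" in options.
SAMPLE_NAMED_CONF = """\
options      {
\tdirectory "/var/named";
\ttkey-gssapi-credential "DNS/ipa.example.test";
\ttkey-domain "EXAMPLE.TEST";
};

dynamic-db "ipa"   {
\tlibrary "ldap.so";
\targ "connections 1";
};
"""

def update_tkey(conf, keytab=KEYTAB):
    """Return (new_conf, changed). Replaces the obsolete credential/domain pair
    with tkey-gssapi-keytab inside the options section; if either option is
    missing, nothing is touched (the updater would log and skip instead)."""
    # Tolerate any whitespace between 'options' and '{'; body ends at a '};' line.
    opts = re.search(r'^options\s*\{(.*?)^\};', conf, re.M | re.S)
    if not opts:
        return conf, False
    body = opts.group(1)
    cred = r'^([ \t]*)tkey-gssapi-credential\s+"[^"]*";'
    dom = r'^[ \t]*tkey-domain\s+"[^"]*";[ \t]*\n'
    if not (re.search(cred, body, re.M) and re.search(dom, body, re.M)):
        return conf, False
    body = re.sub(cred, lambda m: '%stkey-gssapi-keytab "%s";' % (m.group(1), keytab),
                  body, count=1, flags=re.M)
    body = re.sub(dom, '', body, count=1, flags=re.M)
    return conf[:opts.start(1)] + body + conf[opts.end(1):], True

def update_connections(conf, minimum=MIN_CONNECTIONS):
    """Return (new_conf, changed). Raises 'arg "connections N"' to the minimum
    only if the argument is already present and N is too low; an absent
    argument is left to bind-dyndb-ldap's own default."""
    m = re.search(r'^[ \t]*arg\s+"connections\s+(\d+)"\s*;', conf, re.M)
    if not m or int(m.group(1)) >= minimum:
        return conf, False
    return conf[:m.start(1)] + str(minimum) + conf[m.end(1):], True

if __name__ == "__main__":
    conf, _ = update_tkey(SAMPLE_NAMED_CONF)
    conf, _ = update_connections(conf)
    print(conf)
```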
