[Freeipa-devel] [PATCH 0042] Allow host re-enrollment using delegation

Martin Kosek mkosek at redhat.com
Mon Mar 25 09:55:01 UTC 2013


On 03/22/2013 06:17 PM, Tomas Babej wrote:
> On Fri 22 Mar 2013 05:54:12 PM CET, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 03/18/2013 02:49 PM, Tomas Babej wrote:
>>>> On 03/18/2013 02:46 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> A new option --force-join has been added to ipa-client-install.
>>>>> It forces the host enrollment even if the host entry exists.
>>>>> Old certificate is revoked, new certificate and ssh key pair
>>>>> generated. See the relevant design for the re-enrollment part:
>>>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>>
>>> --force-join is not mentioned there. Since you're adding a new option,
>>> you need to document it.
>>
>> What is the difference between force-join and force? All force does is
>> let the install continue if the join fails, so if we're forcing join
>> to succeed too...
>>
> 
> There's more differing behaviour in ipa-client-install with the --force option:
> -  in case of an install error, changes are not rolled back
> -  in unattended mode, using --force allows retrieving the CA cert using HTTP
> -  Kerberos and LDAP settings are forced
> 
> I'm not against merging the options, it just seemed to me as though they provide
> support for slightly different use cases.
> 
> Though, the man page for ipa-client-install says the following about the --force option:
> "Force the settings even if errors occur".
> 

That's true, I think that host re-enrollment is quite a specific action that
deserves a special force flag. Additionally, people re-enrolling a client may not
want the changes above. Thus, I am also for a special force flag for this operation.

Since Petr already checked the patch works, I am giving second ACK.

Pushed to master (as agreed with Tomas, I just updated the link to the wiki page in
the commit message).

Martin
