Lance Dillon wrote:
------------------------------------------------------------------------
*From:* Rob Crittenden <[email protected]>
*To:* Martin Kosek <[email protected]>
*Cc:* freeipa-devel <[email protected]>
*Sent:* Thursday, July 5, 2012 3:18 PM
*Subject:* Re: [Freeipa-devel] [PATCH] 1032 allow multiple --server in client install, don't always set _srv_

Martin Kosek wrote:
> On 07/04/2012 12:12 AM, Rob Crittenden wrote:
>> If you pass in --server and --fixed-primary then don't add _srv_ to ipa_server
>> in sssd.conf.
>>
>> This necessitates the desire to be able to provide multiple servers so make
>> --server accept multiple values. This represents the bulk of the code changes.
>> In every case we only use the additional values in sssd.conf.
>>
>> I also made some minor tweaks to discovery. There were cases where DNS
>> discovery wasn't successful but we set dnsok anyway which could cause some
>> cascading issues.
>>
>> There are a ton of possible corner cases with this so please, be brutal.
>>
>> I tested the following against a DNS server that had SRV records and against
>> one that did not.
>>
>> - ipa-client-install
>> - ipa-client-install --server=ipa.example.com --domain=example.com
>> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com
>> --domain-example.com
>> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
>> --domain-example.com --fixed-primary
>> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
>> --domain-example.com --fixed-primary --no-sssd
>> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
>> --domain-example.com --no-sssd
>>
>> rob
>
> I did various checks, generally the patch behaves ok, I did not find any major
> bug. I have just 2 questions/suggestions:
>
> 1) Since we allow more fixed servers to be passed as --server parameter, we
> could name them all in /etc/krb5.conf in "kdc" and "admin_server" options when
> DNS is not OK instead of writing just the first one in the list. Kerberos tools
> then should be able to fall back when some of them is not available.

Sure, that makes sense. Done.

> 2) When DNS discovery is not OK, we still add _srv_ to ipa_server option in
> sssd.conf. Is it intentional?

Yes, it was sort of a future-proofing if SRV records are ever made available.

rob

Could I request an option to not add _srv_ at all, like a
--no-dns-discovery option? This way those of us who unfortunately are
in situations where we can't create SRV records at all can have it
designated at install time. Otherwise I have to edit the config files
afterwards anyway to get rid of it.

It could be made default false, of course, but if set the _srv_ entry
would not be added.

You'll be able to do that by specifying --server and --fixed-primary.

rob