On 03/22/2013 06:17 PM, Tomas Babej wrote:
> On Fri 22 Mar 2013 05:54:12 PM CET, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 03/18/2013 02:49 PM, Tomas Babej wrote:
>>>> On 03/18/2013 02:46 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> A new option --force-join has been added to ipa-client-install.
>>>>> It forces the host enrollment even if the host entry exists.
>>>>> Old certificate is revoked, new certificate and ssh key pair
>>>>> generated. See the relevant design for the re-enrollment part:
>>>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>>
>>> --force-join is not mentioned there. Since you're adding a new option,
>>> you need to document it.
>>
>> What is the difference between force-join and force? All force does is
>> let the install continue if the join fails, so if we're forcing join
>> to succeed too...
>>
>
> There's more of different behaviour in ipa-client-install with --force option:
> - in case of install error, changes are not rolled back
> - in unattended mode, using --force allows to retrieve the CA cert using HTTP
> - Kerberos and LDAP settings are forced
>
> I'm not against merging the options, It just seemed to me as though they
> provide support for slightly different use cases.
>
> Though, man page for ipa-client-install says about --force option the
> following:
> "Force the settings even if errors occur".
>

That's true, I think that host reenrollment is quite a specific action that deserves a special force flag. Additionally, people reenrolling a client may not want the changes above. Thus, I am also for a special force flag for this operation.

Since Petr already checked the patch works, I am giving a second ACK. Pushed to master (as agreed with Tomas, I just updated the link to the wiki page in the commit message).

Martin
