Martin Babinsky wrote:
> On 03/02/2015 04:28 PM, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>>>>>>>> On 01/12/2015 05:45 PM, Martin Babinsky wrote:
>>>>>>>>>> related to ticket https://fedorahosted.org/freeipa/ticket/4808
>>>
>>> this patch seems to be a bit forgotten.
>>>
>>> It works, looks fine.
>>>
>>> One minor issue: trailing whitespaces in the man page.
>>>
>>> I also wonder if it shouldn't be used in other tools which call kinit
>>> with keytab:
>>> * ipa-client-automount:434
>>> * ipa-client-install:2591 (this usage should be fine since it's used for
>>> server installation)
>>> * dcerpc.py:545
>>> * rpcserver.py: 971, 981 (armor for web ui forms base auth)
>>>
>>> Most importantly the ipa-client-automount because it's called from
>>> ipa-client-install (if location is specified) and therefore it might
>>> fail during client installation.
>>>
>>> Or also, kinit call with admin credentials worked for the user but I
>>> wonder if it was just a coincidence and may break under slightly
>>> different but similar conditions.
>>
>> I think that's a fine idea. In fact there is already a function that
>> could be extended, kinit_hostprincipal().
>>
>> rob
>>
>
> So in principle we could add multiple TGT retries to
> "kinit_hostprincipal()" and then plug this function to all the places
> Petr mentioned in order to provide this functionality each time TGT is
> requested using keytab.
>
> Do I understand it correctly?
>

Honestly I think I'd only do the retries on client installation. I
don't know that the other uses would really benefit or need this.

But this is an opportunity to consolidate some code, so I guess the
approach I'd take is to add an option to kinit_hostprincipal of
retries=0 so that only a single kinit is done. The client installers
would pass in some value.

This change is quite a bit more invasive but it's also early in the
release cycle so the risk will be spread out.

rob
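
The approach described in the reply above (a `retries=0` default that performs a single kinit, with client installers passing a larger value), as an added example that is not FreeIPA's `kinit_hostprincipal()` and not code from this thread. The helper name `kinit_keytab`, its signature, the delay value, the `FakeKinit` stand-in and the sample principal and paths are assumptions made for illustration.

```python
import subprocess
import time


def kinit_keytab(principal, keytab, ccache, retries=0, delay=5.0,
                 run=subprocess.run, sleep=time.sleep):
    """Get a TGT from a keytab; retries=0 means exactly one kinit call.

    Hypothetical helper: the name, signature and delay are assumptions.
    run/sleep are injectable so the retry logic can be exercised offline.
    Returns the attempt number that succeeded; raises RuntimeError otherwise.
    """
    # Argument list, no shell: principal and paths are never shell-parsed.
    argv = ["kinit", "-k", "-t", keytab, "-c", ccache, principal]
    last_err = ""
    for attempt in range(1, max(retries, 0) + 2):
        proc = run(argv, capture_output=True, text=True)
        if proc.returncode == 0:
            return attempt
        last_err = (proc.stderr or "").strip()
        if attempt <= retries:
            sleep(delay)  # pause only when another attempt follows
    raise RuntimeError("kinit failed after %d attempt(s): %s"
                       % (attempt, last_err))


class FakeKinit:
    """Constructed stand-in for kinit: fails `failures` times, then succeeds."""
    def __init__(self, failures):
        self.failures, self.calls = failures, []

    def __call__(self, argv, **kwargs):
        self.calls.append(argv)
        ok = len(self.calls) > self.failures
        return subprocess.CompletedProcess(
            argv, 0 if ok else 1, "", "" if ok else "constructed failure")


def demo():
    """Same transient failure, seen by a default caller and an installer."""
    # Constructed sample values; nothing is read from or written to disk.
    args = ("host/client.example.test", "/etc/krb5.keytab", "/tmp/krb5cc_example")
    out = {}
    try:
        kinit_keytab(*args, run=FakeKinit(2), sleep=lambda s: None)
    except RuntimeError as exc:
        out["default"] = str(exc)
    out["installer"] = kinit_keytab(*args, retries=5, run=FakeKinit(2),
                                    sleep=lambda s: None)
    return out
```

Callers that keep the default fail on the first error exactly as a single kinit would, so only the installer path changes behaviour.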