On 12/08/2015 07:57 AM, Jan Cholasta wrote:
> On 7.12.2015 16:43, Martin Kosek wrote:
>> On 12/07/2015 02:17 PM, Tomas Babej wrote:
>>>
>>>
>>> On 12/04/2015 08:22 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On 12/04/2015 07:17 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Avoids failing in the later stages during the ipa-client-install
>>>>>> command.
>>>>>>
>>>>>> Tomas
>>>>>
>>>>> Is this change needed? Wouldn't it be better to update
>>>>> ipa-client-install or ipa-replica-install to not require the --domain
>>>>> option? I would hope that --domain can be figured out during
>>>>> installation and not passed to ipa-replica-install manually by the admin.
>>>>>
>>>>> I just think that calling
>>>>> # ipa-replica-install --server=master.example.com
>>>>> is better than
>>>>> # ipa-replica-install --server=master.example.com --domain example.com
>>>>> if possible.
>>>>
>>>> IIRC this is for service discovery when using a specific server and not
>>>> LDAP. This is the domain used to search for the kerberos realm, for
>>>> example.
>>>>
>>>> That isn't to say this isn't discoverable but it would require another
>>>> function in discovery to query what the IPA domain is from the given
>>>> master but it gets tricky if anonymous search is disabled, for example.
>>>>
>>>> rob
>>>>
>>>
>>> Needed or not, this is the behaviour that ipa-client-install has now.
>>> Adding a domain detection method would be an RFE for ipa-client-install
>>> (and imho not something we should be adding at this point).
>>>
>>> This patch only focuses on making the ipa-replica-install work more
>>> smoothly.
>>
>> I am just thinking that client promotion (ipa-replica-install) and
>> ipa-client-install are a bit different use cases. While ipa-client-install
>> should be typically run in auto-discovery and you thus do not use --server
>> option much, while with ipa-replica-install, you want to make sure you have
>> the expected topology and should use --server all the time without gambling
>> on it.
>>
>> But I do not think it has to be there since 4.3 GA, can you please file a
>> ticket for this gap?
>
> I would rather do it now, because the change from optional to mandatory is
> backward incompatible. (We don't want to break users' scripts, right?)

I think it is the other way around - with the change I was suggesting (autodetecting --domain option instead of always requesting it, as in Tomas' patch which we can merge if my proposal is not doable for 4.3 GA).