[Freeipa-devel] IPAv2, replica installation can be broken

Rob Crittenden rcritten at redhat.com
Fri Jan 15 18:39:54 UTC 2010


Simo Sorce wrote:
> On Thu, 14 Jan 2010 15:53:55 -0500
> Rob Crittenden <rcritten at redhat.com> wrote:
> 
>> I just discovered a problem with replica installation in IPAv2 and 
>> wanted to get some additional opinions on it.
>>
>> The scenario is this: You've installed a master, perhaps added some 
>> entries on it, everything is working fine. You've got some hosts that 
>> you added entries for as well, perhaps even creating some service
>> keytabs.
>>
>> Now you want to make one of those hosts an IPA replica. Things will
>> blow up gloriously because some principals needed for the replica may
>> already exist in the DB.
>>
>> So the question is, do we want to enforce that any replica hosts
>> don't already exist in the database before proceeding? It seems
>> reasonable to me but I'm pretty draconian about such things.
>>
>> Thoughts?
> 
> Ok so the best solution would be to detect that and just use the
> existing entries.
> 
> Although if it is really just krb keys, I think it is perfectly
> acceptable to simply delete existing ones at replica-install time and
> regenerate new ones. (with a warning that some clients may need to
> refresh their credential cache in the hours right after the operation).
> 
> It would be probably much easier if we can get to do an online replica
> install instead of going through the current file based replica.
> 
> Can we revisit what keeps us from doing that? With the addition of
> dogtag in 2.0 are certificates still a problem? What else do we miss?
> 
> Simo.
> 

Certs are no problem.

One of the hangups was kpasswd.keytab which needs to be the same on all 
machines. I seem to think that all the problems were related to 
bootstrapping the KDC.

rob