[Freeipa-devel] [PATCH] 376-377, 385 Use tkey-gssapi-keytab in named.conf

Martin Kosek mkosek at redhat.com
Thu Mar 14 09:32:25 UTC 2013


On 03/13/2013 06:06 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 03/11/2013 09:39 AM, Petr Spacek wrote:
>>> On 11.3.2013 09:09, Martin Kosek wrote:
>>>> On 03/08/2013 09:49 AM, Petr Spacek wrote:
>>>>> On 8.3.2013 00:14, Rob Crittenden wrote:
>>>>>> Martin Kosek wrote:
>>>>>>> Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
>>>>>>> and tkey-domain and replace them with tkey-gssapi-keytab which avoids
>>>>>>> unnecessary Kerberos checks on BIND startup and can cause issues when
>>>>>>> KDC is not available.
>>>>>>>
>>>>>>> Both new and current IPA installations are updated.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3429
>>>>>>>
>>>>>>
>>>>>> Still reviewing this but I noticed that after upgrading my 3.1.99 server
>>>>>> pre-patch to the with-patch version the connections argument in named.conf
>>>>>> got set to 4 (courtesy of ipa-upgradeconfig). Should we be setting that to 4
>>>>>> during the initial install too?
>>>>>
>>>>> For 3.2 it doesn't matter. Anything >= 2 should be okay, but more connections
>>>>> should not harm.
>>>>>
>>>>> A higher value should allow a higher level of parallelism; it is one of the tuning
>>>>> parameters. Value 4 was necessary to prevent deadlocks in some previous
>>>>> versions of bind-dyndb-ldap.
>>>>>
>>>>
>>>> Previously, when I implemented the upgrade script, I set connections arg only
>>>> if it was present in named.conf and thus bind-dyndb-ldap could not use a
>>>> reasonable default on its own decision.
>>>>
>>>> This was changed in e578183ea25a40aedf6dcc3e1ee4bcb19b73e70f and connections
>>>> is set always. Rob is correct, that in that case we might want to add it to
>>>> named.conf by default to make it consistent... or we could also fix upgrade
>>>> script to change connections only if it is present in named.conf.
>>>>
>>>> Petr, what does make more sense bind-dyndb-ldap wise?
>>>
>>> Default values should work. Personally I would include only "override" values
>>> in named.conf, but technically it doesn't matter.
>>>
>>> Note: Latest bind-dyndb-ldap versions refuse to start if configuration is
>>> insane. Fatal error will point admin to errors in configuration and should
>>> prevent surprises from auto-magically changed values.
>>>
>>> Invalid configurations - examples:
>>> connections < 1
>>> connections < 2 && psearch is enabled
>>> serial_autoincrement enabled && psearch disabled
>>>
>>
>> Ok, let's set the connections argument only if it is in named.conf _and_ it is
>> lower than the required minimum. All patches attached.
>>
>> Martin
>>
> 
> This works ok if the format of named.conf is stable.
> 
> If, for example, there are extra spaces between options and { then the values
> are not updated. This is nothing new with this patch, our previous code was
> also space dependent (augeas will address this eventually)
> 
> I just wonder: Should we log a warning if a change has not been applied?
> 
> rob

There is already a warning if we could not match tkey-gssapi-credential,
tkey-domain or tkey-gssapi-keytab. It would look like this:

# ipa-upgradeconfig --quiet
Either tkey-gssapi-credential or tkey-domain is missing in /etc/named.conf.
Skip update.

At least I made our crappy named.conf parser more resilient to spaces in
section start (i.e. it should now work with "options      {") and made the
regular expression object naming more consistent. But you are right, this will
eventually be improved by augeas.

The important thing for now is that our updater works fine with the template
named.conf we ship with freeipa, including user changes, if the user does not go too
wild in breaking what's already there...

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-376-2-update-named.conf-parser.patch
Type: text/x-patch
Size: 5978 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130314/042a273a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-377-2-use-tkey-gssapi-keytab-in-named.conf.patch
Type: text/x-patch
Size: 5121 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130314/042a273a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-385-2-do-not-force-named-connections-on-upgrades.patch
Type: text/x-patch
Size: 1188 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130314/042a273a/attachment-0002.bin>
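The following is an added example, not code from the attached patches or from FreeIPA itself, showing the two named.conf edits this thread settles on: swapping tkey-gssapi-credential/tkey-domain for tkey-gssapi-keytab in the options section, and raising the dynamic-db connections argument only when it is present and below the minimum, while tolerating extra spaces before "{". The sample named.conf fragment is constructed for the example, the keytab path /etc/named.keytab and the minimum of 2 connections are assumptions taken from the thread, and the warning text mirrors the one quoted above.

```python
import logging
import re

logger = logging.getLogger(__name__)

# The thread says any connections value >= 2 is fine for bind-dyndb-ldap 3.2;
# treating 2 as the required minimum is an assumption of this example.
MIN_CONNECTIONS = 2

# Constructed pre-patch named.conf fragment (not a real FreeIPA template). The extra
# spaces before '{' exercise the whitespace tolerance discussed in the thread.
SAMPLE_NAMED_CONF = """\
options      {
    directory "/var/named";
    tkey-gssapi-credential "DNS/ipa.example.test";
    tkey-domain "EXAMPLE.TEST";
};

dynamic-db "ipa"   {
    library "ldap.so";
    arg "connections 1";
    arg "auth_method sasl";
};
"""

# One statement per line, as in the shipped template; 'indent' preserves the user's indentation.
TKEY_CRED_RE = re.compile(r'^(?P<indent>[ \t]*)tkey-gssapi-credential\s+"[^"]*";[ \t]*\n?', re.M)
TKEY_DOMAIN_RE = re.compile(r'^[ \t]*tkey-domain\s+"[^"]*";[ \t]*\n?', re.M)
TKEY_KEYTAB_RE = re.compile(r'^[ \t]*tkey-gssapi-keytab\s+"[^"]*";', re.M)
CONNECTIONS_RE = re.compile(r'^(?P<indent>[ \t]*)arg\s+"connections\s+(?P<n>\d+)"\s*;', re.M)


def _section(conf, header_re):
    """Return (body_start, body_end) of a top-level section, or None if absent.

    Any amount of whitespace is allowed between the section name and '{'.
    The body includes the newline before the closing '};'.
    """
    start = re.search(r'^\s*' + header_re + r'\s*\{', conf, re.M)
    if start is None:
        return None
    end = conf.find('\n};', start.end())
    if end == -1:
        return None
    return start.end(), end + 1


def update_tkey_options(conf, keytab='/etc/named.keytab', path='/etc/named.conf'):
    """Replace tkey-gssapi-credential + tkey-domain with tkey-gssapi-keytab.

    Returns (new_conf, changed). Leaves the file untouched, with a warning, when the
    expected options cannot be matched, so a hand-edited file is never half-converted.
    """
    span = _section(conf, r'options')
    if span is None:
        logger.warning('options section is missing in %s. Skip update.', path)
        return conf, False
    body_start, body_end = span
    body = conf[body_start:body_end]
    if TKEY_KEYTAB_RE.search(body):
        return conf, False  # already converted; nothing to do
    if TKEY_CRED_RE.search(body) is None or TKEY_DOMAIN_RE.search(body) is None:
        logger.warning('Either tkey-gssapi-credential or tkey-domain is missing in %s. '
                       'Skip update.', path)
        return conf, False
    body = TKEY_CRED_RE.sub(
        lambda m: '%stkey-gssapi-keytab "%s";\n' % (m.group('indent'), keytab), body, count=1)
    body = TKEY_DOMAIN_RE.sub('', body, count=1)
    return conf[:body_start] + body + conf[body_end:], True


def update_connections(conf, minimum=MIN_CONNECTIONS):
    """Raise the dynamic-db 'connections' arg only if it is present and below minimum.

    When the arg is absent, bind-dyndb-ldap's own default is left in charge, which is
    what the thread decided for upgrades. Returns (new_conf, changed).
    """
    span = _section(conf, r'dynamic-db\s+"[^"]+"')
    if span is None:
        return conf, False
    body_start, body_end = span
    body = conf[body_start:body_end]
    m = CONNECTIONS_RE.search(body)
    if m is None or int(m.group('n')) >= minimum:
        return conf, False
    body = body[:m.start()] + '%sarg "connections %d";' % (m.group('indent'), minimum) + body[m.end():]
    return conf[:body_start] + body + conf[body_end:], True


def upgrade_named_conf(conf):
    """Apply both updates; returns (new_conf, list of applied change names)."""
    applied = []
    conf, changed = update_tkey_options(conf)
    if changed:
        applied.append('tkey-gssapi-keytab')
    conf, changed = update_connections(conf)
    if changed:
        applied.append('connections')
    return conf, applied


if __name__ == '__main__':
    logging.basicConfig(level=logging.WARNING)
    new_conf, applied = upgrade_named_conf(SAMPLE_NAMED_CONF)
    print('applied:', applied)
    print(new_conf)
```

Running the module prints the converted fragment; running update_tkey_options a second time on its own output is a no-op, and a file with no tkey options at all is left alone with the same warning ipa-upgradeconfig prints.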

