On 07/05/2012 09:18 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 07/04/2012 12:12 AM, Rob Crittenden wrote:
>>> If you pass in --server and --fixed-primary then don't add _srv_ to
>>> ipa_server in sssd.conf.
>>>
>>> This necessitates the desire to be able to provide multiple servers so
>>> make --server accept multiple values. This represents the bulk of the
>>> code changes. In every case we only use the additional values in
>>> sssd.conf.
>>>
>>> I also made some minor tweaks to discovery. There were cases where DNS
>>> discovery wasn't successful but we set dnsok anyway which could cause
>>> some cascading issues.
>>>
>>> There are a ton of possible corner cases with this so please, be brutal.
>>>
>>> I tested the following against a DNS server that had SRV records and
>>> against one that did not.
>>>
>>> - ipa-client-install
>>> - ipa-client-install --server=ipa.example.com --domain=example.com
>>> - ipa-client-install --server=ipa.example.com --server=ipa1.example.com
>>> --domain-example.com
>>> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
>>> --domain-example.com --fixed-primary
>>> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
>>> --domain-example.com --fixed-primary --no-sssd
>>> - ipa-client-install -server=ipa.example.com --server=ipa1.example.com
>>> --domain-example.com --no-sssd
>>>
>>> rob
>>
>> I did various checks, generally the patch behaves ok, I did not find any
>> major bug. I have just 2 questions/suggestions:
>>
>> 1) Since we allow more fixed servers to be passed as --server parameter,
>> we could name them all in /etc/krb5.conf in "kdc" and "admin_server"
>> options when DNS is not OK instead of writing just the first one in the
>> list. Kerberos tools then should be able to fall-back when some of them
>> is not available.
>
> Sure, that makes sense. Done.
>
>> 2) When DNS discovery is not OK, we still add _srv_ to ipa_server option
>> in sssd.conf. Is it intentional?
>
> Yes, it was sort of a future-proofing if SRV records are ever made available.
>
> rob

I did not find any other patch-related issue, I just hit an issue with SELinux which prevents IPA clients with --no-sssd from working:

https://bugzilla.redhat.com/show_bug.cgi?id=838822

But since this issue is not related to your patch, it is good to go.

ACK. Pushed to master.

Martin
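
The sssd.conf and krb5.conf behaviour agreed in this thread, sketched as an added example that is not part of the original message or the ipa-client-install source. The function names, the placement of `_srv_` ahead of the fixed servers, the empty result when DNS is OK, and the ports 88/749 are assumptions.

```python
"""Added illustration of the thread's rules; not FreeIPA code."""


def sssd_ipa_server(servers, fixed_primary):
    """Build the ipa_server value for sssd.conf.

    Per the thread: --server together with --fixed-primary leaves _srv_
    out; in every other case _srv_ is kept, even if DNS discovery failed.
    Assumption: _srv_ goes first, with the fixed servers listed after it.
    """
    servers = list(servers)
    if servers and fixed_primary:
        return ", ".join(servers)
    return ", ".join(["_srv_"] + servers)


def krb5_realm_lines(servers, dns_ok):
    """Build kdc/admin_server lines for the realm stanza in /etc/krb5.conf.

    Per the thread: when DNS is not OK, every --server value is written,
    not only the first, so Kerberos tools can fall back to another server.
    Assumption: when DNS is OK no explicit entries are written here.
    """
    if dns_ok:
        return []
    lines = ["kdc = %s:88" % s for s in servers]            # assumed port
    lines += ["admin_server = %s:749" % s for s in servers]  # assumed port
    return lines


if __name__ == "__main__":
    # Constructed sample input, using the host names from the thread.
    servers = ["ipa.example.com", "ipa1.example.com"]
    for fixed in (False, True):
        print("fixed_primary=%s -> ipa_server = %s"
              % (fixed, sssd_ipa_server(servers, fixed)))
    for line in krb5_realm_lines(servers, dns_ok=False):
        print(line)
```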