[PATCH] samba-tool domain provision with MIT KDC
Andrew Bartlett
abartlet at samba.org
Mon May 15 18:24:49 UTC 2017
On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> Hi Andrew,
>
> here are the patches implementing the provisioning in a cleaner way. It works
> on openSUSE, Fedora and Debian.
>
>
> Please review and push if OK :-)
>
Thanks!
This is much better than the previous approach. However, I'm a bit
worried about one thing, that is what should we do if we have to change
it?
This comes from the experience with provision-generated config files so
far. For example, we have a bug in our provision script where it
writes in the full list of services if you use DLZ_BIND9, rather than
just '-dns'.
We should fix that, naturally, but what should we do with all the old
configuration files (particularly when we add a service)?
If we write it out to private/ once, we have to live with exactly that
file forever, as we can't (trivially) know if the administrator
intended to change it, or it was an old config file before our required
settings changed.
This is still an important step forward, but I wanted to put it in
writing why I favour a tmp file generated just before the fork()/exec()
of the KDC.
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list