Right now, if --force-join and --keytab options are used together in ipa-client-install, --keytab is simply ignored.
Since it does not make sense to use both --force-join and --keytab options together, we should fail if this is attempted.
We had a conversation with Ana where I approved this, but now I'm having second thoughts about this.
It is not true, as written in the ticket, that when --force-join and --keytab are used together, the --keytab option is ignored. The --keytab option actually invokes the same code that --force-join does - they both force the host entry on the server to be rewritten if it already exists.
What they differ in is that --force-join needs admin credentials (options -p/--principal) whereas --keytab option does not.
To make this more clear:
--force-join = host entry rewritten if it exists
--keytab = keytab authentication + host entry rewritten if it exists
The reason why --force-join is included in --keytab is that it does not make sense to use one without the other: for the keytab to be usable for authentication, the host entry must exist and it must be active.
Long story short:
1.) --force-join and --keytab options used together equal the --keytab option
2.) the options --keytab and --principal are mutually exclusive, since they provide two separate ways of authentication (using admin's credentials / host keytab)
My proposal:
1.) I'd rather not fail if --force-join is used with --keytab, just print a warning that using --force-join has no additional effect when used with --keytab
2.) Make --keytab and --principal options mutually exclusive
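The option semantics proposed in this comment, as an added stand-alone example (not FreeIPA's own ipa-client-install code): the option names are the real ones, while the parser, the check_options() helper, the "prompt" label for the no-principal case and the messages are assumptions.

```python
import argparse

# Added example, not ipa-client-install's own code: encodes the proposal that
# --keytab + --force-join only warns, while --keytab + --principal is an error.


def build_parser():
    # Only the three options discussed in the ticket are modelled here.
    parser = argparse.ArgumentParser(prog="ipa-client-install", add_help=False)
    parser.add_argument("-p", "--principal")
    parser.add_argument("--keytab")
    parser.add_argument("--force-join", action="store_true")
    return parser


def check_options(argv):
    """Return a dict with the effective auth mode, the effective force-join
    flag, and any warning or error produced by the two proposed rules."""
    opts = build_parser().parse_args(argv)
    result = {"auth": None, "force_join": False, "warning": None, "error": None}

    # Rule 2: --keytab and --principal are two separate authentication paths
    # (host keytab vs admin credentials), so using both is an error.
    if opts.keytab and opts.principal:
        result["error"] = "--keytab and --principal are mutually exclusive"
        return result

    if opts.keytab:
        # Rule 1: --keytab already implies rewriting an existing host entry,
        # so --force-join adds nothing; warn rather than fail.
        if opts.force_join:
            result["warning"] = ("--force-join has no additional effect "
                                 "when used with --keytab")
        result["auth"] = "keytab"
        result["force_join"] = True
    else:
        # Admin-credential path: force-join only applies if explicitly given.
        # "prompt" is an assumed label for "no principal supplied yet".
        result["auth"] = "principal" if opts.principal else "prompt"
        result["force_join"] = opts.force_join
    return result


if __name__ == "__main__":
    import sys
    print(check_options(sys.argv[1:]))
```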
Makes perfect sense, thanks for the detailed explanation.
I will implement a fix according to your proposal.
master: caf40e7
ipa-3-2: 09d89e8
Metadata Update from @akrivoka: - Issue assigned to akrivoka - Issue set to the milestone: FreeIPA 3.2.x - 2013/06 (bug fixing)