Closed jakerundall closed 2 months ago
billglick
commented
2 months ago There was a part of me that questioned if we should move bad keytab file aside so that theoretically Puppet could fix it. But after thinking about that for a few minutes, I realized some manual clean up will almost always be required if that is the case.
jakerundall
commented
2 months ago There was a part of me that questioned if we should move bad keytab file aside so that theoretically Puppet could fix it. But after thinking about that for a few minutes, I realized some manual clean up will almost always be required if that is the case.
It definitely could do that. And we could also update Puppet to delete any host principal that already exists in that case so it can recreate it. However I think we generally use createhost principals, which can only create and not delete AFAIK, for Puppet. But something to think about.
The check_keytab postscript makes sure that a keytab doesn't contain stale host principals. The goal is to identify this problem promptly on boot rather than finding out due to user reports, etc.
I've been testing this on MG since May.