[Freeipa-devel] [PATCH] 0109-0110 Support querying AD DC when establishing trust as HTTP/ipa.server principal

Martin Kosek mkosek at redhat.com
Tue Aug 6 10:37:17 UTC 2013


On 07/23/2013 04:31 PM, Simo Sorce wrote:
> On Tue, 2013-07-23 at 16:11 +0300, Alexander Bokovoy wrote:
>> On Tue, 23 Jul 2013, Simo Sorce wrote:
>>> On Thu, 2013-07-18 at 18:37 +0300, Alexander Bokovoy wrote:
>>>> Hi!
>>>>
>>>> Attached patches make it possible to use HTTP/ipa.server at REALM to query the AD
>>>> DC over LDAP immediately after a trust is established. We need this to get
>>>> range discovery working prior to creating a range for the trusted domain.
>>>>
>>>> The patch 0109 makes the KDC hostname cached on the ipadb context to avoid
>>>> resolving our own hostname multiple times.
>>>>
>>>> The patch 0110 depends on the ulc_casemap patches by Nathaniel and makes an
>>>> exception for HTTP/ipa.server at REALM when a TGT is requested and MS-PAC is
>>>> asked for -- we force refreshing the list of trusted domains here.
>>>>
>>>> More details are available in the commit logs.
>>>
>>> I do not think that changing reinit interval is the right thing to do.
>>>
>>> I would rather pass a boolean that tells reinit to check if we have any
>>> trust info, and if not unconditionally try to reinit immediately.
>>>
>>> I see that you treat the interval sort of like a boolean but then you
>>> just race hoping the previous reload w/o trust info happened more than 1
>>> second earlier.
>>>
>>> I think an explicit "bool force_reload" flag would be much clearer.
>>>
>>> Otherwise ack.
>> Attached is a modified patch that uses 'bool force_reinit' (as the function is
>> called ipadb_reinit_mspac).
>>
>> I tested it together with the updated Tomas patch 0076, which relies on these
>> patches, so I'm going to commit the whole set together.
> 
> LGTM, please proceed.
> 
> Simo.

Just to close this thread - the patch was pushed to master.

Martin
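The design point Simo raises above (using the reinit interval as a stand-in for a boolean races against the previous trust-less reload, whereas an explicit force flag does not) is easier to see in code. The following is an added illustration, not FreeIPA's ipadb code: it models a trusted-domain cache with a hypothetical struct and two hypothetical reinit functions, one keyed only on elapsed time and one that also honours a `force_reinit` flag when no trust info is cached.

```c
#include <stdbool.h>
#include <time.h>

/* Hypothetical model of a KDC-side trusted-domain cache (constructed for
 * this example; not the real ipadb context). */
struct mspac_ctx {
    time_t last_reinit;     /* when the trusted-domain list was last loaded */
    int    reinit_interval; /* seconds between periodic reloads */
    int    trust_count;     /* trusted domains currently known (0 = none) */
    int    reloads;         /* how many reloads actually happened */
};

/* Simulated reload. The number of trusts "found" is supplied by the caller
 * so the example runs offline instead of querying an AD DC over LDAP. */
static void load_trusts(struct mspac_ctx *ctx, int found, time_t now)
{
    ctx->trust_count = found;
    ctx->last_reinit = now;
    ctx->reloads++;
}

/* Interval-only variant: reload happens only once reinit_interval has
 * elapsed. A caller that shortens the interval to "1 second" to mean
 * "reload now" still loses if the previous (empty) reload happened less
 * than a second ago; that is the race described in the thread. */
bool reinit_by_interval(struct mspac_ctx *ctx, time_t now, int found)
{
    if (now - ctx->last_reinit < ctx->reinit_interval)
        return false;
    load_trusts(ctx, found, now);
    return true;
}

/* Explicit-flag variant: when force_reinit is set and no trust info is
 * cached, reload unconditionally; otherwise fall back to the interval.
 * Once trusts are known, a forced call does not cause extra reloads. */
bool reinit_mspac(struct mspac_ctx *ctx, bool force_reinit, time_t now, int found)
{
    bool need = (now - ctx->last_reinit >= ctx->reinit_interval);

    if (force_reinit && ctx->trust_count == 0)
        need = true;
    if (!need)
        return false;
    load_trusts(ctx, found, now);
    return true;
}
```

With a context whose last reload found nothing one moment ago, reinit_by_interval() returns false and the trust list stays empty, while reinit_mspac(..., true, ...) reloads immediately; a second forced call after trusts are known is a no-op until the interval elapses.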
