[Freeipa-devel] [PATCH] 0108 Add support for compatibility tree for trusted domain users

Alexander Bokovoy abokovoy at redhat.com
Thu Jul 18 15:45:03 UTC 2013


On Tue, 16 Jul 2013, Jakub Hrozek wrote:
>> >>+        if self.enable_compat:
>> >>+            self.step("Enabling trusted domains support for older clients via Schema Compatibility plugin",
>> >
>> >                        ^^^^
>> >               Nitpick: all the other steps begin with lowercased
>> >               letter. Only this one is uppercased, which makes the
>> >               tool output look inconsistent:
>> >[15/21]: adding special DNS service records
>> >[16/21]: Enabling trusted domains support for older clients via Schema Compatibility plugin
>> >[17/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
>> Thanks. Lowercased it.
>>
>> Updated patch is attached.
>
>Maybe it would be nice if some native English speaker read the man page
>change as well. To me it sounds like there are some articles missing. But
>the code works correctly and sets up the SSSD compat attributes during
>install when told to.
>
>Ack from me, however.
Thanks.

When this patch is pushed to master, you will need slapi-nis built
with my patch in order to actually provide older clients with trusted
domains' users.

The patch to slapi-nis uncovers a dead-lock issue in slapi-nis because its
operation means SSSD will be contacted as part of serving an LDAP query
over the compat tree. SSSD will then want to obtain a TGT using the
host/ipa.server principal to be able to contact the AD DC. Our KDC driver will
modify the host entry in the main LDAP tree, which will cause a post-op
callback to be triggered in slapi-nis. At this point the callback will
encounter that the global slapi-nis write lock is already taken by the
original query and will dead-lock.

However, the IPA patch can be applied safely because it only configures
slapi-nis trees to serve trusted domains' users over the compat tree, and if
there is no code in slapi-nis to do so, no dead-lock will be triggered.


-- 
/ Alexander Bokovoy
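
The lock cycle described in the message above, as an added example that is not part of the original post and is not slapi-nis or FreeIPA code. All class and function names are hypothetical, a plain mutex stands in for the global write lock, a thread stands in for the separate SSSD process, and a short timeout stands in for what would be an endless block.

```python
import threading

class CompatPluginModel:
    """Toy model of the lock cycle in the message; not slapi-nis code."""

    def __init__(self, plugin_calls_sssd, wait=0.2):
        self.global_lock = threading.Lock()  # stands in for the global write lock
        self.plugin_calls_sssd = plugin_calls_sssd
        self.wait = wait                     # timeout replaces an endless block
        self.trace = []

    def post_op_callback(self):
        # Runs after a modify in the main tree and needs the global lock.
        if not self.global_lock.acquire(timeout=self.wait):
            self.trace.append("post-op: blocked on global lock")
            return False
        self.global_lock.release()
        self.trace.append("post-op: done")
        return True

    def kdc_issue_host_tgt(self):
        # Issuing the TGT modifies the host entry, which fires the post-op.
        self.trace.append("kdc: modify host entry")
        return self.post_op_callback()

    def sssd_lookup(self):
        # SSSD is a separate process; a thread models that here.
        out = []
        t = threading.Thread(target=lambda: out.append(self.kdc_issue_host_tgt()))
        t.start()
        t.join()
        return out[0]

    def compat_search(self):
        with self.global_lock:               # held for the whole query
            self.trace.append("query: lock taken")
            if not self.plugin_calls_sssd:
                return "served"              # no call-out, nothing to wait on
            return "served" if self.sssd_lookup() else "deadlock"


def simulate(plugin_calls_sssd):
    model = CompatPluginModel(plugin_calls_sssd)
    result = model.compat_search()
    # A later, unrelated KDC update finds the lock free again.
    later_ok = model.kdc_issue_host_tgt()
    return result, later_ok, model.trace


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, *simulate(flag), sep="\n  ")
```

With `plugin_calls_sssd=False` the model matches the case where only the IPA-side configuration is applied: the query never leaves the plugin while holding the lock, so the post-op callback is never blocked.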



