[Freeipa-devel] [PATCH] 0138, 0141: ipa-kdb fixes

Petr Viktorin pviktori at redhat.com
Wed Feb 26 13:21:17 UTC 2014


On 02/26/2014 02:17 PM, Tomas Babej wrote:
>
> On 02/26/2014 02:16 PM, Tomas Babej wrote:
>> On 02/26/2014 12:39 PM, Martin Kosek wrote:
>>> On 02/26/2014 09:33 AM, Alexander Bokovoy wrote:
>>>> On Wed, 26 Feb 2014, Martin Kosek wrote:
>>>>> On 02/25/2014 07:59 PM, Simo Sorce wrote:
>>>>>> On Tue, 2014-02-25 at 20:58 +0200, Alexander Bokovoy wrote:
>>>>>>> Resending patch 0138 together with another case Simo found out today:
>>>>>>> when authdata flag is cleared by admin for the service principal, we'll
>>>>>>> get NULL client database entry. In such a case we have to bail out.
>>>>>> The patches look correct code-flow-wise to me.
>>>>>>
>>>>>> So tentative ack pending testing.
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> Just checking - are we ok performance wise? If we for example add one
>>>>> additional LDAP search for every Kerberos authentication, it may increase the
>>>>> load on our LDAP server.
>>>> One additional LDAP query per S4U2Proxy ticket issuing. It is not much
>>>> and it has to be done because current code does it wrongly for MS-PAC.
>>>>
>>>> It is worth noting that issuing tickets should be a relatively rare
>>>> operation -- with sessions in IPA server we don't hit HTTP/->ldap/
>>>> service ticket granting in S4U2Proxy case more than once.
>>>> 'ipa trust-add' case is a bit more specific but you rarely establish
>>>> trusts every second of the day, do you?
>>>>
>>>> For normal operations it wouldn't affect anything beyond statistical
>>>> noise level.
>>>>
>>> If this only hits web management of FreeIPA (i.e. S4U2 proxy scenario) and the
>>> usual SSSD operations, then I have no concerns here.
>>>
>>> Martin
>>>
>> After some thorough testing, ACK!
>>
>> With this patch, not only do we solve the referenced IPA ticket, but
>> adding a trust no longer requires retries in CI (and works on the first
>> attempt).
>>
> And by patch, I mean both 138 and 141, of course.
>

Pushed to:
master: f7955abdda854e58c60b74039bbd155f2dc66e75
ipa-3-3: c771ba23a88ef6869499f53d172f2282be19dd4d

-- 
Petr³



