<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 19/08/14 13:40, Petr Spacek wrote:<br>
    </div>
    <blockquote cite="mid:53F337C4.3040806@redhat.com" type="cite">Hello,
      <br>
      <br>
      Fix ticket expiration check.
      <br>
      <br>
      <a class="moz-txt-link-freetext" href="https://fedorahosted.org/bind-dyndb-ldap/ticket/131">https://fedorahosted.org/bind-dyndb-ldap/ticket/131</a>
      <br>
      <br>
      This is one of the obvious bugs when you finally see it :-)
      <br>
      <br>
      The original code died miserably when named reload happened 0-300
      seconds after ticket expiration. Symptoms (debug level 6):
      <br>
      <br>
      <blockquote type="cite">registering dynamic ldap driver for ipa.
        <br>
        trying to establish LDAP connection to
        ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket
        <br>
        Using default keytab file name: FILE:/etc/named.keytab
        <br>
        Found valid Kerberos credentials in cache
        <br>
        trying interactive bind using GSSAPI mechanism
        <br>
        doing interactive bind
        <br>
        got request for SASL_CB_USER
        <br>
        bind to LDAP server failed: Local error
        <br>
        couldn't establish connection in LDAP connection pool: failure
        <br>
        LDAP instance 'ipa' destroyed
        <br>
        load_configuration: failure
        <br>
        reloading configuration failed: failure
        <br>
      </blockquote>
      <br>
      There is at least one other problem which causes a deadlock on
      shutdown from time to time; I will look into it separately.
      <br>
      <br>
      Both problems are hard to reproduce.
      <br>
      <br>
      It seems that the best chance is to change logrotate period
      (/etc/logrotate.d/named) or Kerberos ticket policy (ipa
      krbtpolicy-mod) to the same values, keep fingers crossed and hope.
      On my VM it manifests after several iterations.
      <br>
      <br>
      This patch should go to all maintained branches (v2, v3, v4,
      master).
      <br>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
    </blockquote>
    ACK<br>
    Patch works for me.<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
  </body>
</html>