[Freeipa-devel] [PATCH 0278] Fix ticket expiration check

Petr Spacek pspacek at redhat.com
Tue Aug 19 11:40:52 UTC 2014


Hello,

Fix ticket expiration check.

https://fedorahosted.org/bind-dyndb-ldap/ticket/131

This is one of those obvious bugs when you finally see it :-)

The original code died miserably when a named reload happened 0-300 seconds 
after ticket expiration. Symptoms (debug level 6):

> registering dynamic ldap driver for ipa.
> trying to establish LDAP connection to ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket
> Using default keytab file name: FILE:/etc/named.keytab
> Found valid Kerberos credentials in cache
> trying interactive bind using GSSAPI mechanism
> doing interactive bind
> got request for SASL_CB_USER
> bind to LDAP server failed: Local error
> couldn't establish connection in LDAP connection pool: failure
> LDAP instance 'ipa' destroyed
> load_configuration: failure
> reloading configuration failed: failure

There is at least one other problem which causes deadlock on shutdown from 
time to time, I will look into it separately.

Both problems are hard to reproduce.

It seems that the best chance is to change the logrotate period 
(/etc/logrotate.d/named) or the Kerberos ticket policy (ipa krbtpolicy-mod) to the 
same values, keep your fingers crossed and hope. On my VM it manifests after 
several iterations.

This patch should go to all maintained branches (v2, v3, v4, master).

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0278-Fix-ticket-expiration-check.patch
Type: text/x-patch
Size: 1034 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140819/ce884134/attachment.bin>
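The following is an added illustration of the failure window described in the mail; it is not the scrubbed patch and not bind-dyndb-ldap's own code. It models a cached-credential check that applies its grace window on the wrong side of the comparison, so a ticket is reported reusable for MIN_TIME seconds after it has actually expired; the GSSAPI bind then rejects the expired ticket at use time and the reload fails, which is the sequence the "Found valid Kerberos credentials in cache" / "bind to LDAP server failed" lines show. The constant MIN_TIME = 300, the function names, the simulated bind and the constructed expiry time are all assumptions chosen to reproduce a 0-300 second window.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Assumed minimum remaining ticket lifetime, in seconds, that a reload
 * wants before it reuses cached credentials instead of re-initialising
 * from the keytab. Chosen to match the 0-300 s window in the mail;
 * the name and value are assumptions, not the project's constants. */
#define MIN_TIME 300

typedef enum { CREDS_REUSE, CREDS_REFRESH } creds_action;

/* Constructed buggy check: the grace window is applied on the wrong side
 * of the comparison, so a ticket is still "usable" until MIN_TIME seconds
 * AFTER its endtime. Illustrative only; not claimed to be the original code. */
creds_action decide_buggy(time_t endtime, time_t now)
{
    return (now < endtime + MIN_TIME) ? CREDS_REUSE : CREDS_REFRESH;
}

/* Corrected check: reuse only if the ticket is still valid now AND keeps
 * at least MIN_TIME seconds of validity; otherwise refresh from the keytab. */
creds_action decide_fixed(time_t endtime, time_t now)
{
    if (endtime > now && endtime - now >= MIN_TIME)
        return CREDS_REUSE;
    return CREDS_REFRESH;
}

/* Simulated GSSAPI bind. The KDC/libkrb5 reject an expired ticket at use
 * time no matter what the local pre-check concluded; a refresh from the
 * keytab is assumed to succeed. Returns true on a successful bind. */
bool gssapi_bind(time_t endtime, time_t now, creds_action action)
{
    if (action == CREDS_REFRESH)
        return true;            /* fresh TGT + service ticket, assumed OK */
    return now < endtime;       /* cached ticket must actually be valid */
}

/* Outcome of one named reload at time `now` with either check. */
bool reload_ok(bool use_fixed, time_t endtime, time_t now)
{
    creds_action a = use_fixed ? decide_fixed(endtime, now)
                               : decide_buggy(endtime, now);
    return gssapi_bind(endtime, now, a);
}

/* Sweep reload times around expiry and show the window in which only the
 * buggy check makes the reload fail. */
int main(void)
{
    const time_t endtime = 1000;    /* constructed absolute expiry */
    printf("offset_from_expiry  buggy  fixed\n");
    for (time_t off = -600; off <= 600; off += 100) {
        time_t now = endtime + off;
        printf("%+6ld s            %-5s  %-5s\n", (long)off,
               reload_ok(false, endtime, now) ? "ok" : "FAIL",
               reload_ok(true, endtime, now) ? "ok" : "FAIL");
    }
    return 0;
}
```

With the buggy check the reload fails for offsets from 0 up to (but not including) 300 seconds after expiry and succeeds again once the window has passed, because only then does the check fall through to a refresh; the corrected check refreshes as soon as fewer than MIN_TIME seconds remain, so no reload time hits an expired ticket. In a real driver the endtime would come from the krb5 credential's times.endtime and the refresh path would re-acquire credentials from the keytab; the model abstracts both.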

