[Freeipa-devel] [PATCH 0278] Fix ticket expiration check

Martin Basti mbasti at redhat.com
Tue Sep 2 14:30:58 UTC 2014


On 19/08/14 13:40, Petr Spacek wrote:
> Hello,
>
> Fix ticket expiration check.
>
> https://fedorahosted.org/bind-dyndb-ldap/ticket/131
>
> This is one of obvious bugs when you finally see it :-)
>
> The original code died miserably when named reload happened 0-300 
> seconds after ticket expiration. Symptoms (debug level 6):
>
>> registering dynamic ldap driver for ipa.
>> trying to establish LDAP connection to 
>> ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket
>> Using default keytab file name: FILE:/etc/named.keytab
>> Found valid Kerberos credentials in cache
>> trying interactive bind using GSSAPI mechanism
>> doing interactive bind
>> got request for SASL_CB_USER
>> bind to LDAP server failed: Local error
>> couldn't establish connection in LDAP connection pool: failure
>> LDAP instance 'ipa' destroyed
>> load_configuration: failure
>> reloading configuration failed: failure
>
> There is at least one other problem which causes deadlock on shutdown 
> from time to time, I will look into it separately.
>
> Both problems are hard to reproduce.
>
> It seems that the best chance is to change logrotate period 
> (/etc/logrotate.d/named) or Kerberos ticket policy (ipa 
> krbtpolicy-mod) to the same values, keep fingers crossed and hope. On 
> my VM it manifests after several iterations.
>
> This patch should go to all maintained branches (v2, v3, v4, master).
>
ACK
Patch works for me.

-- 
Martin Basti
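The symptom Petr describes (a reload failing in the 0-300 second window after ticket expiration) is the classic failure mode of a validity check that treats "already expired" and "about to expire" differently from how the caller expects. The following is an added illustration, not the bind-dyndb-ldap code and not the content of PATCH 0278 (which is not reproduced on this page): it shows a check that treats a cached Kerberos ticket as unusable both when it has already expired and when it will expire within a safety margin, so that the reload path re-acquires credentials from the keytab instead of attempting a GSSAPI bind with a stale ticket. The function names, the enum and the `margin_sec` parameter are assumptions for this example; the 300 s figure is taken from the symptom in the thread.

```c
#include <stdio.h>
#include <time.h>

/* Added example, not project code. Classifies a cached ticket relative to
 * 'now'. Using difftime() (signed, double result) avoids surprises when
 * time_t is unsigned on some platforms and 'expires' is already in the past. */
typedef enum {
    TICKET_VALID = 0,    /* safe to reuse */
    TICKET_EXPIRING = 1, /* still valid, but inside the safety margin */
    TICKET_EXPIRED = 2   /* expiry is now or in the past */
} ticket_state_t;

ticket_state_t classify_ticket(time_t now, time_t expires, long margin_sec)
{
    double remaining = difftime(expires, now); /* negative when expired */

    if (remaining <= 0.0)
        return TICKET_EXPIRED;
    if (remaining < (double)margin_sec)
        return TICKET_EXPIRING;
    return TICKET_VALID;
}

/* Returns 1 when the caller must re-acquire credentials (e.g. from the
 * keytab) before binding, 0 when the cached ticket can be reused. Both the
 * expired and the expiring cases map to "refresh", which is the point: a
 * check that only handles one of them leaves a window in which the bind
 * is attempted with credentials the KDC will reject. */
int ticket_needs_refresh(time_t now, time_t expires, long margin_sec)
{
    return classify_ticket(now, expires, margin_sec) != TICKET_VALID;
}

static const char *state_name(ticket_state_t s)
{
    switch (s) {
    case TICKET_VALID:    return "valid";
    case TICKET_EXPIRING: return "expiring";
    default:              return "expired";
    }
}

int main(void)
{
    /* Constructed scenarios relative to a fixed 'now', assumed margin 300 s. */
    const time_t now = (time_t)1000000;
    const long margin = 300;
    struct { const char *label; long offset; } cases[] = {
        { "expires in 1 hour",                      3600 },
        { "expires in exactly 300 s (boundary)",     300 },
        { "expires in 100 s (inside margin)",        100 },
        { "expired 120 s ago (the 0-300 s window)", -120 },
        { "expired 10 minutes ago",                 -600 },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        time_t expires = now + (time_t)cases[i].offset;
        ticket_state_t st = classify_ticket(now, expires, margin);
        printf("%-42s -> %-8s refresh=%d\n", cases[i].label, state_name(st),
               ticket_needs_refresh(now, expires, margin));
    }
    return 0;
}
```

The boundary is deliberate: a remaining lifetime exactly equal to the margin is still "valid", while a remaining lifetime of zero is "expired"; whichever convention a project picks, the refresh decision should be a single predicate shared by the initial connect and the reload path, so the two cannot drift apart.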
