[Freeipa-devel] [PATCH 0278] Fix ticket expiration check

Petr Spacek pspacek at redhat.com
Tue Sep 2 15:49:57 UTC 2014


On 2.9.2014 16:30, Martin Basti wrote:
> On 19/08/14 13:40, Petr Spacek wrote:
>> Hello,
>>
>> Fix ticket expiration check.
>>
>> https://fedorahosted.org/bind-dyndb-ldap/ticket/131
>>
>> This is one of those obvious bugs when you finally see it :-)
>>
>> The original code died miserably when named reload happened 0-300 seconds
>> after ticket expiration. Symptoms (debug level 6):
>>
>>> registering dynamic ldap driver for ipa.
>>> trying to establish LDAP connection to
>>> ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket
>>> Using default keytab file name: FILE:/etc/named.keytab
>>> Found valid Kerberos credentials in cache
>>> trying interactive bind using GSSAPI mechanism
>>> doing interactive bind
>>> got request for SASL_CB_USER
>>> bind to LDAP server failed: Local error
>>> couldn't establish connection in LDAP connection pool: failure
>>> LDAP instance 'ipa' destroyed
>>> load_configuration: failure
>>> reloading configuration failed: failure
>>
>> There is at least one other problem which causes a deadlock on shutdown from
>> time to time; I will look into it separately.
>>
>> Both problems are hard to reproduce.
>>
>> It seems that the best chance is to change the logrotate period
>> (/etc/logrotate.d/named) or the Kerberos ticket policy (ipa krbtpolicy-mod) to
>> the same values, keep your fingers crossed and hope. On my VM it manifests
>> after several iterations.
>>
>> This patch should go to all maintained branches (v2, v3, v4, master).
>>
> ACK
> Patch works for me.

Thank you!

Pushed to Git:

  master: 24f05cf9b9b6bd9c57d09dbd018da179eb8dc8bb
  v4: bc5f3139b7ce55e5a116331eeec3b154a4204daa
  v3: 55c91481ec3bdc6d3bca4d3bce58c5ba39b636db
  v2: 80f7663f309c0d0b9cb89ed8f8b38301b207360d

-- 
Petr^2 Spacek



