On Tue, 2012-11-20 at 16:09 +0200, Alexander Bokovoy wrote:
> Hi,
> 
> attached patch expands error checks when obtaining Kerberos ticket in
> ipasam module. The change should cover observed corner cases which
> caused ipasam to fail obtaining the ticket.
> 
> Without the patch one will get something similar to what I get below
> when manually moving time back on the server (with additional debug
> statements to show error codes):
> Nov 20 14:01:29 signfinity winbindd[15759]: GSSAPI Error: Unspecified GSS 
> failure.  Minor code may provide more information (Ticket not yet valid)
> Nov 20 14:01:29 signfinity winbindd[15759]: [2012/11/20 14:01:29.616951, 0] 
> ipa_sam.c:3829(bind_callback)
> Nov 20 14:01:29 signfinity winbindd[15759]:   bind_callback: 
> ldap_sasl_interactive_bind_s() call returned -2, kerberos code is 0
> Nov 20 14:01:29 signfinity winbindd[15759]: [2012/11/20 14:01:29.618787, 0] 
> ../source3/lib/smbldap.c:998(smbldap_connect_system)
> Nov 20 14:01:29 signfinity winbindd[15759]:   failed to bind to server 
> ldapi://%2fvar%2frun%2fslapd-IPA-TEAM.socket with dn="[Anonymous bind]" 
> Error: Local error
> Nov 20 14:01:29 signfinity winbindd[15759]:   #011SASL(-1): generic failure: 
> GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
> information (Ticket not yet valid
> 
> After patching it now looks like this:
> Nov 20 15:00:04 signfinity winbindd[18693]: GSSAPI Error: Unspecified GSS 
> failure.  Minor code may provide more information (Ticket not yet valid)
> Nov 20 15:00:04 signfinity winbindd[18693]: [2012/11/20 15:00:04.403051, 0] 
> ipa_sam.c:3829(bind_callback)
> Nov 20 15:00:04 signfinity winbindd[18693]:   bind_callback: 
> ldap_sasl_interactive_bind_s() call returned -2, kerberos code is 0
> Nov 20 15:00:20 signfinity winbindd[18693]: [2012/11/20 15:00:20.090270, 0] 
> ipa_sam.c:3829(bind_callback)
> Nov 20 15:00:20 signfinity winbindd[18693]:   bind_callback: 
> ldap_sasl_interactive_bind_s() call returned 0, kerberos code is 0
> 
> as you can see, winbindd has recovered automatically.

ACK

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
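
Added example, not part of the original thread or of the FreeIPA patch: it reads winbindd syslog records like those quoted above and reports, per PID, whether a failed ipasam bind was later followed by a successful one. The sample records are constructed by rejoining the wrapped lines from the message; the function name `bind_status` and the state labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the thread, rejoined one record per line.
# PID 15759 is the unpatched run, PID 18693 the patched one.
SAMPLE_LOG = """\
Nov 20 14:01:29 signfinity winbindd[15759]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
Nov 20 14:01:29 signfinity winbindd[15759]:   bind_callback: ldap_sasl_interactive_bind_s() call returned -2, kerberos code is 0
Nov 20 14:01:29 signfinity winbindd[15759]:   failed to bind to server ldapi://%2fvar%2frun%2fslapd-IPA-TEAM.socket with dn="[Anonymous bind]" Error: Local error
Nov 20 15:00:04 signfinity winbindd[18693]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
Nov 20 15:00:04 signfinity winbindd[18693]:   bind_callback: ldap_sasl_interactive_bind_s() call returned -2, kerberos code is 0
Nov 20 15:00:20 signfinity winbindd[18693]:   bind_callback: ldap_sasl_interactive_bind_s() call returned 0, kerberos code is 0
"""

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ winbindd\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
BIND = re.compile(r"ldap_sasl_interactive_bind_s\(\) call returned (-?\d+), kerberos code is (-?\d+)")
# The closing parenthesis is optional because syslog may truncate the record.
GSS = re.compile(r"GSSAPI Error:.*\(([^()]*)\)?\s*$")

def bind_status(log_text):
    """Map each winbindd PID to its bind state: 'ok', 'failing' or 'recovered'."""
    procs = defaultdict(lambda: {"state": "ok", "failures": 0,
                                 "reasons": set(), "recovered_at": None})
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        proc = procs[m["pid"]]
        gss = GSS.search(m["msg"])
        if gss:                      # GSSAPI minor-code text, e.g. clock skew
            proc["reasons"].add(gss.group(1))
            continue
        bind = BIND.search(m["msg"])
        if not bind:
            continue
        if int(bind.group(1)) != 0:  # non-zero LDAP result: bind failed
            proc["failures"] += 1
            proc["state"] = "failing"
            proc["recovered_at"] = None
        elif proc["state"] == "failing":
            proc["state"] = "recovered"
            proc["recovered_at"] = m["ts"]
    return dict(procs)

if __name__ == "__main__":
    for pid, info in bind_status(SAMPLE_LOG).items():
        print(pid, info["state"], info["failures"], sorted(info["reasons"]), info["recovered_at"])
```

A PID left in the `failing` state is a winbindd process that still cannot bind to the directory and needs attention; `recovered` matches the behaviour shown in the second log excerpt.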
