On 19/08/14 13:40, Petr Spacek wrote:
Hello,

Fix ticket expiration check.

https://fedorahosted.org/bind-dyndb-ldap/ticket/131

This is one of the obvious bugs when you finally see it :-)

The original code died miserably when a named reload happened 0-300 seconds after ticket expiration. Symptoms (debug level 6):

registering dynamic ldap driver for ipa.
trying to establish LDAP connection to ldapi://%2fvar%2frun%2fslapd-IPA-EXAMPLE.socket
Using default keytab file name: FILE:/etc/named.keytab
Found valid Kerberos credentials in cache
trying interactive bind using GSSAPI mechanism
doing interactive bind
got request for SASL_CB_USER
bind to LDAP server failed: Local error
couldn't establish connection in LDAP connection pool: failure
LDAP instance 'ipa' destroyed
load_configuration: failure
reloading configuration failed: failure

There is at least one other problem which causes a deadlock on shutdown from time to time; I will look into it separately.

Both problems are hard to reproduce.

It seems that the best chance is to change the logrotate period (/etc/logrotate.d/named) or the Kerberos ticket policy (ipa krbtpolicy-mod) to the same values, keep your fingers crossed and hope. On my VM it manifests after several iterations.

This patch should go to all maintained branches (v2, v3, v4, master).



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
ACK
Patch works for me.

--
Martin Basti
