URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals

justin-stephenson commented:
"""
Thanks a lot Pavel for the further review, it is better to get everything 
resolved now than having to fix issues later.

> If the cache contains uid that is not resolvable then kcm fails to start:
> 
> ```
> [root /var/log/sssd]# /usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 
> --debug-level 0xfff0
> (2021-03-25 12:12:49:260824): [sssd] [become_user] (0x0200): Trying to become 
> user [0][0].
> (2021-03-25 12:12:49:260883): [sssd] [become_user] (0x0200): Already user [0].
> (2021-03-25 12:12:49:263412): [kcm] [ldb] (0x0400): server_sort:Unable to 
> register control with rootdse!
> (2021-03-25 12:12:49): [kcm] [server_setup] (0x0040): Starting with debug 
> level = 0xfff0
> (2021-03-25 12:12:49): [kcm] [server_setup] (0x0400): CONFDB: 
> /var/lib/sss/db/config.ldb
> (2021-03-25 12:12:49): [kcm] [kcm_get_ccdb_be] (0x0100): KCM database type: 
> secdb
> (2021-03-25 12:12:49): [kcm] [kcm_ccdb_init] (0x0200): KCM back end: 
> libsss_secrets
> (2021-03-25 12:12:49): [kcm] [ccdb_secdb_init] (0x2000): secdb initialized
> (2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [91600000]
> (2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [1000]
> (2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x2000): Found [2] 
> ccache uids
> (2021-03-25 12:12:49): [kcm] [renew_check_ccaches] (0x0040): Failed to get 
> pwd entry for [91600000]
> (2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x0040): Error checking 
> ccaches in secdb
> (2021-03-25 12:12:49): [kcm] [kcm_ccdb_renew_init] (0x0020): Failure to 
> execute ccdb renewal init
> (2021-03-25 12:12:49): [kcm] [kcm_process_init] (0x0010): fatal error 
> initializing KCM ccdb renewals
> (2021-03-25 12:12:49): [kcm] [kcm_responder_ctx_destructor] (0x0400): 
> Responder is being shut down
> ```

Is it valid to treat renewal failures as not fatal, and return EOK from 
`kcm_ccdb_renew_init` instead of the current behavior shown below? If not, what is 
the preferred way to handle this?

```c
    /* Add any renew-applicable KCM tickets to renew table */
    ret = kcm_ccdb_renew_init(renew_tgt_ctx->rctx, renew_tgt_ctx->krb5_ctx,
                              ev, renew_tgt_ctx->db);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add KCM tickets to table.\n");
        talloc_zfree(renew_tgt_ctx);
        return;
    }
```


> It might be better to move this to a function on its own, something like:
> 
> ```c
> errno_t kcm_renewals_init(...)
> {
> #ifndef HAVE_KCM_RENEWAL
>     return EOK;
> #else
>    do stuff
> #endif
> }
> ```

Can you help me understand what is the benefit of this change?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5450#issuecomment-806744205
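The non-fatal handling the comment asks about, as an added example that is not SSSD's code: a stale ccache uid with no passwd entry (the `91600000` from the quoted log, used here as a constructed stale entry) is logged and skipped while real lookup errors still propagate. The names `kcm_uid_resolvable`, `kcm_renewals_init_lenient`, `renew_init_stats` and the stand-in scheduler are assumptions, not SSSD identifiers.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
/* Hypothetical bookkeeping for one renewal-init pass (not an SSSD type). */
struct renew_init_stats {
    size_t scheduled;   /* uids whose ccaches were handed to the renew table */
    size_t skipped;     /* uids with no passwd entry: logged and left alone */
};

/* Classify one uid: 1 = resolvable, 0 = no passwd entry,
 * positive errno = genuine lookup failure (e.g. ERANGE). */
int kcm_uid_resolvable(uid_t uid)
{
    struct passwd pwd, *result = NULL;
    char buf[16384];
    int ret = getpwuid_r(uid, &pwd, buf, sizeof(buf), &result);
    if (ret == 0 && result != NULL) return 1;
    /* glibc reports "not found" as 0/NULL; other libcs use ENOENT or ESRCH. */
    if (ret == 0 || ret == ENOENT || ret == ESRCH) return 0;
    return ret;
}

/* Stand-in for the per-uid work renew_check_ccaches() would do (hypothetical). */
static void schedule_renewals_for_uid(uid_t uid, struct renew_init_stats *st)
{
    (void)uid;
    st->scheduled++;
}

/* Walk the uids listed in the ccache database. A stale uid (user removed from
 * NSS after its ccache was written) is logged and skipped instead of aborting
 * daemon start-up; only real lookup errors propagate as a non-zero errno. */
int kcm_renewals_init_lenient(const uid_t *uids, size_t n, struct renew_init_stats *st)
{
    st->scheduled = st->skipped = 0;
    for (size_t i = 0; i < n; i++) {
        int r = kcm_uid_resolvable(uids[i]);
        if (r == 1) {
            schedule_renewals_for_uid(uids[i], st);
        } else if (r == 0) {
            fprintf(stderr, "No pwd entry for [%lu], skipping\n", (unsigned long)uids[i]);
            st->skipped++;
        } else {
            return r;   /* genuine failure: let the caller decide */
        }
    }
    return 0;   /* EOK */
}
```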
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure