#1324 LDAP provider needs to use all available servers for GSSAPI if the child times out
Closed: Fixed. Opened 8 years ago by jhrozek.

There is a logic bug in the LDAP GSSAPI auth code. When the child times out[1], the sdap_kinit_ tevent request does not retry another KDC.

Also, when the request result is retrieved with sdap_kinit_recv, the LDAP server is marked as down, which is wrong: the kinit request only talks to the KDC and its result shouldn't change the status of the LDAP server.

[1] Child timeout is the only really probable way the child tevent request can end with an error. The other reasons include OOM situations and child fork/exec failing. If the child operation itself fails (i.e. the keytab is wrong), the request ends with EOK and extended error information is returned in a separate variable.
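
The failure handling this ticket asks for, as an added example that is not SSSD code and not part of the original ticket: a request-level error such as a child timeout moves on to the next KDC, and only KDC status changes. All names (`conn_ctx`, `kinit_failover`, `fake_child`, the `example.test` hosts) are hypothetical; marking the failed KDC down and not retrying after a completed-but-failed kinit are assumptions of this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical model, not SSSD structures: every server has its own status. */
struct server { const char *name; bool down; };
struct conn_ctx { struct server ldap; struct server *kdcs; size_t n_kdcs; };
/* req_err: request-level error (timeout, OOM, fork/exec failure).
 * krb_failed: extended result when the child itself ran (e.g. wrong keytab). */
struct kinit_result { int req_err; bool krb_failed; };
typedef struct kinit_result (*kinit_fn)(const struct server *kdc);

/* Returns 0 once a child completed (then check *krb_failed), else the last
 * request error. Assumption: a failed request marks only that KDC down. */
int kinit_failover(struct conn_ctx *ctx, kinit_fn run_child,
                   bool *krb_failed, const struct server **used)
{
    int last_err = ENOENT;              /* no usable KDC at all */
    *used = NULL;
    for (size_t i = 0; i < ctx->n_kdcs; i++) {
        struct server *kdc = &ctx->kdcs[i];
        if (kdc->down) continue;
        struct kinit_result r = run_child(kdc);
        if (r.req_err == 0) {           /* child ran; its result is final */
            *krb_failed = r.krb_failed;
            *used = kdc;
            return 0;
        }
        kdc->down = true;               /* KDC status only; ctx->ldap untouched */
        last_err = r.req_err;           /* keep going: try the next KDC */
    }
    return last_err;
}

/* Constructed child: the first KDC times out, any other one answers. */
struct kinit_result fake_child(const struct server *kdc)
{
    struct kinit_result r = { 0, false };
    if (strcmp(kdc->name, "kdc1.example.test") == 0) r.req_err = ETIMEDOUT;
    return r;
}

int main(void)
{
    struct server kdcs[] = { { "kdc1.example.test", false }, { "kdc2.example.test", false } };
    struct conn_ctx ctx = { { "ldap.example.test", false }, kdcs, 2 };
    bool krb_failed = false; const struct server *used = NULL;
    return kinit_failover(&ctx, fake_child, &krb_failed, &used);  /* 0, via kdc2 */
}
```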


Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

Fixed by:
- 163a17f (master)
- b13da92 (sssd-1-8)

component: SSSD => LDAP Provider
milestone: NEEDS_TRIAGE => SSSD 1.8.4 (LTM)
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.8.4 (LTM)

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2366

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
