#1324 LDAP provider needs to use all available servers for GSSAPI if the child times out
Closed: Fixed None Opened 6 years ago by jhrozek.

There is a logic bug in the LDAP GSSAPI auth code. When the child times out[1], the sdap_kinit_ tevent request does not retry another KDC.

Also, when the request result is retrieved with sdap_kinit_recv, the LDAP server is marked as down, which is wrong: the kinit request only talks to the KDC, and its result shouldn't change the status of the LDAP server.

[1] Child timeout is the only really probable way the child tevent request can end with an error. The other reasons include OOM situations, child fork/exec failing. If the child operation itself fails (i.e. the keytab is wrong), the request ends with EOK and extended error information is returned in a separate variable.
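
The retry behaviour this ticket asks for, as an added C sketch that is not SSSD's code and not part of the ticket. The types, `kinit_failover`, `fake_child` and the `example.test` host names are hypothetical, and the child's result is modelled as 0 (EOK), ETIMEDOUT, or another errno.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model, not SSSD code: KDCs and LDAP servers have separate status. */
enum srv_status { SRV_UNKNOWN, SRV_WORKING, SRV_NOT_WORKING };
struct server { const char *name; enum srv_status status; };
/* Stand-in for the kinit child: 0 = child finished (Kerberos result in *krb_err),
 * ETIMEDOUT = child timed out, other errno = local failure (OOM, fork/exec). */
typedef int (*kinit_child_fn)(const struct server *kdc, int *krb_err);

/* Try each KDC in turn; only a child timeout counts against a KDC. */
int kinit_failover(struct server *kdcs, size_t n, kinit_child_fn child,
                   int *krb_err, struct server **used)
{
    *used = NULL;
    for (size_t i = 0; i < n; i++) {
        if (kdcs[i].status == SRV_NOT_WORKING) continue;
        int ret = child(&kdcs[i], krb_err);
        if (ret == 0) {
            kdcs[i].status = SRV_WORKING;
            *used = &kdcs[i];
            return 0;
        }
        if (ret != ETIMEDOUT) return ret;   /* local failure: another KDC won't help */
        kdcs[i].status = SRV_NOT_WORKING;   /* mark the KDC, never the LDAP server */
    }
    return ETIMEDOUT;                       /* every KDC was tried or already down */
}

/* Constructed sample data: the first KDC hangs, the second answers. */
struct server sample_ldap = { "ldap1.example.test", SRV_WORKING };
struct server sample_kdcs[] = { { "kdc1.example.test", SRV_UNKNOWN },
                                { "kdc2.example.test", SRV_UNKNOWN } };

static int fake_child(const struct server *kdc, int *krb_err)
{
    if (strcmp(kdc->name, "kdc1.example.test") == 0) return ETIMEDOUT;
    *krb_err = 0;
    return 0;
}

int run_sample(void)   /* returns 0 when failover ended on the second KDC */
{
    int krb_err = -1;
    struct server *used;
    int ret = kinit_failover(sample_kdcs, 2, fake_child, &krb_err, &used);
    return (ret == 0 && used == &sample_kdcs[1] && krb_err == 0) ? 0 : 1;
}
int main(void) { return run_sample(); }
```

The kinit path has no handle on `sample_ldap`, so a KDC timeout cannot change the LDAP server's status.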


Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

Fixed by:
- 163a17f (master)
- b13da92 (sssd-1-8)

component: SSSD => LDAP Provider
milestone: NEEDS_TRIAGE => SSSD 1.8.4 (LTM)
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.8.4 (LTM)

2 years ago
