#3601 race condition: sssd_be in a one-way trust accepts request before ipa-getkeytab finishes, marking the sssd offline
Closed: Fixed 6 years ago Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1517971

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

It seems like a request can be delivered to the back end after ipa-getkeytab was started but before it finishes. This causes the request to access a trusted domain with the ad_id_ctx still not fully initialized, which sends the whole domain to offline mode.

There is code that should prevent the trusted domain objects from reaching the sssd_be unless the domain's subdomain provider has finished, but it seems we have some issues there.
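
A minimal model of the race described in this ticket, with a racy dispatcher beside a gated one that parks requests until the keytab helper has exited. This is an added example, not SSSD code and not the fix that was merged; every type and function name in it is hypothetical.

```c
#include <stdbool.h>
/* Hypothetical model of the race; none of these names are SSSD's own. */
enum kt_state { KT_RUNNING, KT_READY, KT_FAILED };   /* keytab helper state */
enum result   { R_OK, R_QUEUED, R_OFFLINE, R_BUSY };
#define MAXQ 8
struct trusted_dom {
    enum kt_state kt;     /* KT_RUNNING while the keytab is being fetched */
    bool offline;         /* set when a lookup fails */
    int  queue[MAXQ];     /* request ids parked until the helper exits */
    int  nqueued;
};

/* Simulated lookup: with no keytab the attempt fails, and the failure is
 * treated as "domain unreachable", which flips the domain offline. */
static enum result do_lookup(struct trusted_dom *d)
{
    if (d->kt != KT_READY) {
        d->offline = true;
        return R_OFFLINE;
    }
    return R_OK;
}

/* Racy dispatch: the request runs whatever state initialization is in. */
enum result dispatch_racy(struct trusted_dom *d) { return do_lookup(d); }

/* Gated dispatch: park the request while the keytab helper still runs. */
enum result dispatch_gated(struct trusted_dom *d, int req_id)
{
    if (d->kt == KT_RUNNING) {
        if (d->nqueued == MAXQ)
            return R_BUSY;            /* refuse, but do not go offline */
        d->queue[d->nqueued++] = req_id;
        return R_QUEUED;
    }
    return do_lookup(d);
}

/* Helper exited: record the outcome, replay every parked request,
 * and return how many of them succeeded. */
int keytab_finished(struct trusted_dom *d, bool success)
{
    int ok = 0;
    d->kt = success ? KT_READY : KT_FAILED;
    for (int i = 0; i < d->nqueued; i++)
        ok += (do_lookup(d) == R_OK);
    d->nqueued = 0;
    return ok;
}
```

With the racy dispatcher a single early request is enough to leave the domain flagged offline even though the keytab arrives moments later; with the gate, the domain only goes offline if the helper itself fails.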


Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1517971

6 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

6 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR, bug

6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

6 years ago

master:

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.16.2)

6 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4624

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
