The IPA subdomains provider calls ipa-getkeytab. This can call an NSS operation, as seen here:
(Wed Feb 27 06:14:44 2019) [sssd[be[trustcli16.test]]] [ipa_getkeytab_send] (0x0400): Retrieving keytab for TRUSTCLI16$@DTREE.QE from host-8-245-208.trustcli16.test into /var/lib/sss/keytabs/dtree.qe.keytab2FjVce using ccache /var/lib/sss/db/ccache_TRUSTCLI16.TEST
At the same time, there is a request for user ipaapi in the NSS log (getpwnam(ipaapi)):
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #0: Setting "User by name" plugin
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [cache_req_send] (0x0400): CR #0: New request 'User by name'
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [cache_req_process_input] (0x0400): CR #0: Parsing input name [ipaapi]
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [sss_parse_inp_send] (0x0200): Requesting info for [(null)] from [<ALL>]
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain trustcli16.test is Active
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [sbus_requests_add] (0x4000): Chaining request: -:0:sssd.dataprovider.getDomains:/sssd:
And this request chains to the getDomains which triggered the NSS call in the first place. This means that the request for ipaapi takes long enough that ipa-getkeytab times out and the keytab is never retrieved.
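One way to spot this pattern when triaging SSSD debug logs, as an added example that is not part of the original issue or SSSD's own code: it pairs a backend keytab retrieval with an NSS name lookup that chains to getDomains shortly afterwards. The sample log lines are constructed from the excerpts above; the function names and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, taken from the log excerpts quoted in this issue.
BE_LOG = "(Wed Feb 27 06:14:44 2019) [sssd[be[trustcli16.test]]] [ipa_getkeytab_send] (0x0400): Retrieving keytab for TRUSTCLI16$@DTREE.QE from host-8-245-208.trustcli16.test into /var/lib/sss/keytabs/dtree.qe.keytab2FjVce using ccache /var/lib/sss/db/ccache_TRUSTCLI16.TEST"
NSS_LOG = """
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #0: Setting "User by name" plugin
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [cache_req_send] (0x0400): CR #0: New request 'User by name'
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [cache_req_process_input] (0x0400): CR #0: Parsing input name [ipaapi]
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [sss_parse_inp_send] (0x0200): Requesting info for [(null)] from [<ALL>]
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [sss_domain_get_state] (0x1000): Domain trustcli16.test is Active
(Wed Feb 27 06:14:44 2019) [sssd[nss]] [sbus_requests_add] (0x4000): Chaining request: -:0:sssd.dataprovider.getDomains:/sssd:
"""

# (timestamp) [process] [function] (debug level): message
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")

def parse(log):
    """Yield (time, function, message) for each well-formed SSSD debug line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["func"], m["msg"]

def chained_lookups(nss_log):
    """Return (time, name) for NSS lookups followed by a chained getDomains request."""
    name, found = None, []
    for ts, func, msg in parse(nss_log):
        m = re.search(r"Parsing input name \[(.+?)\]", msg)
        if func == "cache_req_process_input" and m:
            name = m[1]
        elif func == "sbus_requests_add" and "Chaining request" in msg and "getDomains" in msg and name:
            found.append((ts, name))
            name = None
    return found

def find_self_lock(be_log, nss_log, window=timedelta(seconds=5)):
    """Pair keytab retrievals with lookups that chain to getDomains within `window` (assumed value)."""
    lookups = chained_lookups(nss_log)
    return [(ts, name)
            for ts, func, msg in parse(be_log)
            if func == "ipa_getkeytab_send" and msg.startswith("Retrieving keytab")
            for nss_ts, name in lookups
            if timedelta(0) <= nss_ts - ts <= window]

if __name__ == "__main__":
    for ts, name in find_self_lock(BE_LOG, NSS_LOG):
        print(f"{ts}: getpwnam({name}) chains to getDomains while ipa-getkeytab is running")
```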
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1681279
Issue linked to Bugzilla: Bug 1681279
And this request chains to the getDomains which triggered the NSS call in the first place.
From my point of view, it doesn't matter if this request chains or this is the first request. Anyway, it is self-locked and ipa-getkeytab times out. So the scope of the circular dependency is broader.
In conversation with Alexander Bokovoy we found out that when ipa trust-add is called with --oneway=True it does not prefetch the AD keytab. Related code is https://pagure.io/freeipa/blob/master/f/ipaserver/plugins/trust.py#_761
Alexander: "it is actually intended behavior right now and sssd should not depend on the keytab being produced by the helper"
It is the other way around -- we don't call to oddjobd helper in a case of two-way trust (as we have cross-realm TGT there). We'll get this fixed eventually and all situations will be handled with a prefetch but right now this means for two-way trust you can reproduce SSSD issue.
Metadata Update from @jhrozek: - Issue priority set to: critical (was: minor) - Issue set to the milestone: SSSD 2.2
Metadata Update from @atikhonov: - Custom field design_review adjusted to on - Custom field mark adjusted to on - Custom field patch adjusted to on - Custom field review adjusted to on - Custom field sensitive adjusted to on - Custom field testsupdated adjusted to on - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
Was duplicated by https://pagure.io/SSSD/sssd/issue/3992
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4945
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.