On Wed, Mar 07, 2012 at 05:48:45PM +0100, Jakub Hrozek wrote:
> The yesterday's fail over patch broke the IPA provider.. The IPA provider
> is a special case because it uses fail over port 0 for both LDAP and
> Kerberos. That is done to make sure that we never connect to LDAP port on
> one host and Kerberos port on a different host.
>
> However, the cycle detection in fail over tripped over this because when
> performing a GSSAPI bind, we first request a server with port 0 to get
> the LDAP server and before we can mark the server status (or go
> offline), we also need to resolve the KDC, which, from fail over point
> of view is also running on port 0...
>
> The attached patch adds a boolean parameter to be_resolve_server_send()
> and only performs the cycle check if the parameter is false, that is,
> when requesting another server during the same operation.
Jan spotted I was assigning the same callback for a kpasswd resolve
request twice. New patch is attached.
Ack and pushed to master and sssd-1-8
Thanks
Jan