URL:
https://github.com/SSSD/sssd/pull/328
Title: #328: KRB5: Return invalid credentials internally when attempting to renew an expired TGT
jhrozek commented:
"""
On Thu, Jul 20, 2017 at 01:47:49AM -0700, lslebodn wrote:
On (20/07/17 00:59), Jakub Hrozek wrote:
>Since 1.14.2 and in particular commit
>d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
>krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
>
>However, when the action that krb5_child performs is ticket renewal and the
>ticket is totally expired, this can send the SSSD into offline mode.
>
>Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
>sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map anymore.
>
>The effect on the daemon is that just the single renewal fails, but the
>failover code is not called and therefore sssd doesn't switch into offline
>mode.
>
LGTM,
I will try to run some downstream tests.
Thank you. I'm also interested if this feels like too much of a hack.
During development, I was wondering whether we should add a new return
code instead of abusing ERR_CREDS_EXPIRED, but I think it's fine for
effectively handling a failure case.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/328#issuecomment-316640068