URL:
https://github.com/SSSD/sssd/pull/328
Author: jhrozek
Title: #328: KRB5: Return invalid credentials internally when attempting to renew an
expired TGT
Action: opened
PR body:
"""
Since 1.14.2 and in particular commit
d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
However, when the action that krb5_child performs is ticket renewal and the
ticket is totally expired, this can send the SSSD into offline mode.
Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map anymore.
The effect on the deamon is that just the single renewal fails, but the
failover code is not called and therefore sssd doesn't switch into offline
mode.
Resolves:
https://pagure.io/SSSD/sssd/issue/3406
"""
To pull the PR as Git branch:
git remote add ghsssd
https://github.com/SSSD/sssd
git fetch ghsssd pull/328/head:pr328
git checkout pr328