On Wed, 12 Nov 2014 16:36:00 +0100
Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
On (12/11/14 10:00), Simo Sorce wrote:
>I would create a helper function to be called on return that
>transforms the error accordingly. This will allow to write the code
>_and_ the comment once.
>
In this case, Stephan's patch is better
https://bugzilla.redhat.com/attachment.cgi?id=788567
Yes, this is a valid alternative.
>The comment should be changed to something like this in either
case:
>/* When sssd is stopped return a safe error code as if sss was not
>configured at all in nsswitch. This prevents bogus errors from
>causing issues in applications, before sssd starts or if it fails to
>respond. */
>
>No need to mention that sss is by default in nsswitch, as it is not
>in all distributions and it really is inconsequential, the same
>behaviour change hleps when sss is not the default but is has been
>manually added and sssd is stopped or not started yet (for example
>during boot).
nss-pam-ldapd has the same behaviour in the same situation.
Will we patch it as well? It's very likely we won't.
Sorry, I do not see how that matters :)
The biggest problem is that sss is by default in nsswitch on
fedora/rhel>=7 due to glibc caching and problem with GNOME,
a) sssd-client is installed by default on this platforms.
b) sssd need't be configured by default and in most cases won't be
=> sssd cannot run
c) glibc developers don't want to adjust the error return code in
glibc
As a result of this, we need to patch sssd.
I would say we should patch sssd just in downstream and
Stephan's patch works well. I tested it.
Ok, then let's go with Stephen's patch.
Simo.
--
Simo Sorce * Red Hat, Inc * New York