URL: https://github.com/SSSD/sssd/pull/575
Author: jhrozek
Title: #575: DP/LDAP: Only increase the initgrTimestamp when the full initgroups DP request finishes
Action: opened
PR body:
"""
An initgroups request for an AD user consists of two parts - resolving the
AD user, which internally calls an LDAP request and adding the IPA external
group memberships. For (probably?) historical reasons from the time before
we had any notion of subdomains, the initgrTimestamp attribute is written
down at the LDAP request level when it finishes -- which means the
initgrTimestamp is written before the IPA external group membership is
evaluated.
When two requests for initgroups arrive semi-concurrently, it can happen
that the first request will trigger the whole machinery while the other one
would evaluate the initgrTimestamp attribute that was just bumped, but the
IPA group memberships were not yet written to the cache.
The result is that the second racing request only returns AD groups.
This fix removes writing the timestamp from the generic LDAP code and
instead writes the timestamp only when the Data Provider request fully
returns.
Resolves:
https://pagure.io/SSSD/sssd/issue/3744
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/575/head:pr575
git checkout pr575
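
The race described in the PR body, as an added example that is not SSSD code: a deterministic C model in which request B checks the cache between the two parts of request A. The struct, the function names, the group counts and the 300-second lifetime are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model of one cached user entry; all names here are hypothetical. */
struct cache_entry {
    int  ad_groups;        /* groups written by the LDAP part of the request */
    int  ipa_ext_groups;   /* IPA external group memberships, written later */
    long initgr_timestamp; /* entry counts as fresh while this is > now */
};
enum bump_point { BUMP_AT_LDAP_DONE, BUMP_AT_DP_DONE };

/* Part 1: resolve the AD user through the generic LDAP code. */
static void ldap_part(struct cache_entry *e, enum bump_point bp, long now)
{
    e->ad_groups = 2;                        /* constructed sample value */
    if (bp == BUMP_AT_LDAP_DONE)
        e->initgr_timestamp = now + 300;     /* old behaviour: bumped too early */
}

/* Part 2: add IPA external groups, then finish the Data Provider request. */
static void ipa_part_and_finish(struct cache_entry *e, enum bump_point bp, long now)
{
    e->ipa_ext_groups = 1;                   /* constructed sample value */
    if (bp == BUMP_AT_DP_DONE)
        e->initgr_timestamp = now + 300;     /* fixed behaviour: bumped last */
}

/* Serve from cache only when fresh; -1 means "must go to the Data Provider". */
static int lookup_from_cache(const struct cache_entry *e, long now)
{
    if (e->initgr_timestamp <= now)
        return -1;
    return e->ad_groups + e->ipa_ext_groups;
}

/* Interleaving from the PR: request B reads the cache between A's two parts. */
static int racing_lookup(enum bump_point bp)
{
    struct cache_entry e = {0, 0, 0};
    const long now = 1000;
    ldap_part(&e, bp, now);                      /* request A, part 1 */
    int seen_by_b = lookup_from_cache(&e, now);  /* request B arrives */
    ipa_part_and_finish(&e, bp, now);            /* request A, part 2 */
    return seen_by_b;
}

int main(void)
{
    printf("bump at LDAP level: B served %d groups; bump at DP finish: B served %d\n",
           racing_lookup(BUMP_AT_LDAP_DONE), racing_lookup(BUMP_AT_DP_DONE));
    return 0;
}
```

With the early bump, B is answered from the cache with the AD groups only; with the bump moved to the end of the Data Provider request, B finds the entry not yet fresh and is not served the partial group list.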