The yesterday's fail over patch broke the IPA provider.. The IPA provider is a special case because it uses fail over port 0 for both LDAP and Kerberos. That is done to make sure that we never connect to LDAP port on one host and Kerberos port on a different host.
However, the cycle detection in fail over tripped over this because when performing a GSSAPI bind, we first request a server with port 0 to get the LDAP server and before we can mark the server status (or go offline), we also need to resolve the KDC, which, from fail over point of view is also running on port 0...
The attached patch adds a boolean parameter to be_resolve_server_send() and only performs the cycle check if the parameter is false, that is, when requesting another server during the same operation.
On Wed, Mar 07, 2012 at 05:48:45PM +0100, Jakub Hrozek wrote:
The yesterday's fail over patch broke the IPA provider.. The IPA provider is a special case because it uses fail over port 0 for both LDAP and Kerberos. That is done to make sure that we never connect to LDAP port on one host and Kerberos port on a different host.
However, the cycle detection in fail over tripped over this because when performing a GSSAPI bind, we first request a server with port 0 to get the LDAP server and before we can mark the server status (or go offline), we also need to resolve the KDC, which, from fail over point of view is also running on port 0...
The attached patch adds a boolean parameter to be_resolve_server_send() and only performs the cycle check if the parameter is false, that is, when requesting another server during the same operation.
Jan spotted I was assigning the same callback for a kpasswd resolve request twice. New patch is attached.
On Wed, Mar 07, 2012 at 05:48:45PM +0100, Jakub Hrozek wrote:
The yesterday's fail over patch broke the IPA provider.. The IPA provider is a special case because it uses fail over port 0 for both LDAP and Kerberos. That is done to make sure that we never connect to LDAP port on one host and Kerberos port on a different host.
However, the cycle detection in fail over tripped over this because when performing a GSSAPI bind, we first request a server with port 0 to get the LDAP server and before we can mark the server status (or go offline), we also need to resolve the KDC, which, from fail over point of view is also running on port 0...
The attached patch adds a boolean parameter to be_resolve_server_send() and only performs the cycle check if the parameter is false, that is, when requesting another server during the same operation.
Jan spotted I was assigning the same callback for a kpasswd resolve request twice. New patch is attached.
Ack and pushed to master and sssd-1-8
Thanks Jan
sssd-devel@lists.fedorahosted.org
-
Jakub Hrozek -
Jan Zelený