URL:
https://github.com/SSSD/sssd/pull/328
Title: #328: KRB5: Return invalid credentials internally when attempting to renew an expired TGT
lslebodn commented:
"""
On (20/07/17 01:51), Jakub Hrozek wrote:
On Thu, Jul 20, 2017 at 01:47:49AM -0700, lslebodn wrote:
> On (20/07/17 00:59), Jakub Hrozek wrote:
> >Since 1.14.2 and in particular commit
> >d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
> >krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
> >
> >However, when the action that krb5_child performs is ticket renewal and the
> >ticket is totally expired, this can send the SSSD into offline mode.
> >
> >Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
> >sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map anymore.
> >
> >The effect on the daemon is that just the single renewal fails, but the
> >failover code is not called and therefore sssd doesn't switch into offline
> >mode.
> >
> LGTM,
>
> I will try to run some downstream tests.
Thank you. I'm also interested if this feels like too much of a hack.
During development, I was wondering whether we should add a new return
code instead of abusing ERR_CREDS_EXPIRED, but I think it's fine for
effectively handling a failure case.
I ran krb5 related downstream tests and I could not find any failure.
So +1
BTW have you tried test-cases for
https://pagure.io/SSSD/sssd/issue/3174
Because I could not find automated test for it. (at least quick git grep
didn't reveal anything.)
BTW a new return code might help but IMHO it would require a bigger change.
LS
"""
See the full comment at
https://github.com/SSSD/sssd/pull/328#issuecomment-317389131
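The commit message quoted above describes two stages: krb5_child translates the libkrb5 result into an sssd-internal code, and the parent's failover path only reacts to ERR_NETWORK_IO. The following stand-alone C model, added here as an illustration and not code from the SSSD tree, replays a constructed sequence of child results (a login, a renewal of an already expired TGT, another login) through a pre-patch and a post-patch translation policy and records whether failover would have been reached. All enumerator values, the `child_translate_*` and `run_backend` names, and the assumption that the conversion applies on the renewal path are this example's own; the real SSSD functions and constants are not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Placeholder values standing in for the libkrb5 and SSSD-internal codes
 * named in the PR. The numbers are made up for this model; only the
 * distinctions between them matter. */
enum krb5_code {
    KRB5_OK = 0,
    KRB5KRB_AP_ERR_TKT_EXPIRED = 32,  /* ticket expired, reported by libkrb5 */
    KRB5_KDC_UNREACH = 33,            /* KDC unreachable, a real network problem */
};

enum sss_err {
    EOK = 0,
    ERR_NETWORK_IO = 1001,     /* "could not reach the server": feeds failover */
    ERR_CREDS_EXPIRED = 1002,  /* sssd-internal: credentials gone, server fine */
    ERR_INTERNAL = 1003,
};

enum krb5_action { ACT_AUTH, ACT_RENEW };

typedef enum sss_err (*translate_fn)(enum krb5_action, enum krb5_code);

/* Pre-patch model: every KRB5KRB_AP_ERR_TKT_EXPIRED, whatever the operation,
 * is passed upward as ERR_NETWORK_IO. */
enum sss_err child_translate_old(enum krb5_action act, enum krb5_code kerr)
{
    (void)act;
    switch (kerr) {
    case KRB5_OK:                    return EOK;
    case KRB5KRB_AP_ERR_TKT_EXPIRED: return ERR_NETWORK_IO;
    case KRB5_KDC_UNREACH:           return ERR_NETWORK_IO;
    default:                         return ERR_INTERNAL;
    }
}

/* Post-patch model. Assumption made by this example: the conversion applies
 * on the renewal path, the case the PR describes; everything else is unchanged. */
enum sss_err child_translate_new(enum krb5_action act, enum krb5_code kerr)
{
    if (act == ACT_RENEW && kerr == KRB5KRB_AP_ERR_TKT_EXPIRED) {
        return ERR_CREDS_EXPIRED;
    }
    return child_translate_old(act, kerr);
}

/* The parent's decision: only a network-class error reaches the failover
 * code and can flip the backend offline. */
bool triggers_failover(enum sss_err err)
{
    return err == ERR_NETWORK_IO;
}

struct event   { enum krb5_action act; enum krb5_code kerr; };
struct outcome { int failed_ops; bool went_offline; };

/* Replay a sequence of krb5_child results through a translation policy and
 * record how many operations failed and whether failover was ever reached. */
struct outcome run_backend(const struct event *ev, size_t n, translate_fn tr)
{
    struct outcome o = { 0, false };
    for (size_t i = 0; i < n; i++) {
        enum sss_err e = tr(ev[i].act, ev[i].kerr);
        if (e == EOK) {
            continue;
        }
        o.failed_ops++;
        if (triggers_failover(e)) {
            o.went_offline = true;
        }
    }
    return o;
}

/* Constructed scenario: a successful login, then the renewal timer fires on
 * a TGT that has already passed its end time, then another good login. */
static const struct event scenario[] = {
    { ACT_AUTH,  KRB5_OK },
    { ACT_RENEW, KRB5KRB_AP_ERR_TKT_EXPIRED },
    { ACT_AUTH,  KRB5_OK },
};
static const size_t scenario_len = sizeof(scenario) / sizeof(scenario[0]);

struct outcome scenario_old(void) { return run_backend(scenario, scenario_len, child_translate_old); }
struct outcome scenario_new(void) { return run_backend(scenario, scenario_len, child_translate_new); }

int main(void)
{
    struct outcome a = scenario_old(), b = scenario_new();
    printf("before patch: %d failed op(s), offline=%s\n", a.failed_ops, a.went_offline ? "yes" : "no");
    printf("after patch:  %d failed op(s), offline=%s\n", b.failed_ops, b.went_offline ? "yes" : "no");
    return 0;
}
```

In both runs exactly one operation fails (the renewal), which is the intended behaviour; the difference is that under the old mapping that single failure is indistinguishable from a KDC outage and drags the backend offline, while under the new mapping a genuinely unreachable KDC (`KRB5_KDC_UNREACH`) still does.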