On Mon, 2017-07-10 at 16:04 +0200, Jakub Hrozek wrote:
> On Tue, Jul 04, 2017 at 12:38:46AM +0300, Timo Aaltonen wrote:
> > On 31.05.2017 10:53, Jakub Hrozek wrote:
> > > On Wed, May 31, 2017 at 08:19:56AM +1000, Lachlan Musicman wrote:
> > > > Hi all,
> > > >
> > > > I noticed a while ago that 1.15.3 was versioned in the repo but
I've not
> > > > seen anything released? I'm mostly looking on the COPR
> > > > (
> > > >
https://pagure.io/SSSD/sssd/c/012ee7c3fe24a5e75d9b0465268c1bb8187b8337?br...
> > > > )
> > > >
> > > > This is purely selfish - I love all that you do, and I'm aware
that there
> > > > has been some fairly comprehensive infrastructural change.
> > > >
> > > > I'm just waiting on that one fix and have no roadmap visibility
:)
> > >
> > > Sorry, I agree our roadmap is not entirely clear.
> > >
> > > 1.15.3 will be released during June, most fixes planned for that release
> > > are either in or being reviewed.
> >
> > Freeipa 4.5.2 depends on a feature not available in 1.15.2, which feels
> > a bit backwards as it's a point-release which I think should not depend
> > on a not-yet-released features..
>
> You are right and I didn't realize that there was this dependency.
>
> The current status of 1.15.3 release is that we need to fix:
>
https://pagure.io/SSSD/sssd/issue/3441 - secondary group membership
> resolution of AD user fails if user information from other trusted
> domain is fetched first - this is a regression I would really not
> like to see in a release
>
> Currently the 1.15.3 milestone also contains
>
https://pagure.io/SSSD/sssd/issue/3420 which is quite important but I
> wouldn't hold the release over this bug and
>
https://pagure.io/SSSD/sssd/issue/3406 which is also a regression, but
> at the same time a bit of a corner case, so I'd be personally fine with
> moving this to 1.15.4..
Not a corner case here, every suspend over night causes it.
The fix is so simple I am surprised you haven't done it yet, just
revert the KRB5KRB_AP_ERR_TKT_EXPIRED part of the offending commit.
That part was not not needed anyway as far as I can tell.
Reverting changes in krb5_child is not the simples thing.
It can break many cases in sssd (OTP, migration, certificates ...)
I do not want to say that it would be the same with commit
d3348f49260998880bb7cd3b2fb72d562b1b7a64
But it requires proper review and testing.
Feel free to provide a test + revert patch.
It's open source world.
LS