From a2f7322b9d8e47c0c93463d9fe1f37dc869799df Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 8 Jan 2018 18:30:57 +0100
Subject: [PATCH 91/96] IPA: Delay the first periodic refresh of trusted
 domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the IPA subdomains code is initialized, the responders send a request
to fetch subdomains. This request first stores the list of trusted domains
to the cache and then runs the ipa-getkeytab helper.

At the same time, the periodical task to update the subdomains is also
started. The task finds out that all the trusted domains are already known
and finishes the request, which replies to the Data Provider requests as
well even while the ipa-getkeytab request is still running.

This unblocks requests from the responders, which try to connect to the AD
DCs even before the keytab is available, which switches the SSSD status to
offline.

This patch simply delays the first periodic task in the IPA subdomains code
by 10 minutes, thus mitigating the startup race.

Resolves:
https://pagure.io/SSSD/sssd/issue/3601

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 261a84355d9d033ca03f46727dbc2cf4921f154e)
---
 src/providers/ipa/ipa_subdomains.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 3d3341a3eff5e55ae0c6fa5ad40603adc609e692..7d2cf80c8137a0428880c5474d4d94ca3ad1a5d4 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -2379,6 +2379,11 @@ errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx,
     struct ipa_options *ipa_options;
     time_t period;
     errno_t ret;
+    /* Delay the first ptask that refreshes the trusted domains so that a race between
+     * the first responder-induced request and the ptask doesn't cause issues, see
+     * also upstream ticket #3601
+     */
+    const time_t ptask_first_delay = 600;
 
     ipa_options = ipa_id_ctx->ipa_options;
 
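Review bot: The added `const time_t ptask_first_delay = 600;` is a bare magic number with no unit in its name or comment, and the comment above it says the race "doesn't cause issues" without saying that this is a timing mitigation rather than synchronization. Consider stating that the value is in seconds, either in the comment or in the name (for example `ptask_first_delay_sec`), and noting that the race is only avoided if the first responder-induced request finishes within that window. The first line of the new comment also runs well past 80 columns and should be rewrapped.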
@@ -2401,7 +2406,7 @@ errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx,
                   struct ipa_subdomains_ctx, struct dp_subdomains_data, struct dp_reply_std);
 
     period = be_ctx->domain->subdomain_refresh_interval;
-    ret = be_ptask_create(sd_ctx, be_ctx, period, 0, 0, 0, period,
+    ret = be_ptask_create(sd_ctx, be_ctx, period, ptask_first_delay, 0, 0, period,
                           BE_PTASK_OFFLINE_DISABLE, 0,
                           ipa_subdomains_ptask_send, ipa_subdomains_ptask_recv, sd_ctx,
                           "Subdomains Refresh", NULL);
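Review bot: In the `be_ptask_create()` call the new `ptask_first_delay` argument is fixed and is not checked against `period`, which is read from `be_ctx->domain->subdomain_refresh_interval` on the line above. If that interval is configured below 600, the first periodic refresh is scheduled later than one regular interval, which an administrator would not expect from the option alone. Consider documenting this interaction where `subdomain_refresh_interval` is described, or logging the effective first delay at init so the behaviour is visible when debugging startup.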
-- 
2.14.3