From a2f7322b9d8e47c0c93463d9fe1f37dc869799df Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 8 Jan 2018 18:30:57 +0100
Subject: [PATCH 91/96] IPA: Delay the first periodic refresh of trusted
domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When the IPA subdomains code is initialized, the responders send a request
to fetch subdomains. This request first stores the list of trusted domains
to the cache and then runs the ipa-getkeytab helper.
At the same time, the periodical task to update the subdomains is also
started. The task finds out that all the trusted domains are already known
and finishes the request, which replies to the Data Provider requests as
well even while the ipa-getkeytab request is still running.
This unblocks requests from the responders, which try to connect to the AD
DCs even before the keytab is available, which switches the SSSD status to
offline.
This patch simply delays the first periodic task in the IPA subdomains code
by 10 minutes, thus mitigating the startup race.
Resolves:
https://pagure.io/SSSD/sssd/issue/3601
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 261a84355d9d033ca03f46727dbc2cf4921f154e)
---
src/providers/ipa/ipa_subdomains.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 3d3341a3eff5e55ae0c6fa5ad40603adc609e692..7d2cf80c8137a0428880c5474d4d94ca3ad1a5d4 100644
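--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -2379,6 +2379,11 @@ errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx,
 struct ipa_options *ipa_options;
 time_t period;
 errno_t ret;
+ /* Delay the first ptask that refreshes the trusted domains so that a race between
+ * the first responder-induced request and the ptask doesn't cause issues, see
+ * also upstream ticket #3601
+ */
+ const time_t ptask_first_delay = 600;
 
 ipa_options = ipa_id_ctx->ipa_options;
 
@@ -2401,7 +2406,7 @@ errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx,
 struct ipa_subdomains_ctx, struct dp_subdomains_data, struct dp_reply_std);
 
 period = be_ctx->domain->subdomain_refresh_interval;
- ret = be_ptask_create(sd_ctx, be_ctx, period, 0, 0, 0, period,
+ ret = be_ptask_create(sd_ctx, be_ctx, period, ptask_first_delay, 0, 0, period,
 BE_PTASK_OFFLINE_DISABLE, 0,
 ipa_subdomains_ptask_send, ipa_subdomains_ptask_recv, sd_ctx,
 "Subdomains Refresh", NULL);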
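Review bot: The fixed 600 in `ptask_first_delay` stands in for an ordering guarantee that the code does not enforce. Nothing visible in either hunk ties the first periodic refresh to completion of the ipa-getkeytab helper, so the race from the commit message can presumably recur if the helper runs longer than ten minutes or a later periodic run overlaps a responder-induced request. When it does recur the backend goes offline and trusted-domain lookups fail, so the comment above the constant should state the unit and the limitation, e.g. `/* seconds; mitigation only: the ptask is not serialized against a running ipa-getkeytab request */`. The delay is also independent of `period`, so a configured `subdomain_refresh_interval` shorter than 600 would be exceeded on the first run; that is worth noting where the option is documented. `ipa_subdomains_init` begins and ends outside both hunks, so whether an in-flight request is tracked elsewhere cannot be confirmed from here.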
--
2.14.3