From a2f7322b9d8e47c0c93463d9fe1f37dc869799df Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 8 Jan 2018 18:30:57 +0100
Subject: [PATCH 91/96] IPA: Delay the first periodic refresh of trusted domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the IPA subdomains code is initialized, the responders send a request to fetch subdomains. This request first stores the list of trusted domains to the cache and then runs the ipa-getkeytab helper.

At the same time, the periodical task to update the subdomains is also started. The task finds out that all the trusted domains are already known and finishes the request, which replies to the Data Provider requests as well even while the ipa-getkeytab request is still running.

This unblocks requests from the responders, which try to connect to the AD DCs even before the keytab is available, which switches the SSSD status to offline.

This patch simply delays the first periodic task in the IPA subdomains code by 10 minutes, thus mitigating the startup race.

Resolves: https://pagure.io/SSSD/sssd/issue/3601

Reviewed-by: Sumit Bose
Reviewed-by: Michal Židek
Reviewed-by: Pavel Březina
(cherry picked from commit 261a84355d9d033ca03f46727dbc2cf4921f154e)
--- src/providers/ipa/ipa_subdomains.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 3d3341a3eff5e55ae0c6fa5ad40603adc609e692..7d2cf80c8137a0428880c5474d4d94ca3ad1a5d4 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c 
@@ -2379,6 +2379,11 @@ errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx, struct ipa_options *ipa_options; time_t period; errno_t ret; + /* Delay the first ptask that refreshes the trusted domains so that a race between + * the first responder-induced request and the ptask doesn't cause issues, see + * also upstream ticket #3601 + */ + const time_t ptask_first_delay = 600; ipa_options = ipa_id_ctx->ipa_options; @@ -2401,7 +2406,7 @@ errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx, struct ipa_subdomains_ctx, struct dp_subdomains_data, struct dp_reply_std); period = be_ctx->domain->subdomain_refresh_interval; - ret = be_ptask_create(sd_ctx, be_ctx, period, 0, 0, 0, period, + ret = be_ptask_create(sd_ctx, be_ctx, period, ptask_first_delay, 0, 0, period, BE_PTASK_OFFLINE_DISABLE, 0, ipa_subdomains_ptask_send, ipa_subdomains_ptask_recv, sd_ctx, "Subdomains Refresh", NULL); -- 2.14.3
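Review bot: In the @@ -2379 hunk, `const time_t ptask_first_delay = 600;` is a bare magic number whose unit and rationale are not stated in the comment above it. Say in the comment that the value is in seconds (10 minutes, per the commit message) and why that length was chosen, or move it to a named constant at file scope, so a later reader can judge whether it is safe to change. The comment's "doesn't cause issues" would also be more useful if it named the effect described in the commit message: responders contact the AD DCs before the keytab is available and SSSD switches to offline.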
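Review bot: In the @@ -2401 hunk, the fixed `ptask_first_delay` passed to `be_ptask_create()` does not depend on whether the initial responder-induced request has finished, so the race is avoided only when ipa-getkeytab completes within 600 seconds, and nothing here checks that. Consider having the periodic task detect an in-flight subdomains request and wait for it rather than finishing it, keeping the delay only as a fallback. Also, `period` comes from `subdomain_refresh_interval`, so with an interval below 600 the first refresh now runs later than one full period; document that or bound the delay by `period`.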