authorJakub Hrozek <jhrozek@redhat.com>2015-09-21 15:53:50 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-09-23 09:45:57 +0200
commit3366a3cdbf93eea757123e11a32307a005c05443 (patch)
treedaa33ad0cfa14def3e9989239405bd171b0e80aa /src/providers/ipa/ipa_id.c
parentc40b2e130b559caf90cf737977edba1f5703efc9 (diff)
IPA: Only re-fetch the keytab if modifyTimestamp is newer than last LDAP connection
Resolves: https://fedorahosted.org/sssd/ticket/2639 When a subdomain account lookup errors out, try to re-setup the trust object. Only do this if the connection was established after the last reset of the trust object. Internally, the setup function looks at the modifyTimestamp operational attribute of the TDO. If the modifyTimestamp is newer than the last keytab check, then the trust was re-created and we need to fetch the keytab again. Marking the back end as online resets the TDO check timestamp so that after cycling the sssd, the keytab would always be checked.
Diffstat (limited to 'src/providers/ipa/ipa_id.c')
-rw-r--r--src/providers/ipa/ipa_id.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index e81ccb34d..1e91fc599 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -1293,5 +1293,9 @@ void ipa_check_online(struct be_req *be_req)
ipa_ctx = talloc_get_type(be_ctx->bet_info[BET_ID].pvt_bet_data,
struct ipa_id_ctx);
+ if (ipa_ctx->server_mode == NULL) {
+ ipa_subdom_reset_trust(ipa_ctx->server_mode);
+ }
+
return sdap_do_online_check(be_req, ipa_ctx->sdap_id_ctx);
}
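Review bot: The guard on the added lines looks inverted: `if (ipa_ctx->server_mode == NULL)` runs `ipa_subdom_reset_trust()` only when `server_mode` is NULL, and hands it that NULL pointer. If the callee dereferences its argument (its body is not in this hunk), a configuration without server mode would crash the back end on the online check. When `server_mode` is set, the TDO check timestamp is never reset, so a re-created trust could keep using the old keytab, contrary to the commit description. The test should presumably read `if (ipa_ctx->server_mode != NULL) {`. Separately, `ipa_ctx` comes from `talloc_get_type()`, which returns NULL on a type mismatch, and is dereferenced here without a check; the start of ipa_check_online() is outside the hunk.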