diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2015-09-21 15:53:50 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-09-23 09:45:57 +0200 |
commit | 3366a3cdbf93eea757123e11a32307a005c05443 (patch) | |
tree | daa33ad0cfa14def3e9989239405bd171b0e80aa /src/providers/ipa/ipa_subdomains_id.c | |
parent | c40b2e130b559caf90cf737977edba1f5703efc9 (diff) | |
download | sssd-3366a3cdbf93eea757123e11a32307a005c05443.tar.gz sssd-3366a3cdbf93eea757123e11a32307a005c05443.tar.xz sssd-3366a3cdbf93eea757123e11a32307a005c05443.zip |
IPA: Only re-fetch the keytab if modifyTimestamp is newer than last LDAP connection
Resolves:
https://fedorahosted.org/sssd/ticket/2639
When a subdomain account lookup errors out, try to re-setup the trust
object. Only do this, if the connection was established after the last
re-set of the trust object.
Internally, the setup function looks at the modifyTimestamp operational
attribute of the TDO. If the modifyTimestamp is newer than the last
keytab check, then the trust was re-created and we need to fetch the
keytab again.
Marking the back end as online re-sets the TDO check timestamp so that
after cycling the sssd, the keytab would always be checked.
Diffstat (limited to 'src/providers/ipa/ipa_subdomains_id.c')
-rw-r--r-- | src/providers/ipa/ipa_subdomains_id.c | 67 |
1 files changed, 55 insertions, 12 deletions
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c index 8f13608bc..2c5e6d195 100644 --- a/src/providers/ipa/ipa_subdomains_id.c +++ b/src/providers/ipa/ipa_subdomains_id.c @@ -681,8 +681,8 @@ fail: return req; } -static struct ad_id_ctx * -ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx, +static struct ipa_ad_server_ctx * +ipa_get_trust_ctx(struct ipa_id_ctx *ipa_ctx, struct sss_domain_info *dom) { struct ipa_ad_server_ctx *iter; @@ -691,7 +691,17 @@ ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx, if (iter->dom == dom) break; } - return (iter) ? iter->ad_id_ctx : NULL; + return iter; +} + +static struct ad_id_ctx * +ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx, + struct sss_domain_info *dom) +{ + struct ipa_ad_server_ctx *trust; + + trust = ipa_get_trust_ctx(ipa_ctx, dom); + return (trust) ? trust->ad_id_ctx : NULL; } static errno_t @@ -1365,6 +1375,7 @@ struct ipa_srv_ad_acct_state { }; static int ipa_srv_ad_acct_lookup_step(struct tevent_req *req); +static errno_t ipa_srv_ad_acct_retry(struct tevent_req *req); static void ipa_srv_ad_acct_lookup_done(struct tevent_req *subreq); static void ipa_srv_ad_acct_retried(struct tevent_req *subreq); @@ -1446,19 +1457,14 @@ static void ipa_srv_ad_acct_lookup_done(struct tevent_req *subreq) ret = ipa_get_ad_acct_recv(subreq, &dp_error); talloc_free(subreq); if (ret == ERR_SUBDOM_INACTIVE && state->retry == true) { - - state->retry = false; - DEBUG(SSSDBG_MINOR_FAILURE, "Sudomain lookup failed, will try to reset sudomain..\n"); - subreq = ipa_server_trusted_dom_setup_send(state, state->ev, - state->be_ctx, - state->ipa_ctx, - state->obj_dom); - if (subreq == NULL) { + ret = ipa_srv_ad_acct_retry(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Retry failed[ [%d]: %s\n", ret, sss_strerror(ret)); goto fail; } - tevent_req_set_callback(subreq, ipa_srv_ad_acct_retried, req); return; } else if (ret != EOK) { be_mark_dom_offline(state->obj_dom, state->be_ctx); @@ -1477,6 +1483,43 @@ fail: tevent_req_error(req, ret); } +static errno_t ipa_srv_ad_acct_retry(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct ipa_ad_server_ctx *trust; + struct ipa_srv_ad_acct_state *state = tevent_req_data(req, + struct ipa_srv_ad_acct_state); + + state->retry = false; + + trust = ipa_get_trust_ctx(state->ipa_ctx, state->obj_dom); + if (trust == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot find truct ctx for %s\n", state->obj_dom->name); + return EINVAL; + } + + if (trust->last_kt_check > trust->ad_id_ctx->ldap_ctx->conn_time) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Last kt check time %ld is past last connection time %ld\n", + trust->last_kt_check, trust->ad_id_ctx->ldap_ctx->conn_time); + return ERR_SUBDOM_INACTIVE; + } + + subreq = ipa_server_trusted_dom_setup_send( + state, state->ev, + state->be_ctx, + state->ipa_ctx, + state->obj_dom, + trust->ad_id_ctx->ldap_ctx->conn_time); + if (subreq == NULL) { + return ENOMEM; + } + tevent_req_set_callback(subreq, ipa_srv_ad_acct_retried, req); + + return EOK; +} + static void ipa_srv_ad_acct_retried(struct tevent_req *subreq) { errno_t ret; |