URL: https://github.com/SSSD/sssd/pull/5450 Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented: """
Thanks a lot Pavel for the further review, it is better to get everything resolved now than having to fix issues later.

> If the cache contains uid that is not resolvable then kcm fails to start:
>
> ```
> [root /var/log/sssd]# /usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --debug-level 0xfff0
> (2021-03-25 12:12:49:260824): [sssd] [become_user] (0x0200): Trying to become user [0][0].
> (2021-03-25 12:12:49:260883): [sssd] [become_user] (0x0200): Already user [0].
> (2021-03-25 12:12:49:263412): [kcm] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
> (2021-03-25 12:12:49): [kcm] [server_setup] (0x0040): Starting with debug level = 0xfff0
> (2021-03-25 12:12:49): [kcm] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
> (2021-03-25 12:12:49): [kcm] [kcm_get_ccdb_be] (0x0100): KCM database type: secdb
> (2021-03-25 12:12:49): [kcm] [kcm_ccdb_init] (0x0200): KCM back end: libsss_secrets
> (2021-03-25 12:12:49): [kcm] [ccdb_secdb_init] (0x2000): secdb initialized
> (2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [91600000]
> (2021-03-25 12:12:49): [kcm] [sss_sec_list_cc_uids] (0x2000): uid: [1000]
> (2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x2000): Found [2] ccache uids
> (2021-03-25 12:12:49): [kcm] [renew_check_ccaches] (0x0040): Failed to get pwd entry for [91600000]
> (2021-03-25 12:12:49): [kcm] [ccdb_secdb_renew_init] (0x0040): Error checking ccaches in secdb
> (2021-03-25 12:12:49): [kcm] [kcm_ccdb_renew_init] (0x0020): Failure to execute ccdb renewal init
> (2021-03-25 12:12:49): [kcm] [kcm_process_init] (0x0010): fatal error initializing KCM ccdb renewals
> (2021-03-25 12:12:49): [kcm] [kcm_responder_ctx_destructor] (0x0400): Responder is being shut down
> ```

Is it valid to treat renewal failures as not fatal, and return EOK from `kcm_ccdb_renew_init` instead of the current behavior shown below? If not, what is the preferred way to handle this?

```
/* Add any renew-applicable KCM tickets to renew table */
ret = kcm_ccdb_renew_init(renew_tgt_ctx->rctx, renew_tgt_ctx->krb5_ctx,
                          ev, renew_tgt_ctx->db);
if (ret != EOK) {
    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add KCM tickets to table.\n");
    talloc_zfree(renew_tgt_ctx);
    return;
}
```

> It might be better to move this to a function on its own, something like:
>
> ```c
> errno_t kcm_renewals_init(...)
> {
> #ifndef HAVE_KCM_RENEWAL
>     return EOK;
> #else
>     do stuff
> #endif
> }
> ```

Can you help me understand what is the benefit of this change?
"""

See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-806744205
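As an added illustration of the non-fatal handling the question above asks about (example code written for this page, not SSSD's own; `renew_check_ccaches_tolerant`, the resolver hook, the local `EOK` define and the sample uid list are assumptions), this walks a ccache uid list, logs and skips a uid with no passwd entry, and lets the caller see how many entries were skipped instead of aborting the whole renewal init:

```c
#include <errno.h>
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define EOK 0 /* SSSD's success value; defined here so the file builds stand-alone */
/* Resolver hook, so the walk can be exercised without a real passwd database.
 * Returns non-zero when the uid has a passwd entry. */
typedef int (*uid_resolver_fn)(uid_t uid);

/* Real resolver: the same getpwuid() lookup the quoted log shows failing. */
int resolve_uid_getpwuid(uid_t uid)
{
    return getpwuid(uid) != NULL;
}

/* Constructed sample resolver: only uid 0 and uid 1000 exist, so the stale
 * uid 91600000 from the log is unresolvable here as well. */
int resolve_uid_sample(uid_t uid)
{
    return uid == 0 || uid == 1000;
}
/* Walk the ccache uid list. A uid with no passwd entry is reported and
 * skipped instead of aborting, so one stale entry cannot stop the whole
 * renewal init. Returns EOK unless the arguments themselves are invalid;
 * the caller can still warn when *n_skipped is non-zero. */
int renew_check_ccaches_tolerant(const uid_t *uids, size_t n_uids,
                                 uid_resolver_fn resolve,
                                 size_t *n_scheduled, size_t *n_skipped)
{
    size_t scheduled = 0, skipped = 0;
    if (resolve == NULL || (uids == NULL && n_uids > 0)) {
        return EINVAL;
    }
    for (size_t i = 0; i < n_uids; i++) {
        if (!resolve(uids[i])) {
            fprintf(stderr, "Failed to get pwd entry for [%lu], skipping\n",
                    (unsigned long) uids[i]);
            skipped++;
            continue;
        }
        scheduled++; /* the real code would add this user's renewable TGTs here */
    }
    if (n_scheduled) *n_scheduled = scheduled;
    if (n_skipped) *n_skipped = skipped;
    return EOK;
}
```

Whether a non-zero skip count should only be logged or should still fail startup is exactly the policy question the comment raises; this version makes that decision the caller's.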
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure