TrueNAS / NAS-109430

Improve error handling for directory services


      Description

      PR: https://github.com/truenas/middleware/pull/6426

      This PR covers a few edge cases that may trip up some users.

      First off, we prevent users from simultaneously enabling AD and LDAP directory services. There are very few cases where users actually need to do this. One common example may be FreeIPA + AD in the same environment, but the typical resolution to this configuration need is to create a cross-realm trust between FreeIPA and AD and enable / configure trusted domains in the AD plugin.

      Kerberos libraries will let us kinit even if the clock offset is larger than 3 minutes, but services behave badly in this situation. This PR makes us try a little harder. If the CLDAP ping fails to get us a DC, then we switch to performing a normal DNS lookup for a DC. If the time offset is too large (or our service account can't be used for the netlogon connection), then we destroy the service account's Kerberos ticket to prevent it from being used by middleware or other processes.
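      The following is an added example (it is not code from the TrueNAS middleware PR linked above) that models the two behaviours the description covers: the mutual-exclusion check for AD and LDAP, and the DC discovery path with a DNS SRV fallback, a clock-offset check against the 3-minute threshold, and a "destroy the ticket" decision when the offset is too large or the netlogon connection fails. The CLDAP ping and DNS lookup are injected callables so it runs offline; the DC's time is assumed to come from a rootDSE-style `currentTime` generalized-time string, and all inputs are constructed.

```python
"""Added example, not TrueNAS middleware code.

Models: (1) refusing to enable AD and LDAP together, (2) DC discovery with
CLDAP ping first and DNS SRV fallback, (3) clock-offset check and a
kdestroy decision. Network calls are injected callables (assumption).
"""
import random
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Sequence

# Threshold named in the ticket: beyond this, services misbehave even if kinit succeeds.
MAX_CLOCK_SKEW = timedelta(minutes=3)


@dataclass
class DomainController:
    hostname: str
    priority: int = 0  # DNS SRV priority (lower wins)
    weight: int = 0    # DNS SRV weight (used within one priority)


def check_directory_services(ad_enabled: bool, ldap_enabled: bool) -> List[str]:
    """Return validation errors, mirroring a ValidationErrors-style result."""
    errors: List[str] = []
    if ad_enabled and ldap_enabled:
        errors.append(
            "AD and LDAP directory services cannot be enabled at the same time; "
            "for FreeIPA + AD, use a cross-realm trust and configure trusted domains."
        )
    return errors


def select_srv_target(records: Sequence[DomainController],
                      rng: random.Random) -> DomainController:
    """RFC 2782 selection: lowest priority group, weighted random within it."""
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:  # all zero weights: any member is acceptable
        return rng.choice(group)
    return rng.choices(group, weights=[r.weight for r in group], k=1)[0]


def discover_dc(cldap_ping: Callable[[], Optional[DomainController]],
                dns_srv_lookup: Callable[[], Sequence[DomainController]],
                rng: Optional[random.Random] = None) -> DomainController:
    """Try the CLDAP ping first; fall back to a plain DNS SRV lookup."""
    dc = cldap_ping()
    if dc is not None:
        return dc
    records = dns_srv_lookup()
    if not records:
        raise LookupError("no domain controller found via CLDAP or DNS")
    return select_srv_target(records, rng or random.Random())


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP generalized time such as '20240101120000.0Z' (assumed source of DC time)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC generalized time is supported")
    base = value.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def clock_offset(dc_current_time: str, now: datetime) -> timedelta:
    """Absolute difference between the DC's reported time and our clock."""
    return abs(parse_generalized_time(dc_current_time) - now)


def kerberos_action(offset: timedelta, netlogon_ok: bool) -> str:
    """Decide whether the service account's ticket must be destroyed."""
    if offset > MAX_CLOCK_SKEW or not netlogon_ok:
        return "kdestroy"  # prevent middleware/other processes from using a bad ticket
    return "keep"


if __name__ == "__main__":
    # Constructed scenario: CLDAP ping fails, DNS SRV returns two DCs, clock is 4 min off.
    srv = [DomainController("dc2.example.internal", 20, 0),
           DomainController("dc1.example.internal", 10, 0)]
    dc = discover_dc(lambda: None, lambda: srv, random.Random(0))
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    off = clock_offset("20240101120400.0Z", now)
    print(dc.hostname, off, kerberos_action(off, netlogon_ok=True))
```

      The decision is deliberately split from the I/O: the same `kerberos_action` rule can be exercised against a recorded offset in tests, and a failed netlogon connection is treated the same way as excessive skew, which is the behaviour the description calls for.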


                People

                Assignee: releng Triage Team
                Reporter: bugclerk Bug Clerk
