krbExtraData is apparently NOT being modified, but the LDAP server believes it is, which triggers an LDAP mod and replication event because of it.
ssh logins should not trigger a modification that is replicated to FreeIPA replica servers due to storm concerns.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=782975
Moving to next month iteration.
This should be fixed in 2.2, as the ipa-kdb driver behaves differently from the ldap_driver in 2.1.
JR, any chance you can test this with the latest 2.2 bits for git?
JR confirmed krbExtraData is not replicated anymore.
However, apparently modifiersName still is.
So the problem is "fixed" on the KDC side, but we still have a replication problem on the DS side of things.
We need to discuss this to understand how to proceed. Resetting milestone and flags.
Extra data fix:
master: 0c6e047
ipa-2-2: c8cdb75
It seems that this issue is a bit mishandled. We should close this ticket and open a different one to track a broader DS enhancement. Putting it into NEEDS_TRIAGE to confirm that this is the right plan.
Closing this out for now, we've done all we can. Opened ticket 2534 to track 389-ds work.
Metadata Update from @jraquino: - Issue assigned to someone - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03