From c93227960164bb92f98dc1108c1bfb53850e06f5 Mon Sep 17 00:00:00 2001 From: Lin Liu Date: Tue, 21 May 2024 03:42:49 +0000 Subject: [PATCH] CA-393199: Disable external auth should clean pbis cache The domain information is cached by PBIS. Such cache can help to accelerate query of domain information. However, the cache data should be cleaned during disable external auth to make sure - release cache as the domain is left - rejoin domain refresh all the domain information Signed-off-by: Lin Liu --- ocaml/xapi/extauth_plugin_ADpbis.ml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ocaml/xapi/extauth_plugin_ADpbis.ml b/ocaml/xapi/extauth_plugin_ADpbis.ml index f0fd62b17a7..9e085899476 100644 --- a/ocaml/xapi/extauth_plugin_ADpbis.ml +++ b/ocaml/xapi/extauth_plugin_ADpbis.ml @@ -1052,6 +1052,14 @@ module AuthADlw : Auth_signature.AUTH_MODULE = struct let on_disable config_params = (* but in the ldap plugin, we should 'leave the AD/kerberos domain', i.e. we should *) (* (1) remove the machine account from the kerberos realm, (2) remove the keytab locally *) + + (* Clean pbis cache as we are disabling external auth and will leave domain *) + ( try pbis_common "/opt/pbis/bin/ad-cache" ["--delete-all"] |> ignore + with e -> + Printexc.to_string e + |> debug "Got error cleaning pbis cache, ignore the error %s" + ) ; + let pbis_failure = try ( if