CA-422713: XSI-2105: Pool.join failed due to AD status corrupt #6832

liulinC · 2026-01-14T06:49:55Z

The target pool has leaved AD, the joining host leave AD as well. However, the AD status is somehow corrupt

external_auth_type is empty, this is expected
external_auth_service_name is a valid domain

This confused pool.join as it thinks AD is not enabled, but somehow joined to a domain.

Normal domain leave does not resolve the issue, and it does not join domain
Join domain again(failed) also does not resolve it, as xapi will restore to the current value before join on failed.

This commit introduce force option to host.disable_external_auth API
to force clean up to recover host
BTW, current code try to keep them consistent already, but not atomic.

lindig

This looks clean to me. We could use a default for the force parameter and then even fewer changes would be required.

lindig · 2026-01-15T10:04:58Z

ocaml/xapi/xapi_host.ml

+            (* 3. CP-703: we always revalidate all sessions after the external authentication has been disabled *)
+            (* so that all sessions that were externally authenticated will be destroyed *)
+            debug
+              "calling revalidate_all_sessions after disabling external auth \


I think it would be better to leave logging to revalidate_all_sessions. It is indeed an unusual action that should be always logged.

Sorry, I did not understand the point here, I did not update any code, just put it under a condition. (master here).
Given the session management is a pool-level stuff, My latest update move it to xapi_pool

lindig · 2026-01-15T10:05:29Z

ocaml/xapi/xapi_host.ml

        match plugin_disable_failure with
-        | None ->
+        (* we do not want to stop pool_eject and permit Extauth_is_disabled during force *)
+        | Some e when during_pool_eject || (e = Extauth_is_disabled && force) ->


I like the use of when

last-genius · 2026-01-15T11:16:01Z

If this is a WIP, maybe worth converting to a draft?

liulinC · 2026-01-20T07:39:41Z

xenrt test looks good: 232815 (Dev Run)

liulinC · 2026-01-21T02:09:31Z

If this is a WIP, maybe worth converting to a draft?

It is ready for review now.

ocaml/idl/datamodel_host.ml

changlei-li · 2026-01-21T06:39:27Z

ocaml/xapi-cli-server/cli_operations.ml

  let host = Client.Host.get_by_uuid ~rpc ~session_id ~uuid:host_uuid in
  let config = read_map_params "config" params in
-  Client.Host.disable_external_auth ~rpc ~session_id ~host ~config
+  Client.Host.disable_external_auth ~rpc ~session_id ~host ~config ~force:true


Why not let the user pass the force value like xe host-disable-external-auth --force=true

this is let use use --force=true per my test.
note: force=true|--force is forced to reach here.

I see the command requires --force to make the user aware of it is a recover command only. So the user can't select force:false. It is intended, Right?

Yes, This API is hidden, only used for specific purpose with --force for awareness.

changlei-li · 2026-01-21T06:44:38Z

ocaml/xapi/xapi_pool.ml

        debug
          "The external authentication of all hosts in the pool was disabled \
           successfully"
+      )


Does it change the behavior? If the pool disable partially fails, some hosts have been disabled. Does it need to clear the session?

no, we should not clear the session.
That is also the problem of the old code.

changlei-li · 2026-01-21T06:46:23Z

ocaml/xapi/xapi_pool.ml

    (* this call will return an exception if something goes wrong *)
    Xapi_host.disable_external_auth_common ~during_pool_eject:true ~__context
-      ~host ~config:[] () ;
+      ~host ~config:[] ~force:false () ;


I am not clear for what cases we need force:false? What's the benefit of it?

we do not use force by default, until user want to use it manually.

changlei-li · 2026-01-21T09:29:29Z

ocaml/idl/datamodel_host.ml

+          param_type= Bool
+        ; param_name= "force"
+        ; param_doc= "Disable external auth even when not enabled"
+        ; param_release= numbered_release "26.1.0-next"


release number need to be updated before merge. 26.2.0 is tagged.

This PR has been pending for a while 🪐

The target pool has leaved AD, the joining host leave AD as well. However, the AD status is somehow corrupt - external_auth_type is empty, this is expected - external_auth_service_name is a valid domain This confused pool.join as it thinks AD is not enabled, but somehow joined to a domain. - Normal domain leave does not resolve the issue, and it does not join domain - Join domain again(failed) does not resolve it neither, as xapi will restore to the current value before join on failed. This commit introduce force option to host.disable_external_auth API to force clean up to recover host BTW, current code try to keep them consistent already, but not atomic. Signed-off-by: Lin Liu <[email protected]>

liulinC force-pushed the private/linl/XSI-2105 branch 3 times, most recently from 91c032c to 81c0764 Compare January 15, 2026 04:47

liulinC changed the title ~~CA-422713: XSI-2105: Pool.join failed due to AD status corrupt~~ (WIP) CA-422713: XSI-2105: Pool.join failed due to AD status corrupt Jan 15, 2026

lindig approved these changes Jan 15, 2026

View reviewed changes

liulinC force-pushed the private/linl/XSI-2105 branch from 81c0764 to ad9fb6d Compare January 20, 2026 07:38

liulinC changed the title ~~(WIP) CA-422713: XSI-2105: Pool.join failed due to AD status corrupt~~ CA-422713: XSI-2105: Pool.join failed due to AD status corrupt Jan 20, 2026

liulinC force-pushed the private/linl/XSI-2105 branch from ad9fb6d to a07cb45 Compare January 20, 2026 08:00

changlei-li reviewed Jan 21, 2026

View reviewed changes

liulinC force-pushed the private/linl/XSI-2105 branch from a07cb45 to 5b72cbb Compare January 21, 2026 07:03

changlei-li approved these changes Jan 21, 2026

View reviewed changes

liulinC force-pushed the private/linl/XSI-2105 branch from 5b72cbb to d73437c Compare January 21, 2026 09:36

liulinC added this pull request to the merge queue Jan 21, 2026

liulinC removed this pull request from the merge queue due to a manual request Jan 21, 2026

liulinC added this pull request to the merge queue Jan 21, 2026

Merged via the queue into xapi-project:master with commit 8116cf5 Jan 21, 2026
16 checks passed

CA-422713: XSI-2105: Pool.join failed due to AD status corrupt #6832

CA-422713: XSI-2105: Pool.join failed due to AD status corrupt #6832

Conversation

liulinC commented Jan 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

lindig left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

last-genius commented Jan 15, 2026

Uh oh!

liulinC commented Jan 20, 2026

Uh oh!

liulinC commented Jan 21, 2026

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

liulinC commented Jan 14, 2026 •

edited

Loading