[Freeipa-devel] [PATCH 0036] Move ipa-otpd socket directory

Nathaniel McCallum npmccallum at redhat.com
Tue Feb 11 16:06:53 UTC 2014


On Tue, 2014-02-11 at 09:50 +0100, Martin Kosek wrote:
> On 02/07/2014 06:09 PM, Nathaniel McCallum wrote:
> > NOTE: Special care is required with this patch. Specifically, it needs
> > to be synchronized with this patch: https://github.com/krb5/krb5/pull/45
> > 
> > The background here is the desire of SELinux folks to move the sockets
> > into /run. MIT has agreed to use the new runstatedir in autoconf git
> > master (soon to be 2.70). This change has been applied upstream and will
> > be part of the 1.13 release. The major downside is that this patch is
> > backwards incompatible.
> > 
> > In the interest of making backwards incompatible changes as quickly as
> > possible before increased adoption, Nalin and I have agreed to backport
> > this patch to rawhide. We are also strongly considering a backport to
> > F20.
> > 
> > Nathaniel
> 
> 
> This worked for me in a F20 downstream scratch build, the socket was in the assumed
> place.
> 
> 1) I think you should also update the upstream reference spec file so that the
> updated KDC is required:
> 
> @@ -118,7 +119,7 @@ Requires: nss >= 3.14.3-12.0
>  Requires: nss-tools >= 3.14.3-12.0
>  %endif
>  %if 0%{?krb5_dal_version} >= 4
> -Requires: krb5-server >= 1.11.2-1
> +Requires: krb5-server >= 1.11.5-3
>  %else
>  %if 0%{krb5_dal_version} == 3
>  # krb5 1.11 bumped DAL interface major version, a rebuild is needed
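Review bot: the bump to `krb5-server >= 1.11.5-3` lands only in the `%if 0%{?krb5_dal_version} >= 4` branch; the `%else` branch for DAL version 3 keeps its previous requirement, so a FreeIPA build against a DAL-3 KDC would not pull in a KDC that looks for the socket in the relocated directory. Check whether that branch needs the same bump, and confirm that 1.11.5-3 is the krb5 build that actually carries the socket-directory change referenced upstream (https://github.com/krb5/krb5/pull/45), since the implicit-configuration lookup silently fails rather than erroring if the two sides disagree. Minor: the context line `%if 0%{krb5_dal_version} == 3` lacks the `?` guard used on the line above (`%{?krb5_dal_version}`), which will expand to a bare `0` if the macro is undefined.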

Fix attached.

> 2) What do you mean by "backwards incompatible"? That updated KDC won't work
> with non-patched FreeIPA?

Updated KDC will continue to work for all manually configured OTP
servers. However, the KDC also supports "implicit configuration" which
looks in a specific directory for sockets. This directory is what is
changing. If you update the KDC without FreeIPA, the KDC won't be able
to find the FreeIPA socket because we depend on implicit configuration.
The FreeIPA patch just makes systemd create the socket in the right
place. Either a reboot or "systemctl daemon-reload; systemctl restart
ipa-otpd.socket" is required to make the changes take effect.

> Just checking - upgrades should work fine, right? I.e. when both FreeIPA and
> KRB5KDC are updated, OTP will keep working? No re-install needed?

Correct.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-npmccallum-0036-2-Move-ipa-otpd-socket-directory.patch
Type: text/x-patch
Size: 3250 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140211/c82aec6b/attachment.bin>

