[Freeipa-devel] [PATCH 0036] Move ipa-otpd socket directory

Martin Kosek mkosek at redhat.com
Tue Feb 11 16:49:30 UTC 2014


On 02/11/2014 05:06 PM, Nathaniel McCallum wrote:
> On Tue, 2014-02-11 at 09:50 +0100, Martin Kosek wrote:
>> On 02/07/2014 06:09 PM, Nathaniel McCallum wrote:
>>> NOTE: Special care is required with this patch. Specifically, it needs
>>> to be synchronized with this patch: https://github.com/krb5/krb5/pull/45
>>>
>>> The background here is the desire of SELinux folks to move the sockets
>>> into /run. MIT has agreed to use the new runstatedir in autoconf git
>>> master (soon to be 2.70). This change has been applied upstream and will
>>> be part of the 1.13 release. The major downside is that this patch is
>>> backwards incompatible.
>>>
>>> In the interest of making backwards incompatible changes as quickly as
>>> possible before increased adoption, Nalin and I have agreed to backport
>>> this patch to rawhide. We are also strongly considering a backport to
>>> F20.
>>>
>>> Nathaniel
>>
>>
>> This worked for me in an F20 downstream scratch build; the socket was in the assumed
>> place.
>>
>> 1) I think you should also update the upstream reference spec file so that the
>> updated KDC is required:
>>
>> @@ -118,7 +119,7 @@ Requires: nss >= 3.14.3-12.0
>>  Requires: nss-tools >= 3.14.3-12.0
>>  %endif
>>  %if 0%{?krb5_dal_version} >= 4
>> -Requires: krb5-server >= 1.11.2-1
>> +Requires: krb5-server >= 1.11.5-3
>>  %else
>>  %if 0%{krb5_dal_version} == 3
>>  # krb5 1.11 bumped DAL interface major version, a rebuild is needed
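Review bot: the krb5-server version bump applies only to the `%if 0%{?krb5_dal_version} >= 4` branch; the `== 3` branch that follows keeps its existing requirement, so a FreeIPA build against a DAL-3 krb5 that also carries the socket-directory move would not pull in the updated KDC (the thread notes the KDC change is being backported to rawhide and F20). Either bump the `Requires:` in that branch too or state why it is unaffected. Minor style point: the nested `%if 0%{krb5_dal_version} == 3` omits the `?` guard used two lines above (`0%{?krb5_dal_version}`); the two conditionals should be written consistently.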
> 
> Fix attached.
> 
>> 2) What do you mean by "backwards incompatible"? That updated KDC won't work
>> with non-patched FreeIPA?
> 
> Updated KDC will continue to work for all manually configured OTP
> servers. However, the KDC also supports "implicit configuration" which
> looks in a specific directory for sockets. This directory is what is
> changing. If you update the KDC without FreeIPA, the KDC won't be able
> to find the FreeIPA socket because we depend on implicit configuration.
> The FreeIPA patch just makes systemd create the socket in the right
> place. Either a reboot or "systemctl daemon-reload; systemctl restart
> ipa-otpd.socket" are required to make the changes take effect.
> 
>> Just checking - upgrades should work fine, right? I.e. when both FreeIPA and
>> KRB5KDC are updated, OTP will keep working? No re-install needed?
> 
> Correct.
> 

ACK, pushed to master.

freeipa-3.3.4-3.fc20 is now in build.

Martin
