[Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache

Martin Babinsky mbabinsk at redhat.com
Fri May 15 14:16:38 UTC 2015


These two patches fix two issues reported by David Kupka in the most recent 
freeipa-master builds, which are caused by my previous patch 0031 
"provide a dedicated ccache file to httpd".

Patch 0033 moves the `clientcaches` and `krbcache` directories under a 
common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This 
fixes a situation where both mod_auth_kerb and mod_auth_gssapi are 
installed together with IPA. The removal of the former Apache module 
also removes the `krbcache` directory, thus invalidating the ccache path 
in KRB5CCNAME.

This of course causes spectacular explosions when calling the RPC interface 
(aka always).

Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in 
our `httpd.service` override during uninstall. This fixes an issue 
related to the uninstall of an old IPA server and the immediate install of a new 
IPA server.

In this case the old ccache is left in the httpd runtime dir, causing 
"Decrypt integrity check failed" errors when connecting to the RPC interface 
(old tickets are being sent to a KDC that has the new Apache secret key).

However, issuing `kdestroy -A` as the apache user is not enough, because 
systemd daemons use completely different isolated environments (and thus 
a completely different KRB5CCNAME than the apache user). That's why we have to 
explicitly remove the ccache using `kdestroy -c`.

I would like to thank David for pointing out these issues.

-- 
Martin^3 Babinsky
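As an added illustration of the uninstall step described in this message (example code, not FreeIPA's own HTTPInstance implementation), the snippet below reads the KRB5CCNAME that an httpd.service systemd override hands to Apache and destroys exactly that cache with `kdestroy -c`, instead of relying on `kdestroy -A` in the apache user's own environment. The override path, the sample drop-in text and the ccache file name are constructed assumptions.

```python
"""Destroy the ccache an httpd.service override assigns to Apache.

`kdestroy -A` run as the apache user looks at that user's KRB5CCNAME,
not at the one systemd sets for the daemon, so the cache named in the
unit override must be located and destroyed explicitly.
"""
import os
import re
import shlex
import subprocess

# Hypothetical drop-in location; the real FreeIPA override path is not given here.
OVERRIDE_PATH = "/etc/systemd/system/httpd.service.d/ipa.conf"

# Constructed sample override, for illustration only.
SAMPLE_OVERRIDE = """[Service]
Environment=KRB5CCNAME=FILE:/var/run/httpd/ipa/krbcache/krb5ccache
"""

_ENV_RE = re.compile(r"^\s*Environment\s*=\s*(.*)$")


def ccache_from_override(text):
    """Return the KRB5CCNAME value set by a unit override, or None.

    systemd accepts several Environment= lines, each with several
    space-separated (optionally quoted) VAR=value pairs; the last wins.
    """
    found = None
    for line in text.splitlines():
        m = _ENV_RE.match(line)
        if not m:
            continue
        for pair in shlex.split(m.group(1)):
            name, sep, value = pair.partition("=")
            if sep and name == "KRB5CCNAME":
                found = value
    return found


def ccache_path(ccname):
    """Map a ccache name to a file path; only FILE: caches are single files."""
    if ccname is None:
        return None
    kind, sep, rest = ccname.partition(":")
    if not sep:
        return ccname  # no type prefix means a FILE ccache
    return rest if kind.upper() == "FILE" else None  # KEYRING:, DIR:, ...


def destroy_service_ccache(text, runner=subprocess.run):
    """Run `kdestroy -c` on the override's cache; return its path or None.

    `runner` is injectable so the logic can be exercised without a KDC.
    """
    path = ccache_path(ccache_from_override(text))
    if path is None or not os.path.exists(path):
        return None  # nothing left over from a previous install
    runner(["kdestroy", "-c", path], check=False)
    if os.path.exists(path):  # kdestroy normally unlinks FILE caches
        os.remove(path)
    return path
```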
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0033-move-IPA-related-http-runtime-directories-to-common-.patch
Type: text/x-patch
Size: 3887 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150515/6d2123e1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0034-explicitly-destroy-httpd-service-ccache-file-during-.patch
Type: text/x-patch
Size: 2083 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150515/6d2123e1/attachment-0001.bin>