[Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache

Martin Babinsky mbabinsk at redhat.com
Fri May 15 14:41:38 UTC 2015


On 05/15/2015 04:25 PM, Jan Cholasta wrote:
> On 15.5.2015 at 16:16, Martin Babinsky wrote:
>> These two patches fix two issues reported by David Kupka in most recent
>> freeipa-master builds, which are caused by my previous patch 0031
>> "provide a dedicated ccache file to httpd".
>>
>> Patch 0033 moves `clientcaches` and `krbcache` directories under a
>> common `ipa/` subdir in Apache runtime dir (`/var/run/httpd`). This
>> fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
>> installed together with IPA. The removal of the former Apache module
>> removes also the `krbcache` directory, thus invalidating the ccache path
>> in KRB5CCNAME.
>>
>> This of course causes spectacular explosions when calling RPC interface
>> (aka always).
>>
>> Patch 0034 forces HTTPInstance to explicitly remove ccache specified in
>> our `httpd.service` override during uninstall. This fixes an issue
>> related to uninstall of an old IPA server and immediate install of new
>> IPA server.
>>
>> In this case the old CCache is left in httpd runtime dir, causing
>> "Decrypt integrity check failed" errors when connecting to RPC interface
>> (Old tickets are being sent to KDC having new Apache secret key).
>>
>> However, issuing 'kdestroy -A' as apache user is not enough, because
>> systemd daemons use completely different isolated environments (and thus
>> completely different KRB5CCNAME than apache user). That's why we have to
>> explicitly remove ccache using 'kdestroy -c'.
>>
>> I would like to thank David for pointing out these issues.
>>
>
> Don't forget to bump the version at the top of install/conf/ipa.conf.
>
Attaching updated patch 0033 with the bumped version.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0033.1-move-IPA-related-http-runtime-directories-to-common-.patch
Type: text/x-patch
Size: 4039 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150515/802b2462/attachment.bin>
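
The point made in the message above (the ccache that matters is the one named in the service's own KRB5CCNAME, so it has to be destroyed by path with 'kdestroy -c') can be sketched as follows. This is an added example, not code from patch 0034 or from FreeIPA; the function names, the override file contents and the ccache file name EXAMPLE_CCACHE are constructed assumptions.

```shell
#!/bin/sh
# Added example. Paths and file contents below are constructed placeholders.

# Print the ccache path that a systemd unit override assigns via KRB5CCNAME.
# Accepts Environment=KRB5CCNAME=..., a quoted assignment, and a FILE: prefix.
# The last assignment wins, matching how systemd applies Environment= lines.
ccache_from_override() {
    sed -n 's/^[[:space:]]*Environment=.*KRB5CCNAME=\([^"[:space:]]*\).*/\1/p' "$1" |
        tail -n 1 | sed 's/^FILE://'
}

# Destroy the service's ccache. $1 = override file, $2 = directory the ccache
# is expected to live in (assumption: the caller knows the runtime dir).
destroy_service_ccache() {
    cc=$(ccache_from_override "$1")
    [ -n "$cc" ] || { echo "no KRB5CCNAME in $1" >&2; return 2; }
    case "$cc" in
        *..*) echo "refusing path with '..': $cc" >&2; return 3 ;;
        "$2"/*) ;;
        *) echo "refusing ccache outside $2: $cc" >&2; return 3 ;;
    esac
    [ -e "$cc" ] || return 0          # already gone, nothing to destroy
    # 'kdestroy -A' run as the apache user works on that user's environment,
    # not on the path the service was given, so name the cache explicitly.
    kdestroy -c "$cc"
}

# Constructed sample override, written to a temp file for demonstration.
demo_override() {
    f=$(mktemp)
    printf '%s\n' '[Service]' \
        'Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/EXAMPLE_CCACHE' > "$f"
    echo "$f"
}
```

The directory check keeps an uninstall step from deleting a file outside the httpd runtime directory if the override has been edited by hand.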

