[Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache

David Kupka dkupka at redhat.com
Tue May 19 12:31:34 UTC 2015


On 05/15/2015 04:41 PM, Martin Babinsky wrote:
> On 05/15/2015 04:25 PM, Jan Cholasta wrote:
>> Dne 15.5.2015 v 16:16 Martin Babinsky napsal(a):
>>> These two patches fix two issues reported by David Kupka in most recent
>>> freeipa-master builds, which are caused by my previous patch 0031
>>> "provide a dedicated ccache file to httpd".
>>>
>>> Patch 0033 moves `clientcaches` and `krbcache` directories under a
>>> common `ipa/` subdir in Apache runtime dir (`/var/run/httpd`). This
>>> fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
>>> installed together with IPA. The removal of the former Apache module
>>> removes also the `krbcache` directory, thus invalidating the ccache path
>>> in KRB5CCNAME.
>>>
>>> This of course causes spectacular explosions when calling RPC interface
>>> (aka always).
>>>
>>> Patch 0034 forces HTTPInstance to explicitly remove ccache specified in
>>> our `httpd.service` override during uninstall. This fixes an issue
>>> related to uninstall of an old IPA server and immediate install of new
>>> IPA server.
>>>
>>> In this case the old CCache is left in httpd runtime dir, causing
>>> "Decrypt integrity check failed" errors when connecting to RPC interface
>>> (Old tickets are being sent to KDC having new Apache secret key).
>>>
>>> However, issuing 'kdestroy -A' as apache user is not enough, because
>>> systemd daemons use completely different isolated environments (and thus
>>> completely different KRB5CCNAME than apache user). That's why we have to
>>> explicitly remove ccache using 'kdestroy -c'.
>>>
>>> I would like to thank David for pointing out these issues.
>>>
>>
>> Don't forget to bump the version at the top of install/conf/ipa.conf.
>>
> Attaching updated patch 0033 with the bumped version.
>

Hi!
Works for me, ACK.

-- 
David Kupka
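The uninstall step described in patch 0034 (read the ccache named in the httpd.service override and remove exactly that cache with `kdestroy -c`, since `kdestroy -A` as apache only sees that user's own environment) as an added example, not FreeIPA's own code. The drop-in contents, its second environment variable and the exact ccache file name are constructed; only the `/var/run/httpd/ipa/krbcache` location follows the thread.

```python
"""Locate and clear the httpd Kerberos ccache named in a systemd drop-in."""
import shlex
import re
import subprocess

# Constructed sample of an httpd.service override; the real drop-in's
# contents are not given in the thread, only the ipa/krbcache location.
SAMPLE_OVERRIDE = """[Service]
Environment=KRB5CCNAME=FILE:/var/run/httpd/ipa/krbcache/krb5ccache
Environment="EXAMPLE_SETTING=1"
"""

_ENV_RE = re.compile(r'^\s*Environment=(.*)$')


def ccache_from_unit(unit_text):
    """Return the KRB5CCNAME value set by a unit file, or None.

    systemd permits several optionally quoted VAR=value assignments on one
    Environment= line, so each line is tokenised with shell quoting rules.
    """
    for line in unit_text.splitlines():
        match = _ENV_RE.match(line)
        if not match:
            continue
        for assignment in shlex.split(match.group(1)):
            name, sep, value = assignment.partition('=')
            if sep and name == 'KRB5CCNAME':
                return value
    return None


def kdestroy_command(ccache):
    """Command that removes this specific cache rather than the caller's.

    The daemon ran with its own KRB5CCNAME, so the cache must be named
    explicitly with -c; `kdestroy -A` as apache would not reach it.
    """
    return ['kdestroy', '-c', ccache]


def destroy_unit_ccache(unit_text, runner=subprocess.run):
    """Destroy the ccache the unit references; returns the command used."""
    ccache = ccache_from_unit(unit_text)
    if ccache is None:
        return None
    cmd = kdestroy_command(ccache)
    runner(cmd, check=False)  # a missing cache is not an error on uninstall
    return cmd
```

Passing a recording function as `runner` lets the logic be exercised without a Kerberos installation.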