[Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache

Jan Cholasta jcholast at redhat.com
Tue May 19 12:59:40 UTC 2015


On 19.5.2015 at 14:31 David Kupka wrote:
> On 05/15/2015 04:41 PM, Martin Babinsky wrote:
>> On 05/15/2015 04:25 PM, Jan Cholasta wrote:
>>> On 15.5.2015 at 16:16 Martin Babinsky wrote:
>>>> These two patches fix two issues reported by David Kupka in most recent
>>>> freeipa-master builds, which are caused by my previous patch 0031
>>>> "provide a dedicated ccache file to httpd".
>>>>
>>>> Patch 0033 moves `clientcaches` and `krbcache` directories under a
>>>> common `ipa/` subdir in Apache runtime dir (`/var/run/httpd`). This
>>>> fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
>>>> installed together with IPA. The removal of the former Apache module
>>>> removes also the `krbcache` directory, thus invalidating the ccache
>>>> path in KRB5CCNAME.
>>>>
>>>> This of course causes spectacular explosions when calling RPC interface
>>>> (aka always).
>>>>
>>>> Patch 0034 forces HTTPInstance to explicitly remove ccache specified in
>>>> our `httpd.service` override during uninstall. This fixes an issue
>>>> related to uninstall of an old IPA server and immediate install of new
>>>> IPA server.
>>>>
>>>> In this case the old CCache is left in httpd runtime dir, causing
>>>> "Decrypt integrity check failed" errors when connecting to RPC
>>>> interface (old tickets are being sent to KDC having new Apache
>>>> secret key).
>>>>
>>>> However, issuing 'kdestroy -A' as apache user is not enough, because
>>>> systemd daemons use completely different isolated environments (and
>>>> thus completely different KRB5CCNAME than apache user). That's why we
>>>> have to explicitly remove ccache using 'kdestroy -c'.
>>>>
>>>> I would like to thank David for pointing out these issues.
>>>>
>>>
>>> Don't forget to bump the version at the top of install/conf/ipa.conf.
>>>
>> Attaching updated patch 0033 with the bumped version.
>>
>
> Hi!
> Works for me, ACK.
>

Pushed to master: 5a741b614f39a148d849877e743200de5a7302db

-- 
Jan Cholasta
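The uninstall fix described in the thread (patch 0034) hinges on one detail: the ccache httpd uses is the one named by KRB5CCNAME in the systemd override, not the apache user's default, so it has to be removed by explicit path. The following is an added example, not FreeIPA's code and not the content of patch 0034: it parses `Environment=` lines from a systemd drop-in, resolves KRB5CCNAME to a file path (only file-type ccaches are handled; KEYRING:/DIR: and other types are skipped), and removes it with `kdestroy -c`, falling back to a plain unlink when kdestroy is not installed. The override path, the sample drop-in text and the ccache path in it are constructed for the example and are not taken from FreeIPA.

```python
"""Added example (not FreeIPA's own code): find the ccache that a systemd
drop-in assigns to httpd through KRB5CCNAME and remove it explicitly, as the
uninstall step in the thread must, because `kdestroy -A` run as the apache
user only touches that user's default ccache."""
import os
import re
import shutil
import subprocess

# Assumed location of the httpd override; a placeholder, not FreeIPA's real path.
HTTPD_OVERRIDE = "/etc/systemd/system/httpd.service.d/ipa.conf"

_ENV_RE = re.compile(r'^\s*Environment\s*=\s*(.*)$')


def _split_assignments(s):
    """Split an Environment= value into KEY=VAL tokens, keeping quoted
    segments (double or single quotes) together as systemd does."""
    out, cur, quote = [], "", None
    for ch in s:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in '"\'':
            quote = ch
        elif ch.isspace():
            if cur:
                out.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def parse_environment(text):
    """Return a dict KEY -> value built from every Environment= line in a unit
    or drop-in body. Several KEY=VAL pairs per line are allowed and a later
    assignment overrides an earlier one."""
    env = {}
    for line in text.splitlines():
        m = _ENV_RE.match(line)
        if not m:
            continue
        for token in _split_assignments(m.group(1)):
            key, sep, val = token.partition("=")
            if sep:
                env[key.strip()] = val
    return env


def ccache_path(krb5ccname):
    """Map a KRB5CCNAME value to a filesystem path. A bare path or a FILE:
    prefix names a file ccache; other types (DIR:, KEYRING:, MEMORY:, ...)
    cannot be removed by unlinking one file, so None is returned for them."""
    if krb5ccname is None:
        return None
    ctype, sep, rest = krb5ccname.partition(":")
    if not sep:
        return krb5ccname
    if ctype == "FILE":
        return rest
    return None


def remove_httpd_ccache(override_text, kdestroy=None, run=subprocess.run):
    """Remove the ccache named by KRB5CCNAME in the drop-in text.

    kdestroy: path of the kdestroy binary, "" to force a plain unlink, or
    None to auto-detect with shutil.which. `run` is injectable so the
    command can be recorded instead of executed.
    Returns the ccache path acted on, or None if there was nothing to do."""
    env = parse_environment(override_text)
    path = ccache_path(env.get("KRB5CCNAME"))
    if path is None:
        return None
    if kdestroy is None:
        kdestroy = shutil.which("kdestroy") or ""
    if kdestroy:
        # kdestroy -c <path> removes exactly that ccache, whichever user or
        # environment created it; check=False because a missing file is fine.
        run([kdestroy, "-c", path], check=False)
    else:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
    return path


# Constructed sample drop-in (not FreeIPA's actual file); the ccache path is
# modelled on the `ipa/` subdir layout the thread describes.
SAMPLE_OVERRIDE = """[Service]
Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
Environment="KRB5_KTNAME=/etc/httpd/conf/ipa.keytab" EXAMPLE_FLAG=1
"""

if __name__ == "__main__":
    print(parse_environment(SAMPLE_OVERRIDE))
    print(ccache_path(parse_environment(SAMPLE_OVERRIDE)["KRB5CCNAME"]))
```

Reading the path back from the override rather than hard-coding it keeps uninstall consistent with whatever install wrote, which is the situation the thread's "old ccache left behind after reinstall" failure arises from.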



