[Freeipa-devel] [PATCH] 947 fix syntax in 30-s4u2proxy.update

Martin Kosek mkosek at redhat.com
Wed Feb 15 16:35:04 UTC 2012


On Wed, 2012-02-15 at 11:23 +0100, Martin Kosek wrote:
> On Tue, 2012-02-14 at 15:51 -0500, Rob Crittenden wrote:
> > Martin Kosek wrote:
> > > On Mon, 2012-02-13 at 11:43 -0500, Rob Crittenden wrote:
> > >> Remove quotes around a value in 30-s4u2proxy.update. The update was
> > >> failing to apply.
> > >>
> > >> I also noticed that FQDN wasn't being set properly in all cases in
> > >> sub_dict. This should fix it.
> > >>
> > >> rob
> > >
> > > This patch did not apply for me. I guess it depends on some other patch
> > > that fixes wrong DN in s4u2proxy ipaAllowedTargets:
> > >
> > > -default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'
> > > +default: ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
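Review bot: the `-` line already has `cn=s4u2proxy` in the DN, so this hunk only applies on top of the change that corrects the DN; on a tree where the update file still reads `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX` it is rejected. Name that prerequisite patch in the commit message, or fold the DN correction into this patch so the quote removal applies on its own.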
> > >
> > > Current update file says:
> > >
> > > default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
> > >
> > > which is a non-existent DN.
> > >
> > > Martin
> > >
> > 
> > It relies on patch 941
> 
> Yeah, that's the one.
> 
> I am now testing all the upgrade patches, but s4u2proxy does not work
> for me yet on upgraded server instance (tested on F16). krb5kdc keeps
> reporting decrypt errors:
> 
> /var/log/krb5kdc.log:
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
> <unknown client> for <unknown server>, Decrypt integrity check failed
> Feb 15 04:25:43 vm-068.idm.lab.bos.redhat.com krb5kdc[872](info):
> TGS_REQ (4 etypes {18 17 16 23}) 10.16.78.68: PROCESS_TGS: authtime 0,
> <unknown client> for <unknown server>, Decrypt integrity check failed
> 
> New installs on the same machine work though. I am still trying to find
> out the root cause of this.
> 
> Martin
> 

Ok, we found out the root cause. The problem was that the Apache CCACHE from
the previous install was not removed. Rob's patch 949 fixes that.

ACK for this patch. Pushed to master, ipa-2-2.

Martin



