[Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache

Jan Cholasta jcholast at redhat.com
Fri May 15 14:25:43 UTC 2015


Dne 15.5.2015 v 16:16 Martin Babinsky napsal(a):
> These two patches fix two issues reported by David Kupka in most recent
> freeipa-master builds, which are caused by my previous patch 0031
> "provide a dedicated ccache file to httpd".
>
> Patch 0033 moves `clientcaches` and `krbcache` directories under a
> common `ipa/` subdir in Apache runtime dir (`/var/run/httpd`). This
> fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
> installed together with IPA. The removal of the former Apache module
> removes also the `krbcache` directory, thus invalidating the ccache path
> in KRB5CCNAME.
>
> This of course causes spectacular explosions when calling RPC interface
> (aka always).
>
> Patch 0034 forces HTTPInstance to explicitly remove ccache specified in
> our `httpd.service` override during uninstall. This fixes an issue
> related to uninstall of an old IPA server and immediate install of new
> IPA server.
>
> In this case the old CCache is left in httpd runtime dir, causing
> "Decrypt integrity check failed" errors when connecting to RPC interface
> (Old tickets are being sent to KDC having new Apache secret key).
>
> However, issuing 'kdestroy -A' as apache user is not enough, because
> systemd daemons use completely different isolated environments (and thus
> completely different KRB5CCNAME than apache user). That's why we have to
> explicitly remove ccache using 'kdestroy -c'.
>
> I would like to thank David for pointing out these issues.
>

Don't forget to bump the version at the top of install/conf/ipa.conf.

-- 
Jan Cholasta
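As an added illustration of the uninstall step discussed in the quoted message (this is not code from the patches or from FreeIPA itself): a small shell helper that reads the KRB5CCNAME value from the `httpd.service` drop-in and destroys that ccache by path, instead of relying on `kdestroy -A` in the apache user's own environment, which does not see the unit's KRB5CCNAME. The drop-in file name and the `Environment=KRB5CCNAME=FILE:...` line format are assumptions.

```shell
#!/bin/sh
# Added example, not FreeIPA code.  Clears the httpd ccache named in the
# systemd drop-in; `kdestroy -A` run as the apache user would not reach
# it because the unit runs with its own KRB5CCNAME.

# Print the ccache path from a drop-in such as
#   Environment=KRB5CCNAME=FILE:/var/run/httpd/ipa/krbcache/krb5ccache
# (line format and file name assumed).  Quotes and FILE: are stripped;
# the last matching line wins, as with systemd itself.
httpd_ccache_path() {
    sed -n 's/^Environment=//p' "$1" \
        | tr -d '"' \
        | sed -n 's/^KRB5CCNAME=//p' \
        | sed 's/^FILE://' \
        | tail -n 1
}

# Destroy that ccache explicitly, the way patch 0034 does on uninstall.
# Returns 1 if the drop-in sets no KRB5CCNAME; falls back to deleting the
# file when kdestroy is unavailable or refuses the file (assumption).
remove_httpd_ccache() {
    ccache=$(httpd_ccache_path "$1")
    [ -n "$ccache" ] || return 1
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -c "FILE:$ccache" 2>/dev/null || rm -f "$ccache"
    else
        rm -f "$ccache"
    fi
    [ ! -e "$ccache" ]
}

# usage (path assumed): remove_httpd_ccache /etc/systemd/system/httpd.service.d/ipa.conf
```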
