Simo Sorce wrote:
On Tue, 2013-05-07 at 18:34 +0200, Martin Kosek wrote:
On 05/07/2013 04:41 PM, Rob Crittenden wrote:
See the commit message for all the gory details but the bottom line is that
mod_auth_kerb doesn't work with DIR ccache which is the default in the latest
krb5 builds.

rob


Looks OK (just reading it).

This fixes just new server install. What about upgrades? Won't updated FreeIPA
servers' mod_auth_kerb crash too?

Indeed we need to fix on upgrade too.

Yes, it was an oversight when I did the commit. Updated patch to include the one-liner upgrade call.

rob

>From 0026d1149e44a7fc7feca42f66d69e026ae515cc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 7 May 2013 10:33:55 -0400
Subject: [PATCH] Set KRB5CCNAME so httpd s4u2proxy can with with newer
 krb5-server

The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).

Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.

https://fedorahosted.org/freeipa/ticket/3607
---
 install/tools/ipa-upgradeconfig   |  1 +
 ipaserver/install/httpinstance.py | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c9574b961452bb721c6d55344df46852ec565913..8fa9b189a2dc207e2d90ab32131e65fac0f1f9e0 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -916,6 +916,7 @@ def main():
     http = httpinstance.HTTPInstance(fstore)
     http.remove_httpd_ccache()
     http.configure_selinux_for_httpd()
+    http.configure_httpd_ccache()
 
     ds = dsinstance.DsInstance()
 
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 6da212ce50de6346d0c3c0a19bf579eedf88655d..375016262a5bdfb6e7f823a4640c4c1fd8f7a9b8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -22,6 +22,7 @@ import os.path
 import tempfile
 import pwd
 import shutil
+import stat
 
 import service
 import certs
@@ -99,6 +100,7 @@ class HTTPInstance(service.Service):
         self.step("creating a keytab for httpd", self.__create_http_keytab)
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+        self.step("configure httpd ccache", self.configure_httpd_ccache)
         self.step("restarting httpd", self.__start)
         self.step("configuring httpd to start on boot", self.__enable)
 
@@ -192,6 +194,22 @@ class HTTPInstance(service.Service):
         pent = pwd.getpwnam("apache")
         installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
 
+    def configure_httpd_ccache(self):
+        pent = pwd.getpwnam("apache")
+        ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+        filepath = '/etc/sysconfig/httpd'
+        if not os.path.exists(filepath):
+            # file doesn't exist; create it with correct ownership & mode
+            open(filepath, 'a').close()
+            os.chmod(filepath,
+                stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+            os.chown(filepath, 0, 0)
+
+        replacevars = {'KRB5CCNAME': ccache}
+        old_values = ipautil.backup_config_and_replace_variables(
+            self.fstore, filepath, replacevars=replacevars)
+        ipaservices.restore_context(filepath)
+
     def __configure_http(self):
         target_fname = '/etc/httpd/conf.d/ipa.conf'
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
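Review bot: The credential cache is pinned to a predictable name in the shared, world-writable /tmp (`ccache = '/tmp/krb5cc_%d' % pent.pw_uid`), so any local user can pre-create that path or plant a symlink there before httpd first initialises it; assuming krb5 creates a FILE ccache with O_EXCL this is a denial of service rather than a takeover, but a directory only the apache user can enter would remove the exposure, and on hosts where httpd runs with a private /tmp namespace the file would additionally be invisible to remove_httpd_ccache's cleanup. If the SELinux policy permits it, something like `ccache = '/run/httpd/krb5cc_%d' % pent.pw_uid` under a 0700 directory owned by apache (created here alongside the sysconfig file) is safer. The same path literal is now duplicated in remove_httpd_ccache just above the new method, so factoring it into a module-level constant or a small `_httpd_ccache_path()` helper keeps the cleanup and the configuration from drifting apart. `old_values` is assigned from backup_config_and_replace_variables but never read, so drop the assignment or act on it.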
-- 
1.8.2.1
