On Wed, 2014-01-22 at 12:42 +0100, Petr Viktorin wrote:
> On 01/21/2014 05:12 PM, Martin Kosek wrote:
> > On 01/21/2014 03:07 PM, Petr Viktorin wrote:
> >> On 01/16/2014 02:16 PM, Martin Kosek wrote:
> >>> [freeipa-mkosek-448-add-runas-option-to-run-function.patch]:
> >>>
> >>> Run function can now run the specified command as different user by
> >>> setting the EUID and EGID for executed process.
> >>
> >> Please add the new argument to the docstring, otherwise ACK
> >>
> >>> [freeipa-mkosek-449-switch-httpd-to-use-default-ccache.patch]:
> >>>
> >>> Stock httpd no longer uses systemd EnvironmentFile option which is
> >>> making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
> >>> to debug problems during subsequent ipa-server-install's where HTTP
> >>> may use a stale CCACHE in the default kernel keyring CCACHE.
> >>>
> >>> Avoid forcing custom CCACHE and switch to system one, just make sure
> >>> that it is properly cleaned by kdestroy run as "apache" user during
> >>> FreeIPA server installation process.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/4084
> >>
> >> This does not fix the issue for me.
> >> On a fresh f20 machine, I installed the server, uninstalled it, and 
> >> installed
> >> again. The second installation failed with the ipa-client-install error
> >> described in the ticket.
> >>
> >
> > On your VM, I saw the method I use for running a command as different 
> > process
> > was indeed not effective. I had to change both effective and real UID/GID to
> > make the kdestroy function working.
> >
> > I also added the missing docstrings in 448, both for runas as well as other
> > missing options.
> 
> Great, thank you! ACK, fixed a typo in the docstring and pushed to 
> master: f49c26db2c38e5b60a6be990b95c2926ecfa6247
> 
> For the record, this problem appeared in an install-uninstall-install 
> cycle with no reboot. It's unlikely to appear in the wild, but happens 
> all the time in CI and on some developers' workflows.
> 

Arghh sorry to come in late, but the second patch is not sufficient :-(

You should run kdestroy -A to remove all ccaches, even non primary ones,
so that non primary ones are not mistakenly picked up later.
kdestroy w/o -A will only destroy the primary one if any is selected.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to