On Tue, 2014-02-11 at 09:50 +0100, Martin Kosek wrote:
> On 02/07/2014 06:09 PM, Nathaniel McCallum wrote:
> > NOTE: Special care is required with this patch. Specifically, it needs
> > to be synchronized with this patch: https://github.com/krb5/krb5/pull/45
> > 
> > The background here is the desire of SELinux folks to move the sockets
> > into /run. MIT has agreed to use the new runstatedir in autoconf git
> > master (soon to be 2.70). This change has been applied upstream and will
> > be part of the 1.13 release. The major downside is that this patch is
> > backwards incompatible.
> > 
> > In the interest of making backwards incompatible changes as quickly as
> > possible before increased adoption, Nalin and I have agreed to backport
> > this patch to rawhide. We are also strongly considering a backport to
> > F20.
> > 
> > Nathaniel
> 
> 
> This worked for me in an F20 downstream scratch build, socket was in the assumed
> place.
> 
> 1) I think you should also update the upstream reference spec file so that the
> updated KDC is required:
> 
> @@ -118,7 +119,7 @@ Requires: nss >= 3.14.3-12.0
>  Requires: nss-tools >= 3.14.3-12.0
>  %endif
>  %if 0%{?krb5_dal_version} >= 4
> -Requires: krb5-server >= 1.11.2-1
> +Requires: krb5-server >= 1.11.5-3
>  %else
>  %if 0%{krb5_dal_version} == 3
>  # krb5 1.11 bumped DAL interface major version, a rebuild is needed

Fix attached.

> 2) What do you mean by "backwards incompatible"? That updated KDC won't work
> with non-patched FreeIPA?

Updated KDC will continue to work for all manually configured OTP
servers. However, the KDC also supports "implicit configuration" which
looks in a specific directory for sockets. This directory is what is
changing. If you update the KDC without FreeIPA, the KDC won't be able
to find the FreeIPA socket because we depend on implicit configuration.
The FreeIPA patch just makes systemd create the socket in the right
place. Either a reboot or "systemctl daemon-reload; systemctl restart
ipa-otpd.socket" is required to make the changes take effect.

> Just checking - upgrades should work fine, right? I.e. when both FreeIPA and
> KRB5KDC is updated, OTP will keep working? No re-install needed?

Correct.

From d7ff60c52ca2c7d579c685c019ac126e3842d4e8 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Fri, 7 Feb 2014 11:56:33 -0500
Subject: [PATCH] Move ipa-otpd socket directory

https://fedorahosted.org/freeipa/ticket/4167
---
 daemons/configure.ac                | 6 +++---
 daemons/ipa-otpd/Makefile.am        | 2 +-
 daemons/ipa-otpd/ipa-otpd.socket.in | 4 ++--
 freeipa.spec.in                     | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 3cdb9384c116e73a19c605a3c9401661772cf4d1..b4507a6d972f854331925e72869898576bdfd76f 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -60,10 +60,10 @@ AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto])
 AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
 KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"
 KRAD_LIBS="-lkrad"
-krb5kdcdir="${localstatedir}/kerberos/krb5kdc"
+krb5rundir="${localstatedir}/run/krb5kdc"
 AC_SUBST(KRB5_LIBS)
 AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5kdcdir)
+AC_SUBST(krb5rundir)
 
 dnl ---------------------------------------------------------------------------
 dnl - Check for Mozilla LDAP and OpenLDAP SDK
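Review bot: krb5rundir is built from ${localstatedir}/run rather than from autoconf's runstatedir, which the cover letter says the krb5 side (https://github.com/krb5/krb5/pull/45) switched to; anyone passing --runstatedir to the two configure scripts would then get a KDC that searches one directory and a socket created in another, and implicit configuration fails silently. Suggest `krb5rundir="${runstatedir:-${localstatedir}/run}/krb5kdc"`, which follows --runstatedir once autoconf 2.70 defines it and keeps today's value on older autoconf.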
@@ -339,7 +339,7 @@ echo "
         sysconfdir:               ${sysconfdir}
         localstatedir:            ${localstatedir}
         datadir:                  ${datadir}
-        krb5kdcdir:               ${krb5kdcdir}
+        krb5rundir:               ${krb5rundir}
         systemdsystemunitdir:     ${systemdsystemunitdir}
         source code location:     ${srcdir}
         compiler:                 ${CC}
diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
index af82a5fe08856573d2d245608ba1dbaad171c7fe..83921748426d801e1edeec23f956689be5fe98b5 100644
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -9,7 +9,7 @@ systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service
 ipa_otpd_SOURCES = bind.c forward.c main.c parse.c query.c queue.c stdio.c
 
 %.socket: %.socket.in
-	@sed -e 's|@krb5kdcdir[@]|$(krb5kdcdir)|g' \
+	@sed -e 's|@krb5rundir[@]|$(krb5rundir)|g' \
 	     -e 's|@UNLINK[@]|@UNLINK@|g' \
 	     $< > $@
 
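Review bot: the `%.socket: %.socket.in` rule lists only the .in file as a prerequisite, so after a reconfigure that changes krb5rundir an already-built ipa-otpd.socket is not regenerated and keeps the old path; adding the Makefile to the prerequisites, e.g. `%.socket: %.socket.in Makefile`, keeps `$<` pointing at the .in file and avoids shipping a stale unit.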
diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in
index b968beaa7b9e68c43b2c5386b62c096fa8b97764..ce3596d9f01b26e3e8bd63f447f85a486c8e0dff 100644
--- a/daemons/ipa-otpd/ipa-otpd.socket.in
+++ b/daemons/ipa-otpd/ipa-otpd.socket.in
@@ -2,8 +2,8 @@
 Description=ipa-otpd socket
 
 [Socket]
-ListenStream=@krb5kdcdir@/DEFAULT.socket
-ExecStopPre=@UNLINK@ @krb5kdcdir@/DEFAULT.socket
+ListenStream=@krb5rundir@/DEFAULT.socket
+ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket
 SocketMode=0600
 Accept=true
 
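Review bot: the new ListenStream path lives under a volatile directory (the cover letter's point is that the sockets move into /run), so @krb5rundir@ does not exist after boot unless something creates it; systemd creates missing parent directories of a file-system ListenStream path using DirectoryMode= (default 0755), and since the KDC reads this same directory for implicit configuration it is worth setting DirectoryMode= explicitly here (or adding a tmpfiles.d entry) rather than relying on the default. SocketMode=0600 with no SocketUser=/SocketGroup= means only the owner can connect, which keeps other local users off the OTP path; a one-line comment in the unit stating that the KDC is expected to connect as that user would save the next reader a trip through the KDC documentation.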
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 16378e1313503c2367174304cb7e07a6aee4decd..e851313f8121d05a8774d89687c2f7c855ea6950 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -107,7 +107,7 @@ Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
 %endif
 %if 0%{?krb5_dal_version} >= 4
-Requires: krb5-server >= 1.11.2-1
+Requires: krb5-server >= 1.11.5-3
 %else
 %if 0%{krb5_dal_version} == 3
 # krb5 1.11 bumped DAL interface major version, a rebuild is needed
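Review bot: the bump to krb5-server >= 1.11.5-3 is only in the krb5_dal_version >= 4 branch; the == 3 branch below keeps its old requirement, so a build taken through that branch would install the socket under the new directory while its KDC, per the reply above, still searches the old one and silently fails to find it. Either bump (or drop) that branch as well, and since updating the KDC without FreeIPA breaks implicit configuration in the same silent way, a matching Conflicts:/Requires: between the two packages would turn the partial upgrade into a packaging error instead of an OTP outage.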
-- 
1.8.5.3
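
A post-upgrade check for the socket move discussed above, written as an added example (not part of the mail or of FreeIPA). It assumes the updated KDC's implicit configuration searches /var/run/krb5kdc (the patch's ${localstatedir}/run/krb5kdc with localstatedir=/var; /var/run is a symlink to /run on Fedora) and that the unit is installed as /usr/lib/systemd/system/ipa-otpd.socket; both are overridable arguments.

```shell
#!/bin/sh
# Post-upgrade check for the ipa-otpd socket move. Added example, not part of
# the mail above or of FreeIPA. Assumptions: the updated KDC looks for OTP
# sockets in /var/run/krb5kdc (${localstatedir}/run/krb5kdc with
# localstatedir=/var), and the unit is /usr/lib/systemd/system/ipa-otpd.socket.

# Print the first ListenStream= path from a systemd .socket unit file ($1).
unit_listen_path() {
    sed -n 's/^ListenStream=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed if $1 is a live AF_UNIX socket whose directory is $2.
# Symlinks (e.g. /var/run -> /run) are resolved on both sides.
socket_in_dir() {
    sock=$(readlink -f "$1") || return 1
    dir=$(readlink -f "$2") || return 1
    [ -S "$sock" ] && [ "$(dirname "$sock")" = "$dir" ]
}

# Succeed if the permission bits of $1 are exactly $2 (octal, e.g. 600).
socket_mode_is() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]
}

# Verify that the unit points under the directory the KDC searches, that the
# socket actually exists there, and that other local users cannot reach it.
check_otp_socket() {
    unit=${1:-/usr/lib/systemd/system/ipa-otpd.socket}
    expected_dir=${2:-/var/run/krb5kdc}
    path=$(unit_listen_path "$unit")
    [ -n "$path" ] || { echo "no ListenStream= in $unit"; return 1; }
    case "$path" in
        "$expected_dir"/*) ;;
        *) echo "$unit listens on $path, not under $expected_dir:"
           echo "the KDC's implicit configuration will not find it"
           return 1 ;;
    esac
    socket_in_dir "$path" "$expected_dir" ||
        { echo "$path is not a live socket; try: systemctl daemon-reload; systemctl restart ipa-otpd.socket"; return 1; }
    socket_mode_is "$path" 600 ||
        { echo "$path is not mode 0600 (SocketMode= in the unit)"; return 1; }
    echo "ok: ipa-otpd listens on $path (mode 0600)"
}
```

Source the file on the upgraded host and run `check_otp_socket`; a non-zero exit with the printed reason is the condition that, per the reply above, otherwise shows up only as OTP authentication silently failing.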

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel