On 05/15/2015 04:25 PM, Jan Cholasta wrote:
On 15.5.2015 at 16:16, Martin Babinsky wrote:
These two patches fix two issues reported by David Kupka in most recent
freeipa-master builds, which are caused by my previous patch 0031
"provide a dedicated ccache file to httpd".

Patch 0033 moves `clientcaches` and `krbcache` directories under a
common `ipa/` subdir in Apache runtime dir (`/var/run/httpd`). This
fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
installed together with IPA. The removal of the former Apache module
removes also the `krbcache` directory, thus invalidating the ccache path.

This of course causes spectacular explosions when calling RPC interface
(aka always).

Patch 0034 forces HTTPInstance to explicitly remove ccache specified in
our `httpd.service` override during uninstall. This fixes an issue
related to uninstall of an old IPA server and immediate install of new
IPA server.

In this case the old CCache is left in httpd runtime dir, causing
"Decrypt integrity check failed" errors when connecting to RPC interface
(Old tickets are being sent to the KDC having the new Apache secret key).

However, issuing 'kdestroy -A' as apache user is not enough, because
systemd daemons use completely different isolated environments (and thus
completely different KRB5CCNAME than apache user). That's why we have to
explicitly remove ccache using 'kdestroy -c'.

I would like to thank David for pointing out these issues.

Don't forget to bump the version at the top of install/conf/ipa.conf.

Attaching updated patch 0033 with the bumped version.

Martin^3 Babinsky
From a748e53fc0c1f56a81af5716cd7f04fe6c0b8649 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 15 May 2015 15:37:05 +0200
Subject: [PATCH 1/2] move IPA-related http runtime directories to common

When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use a common directory for storing the Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory, leading to an invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
 freeipa.spec.in                | 8 ++++++--
 init/systemd/httpd.service     | 2 +-
 init/systemd/ipa.conf.tmpfiles | 4 +++-
 install/conf/ipa.conf          | 4 ++--
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2bf14ef9e14f96b3100d45dd47d749b6bc3b4816..159d4cc3c0a5b775e5bed9a3cc853ee4a3b5a8e8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
-install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
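Review bot: The three new `install -d -m 0700` lines set the mode but not the owner, so the directories are only as private as the `%attr` entries in the `%files` section make them; that is fine as long as all three (`run/httpd/ipa/`, `ipa/clientcaches/`, `ipa/krbcache/`) are listed there, which the following hunk does. Note that the old `%{_localstatedir}/run/httpd/clientcaches` directory is simply no longer created: nothing in this spec removes it on upgrade, so a stale copy that still holds delegated ccaches from the previous build will be left behind by rpm.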
@@ -685,7 +687,9 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
 # NOTE: systemd specific section
 %attr(644,root,root) %{_unitdir}/ipa.service
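Review bot: `%dir %attr(0700,apache,apache)` on the three `run/httpd/ipa/` entries matches the `d ... 0700 apache apache` lines in ipa.conf.tmpfiles, which is what keeps the delegated user ccaches readable by the apache user only; keep the two in sync if either changes. One readability nit: `run/ipa/` stays root-owned while `run/httpd/ipa/` is apache-owned, which is correct because httpd has to write the ccache files, but a one-line comment saying why the two `ipa` directories differ would help the next reader.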
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
index ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7..231f86f44808156e0eb20d67ef15bb7d19550e19 100644
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -1,4 +1,4 @@
 .include /usr/lib/systemd/system/httpd.service
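Review bot: Only the `.include` context line of this hunk survives in the mail, so the changed line itself cannot be reviewed here; the diffstat records one insertion and one deletion in httpd.service, and since this override is what points httpd at its ccache (per the description above), confirm that the path it sets lies inside the new `/var/run/httpd/ipa/krbcache` directory created by the tmpfiles and spec hunks, otherwise that directory is created for nothing and the ccache lands outside the 0700 apache-owned tree.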
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index b4503cc673f3407421cd194091f5373ba204a483..6eab2621c18c9867d41b50afa2ebdee4dc46f308 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,3 +1,5 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
-d /var/run/httpd/clientcaches 0700 apache apache
+d /var/run/httpd/ipa 0700 apache apache
+d /var/run/httpd/ipa/clientcaches 0700 apache apache
+d /var/run/httpd/ipa/krbcache 0700 apache apache
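Review bot: The three `d` entries agree with the spec's `%attr(0700,apache,apache)`, so the ccache directories are recreated with the right ownership on every boot, not just at package install. Two things to check: there is no `d /var/run/httpd` line, so these entries rely on the parent `/var/run/httpd` already existing when they are applied; and the old `d /var/run/httpd/clientcaches` entry is just dropped, so a stale `clientcaches` directory on an upgraded host is neither recreated nor cleaned up at boot.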
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 92637c04d4f961a0b7f016fe125341c63f400285..57de2f1a9543e1395f3eb46b045334f86cc8e79f 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 # This file may be overwritten on upgrades.
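Review bot: The changed lines of this hunk are not preserved in the mail (the `@@ -1,5 +1,5 @@` header shows one line swapped above the `# This file may be overwritten on upgrades.` comment), so the version bump Jan asked for cannot be verified here; confirm the version line at the top of ipa.conf was incremented in the attached patch, because without it an already deployed ipa.conf keeps pointing `GssapiDelegCcacheDir` at the old directory after upgrade and authentication to the RPC interface fails the same way the description reports.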
@@ -66,7 +66,7 @@ WSGIScriptReloading Off
   AuthName "Kerberos Login"
   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
-  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
   GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
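Review bot: The new `GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches` matches the tmpfiles `d` entry and the spec `%dir` line exactly, including the `/var/run` prefix, so mod_auth_gssapi will write delegated ccaches into a directory writable only by apache. Since this value now has to agree with two other files, a short comment next to the directive saying that the path must match init/systemd/ipa.conf.tmpfiles would help keep the three in sync on future changes.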
