On 19.5.2015 at 14:31, David Kupka wrote:
On 05/15/2015 04:41 PM, Martin Babinsky wrote:
On 05/15/2015 04:25 PM, Jan Cholasta wrote:
On 15.5.2015 at 16:16, Martin Babinsky wrote:
These two patches fix two issues reported by David Kupka in most recent
freeipa-master builds, which are caused by my previous patch 0031
"provide a dedicated ccache file to httpd".
Patch 0033 moves `clientcaches` and `krbcache` directories under a
common `ipa/` subdir in Apache runtime dir (`/var/run/httpd`). This
fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
installed together with IPA. The removal of the former Apache module
removes also the `krbcache` directory, thus invalidating the ccache
This of course causes spectacular explosions when calling RPC interface
Patch 0034 forces HTTPInstance to explicitly remove ccache specified in
our `httpd.service` override during uninstall. This fixes an issue
related to uninstall of an old IPA server and immediate install of new
In this case the old CCache is left in httpd runtime dir, causing
"Decrypt integrity check failed" errors when connecting to RPC
(Old tickets are being sent to KDC having new Apache secret key).
However, issuing 'kdestroy -A' as apache user is not enough, because
systemd daemons use completely different isolated environments (and
completely different KRB5CCNAME than apache user). That's why we
explicitly remove ccache using 'kdestroy -c'.
I would like to thank David for pointing out these issues.
Don't forget to bump the version at the top of install/conf/ipa.conf.
Attaching updated patch 0033 with the bumped version.
Works for me, ACK.
Pushed to master: 5a741b614f39a148d849877e743200de5a7302db
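
The cleanup described in the thread for patch 0034, sketched as an added example that is not part of the thread or of FreeIPA's code: read the KRB5CCNAME that a systemd override gives the service and destroy exactly that cache with `kdestroy -c`, since the caller's own environment points at a different cache. The drop-in text, the ccache path and all function names are assumptions constructed for illustration, and `shlex` only approximates systemd's quoting rules.

```python
import shlex
import shutil
import subprocess

# Constructed sample drop-in; the path is a placeholder, not FreeIPA's real one.
SAMPLE_OVERRIDE = """\
[Service]
# ccache dedicated to the web server
Environment=LANG=C "KRB5CCNAME=/tmp/example-httpd/ipa/krbcache/krb5ccache"
ExecStartPre=-/usr/bin/true
"""


def ccache_from_unit(text):
    """Return the KRB5CCNAME set by Environment= lines, or None if unset."""
    ccname = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Environment="):
            continue
        value = line[len("Environment="):]
        if not value:
            ccname = None  # an empty Environment= resets earlier assignments
            continue
        for assignment in shlex.split(value):
            key, sep, val = assignment.partition("=")
            if sep and key == "KRB5CCNAME":
                ccname = val  # a later assignment overrides an earlier one
    return ccname


def kdestroy_command(ccname):
    """Target one named cache; 'kdestroy -A' would only see the caller's own."""
    return ["kdestroy", "-c", ccname]


def destroy_service_ccache(unit_text):
    """Destroy the service's ccache; return the command used, or None."""
    ccname = ccache_from_unit(unit_text)
    if ccname is None:
        return None
    cmd = kdestroy_command(ccname)
    if shutil.which("kdestroy"):  # skipped when Kerberos tools are absent
        subprocess.run(cmd, check=False)  # a missing cache is not fatal
    return cmd


if __name__ == "__main__":
    print(destroy_service_ccache(SAMPLE_OVERRIDE))
```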