mod_auth_gssapi > 1.4.0 implements support for unique ccache names.
Without it, the ccache name is derived from the principal name.

It solves a race condition in two concurrent requests of the same
principal, where the first request deletes the ccache and the second
tries to use it, which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install runs.

With this feature there are two ccaches so there is no clash.

https://fedorahosted.org/freeipa/ticket/5653
-- 
Petr Vobornik
From f71c10172a8d54adbf2e87d2a042bb3312557a3d Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Thu, 23 Jun 2016 15:58:15 +0200
Subject: [PATCH] mod_auth_gssapi: enable unique credential cache names

mod_auth_gssapi > 1.4.0 implements support for unique ccache names.
Without it, the ccache name is derived from the principal name.

It solves a race condition in two concurrent requests of the same
principal, where the first request deletes the ccache and the second
tries to use it, which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install runs.

With this feature there are two ccaches so there is no clash.

https://fedorahosted.org/freeipa/ticket/5653
---
 freeipa.spec.in       | 2 +-
 install/conf/ipa.conf | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index d31ddfaf78a455f4e4d65724bbbe23461e1336e0..fcdedf2a2e1cd30453053d164a28e9f3fd6e07e4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -141,7 +141,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_gssapi >= 1.3.0-2
+Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.1.2
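Review bot: the version bound in this hunk does not match the description. The commit message says the feature needs mod_auth_gssapi > 1.4.0 (strictly greater), while the spec now reads `Requires: mod_auth_gssapi >= 1.4.0`, so a 1.4.0 package would satisfy the dependency even though httpd would then not know the GssapiDelegCcacheUnique directive added to ipa.conf and would refuse to load the configuration. Either raise the requirement to the first release that actually ships the option, or correct the commit message to say >= 1.4.0.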
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 20fc61fdb3c7bbd440c7719f9aa9faa415a9b2c9..3e7435903b2ad8c4ae5bfc48c0c9fca733757d5d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 21 - DO NOT REMOVE THIS LINE
+# VERSION 22 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -66,6 +66,7 @@ WSGIScriptReloading Off
   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
   GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+  GssapiDelegCcacheUnique On
   GssapiUseS4U2Proxy on
   GssapiAllowedMech krb5
   Require valid-user
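Review bot: with `GssapiDelegCcacheUnique On` each authenticated request gets its own ccache under /var/run/httpd/ipa/clientcaches instead of one file per principal, and nothing in this patch removes those files once the request is finished. Please state how and when the per-request caches are cleaned up (or confirm that the existing deletion path in the server code, which previously removed the per-principal cache, also covers the unique names); otherwise the directory grows with every request. Minor style point: the new line spells the value `On` while the neighbouring `GssapiUseS4U2Proxy on` uses lowercase; pick one form.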
-- 
2.5.5
