mod_auth_gssapi > 1.4.0 implements support for unique ccaches names. Without it ccache name is derived from pricipal name.
It solves a race condition in two concurrent request of the same principal. Where first request deletes the ccache and the second tries to use it which then fails. It may lead e.g. to a failure of two concurrent ipa-client-install. With this feature there are two ccaches so there is no clash. https://fedorahosted.org/freeipa/ticket/5653 -- Petr Vobornik
From f71c10172a8d54adbf2e87d2a042bb3312557a3d Mon Sep 17 00:00:00 2001 From: Petr Vobornik <pvobo...@redhat.com> Date: Thu, 23 Jun 2016 15:58:15 +0200 Subject: [PATCH] mod_auth_gssapi: enable unique credential caches names mod_auth_gssapi > 1.4.0 implements support for unique ccaches names. Without it ccache name is derived from pricipal name. It solves a race condition in two concurrent request of the same principal. Where first request deletes the ccache and the second tries to use it which then fails. It may lead e.g. to a failure of two concurrent ipa-client-install. With this feature there are two ccaches so there is no clash. https://fedorahosted.org/freeipa/ticket/5653 --- freeipa.spec.in | 2 +- install/conf/ipa.conf | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index d31ddfaf78a455f4e4d65724bbbe23461e1336e0..fcdedf2a2e1cd30453053d164a28e9f3fd6e07e4 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -141,7 +141,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-6 Requires: mod_wsgi -Requires: mod_auth_gssapi >= 1.3.0-2 +Requires: mod_auth_gssapi >= 1.4.0 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 Requires: python-gssapi >= 1.1.2 diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 20fc61fdb3c7bbd440c7719f9aa9faa415a9b2c9..3e7435903b2ad8c4ae5bfc48c0c9fca733757d5d 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 21 - DO NOT REMOVE THIS LINE +# VERSION 22 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -66,6 +66,7 @@ WSGIScriptReloading Off GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches + GssapiDelegCcacheUnique On GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user -- 2.5.5
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
