URL: https://github.com/freeipa/freeipa/pull/468 Author: simo5 Title: #468: Remove non-sensical kdestroy on https stop Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/468/head:pr468 git checkout pr468
From 4cec7509d7601c155e8182ad9cfdb4eecfc33c70 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop
This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed.
https://fedorahosted.org/freeipa/ticket/6673
Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/share/ipa-httpd.conf.template | 2 +-
 ipaplatform/base/paths.py | 1 +
 ipaplatform/redhat/tasks.py | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index 8822066..39bcfcc 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.
 [Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
 Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 8db9e61..9993c38 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -351,5 +351,6 @@ class BasePathNamespace(object):
 IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
 EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
+ KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
 path_namespace = BasePathNamespace
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5bddd14..123595e 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
- POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+ KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
 )
 )
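Review bot: The new `Environment=KRB5CCNAME=$KRB5CC_HTTPD` line points httpd at the fixed name `/tmp/krb5cc-httpd` (added in the ipaplatform/base/paths.py hunk), and nothing in this drop-in guarantees that `/tmp` is private to the service. The commit message relies on the private tmp, which presumably comes from the distribution's httpd.service; where that setting is absent or overridden, the credential cache sits at a predictable path in the shared, world-writable `/tmp`. I would state the dependency in the drop-in itself by adding `PrivateTmp=yes` under `[Service]`, or at least a comment such as `# KRB5CCNAME relies on PrivateTmp=yes in httpd.service`. Because the constant lives in the base path namespace rather than the Red Hat one, the same concern applies to any other platform that inherits it.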
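Review bot: Installations that already have the rendered drop-in keep the old `ExecStopPost` line (the `kdestroy -A` run as root) until `configure_httpd_service_ipa_conf` is executed again, and this hunk does not show whether the upgrade path re-runs it. If it does not, the upgrade code should regenerate the file so that existing servers stop wiping root's ccache. A short comment above the new key would also help, for example `# file ccache for httpd; lives in the service's private /tmp`. The function starts and ends outside the hunk, so the caller side could not be checked here.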