[Freeipa-devel] [PATCH] 407 Set KRB5CCNAME so that dirsrv can work with newer krb5-server

2013-05-14 Thread Martin Kosek
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/uid isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).

Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.

https://fedorahosted.org/freeipa/ticket/3628



Without this patch, replication on F19 is broken.

Martin
From 1be93108c4c1506ea50879d645c47ab6843a6ee1 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 14 May 2013 18:36:50 +0200
Subject: [PATCH] Set KRB5CCNAME so that dirsrv can work with newer krb5-server

The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/uid isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).

Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.

https://fedorahosted.org/freeipa/ticket/3628
---
 install/tools/ipa-upgradeconfig |  1 +
 ipaserver/install/dsinstance.py | 18 ++
 2 files changed, 19 insertions(+)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 8fa9b189a2dc207e2d90ab32131e65fac0f1f9e0..8e9357f20fe7c9a88908def6a2e3b2104f07d73a 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -919,6 +919,7 @@ def main():
 http.configure_httpd_ccache()
 
 ds = dsinstance.DsInstance()
+ds.configure_dirsrv_ccache()
 
 fix_schema_file_syntax(ds)
 
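Review bot: Writing KRB5CCNAME into /etc/sysconfig/dirsrv only takes effect once the directory server process is restarted, and nothing in this hunk restarts it after `ds.configure_dirsrv_ccache()`. Please confirm that the remainder of the upgrade path restarts dirsrv (or that a restart is documented as required) so that an upgraded F19 server does not keep running with the DIR ccache default until the next reboot.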
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e6bb054ddad4a0d91d76d4c79eb477913e8776aa..3b841417e717587675d3ac748ec02182b3e14672 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -26,6 +26,7 @@
 import time
 import tempfile
 import base64
+import stat
 
 from ipapython.ipa_log_manager import *
 from ipapython import ipautil, sysrestore, dogtag, ipaldap
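Review bot: Only `stat` is added here, but the new `configure_dirsrv_ccache` method also relies on `pwd.getpwnam`, `os.path.exists`/`os.chmod`/`os.chown` and `ipaservices.restore_context`, none of which are visible in this import block. Please confirm `pwd`, `os` and `ipaservices` are already imported in dsinstance.py; otherwise the method will fail with a NameError on first use.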
@@ -213,6 +214,7 @@ def __common_setup(self, enable_ssl=False):
 self.step(configuring certmap.conf, self.__certmap_conf)
 self.step(configure autobind for root, self.__root_autobind)
 self.step(configure new location for managed entries, self.__repoint_managed_entries)
+self.step(configure dirsrv ccache, self.configure_dirsrv_ccache)
 self.step(restarting directory server, self.__restart_instance)
 
 def __common_post_setup(self):
@@ -515,6 +517,22 @@ def __config_lockout_module(self):
 def __repoint_managed_entries(self):
 self._ldap_mod(repoint-managed-entries.ldif, self.sub_dict)
 
+def configure_dirsrv_ccache(self):
+pent = pwd.getpwnam(dirsrv)
+ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+filepath = '/etc/sysconfig/dirsrv'
+if not os.path.exists(filepath):
+# file doesn't exist; create it with correct ownership  mode
+open(filepath, 'a').close()
+os.chmod(filepath,
+stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+os.chown(filepath, 0, 0)
+
+replacevars = {'KRB5CCNAME': ccache}
+old_values = ipautil.backup_config_and_replace_variables(
+self.fstore, filepath, replacevars=replacevars)
+ipaservices.restore_context(filepath)
+
 def __managed_entries(self):
 self._ldap_mod(managed-entries.ldif, self.sub_dict)
 
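Review bot: `old_values` is assigned from `ipautil.backup_config_and_replace_variables(...)` but never used; either drop the assignment or return it so callers can see what was replaced. Two smaller points on the same method: the ccache value is a bare path (`'/tmp/krb5cc_%d' % pent.pw_uid`), which krb5 treats as a FILE ccache, but an explicit `FILE:` prefix would state the intent and is the whole point of the change given that the library default has moved to DIR; and in the create branch the file is created via `open(filepath, 'a').close()` with the process umask before `os.chmod`/`os.chown` tighten it, so consider creating it with the final mode in one step (e.g. `os.open` with `O_CREAT` and the intended mode) rather than create-then-fix.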
-- 
1.8.1.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 407 Set KRB5CCNAME so that dirsrv can work with newer krb5-server

2013-05-14 Thread Rob Crittenden

Martin Kosek wrote:

The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/uid isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).

Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.

https://fedorahosted.org/freeipa/ticket/3628



Without this patch, replication on F19 is broken.

Martin



ACK, pushed to master and ipa-3-2

rob
