Re: [Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache
On 05/15/2015 04:41 PM, Martin Babinsky wrote:
> On 05/15/2015 04:25 PM, Jan Cholasta wrote:
>> On 15.5.2015 at 16:16, Martin Babinsky wrote:
>>> These two patches fix two issues reported by David Kupka in the most recent freeipa-master builds, which are caused by my previous patch 0031, "provide a dedicated ccache file to httpd".
>>>
>>> Patch 0033 moves the `clientcaches` and `krbcache` directories under a common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This fixes a situation when both mod_auth_kerb and mod_auth_gssapi are installed together with IPA. The removal of the former Apache module also removes the `krbcache` directory, thus invalidating the ccache path in KRB5CCNAME. This of course causes spectacular explosions when calling the RPC interface (aka always).
>>>
>>> Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in our `httpd.service` override during uninstall. This fixes an issue related to the uninstall of an old IPA server and immediate install of a new IPA server. In this case the old CCache is left in the httpd runtime dir, causing "Decrypt integrity check failed" errors when connecting to the RPC interface (old tickets are being sent to the KDC, which has the new Apache secret key). However, issuing 'kdestroy -A' as the apache user is not enough, because systemd daemons use completely different isolated environments (and thus a completely different KRB5CCNAME than the apache user). That's why we have to explicitly remove the ccache using 'kdestroy -c'.
>>>
>>> I would like to thank David for pointing out these issues.
>>
>> Don't forget to bump the version at the top of install/conf/ipa.conf.
>
> Attaching updated patch 0033 with the bumped version.

Hi!

Works for me, ACK.

--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache
On 19.5.2015 at 14:31, David Kupka wrote:
> On 05/15/2015 04:41 PM, Martin Babinsky wrote:
>> On 05/15/2015 04:25 PM, Jan Cholasta wrote:
>>> On 15.5.2015 at 16:16, Martin Babinsky wrote:
>>>> These two patches fix two issues reported by David Kupka in the most recent freeipa-master builds, which are caused by my previous patch 0031, "provide a dedicated ccache file to httpd".
>>>>
>>>> Patch 0033 moves the `clientcaches` and `krbcache` directories under a common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This fixes a situation when both mod_auth_kerb and mod_auth_gssapi are installed together with IPA. The removal of the former Apache module also removes the `krbcache` directory, thus invalidating the ccache path in KRB5CCNAME. This of course causes spectacular explosions when calling the RPC interface (aka always).
>>>>
>>>> Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in our `httpd.service` override during uninstall. This fixes an issue related to the uninstall of an old IPA server and immediate install of a new IPA server. In this case the old CCache is left in the httpd runtime dir, causing "Decrypt integrity check failed" errors when connecting to the RPC interface (old tickets are being sent to the KDC, which has the new Apache secret key). However, issuing 'kdestroy -A' as the apache user is not enough, because systemd daemons use completely different isolated environments (and thus a completely different KRB5CCNAME than the apache user). That's why we have to explicitly remove the ccache using 'kdestroy -c'.
>>>>
>>>> I would like to thank David for pointing out these issues.
>>>
>>> Don't forget to bump the version at the top of install/conf/ipa.conf.
>>
>> Attaching updated patch 0033 with the bumped version.
>
> Hi!
>
> Works for me, ACK.

Pushed to master: 5a741b614f39a148d849877e743200de5a7302db

--
Jan Cholasta
[Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache
These two patches fix two issues reported by David Kupka in the most recent freeipa-master builds, which are caused by my previous patch 0031, "provide a dedicated ccache file to httpd".

Patch 0033 moves the `clientcaches` and `krbcache` directories under a common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This fixes a situation when both mod_auth_kerb and mod_auth_gssapi are installed together with IPA. The removal of the former Apache module also removes the `krbcache` directory, thus invalidating the ccache path in KRB5CCNAME. This of course causes spectacular explosions when calling the RPC interface (aka always).

Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in our `httpd.service` override during uninstall. This fixes an issue related to the uninstall of an old IPA server and immediate install of a new IPA server. In this case the old CCache is left in the httpd runtime dir, causing "Decrypt integrity check failed" errors when connecting to the RPC interface (old tickets are being sent to the KDC, which has the new Apache secret key). However, issuing 'kdestroy -A' as the apache user is not enough, because systemd daemons use completely different isolated environments (and thus a completely different KRB5CCNAME than the apache user). That's why we have to explicitly remove the ccache using 'kdestroy -c'.

I would like to thank David for pointing out these issues.

--
Martin^3 Babinsky

From ab77ecb1d43b851f89fdd1f3f895166da30cd0fc Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com Date: Fri, 15 May 2015 15:37:05 +0200 Subject: [PATCH 1/2] move IPA-related http runtime directories to common subdirectory When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same time, they use common directory for storing Apache ccache file. Uninstallation of 'mod_auth_kerb' removes this directory leading to invalid CCache path for httpd and authentication failure. Using an IPA-specific directory for credential storage during apache runtime avoids this issue. --- freeipa.spec.in| 8 ++-- init/systemd/httpd.service | 2 +- init/systemd/ipa.conf.tmpfiles | 4 +++- install/conf/ipa.conf | 2 +- 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 2bf14ef9e14f96b3100d45dd47d749b6bc3b4816..159d4cc3c0a5b775e5bed9a3cc853ee4a3b5a8e8 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ -install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so 
@@ -685,7 +687,9 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service index ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7..231f86f44808156e0eb20d67ef15bb7d19550e19 100644 --- a/init/systemd/httpd.service +++ b/init/systemd/httpd.service @@ -1,4 +1,4 @@ .include /usr/lib/systemd/system/httpd.service [Service] -Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache +Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles index b4503cc673f3407421cd194091f5373ba204a483..6eab2621c18c9867d41b50afa2ebdee4dc46f308 100644 --- a/init/systemd/ipa.conf.tmpfiles +++ b/init/systemd/ipa.conf.tmpfiles @@ -1,3 +1,5 @@ d /var/run/ipa_memcached 0700 apache apache d /var/run/ipa 0700 root root -d /var/run/httpd/clientcaches 0700 apache apache +d /var/run/httpd/ipa 0700 apache apache +d /var/run/httpd/ipa/clientcaches 0700 apache apache +d /var/run/httpd/ipa/krbcache 0700 apache apache diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 92637c04d4f961a0b7f016fe125341c63f400285..dd9b9fdc072a0815a84a2676fd292f734397446b 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -66,7 +66,7 @@ WSGIScriptReloading Off AuthName Kerberos Login GssapiCredStore
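Review bot: the freeipa.spec.in `%files` hunk and the ipa.conf.tmpfiles hunk stop shipping `%{_localstatedir}/run/httpd/clientcaches/` and `d /var/run/httpd/clientcaches`, but nothing in the series removes the old `/var/run/httpd/clientcaches` directory or a ccache left at the old `/var/run/httpd/krbcache/krb5ccache` on an upgraded server; once httpd.service points KRB5CCNAME at `/var/run/httpd/ipa/krbcache/krb5ccache`, those old files just sit there holding credentials until a reboot clears `/var/run`. Add an upgrade-time removal of the old paths (or a tmpfiles `r` line for them) so the stale-ccache cleanup that patch 0034 adds for uninstall also covers upgrade.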
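Review bot: the install/conf/ipa.conf hunk (`@@ -66,7 +66,7 @@`, diffstat `install/conf/ipa.conf | 2 +-`) changes a single line, so the version stamp at the top of ipa.conf is not bumped, which is the point Jan raises in the thread; the resent patch's `install/conf/ipa.conf | 4 ++--` diffstat shows the bump was added afterwards. The archived hunk is also cut off right after `GssapiCredStore`, so the new path cannot be checked here against the `/var/run/httpd/ipa/clientcaches` directory the spec and tmpfiles hunks create.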
Re: [Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache
On 15.5.2015 at 16:16, Martin Babinsky wrote:
> These two patches fix two issues reported by David Kupka in the most recent freeipa-master builds, which are caused by my previous patch 0031, "provide a dedicated ccache file to httpd".
>
> Patch 0033 moves the `clientcaches` and `krbcache` directories under a common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This fixes a situation when both mod_auth_kerb and mod_auth_gssapi are installed together with IPA. The removal of the former Apache module also removes the `krbcache` directory, thus invalidating the ccache path in KRB5CCNAME. This of course causes spectacular explosions when calling the RPC interface (aka always).
>
> Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in our `httpd.service` override during uninstall. This fixes an issue related to the uninstall of an old IPA server and immediate install of a new IPA server. In this case the old CCache is left in the httpd runtime dir, causing "Decrypt integrity check failed" errors when connecting to the RPC interface (old tickets are being sent to the KDC, which has the new Apache secret key). However, issuing 'kdestroy -A' as the apache user is not enough, because systemd daemons use completely different isolated environments (and thus a completely different KRB5CCNAME than the apache user). That's why we have to explicitly remove the ccache using 'kdestroy -c'.
>
> I would like to thank David for pointing out these issues.

Don't forget to bump the version at the top of install/conf/ipa.conf.

--
Jan Cholasta
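The uninstall cleanup described in the quoted message, as an added shell example that is not part of the patches in this thread: it parses the `Environment=KRB5CCNAME=` assignment out of an httpd.service override (the override path is passed in; the sample unit and stand-in ccache are constructed in a temp dir), destroys exactly that ccache with `kdestroy -c` and falls back to `rm -f`, and includes a check for the vanished-directory failure that patch 0033 addresses.

```shell
# Added example, not code from the FreeIPA patches: read the ccache path an
# httpd.service override assigns via Environment=KRB5CCNAME=... and destroy
# exactly that ccache ('kdestroy -c'; 'kdestroy -A' as the apache user would
# only see that user's own KRB5CCNAME). Override path is a parameter.

# Print the ccache path set in a unit file (last unquoted Environment=KRB5CCNAME=
# line wins; the quoted form is not handled). Returns 1 if none is set.
ccache_from_unit() {
    [ -r "$1" ] || return 1
    _p=$(sed -n 's/^Environment=KRB5CCNAME=//p' "$1" | tail -n 1)
    [ -n "$_p" ] || return 1
    printf '%s\n' "${_p#FILE:}"      # drop an optional FILE: prefix
}

# The failure patch 0033 fixes: the directory holding the ccache is gone.
ccache_dir_ok() {
    _cc=$(ccache_from_unit "$1") || return 1
    [ -d "$(dirname "$_cc")" ]
}

# Destroy the ccache the unit points at. kdestroy -c is preferred (it goes
# through libkrb5); rm -f is the fallback when the krb5 tools are absent.
remove_unit_ccache() {
    _cc=$(ccache_from_unit "$1") || return 1
    case "$_cc" in /*) ;; *) return 1 ;; esac   # only absolute file paths
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -c "$_cc" 2>/dev/null || rm -f "$_cc"
    else
        rm -f "$_cc"
    fi
    [ ! -e "$_cc" ]
}

# Demo on a constructed override and an empty stand-in ccache in a temp dir.
# Succeeds only if the dir check passes, the ccache is removed, and the dir
# check fails once the krbcache directory disappears (the 0033 scenario).
demo() {
    _t=$(mktemp -d) || return 1
    mkdir -p "$_t/krbcache" && : >"$_t/krbcache/krb5ccache"
    printf '%s\n' '.include /usr/lib/systemd/system/httpd.service' \
        '[Service]' "Environment=KRB5CCNAME=FILE:$_t/krbcache/krb5ccache" \
        >"$_t/httpd.service"
    if ccache_dir_ok "$_t/httpd.service" \
       && remove_unit_ccache "$_t/httpd.service" \
       && rm -r "$_t/krbcache" \
       && ! ccache_dir_ok "$_t/httpd.service"; then _rc=0; else _rc=1; fi
    rm -rf "$_t"
    return $_rc
}
```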
Re: [Freeipa-devel] [PATCHES 0033-0034] fix recent bugs introduced by letting httpd use file-based ccache
On 05/15/2015 04:25 PM, Jan Cholasta wrote:
> On 15.5.2015 at 16:16, Martin Babinsky wrote:
>> These two patches fix two issues reported by David Kupka in the most recent freeipa-master builds, which are caused by my previous patch 0031, "provide a dedicated ccache file to httpd".
>>
>> Patch 0033 moves the `clientcaches` and `krbcache` directories under a common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This fixes a situation when both mod_auth_kerb and mod_auth_gssapi are installed together with IPA. The removal of the former Apache module also removes the `krbcache` directory, thus invalidating the ccache path in KRB5CCNAME. This of course causes spectacular explosions when calling the RPC interface (aka always).
>>
>> Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in our `httpd.service` override during uninstall. This fixes an issue related to the uninstall of an old IPA server and immediate install of a new IPA server. In this case the old CCache is left in the httpd runtime dir, causing "Decrypt integrity check failed" errors when connecting to the RPC interface (old tickets are being sent to the KDC, which has the new Apache secret key). However, issuing 'kdestroy -A' as the apache user is not enough, because systemd daemons use completely different isolated environments (and thus a completely different KRB5CCNAME than the apache user). That's why we have to explicitly remove the ccache using 'kdestroy -c'.
>>
>> I would like to thank David for pointing out these issues.
>
> Don't forget to bump the version at the top of install/conf/ipa.conf.

Attaching updated patch 0033 with the bumped version.

--
Martin^3 Babinsky

From a748e53fc0c1f56a81af5716cd7f04fe6c0b8649 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com Date: Fri, 15 May 2015 15:37:05 +0200 Subject: [PATCH 1/2] move IPA-related http runtime directories to common subdirectory When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same time, they use common directory for storing Apache ccache file. Uninstallation of 'mod_auth_kerb' removes this directory leading to invalid CCache path for httpd and authentication failure. Using an IPA-specific directory for credential storage during apache runtime avoids this issue. --- freeipa.spec.in| 8 ++-- init/systemd/httpd.service | 2 +- init/systemd/ipa.conf.tmpfiles | 4 +++- install/conf/ipa.conf | 4 ++-- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 2bf14ef9e14f96b3100d45dd47d749b6bc3b4816..159d4cc3c0a5b775e5bed9a3cc853ee4a3b5a8e8 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ -install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so 
@@ -685,7 +687,9 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service index ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7..231f86f44808156e0eb20d67ef15bb7d19550e19 100644 --- a/init/systemd/httpd.service +++ b/init/systemd/httpd.service @@ -1,4 +1,4 @@ .include /usr/lib/systemd/system/httpd.service [Service] -Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache +Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles index b4503cc673f3407421cd194091f5373ba204a483..6eab2621c18c9867d41b50afa2ebdee4dc46f308 100644 --- a/init/systemd/ipa.conf.tmpfiles +++ b/init/systemd/ipa.conf.tmpfiles @@ -1,3 +1,5 @@ d /var/run/ipa_memcached 0700 apache apache d /var/run/ipa 0700 root root -d /var/run/httpd/clientcaches 0700 apache apache +d /var/run/httpd/ipa 0700 apache apache +d /var/run/httpd/ipa/clientcaches 0700 apache apache +d /var/run/httpd/ipa/krbcache 0700 apache apache diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index
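Review bot: the resent patch's diffstat differs from the first version only in `install/conf/ipa.conf | 4 ++--` (12 insertions, 6 deletions instead of 11 and 5), which is consistent with the version bump Jan asked for; the freeipa.spec.in, httpd.service and ipa.conf.tmpfiles hunks are identical to the first version. The archived copy is truncated at the ipa.conf `index` line, so neither the bumped version nor the GssapiCredStore path change is visible here; both have to be checked in the pushed commit (5a741b614f39a148d849877e743200de5a7302db, as cited in the thread).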