Simo Sorce wrote:
On Tue, 2013-05-07 at 18:34 +0200, Martin Kosek wrote:
On 05/07/2013 04:41 PM, Rob Crittenden wrote:
See the commit message for all the gory details but the bottom line is that
mod_auth_kerb doesn't work with DIR ccache which is the default in the latest
krb5 builds.
rob
Looks OK (just reading it).
This fixes just new server install. What about upgrades? Won't updated FreeIPA
servers' mod_auth_kerb crash too?
Indeed we need to fix on upgrade too.
Yes, it was an oversight when I did the commit. Updated patch to include
the one-liner upgrade call.
rob
From 0026d1149e44a7fc7feca42f66d69e026ae515cc Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 7 May 2013 10:33:55 -0400
Subject: [PATCH] Set KRB5CCNAME so httpd s4u2proxy can work with newer
krb5-server
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/uid isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.
https://fedorahosted.org/freeipa/ticket/3607
---
install/tools/ipa-upgradeconfig | 1 +
ipaserver/install/httpinstance.py | 18 ++
2 files changed, 19 insertions(+)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c9574b961452bb721c6d55344df46852ec565913..8fa9b189a2dc207e2d90ab32131e65fac0f1f9e0 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -916,6 +916,7 @@ def main():
http = httpinstance.HTTPInstance(fstore)
http.remove_httpd_ccache()
http.configure_selinux_for_httpd()
+http.configure_httpd_ccache()
ds = dsinstance.DsInstance()
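Review bot: The added call only rewrites /etc/sysconfig/httpd, which httpd reads at start-up, so a running httpd keeps using its old DIR ccache until it is restarted; whether ipa-upgradeconfig restarts httpd later is outside this hunk, so please confirm it does (the fresh-install path orders the step just before "restarting httpd"). A one-line comment would save the next reader the same question: `# KRB5CCNAME is only picked up when httpd is (re)started`. main() begins before and continues after this hunk.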
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 6da212ce50de6346d0c3c0a19bf579eedf88655d..375016262a5bdfb6e7f823a4640c4c1fd8f7a9b8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -22,6 +22,7 @@ import os.path
import tempfile
import pwd
import shutil
+import stat
import service
import certs
@@ -99,6 +100,7 @@ class HTTPInstance(service.Service):
self.step(creating a keytab for httpd, self.__create_http_keytab)
self.step(clean up any existing httpd ccache, self.remove_httpd_ccache)
self.step(configuring SELinux for httpd, self.configure_selinux_for_httpd)
+self.step(configure httpd ccache, self.configure_httpd_ccache)
self.step(restarting httpd, self.__start)
self.step(configuring httpd to start on boot, self.__enable)
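Review bot: The step label `configure httpd ccache` breaks the gerund convention of the neighbouring steps (`creating …`, `configuring …`, `restarting …`), which are printed as progress messages during install; `self.step("configuring httpd ccache", self.configure_httpd_ccache)` keeps the output consistent (the string quotes appear to have been lost in this rendering). The enclosing method starts before this hunk.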
@@ -192,6 +194,22 @@ class HTTPInstance(service.Service):
pent = pwd.getpwnam(apache)
installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
+def configure_httpd_ccache(self):
+pent = pwd.getpwnam(apache)
+ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+filepath = '/etc/sysconfig/httpd'
+if not os.path.exists(filepath):
+# file doesn't exist; create it with correct ownership mode
+open(filepath, 'a').close()
+os.chmod(filepath,
+stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+os.chown(filepath, 0, 0)
+
+replacevars = {'KRB5CCNAME': ccache}
+old_values = ipautil.backup_config_and_replace_variables(
+self.fstore, filepath, replacevars=replacevars)
+ipaservices.restore_context(filepath)
+
def __configure_http(self):
target_fname = '/etc/httpd/conf.d/ipa.conf'
http_txt = ipautil.template_file(ipautil.SHARE_DIR + ipa.conf, self.sub_dict)
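Review bot: The ccache path written to KRB5CCNAME in configure_httpd_ccache is a fixed, predictable file name in the world-writable /tmp, so any local user can pre-create a file or symlink at /tmp/krb5cc_<apache uid> before httpd does; remove_httpd_ccache clears it at install/upgrade time, but nothing protects the name afterwards, so the setup relies on /tmp's sticky bit and on krb5's own ownership checks when it opens the cache. A directory only apache can write to (e.g. under /run/httpd, owner apache, mode 0700, with an SELinux label httpd may write) would remove that dependency; if policy does not permit that yet, a comment stating why /tmp is used and what guards it would help. The file creation on the `if not os.path.exists(filepath)` branch is also non-atomic: `open(filepath, 'a')` creates with the umask-derived mode and the chmod/chown follow, whereas `os.close(os.open(filepath, os.O_WRONLY | os.O_CREAT, 0o644))` creates it with the intended mode in one step. `old_values` is assigned from backup_config_and_replace_variables but never used; drop the assignment or return it so the caller can log what changed.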
--
1.8.2.1