These two patches fix two issues reported by David Kupka in most recent freeipa-master builds, which are caused by my previous patch 0031 "provide a dedicated ccache file to httpd".

Patch 0033 moves `clientcaches` and `krbcache` directories under a common `ipa/` subdir in the Apache runtime dir (`/var/run/httpd`). This fixes a situation where both mod_auth_kerb and mod_auth_gssapi are installed together with IPA. The removal of the former Apache module also removes the `krbcache` directory, thus invalidating the ccache path in KRB5CCNAME.

This of course causes spectacular explosions when calling RPC interface (aka always).

Patch 0034 forces HTTPInstance to explicitly remove the ccache specified in our `httpd.service` override during uninstall. This fixes an issue related to the uninstall of an old IPA server and the immediate install of a new IPA server.

In this case the old CCache is left in the httpd runtime dir, causing "Decrypt integrity check failed" errors when connecting to the RPC interface (old tickets are being sent to a KDC that has the new Apache secret key).

However, issuing 'kdestroy -A' as the apache user is not enough, because systemd daemons use completely different isolated environments (and thus a completely different KRB5CCNAME than the apache user). That's why we have to explicitly remove the ccache using 'kdestroy -c'.

I would like to thank David for pointing out these issues.

--
Martin^3 Babinsky
From ab77ecb1d43b851f89fdd1f3f895166da30cd0fc Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 15 May 2015 15:37:05 +0200
Subject: [PATCH 1/2] move IPA-related http runtime directories to common
 subdirectory

When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
---
 freeipa.spec.in                | 8 ++++++--
 init/systemd/httpd.service     | 2 +-
 init/systemd/ipa.conf.tmpfiles | 4 +++-
 install/conf/ipa.conf          | 2 +-
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 2bf14ef9e14f96b3100d45dd47d749b6bc3b4816..159d4cc3c0a5b775e5bed9a3cc853ee4a3b5a8e8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
-install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
 
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
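Review bot: the new `install -d` lines are the first time the spec creates a `krbcache` directory at all (the old spec only installed `clientcaches`), so the ccache directory now belongs to the freeipa package rather than to whichever auth module happened to create it, which is the right fix for the removal problem in the commit message. Since all three directories are created 0700 under a parent (`%{_localstatedir}/run/httpd`) that comes from the httpd package, the %files section must claim the new `ipa/` directory as well as its two children, or rpmbuild will flag it as unpackaged.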
@@ -685,7 +687,9 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
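Review bot: the three `%dir` entries match the install lines (0700, apache:apache) and claim the parent `ipa/` directory, so nothing is left unpackaged. Because `%{_localstatedir}/run` is a tmpfs on systemd hosts, these entries only matter until the first reboot; the tmpfiles entries are what recreate the directories afterwards, so the two lists need to stay identical (they are in this series).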
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
index ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7..231f86f44808156e0eb20d67ef15bb7d19550e19 100644
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -1,4 +1,4 @@
 .include /usr/lib/systemd/system/httpd.service
 
 [Service]
-Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
+Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
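Review bot: the ccache path on the `Environment=` line is duplicated as the `KRB5CC_HTTPD` literal in `ipaplatform/base/paths.py` in patch 2; if either is changed without the other, the uninstall step will kdestroy a file httpd never used and the stale-ccache failure returns. Consider deriving one from the other, or at least a comment in each place pointing at its twin.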
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index b4503cc673f3407421cd194091f5373ba204a483..6eab2621c18c9867d41b50afa2ebdee4dc46f308 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,3 +1,5 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
-d /var/run/httpd/clientcaches 0700 apache apache
+d /var/run/httpd/ipa 0700 apache apache
+d /var/run/httpd/ipa/clientcaches 0700 apache apache
+d /var/run/httpd/ipa/krbcache 0700 apache apache
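Review bot: `krbcache` previously had no tmpfiles entry, so after a reboot it existed only if some other package created it; adding it here closes that gap and matches the spec's ownership and mode. The entries rely on `/var/run/httpd` having already been created by httpd's own tmpfiles configuration; that dependency is implicit and worth a one-line comment in this file.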
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 92637c04d4f961a0b7f016fe125341c63f400285..dd9b9fdc072a0815a84a2676fd292f734397446b 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -66,7 +66,7 @@ WSGIScriptReloading Off
   AuthName "Kerberos Login"
   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
-  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
   GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
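Review bot: `GssapiDelegCcacheDir` now points at a directory that tmpfiles creates 0700 apache:apache, which is what mod_auth_gssapi needs to write delegated ccaches. On an existing server the installed `ipa.conf` still carries the old `clientcaches` path until something rewrites it, so please confirm the upgrade path regenerates this file (or keeps the old directory) so that delegated authentication does not break on update.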
-- 
2.1.0

From 0a6792cebd832ce6ac4e736a3fd67e419e235782 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 15 May 2015 15:45:34 +0200
Subject: [PATCH 2/2] explicitly destroy httpd service ccache file during
 httpinstance removal

during IPA server uninstall, the httpd service ccache is not removed from
runtime directory. This file then causes server-side client install to fail
when performing subsequent installation without rebooting/recreating runtime
directories.

This patch ensures that the old httpd ccache is explicitly destroyed during
uninstallation.
---
 ipaplatform/base/paths.py         | 1 +
 ipaserver/install/httpinstance.py | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 3ad007ce93de66cbe4e23f1624883e8dd1952c2d..9ba87523b5619188f02bdad6c23d2446a2c4b0f2 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -327,6 +327,7 @@ class BasePathNamespace(object):
     VAR_OPENDNSSEC_DIR = "/var/opendnssec"
     OPENDNSSEC_KASP_DB = "/var/opendnssec/kasp.db"
     VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
+    KRB5CC_HTTPD = "/var/run/httpd/ipa/krbcache/krb5ccache"
     IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
     SVC_LIST_FILE = "/var/run/ipa/services.list"
     IPA_MEMCACHED_DIR = "/var/run/ipa_memcached"
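Review bot: `KRB5CC_HTTPD` is the same literal as the `KRB5CCNAME` value in `init/systemd/httpd.service` (patch 1); see the note there about keeping the two in sync. Placement among the other `/var/run` paths follows the file's existing grouping.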
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 18cf6bb1a55512f475bde62b2db7a775945a97ec..31eab022d97a3105e2086b5cf4479c0d1e2b525b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -412,6 +412,10 @@ class HTTPInstance(service.Service):
                 root_logger.debug(error)
                 pass
 
+        # Remove the ccache file for the HTTPD service
+        ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas='apache',
+                    raiseonerr=False)
+
         # Remove the configuration files we create
         installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
         installutils.remove_file(paths.HTTPD_IPA_CONF)
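Review bot: `raiseonerr=False` is needed because kdestroy exits non-zero when the ccache does not exist (a server whose httpd was never started), but it also hides real failures such as a permission problem, which is exactly the class of bug this patch is curing; capture the result and log its stderr at debug level the way the preceding block does for its errors. `runas='apache'` is the right choice given the 0700 apache:apache directory, and note the hunk assumes `paths.KDESTROY` is already defined in the namespace, since this series does not add it.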
-- 
2.1.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
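The two failure modes above (a ccache directory that no package-owned tmpfiles entry recreates, and a ccache that lives at the path in the service's own environment rather than the apache user's default) both come down to three files agreeing on one path. The following check is an added example, not FreeIPA code: it parses constructed copies of the post-patch `httpd.service` override, `ipa.conf.tmpfiles` and the `GssapiDelegCcacheDir` line from `ipa.conf`, and reports any directory that httpd must write to but that tmpfiles does not create with apache ownership. The function `ccache_to_destroy` shows the `kdestroy -c` target being taken from the unit's `Environment=` line, which is what the uninstall step needs instead of `kdestroy -A`. The fragments and function names are assumptions for the example; the old pre-patch path is included to show the check catching it.

```python
"""Consistency check for the httpd Kerberos ccache paths described in the
patches above.  Added example, not FreeIPA code."""
import re
from pathlib import PurePosixPath

# Constructed inputs: post-patch fragments of the three files in the series.
HTTPD_SERVICE = """\
.include /usr/lib/systemd/system/httpd.service

[Service]
Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
"""

TMPFILES = """\
d /var/run/ipa_memcached 0700 apache apache
d /var/run/ipa 0700 root root
d /var/run/httpd/ipa 0700 apache apache
d /var/run/httpd/ipa/clientcaches 0700 apache apache
d /var/run/httpd/ipa/krbcache 0700 apache apache
"""

IPA_CONF = """\
  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
  GssapiUseS4U2Proxy on
"""

# Constructed pre-patch override: points at a directory nobody in tmpfiles owns.
OLD_HTTPD_SERVICE = HTTPD_SERVICE.replace('/httpd/ipa/krbcache', '/httpd/krbcache')


def service_ccache(unit_text):
    """Return the KRB5CCNAME set by Environment= in [Service], or None."""
    in_service = False
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_service = (line == '[Service]')
            continue
        if in_service and line.startswith('Environment='):
            match = re.search(r'\bKRB5CCNAME=(\S+)', line)
            if match:
                return match.group(1)
    return None


def ccache_to_destroy(unit_text):
    """The argument for 'kdestroy -c': the daemon's ccache, not the user's."""
    ccache = service_ccache(unit_text)
    if ccache is None:
        raise ValueError('unit sets no KRB5CCNAME; nothing to destroy')
    return ccache


def tmpfiles_dirs(text):
    """Map directory path -> (mode, user, group) for 'd' entries."""
    dirs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == 'd':
            dirs[parts[1]] = (parts[2], parts[3], parts[4])
    return dirs


def deleg_ccache_dir(conf_text):
    """Return the GssapiDelegCcacheDir value from an Apache config, or None."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == 'GssapiDelegCcacheDir':
            return parts[1]
    return None


def check_dir(dirs, path, owner='apache'):
    """Problems with a directory the httpd process must be able to write to."""
    entry = dirs.get(path)
    if entry is None:
        return ['%s is not created by tmpfiles' % path]
    mode, user, _group = entry
    problems = []
    if user != owner:
        problems.append('%s owned by %s, expected %s' % (path, user, owner))
    if mode not in ('0700', '700'):
        problems.append('%s mode %s, expected 0700' % (path, mode))
    return problems


def check_paths(unit_text, tmpfiles_text, conf_text):
    """Cross-check the three files; an empty list means they agree."""
    dirs = tmpfiles_dirs(tmpfiles_text)
    problems = []
    ccache = service_ccache(unit_text)
    if ccache is None:
        problems.append('httpd.service sets no KRB5CCNAME')
    else:
        problems += check_dir(dirs, str(PurePosixPath(ccache).parent))
    deleg = deleg_ccache_dir(conf_text)
    if deleg is None:
        problems.append('ipa.conf sets no GssapiDelegCcacheDir')
    else:
        problems += check_dir(dirs, deleg)
    return problems


if __name__ == '__main__':
    for label, unit in (('post-patch', HTTPD_SERVICE), ('pre-patch', OLD_HTTPD_SERVICE)):
        print(label, check_paths(unit, TMPFILES, IPA_CONF) or 'ok')
```

Run against the real files by reading `/etc/systemd/system/httpd.service`, the tmpfiles fragment and `ipa.conf` into the three arguments; the pre-patch override fails the check because `/var/run/httpd/krbcache` has no owner in tmpfiles, which is the situation the first patch fixes.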