Dne 15.5.2015 v 16:16 Martin Babinsky napsal(a):
These two patches fix two issues reported by David Kupka in most recent
freeipa-master builds, which are caused by my previous patch 0031
"provide a dedicated ccache file to httpd".
Patch 0033 moves `clientcaches` and `krbcache` directories under a
common `ipa/` subdir in Apache runtime dir (`/var/run/httpd`). This
fixes a situation when both mod_auth_kerb and mod_auth_gssapi are
installed together with IPA. The removal of the former Apache module
removes also the `krbcache` directory, thus invalidating the ccache path
in KRB5CCNAME.
This of course causes spectacular explosions when calling RPC interface
(aka always).
Patch 0034 forces HTTPInstance to explicitly remove ccache specified in
our `httpd.service` override during uninstall. This fixes an issue
related to uninstall of an old IPA server and immediate install of new
IPA server.
In this case the old CCache is left in httpd runtime dir, causing
"Decrypt integrity check failed" errors when connecting to RPC interface
(Old tickets are being send to KDC having new Apache secret key).
However, issuing 'kdestroy -A' as apache user is not enough, because
systemd daemons use completely different isolated environments (and thus
completely different KRB5CCNAME than apache user). That's why we have to
explicitly remove ccache using 'kdestroy -c'.
I would like to thank David for pointing out these issues.
Don't forget to bump the version at the top of install/conf/ipa.conf.
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
