URL: https://github.com/freeipa/freeipa/pull/5806 Author: abbra Title: #5806: [Backport][ipa-4-9] service: enforce keytab user when retrieving the keytab Action: opened
PR body: """ This PR was opened automatically because PR #5805 was pushed to master and backport to ipa-4-9 is required. """

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5806/head:pr5806
git checkout pr5806
From 42ee0b5873c8e061e96369ac1df1595716fb59ca Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 3 Jun 2021 10:30:02 +0300 Subject: [PATCH] service: enforce keytab user when retrieving the keytab HTTP service uses different user for keytab ownership than the service user. On Fedora this leads to http.keytab being owned by 'apache' user after IPA deployment while it should be owned by 'root' to allow GSSPROXY configuration to work correctly. The situation is fixed during upgrade (ipa-server-upgrade) but it means for new deployments there might be a period of unexplained Web UI authentication failures. Fixes: https://pagure.io/freeipa/issue/8872 Signed-off-by: Alexander Bokovoy <aboko...@redhat.com> Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/install/service.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 3603ad3931f..13ae346bccc 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -768,7 +768,7 @@ def set_keytab_owner(self, keytab=None, owner=None): if keytab is None: keytab = self.keytab if owner is None: - owner = self.service_user + owner = self.keytab_user owner.chown(keytab) def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
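Review bot: the default owner in set_keytab_owner now comes from self.keytab_user instead of self.service_user, so every Service subclass that calls this method without passing owner must have keytab_user defined; the hunk does not show where that attribute lives, so please confirm the base class gives it a default (for instance falling back to service_user when the two coincide), otherwise services that only set service_user will fail with an AttributeError at install time rather than getting the intended ownership. Since the commit message notes that ipa-server-upgrade already corrects the ownership, a short test asserting that a fresh deployment leaves http.keytab owned by root (not apache) would pin the new-install behaviour this backport is meant to fix.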
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure