URL: https://github.com/freeipa/freeipa/pull/5806
Author: abbra
Title: #5806: [Backport][ipa-4-9] service: enforce keytab user when retrieving the keytab
Action: opened

PR body:
"""
This PR was opened automatically because PR #5805 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5806/head:pr5806
git checkout pr5806
From 42ee0b5873c8e061e96369ac1df1595716fb59ca Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 3 Jun 2021 10:30:02 +0300
Subject: [PATCH] service: enforce keytab user when retrieving the keytab

The HTTP service uses a different user for keytab ownership than the service
user. On Fedora this leads to http.keytab being owned by the 'apache' user
after IPA deployment, while it should be owned by 'root' to allow the
GSSPROXY configuration to work correctly.

The situation is fixed during upgrade (ipa-server-upgrade), but it means that
for new deployments there might be a period of unexplained Web UI
authentication failures.

Fixes: https://pagure.io/freeipa/issue/8872

Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 3603ad3931f..13ae346bccc 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -768,7 +768,7 @@ def set_keytab_owner(self, keytab=None, owner=None):
         if keytab is None:
             keytab = self.keytab
         if owner is None:
-            owner = self.service_user
+            owner = self.keytab_user
         owner.chown(keytab)
 
     def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
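Review bot: the new default `owner = self.keytab_user` assumes every Service subclass that calls set_keytab_owner() without an explicit owner defines keytab_user; a subclass that only defines service_user (the previous default) would now fail with AttributeError at install time rather than silently using the wrong owner. Worth confirming that the base class provides a keytab_user attribute (for example defaulting to service_user) or documenting the new requirement in the method's docstring. Note also that the hunk only changes the default: callers that pass owner= explicitly are unaffected, and `owner.chown(keytab)` changes ownership only, not mode, so a keytab left group- or world-readable stays readable after the chown; if the intent is that only the keytab user can read it, pairing the chown with an explicit mode would close that gap.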
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure