author | Rob Crittenden <rcritten@redhat.com> | 2013-05-07 10:33:55 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-05-09 09:15:47 +0200 |
commit | 13cef6cac4c7f6c53e9fcfea97c5e830c8c69826 (patch) | |
tree | b8192ba463dc1e9b1a3bf5e39e073bd417ab69dc | |
parent | 8f6e6514c443dcc69fecdda548737f5c135156f4 (diff) | |
Set KRB5CCNAME so httpd s4u2proxy can with with newer krb5-server
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.
https://fedorahosted.org/freeipa/ticket/3607
-rw-r--r-- | install/tools/ipa-upgradeconfig | 1 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 18 |
2 files changed, 19 insertions, 0 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c9574b96..8fa9b189 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -916,6 +916,7 @@ def main():
     http = httpinstance.HTTPInstance(fstore)
     http.remove_httpd_ccache()
     http.configure_selinux_for_httpd()
+    http.configure_httpd_ccache()
 
     ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 6da212ce..37501626 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -22,6 +22,7 @@ import os.path
 import tempfile
 import pwd
 import shutil
+import stat
 
 import service
 import certs
@@ -99,6 +100,7 @@ class HTTPInstance(service.Service):
         self.step("creating a keytab for httpd", self.__create_http_keytab)
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+        self.step("configure httpd ccache", self.configure_httpd_ccache)
         self.step("restarting httpd", self.__start)
         self.step("configuring httpd to start on boot", self.__enable)
@@ -192,6 +194,22 @@ class HTTPInstance(service.Service):
         pent = pwd.getpwnam("apache")
         installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
 
+    def configure_httpd_ccache(self):
+        pent = pwd.getpwnam("apache")
+        ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+        filepath = '/etc/sysconfig/httpd'
+        if not os.path.exists(filepath):
+            # file doesn't exist; create it with correct ownership & mode
+            open(filepath, 'a').close()
+            os.chmod(filepath,
+                stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+            os.chown(filepath, 0, 0)
+
+        replacevars = {'KRB5CCNAME': ccache}
+        old_values = ipautil.backup_config_and_replace_variables(
+            self.fstore, filepath, replacevars=replacevars)
+        ipaservices.restore_context(filepath)
+
     def __configure_http(self):
         target_fname = '/etc/httpd/conf.d/ipa.conf'
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
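Review bot: The ccache path `ccache = '/tmp/krb5cc_%d' % pent.pw_uid` in configure_httpd_ccache is a fixed, predictable name in world-writable /tmp, so any local user can pre-create that name after installation; the sticky bit then prevents the apache user from unlinking it and httpd's ccache initialization fails, a local denial of service that the root-run `remove_file` on the context line above only prevents at install time. A directory owned by apache with mode 0700 would avoid this, e.g. `ccache = '/run/ipa/krb5cc_%d' % pent.pw_uid` created here with `os.makedirs`/`os.chown`, though it would presumably need a tmpfiles.d entry to survive reboot and should be checked against the distribution's httpd unit, which may use PrivateTmp and make the host-side /tmp path differ from httpd's view. Separately, `old_values` on the `backup_config_and_replace_variables` line is assigned but never read; drop the assignment or use it to log that an existing KRB5CCNAME was overwritten. The creation branch also has a small window between `os.path.exists` and `open(filepath, 'a')` where the file briefly carries the umask-derived mode; harmless under root-owned /etc, but `os.open(filepath, os.O_CREAT | os.O_WRONLY, 0644)` would set the mode atomically.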