move IPA-related http runtime directories to common subdirectory

When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: David Kupka <dkupka@redhat.com>

4 files changed, 12 insertions, 6 deletions

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 737364556..b14acee63 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
-install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
 
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@@ -685,7 +687,9 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
index ef1e6bfda..231f86f44 100644
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -1,4 +1,4 @@
 .include /usr/lib/systemd/system/httpd.service
 
 [Service]
-Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
+Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index b4503cc67..6eab2621c 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,3 +1,5 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
-d /var/run/httpd/clientcaches 0700 apache apache
+d /var/run/httpd/ipa 0700 apache apache
+d /var/run/httpd/ipa/clientcaches 0700 apache apache
+d /var/run/httpd/ipa/krbcache 0700 apache apache
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 92637c04d..57de2f1a9 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 17 - DO NOT REMOVE THIS LINE
+# VERSION 18 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -66,7 +66,7 @@ WSGIScriptReloading Off
   AuthName "Kerberos Login"
   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
-  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
   GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html