authorPetr Vobornik <pvoborni@redhat.com>2016-06-23 15:58:15 +0200
committerMartin Basti <mbasti@redhat.com>2016-06-24 16:06:49 +0200
commitfd840a9cd7974c735ab7b0f6773fd5cda8638585 (patch)
tree8833021ac3ecb21397ec05fa9043a1c41557610d
parent1ce8d32fd6c09b0bfcb1593e2e5ad8e47eef3670 (diff)
mod_auth_gssapi: enable unique credential caches names
mod_auth_gssapi > 1.4.0 implements support for unique ccache names. Without it, the ccache name is derived from the principal name. The feature solves a race condition between two concurrent requests of the same principal, where the first request deletes the ccache and the second then tries to use it and fails. This may lead, e.g., to a failure of two concurrent ipa-client-install runs. With this feature there are two ccaches, so there is no clash. https://fedorahosted.org/freeipa/ticket/5653 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com>
-rw-r--r--freeipa.spec.in2
-rw-r--r--install/conf/ipa.conf3
2 files changed, 3 insertions, 2 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6a12c2af7..c86fc3157 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -141,7 +141,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
-Requires: mod_auth_gssapi >= 1.3.0-2
+Requires: mod_auth_gssapi >= 1.4.0
Requires: mod_nss >= 1.0.8-26
Requires: python-ldap >= 2.4.15
Requires: python-gssapi >= 1.1.2
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 20fc61fdb..3e7435903 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 21 - DO NOT REMOVE THIS LINE
+# VERSION 22 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
@@ -66,6 +66,7 @@ WSGIScriptReloading Off
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+ GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
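Review bot: Nothing in this hunk shows who removes the per-request caches that `GssapiDelegCcacheUnique On` will now create under `/var/run/httpd/ipa/clientcaches`; as far as I know mod_auth_gssapi leaves deletion of unique ccaches to the consuming application, so delegated tickets can pile up on disk unless the IPA WSGI code removes each one when the request ends. It is worth confirming that this cleanup exists and recording it next to the directive, e.g. `# unique ccache per request; the application must delete it after use`. Separately, the commit message says the feature needs mod_auth_gssapi "> 1.4.0" while the spec hunk requires `>= 1.4.0`; if 1.4.0 itself lacks the directive, httpd would presumably refuse to load this file, so the two should agree. The enclosing configuration block begins and ends outside the hunk.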