author | Petr Vobornik <pvoborni@redhat.com> | 2016-06-23 15:58:15 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-06-24 16:06:49 +0200 |
commit | fd840a9cd7974c735ab7b0f6773fd5cda8638585 | |
tree | 8833021ac3ecb21397ec05fa9043a1c41557610d | |
parent | 1ce8d32fd6c09b0bfcb1593e2e5ad8e47eef3670 | |
mod_auth_gssapi: enable unique credential caches names

mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
Without it ccache name is derived from principal name.

It solves a race condition in two concurrent requests of the same
principal. Where first request deletes the ccache and the second
tries to use it which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install.

With this feature there are two ccaches so there is no clash.

https://fedorahosted.org/freeipa/ticket/5653

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>

-rw-r--r-- | freeipa.spec.in | 2 |
-rw-r--r-- | install/conf/ipa.conf | 3 |
2 files changed, 3 insertions, 2 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 6a12c2af7..c86fc3157 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -141,7 +141,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-6 Requires: mod_wsgi -Requires: mod_auth_gssapi >= 1.3.0-2 +Requires: mod_auth_gssapi >= 1.4.0 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 Requires: python-gssapi >= 1.1.2 diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 20fc61fdb..3e7435903 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 21 - DO NOT REMOVE THIS LINE +# VERSION 22 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -66,6 +66,7 @@ WSGIScriptReloading Off GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches + GssapiDelegCcacheUnique On GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user |
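
Review bot: In the freeipa.spec.in hunk the new requirement is `mod_auth_gssapi >= 1.4.0`, while the commit message says unique ccache names are supported in versions `> 1.4.0`. If 1.4.0 itself does not ship the directive, a host that satisfies this Requires would receive an ipa.conf containing `GssapiDelegCcacheUnique On` that its installed module may not recognise. Please confirm the first release that carries the directive and make the Requires line and the commit message agree.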
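
Review bot: In the install/conf/ipa.conf hunk, the added `GssapiDelegCcacheUnique On` has no accompanying note on what removes the per-request ccache files from `/var/run/httpd/ipa/clientcaches`. Per the commit message, two concurrent requests for one principal now leave two ccaches instead of one, so the directory holds more delegated credentials than before; please document (in the commit message or a comment beside the directive) which component deletes them and when. Minor style point in the same hunk: the value is written `On` while the next line uses `GssapiUseS4U2Proxy on`; pick one casing for the block.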