Configure HTTPD to work via Gss-Proxy

https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

3 files changed, 10 insertions, 1 deletions

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index bb09c9882..c58e1d2dd 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -90,6 +90,7 @@ dist_app_DATA =				\
 	ipa-httpd.conf.template		\
 	gssapi.login			\
 	ipa.conf.tmpfiles		\
+	gssproxy.conf.template		\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
new file mode 100644
index 000000000..cb5775de6
--- /dev/null
+++ b/install/share/gssproxy.conf.template
@@ -0,0 +1,8 @@
+#Installed and maintained by ipa update tools, please do not modify
+[service/ipa-httpd]
+  mechs = krb5
+  cred_store = keytab:$HTTP_KEYTAB
+  cred_store = client_keytab:$HTTP_KEYTAB
+  allow_protocol_transition = true
+  cred_usage = both
+  euid = $HTTPD_USER
diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index a907d73cc..8822066ba 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.
 
 [Service]
-Environment=KRB5CCNAME=$KRB5CC_HTTPD
+Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
 ExecStopPost=$POST