Diffstat (limited to 'ipaplatform')
-rw-r--r--ipaplatform/base/constants.py1
-rw-r--r--ipaplatform/base/paths.py6
-rw-r--r--ipaplatform/base/services.py2
-rw-r--r--ipaplatform/redhat/services.py1
-rw-r--r--ipaplatform/redhat/tasks.py15
5 files changed, 21 insertions, 4 deletions
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 3e1c4c6f7..3984147b6 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -11,6 +11,7 @@ class BaseConstantsNamespace(object):
DS_USER = 'dirsrv'
DS_GROUP = 'dirsrv'
HTTPD_USER = "apache"
+ GSSPROXY_USER = "root"
IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
KDCPROXY_USER = "kdcproxy"
NAMED_USER = "named"
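Review bot: `GSSPROXY_USER = "root"` is the only account among the entries visible here that is set to root, and it has no comment saying why. If the intent is that the proxy, not httpd, owns the HTTP keytab and credential cache, a line such as `# gssproxy runs as root and holds the HTTP keytab on httpd's behalf` above the constant would record that and stop someone from later "hardening" it to an unprivileged user without checking the file ownership that depends on it. The `BaseConstantsNamespace` body starts and ends outside this hunk.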
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 374a1987b..28db7f1fc 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -49,7 +49,8 @@ class BasePathNamespace(object):
HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
- IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+ OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+ HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab"
HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
IDMAPD_CONF = "/etc/idmapd.conf"
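Review bot: Nothing in this hunk records what happens to the keytab at the old location: `OLD_IPA_KEYTAB` still points at /etc/httpd/conf/ipa.keytab while `HTTP_KEYTAB` moves the key under /var/lib/ipa/gssproxy. If the upgrade path does not move or delete the old file, a copy of the HTTP service key presumably stays where httpd can read it, which would undo the separation the new location provides; that code is outside this ipaplatform-limited view, so it needs confirming there. A comment such as `# pre-gssproxy location, kept only so upgrade can migrate and remove it` on `OLD_IPA_KEYTAB` would make the intent explicit. The rename also drops `IPA_KEYTAB` outright, so any remaining `paths.IPA_KEYTAB` lookup fails with AttributeError, and the same applies to `KRB5CC_HTTPD` in the next hunk. The `BasePathNamespace` body starts and ends outside this hunk.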
@@ -328,7 +329,7 @@ class BasePathNamespace(object):
IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
IPA_CCACHES = "/var/run/ipa/ccaches"
- KRB5CC_HTTPD = "/var/run/ipa/ccaches/http.ccache"
+ HTTP_CCACHE = "/var/lib/ipa/gssproxy/http.ccache"
IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
SVC_LIST_FILE = "/var/run/ipa/services.list"
KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
@@ -349,5 +350,6 @@ class BasePathNamespace(object):
IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
+ GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
path_namespace = BasePathNamespace
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 9c9a5ae78..8149ff1ef 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -42,7 +42,7 @@ wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
'rpcidmapd', 'pki_tomcatd', 'chronyd', 'domainname',
- 'named', 'ods_enforcerd', 'ods_signerd']
+ 'named', 'ods_enforcerd', 'ods_signerd', 'gssproxy']
# The common ports for these services. This is used to wait for the
# service to become available.
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index cc5d67477..5d8e1ecaa 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -68,6 +68,7 @@ redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
+redhat_system_units['gssproxy'] = 'gssproxy.service'
# Service classes that implement Red Hat OS family-specific behaviour
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 1191acd07..c9b1c49aa 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -451,7 +451,6 @@ class RedHatTaskNamespace(BaseTaskNamespace):
os.path.join(paths.USR_SHARE_IPA_DIR, 'ipa-httpd.conf.template'),
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
dict(
- KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
@@ -461,6 +460,20 @@ class RedHatTaskNamespace(BaseTaskNamespace):
os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
+ def configure_http_gssproxy_conf(self):
+ ipautil.copy_template_file(
+ os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'),
+ paths.GSSPROXY_CONF,
+ dict(
+ HTTP_KEYTAB=paths.HTTP_KEYTAB,
+ HTTP_CCACHE=paths.HTTP_CCACHE,
+ HTTPD_USER=constants.HTTPD_USER
+ )
+ )
+
+ os.chmod(paths.GSSPROXY_CONF, 0o600)
+ self.restore_context(paths.GSSPROXY_CONF)
+
def remove_httpd_service_ipa_conf(self):
"""Remove systemd config for httpd service of IPA"""
try:
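Review bot: `configure_http_gssproxy_conf` is added without a docstring, while `remove_httpd_service_ipa_conf` directly below it has one; something like `"""Write the gssproxy config for the IPA HTTP service from its template"""` would match. The `os.chmod(paths.GSSPROXY_CONF, 0o600)` line also deserves a short comment: the mode is tightened only after `copy_template_file` has written the file, so until then it carries whatever mode that helper and the umask give it. The values substituted here are two paths and a user name rather than secrets, so the window looks harmless, but stating that (for example `# no secrets in this file; 0600 so only root reads the proxy config`, if that is the reason) saves the next reader from re-checking. `remove_httpd_service_ipa_conf` continues past the end of the hunk.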