IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Set KRB5CCNAME so httpd s4u2proxy can with with newer krb5-server

Browse Source 
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).

Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.

https://fedorahosted.org/freeipa/ticket/3607
This commit is contained in:
Rob Crittenden
2013-05-07 10:33:55 -04:00
committed by Martin Kosek
parent 8f6e6514c4
commit 13cef6cac4
2 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
install/tools/ipa-upgradeconfig
View File

@@ -916,6 +916,7 @@ def main():
http = httpinstance.HTTPInstance(fstore) http = httpinstance.HTTPInstance(fstore)
http.remove_httpd_ccache() http.remove_httpd_ccache()
http.configure_selinux_for_httpd() http.configure_selinux_for_httpd()
http.configure_httpd_ccache()
ds = dsinstance.DsInstance() ds = dsinstance.DsInstance()

18
ipaserver/install/httpinstance.py
View File

@@ -22,6 +22,7 @@ import os.path
import tempfile import tempfile
import pwd import pwd
import shutil import shutil
import stat
import service import service
import certs import certs
@@ -99,6 +100,7 @@ class HTTPInstance(service.Service):
self.step("creating a keytab for httpd", self.__create_http_keytab) self.step("creating a keytab for httpd", self.__create_http_keytab)
self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
self.step("configure httpd ccache", self.configure_httpd_ccache)
self.step("restarting httpd", self.__start) self.step("restarting httpd", self.__start)
self.step("configuring httpd to start on boot", self.__enable) self.step("configuring httpd to start on boot", self.__enable)
@@ -192,6 +194,22 @@ class HTTPInstance(service.Service):
pent = pwd.getpwnam("apache") pent = pwd.getpwnam("apache")
installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid) installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
def configure_httpd_ccache(self):
pent = pwd.getpwnam("apache")
ccache = '/tmp/krb5cc_%d' % pent.pw_uid
filepath = '/etc/sysconfig/httpd'
if not os.path.exists(filepath):
# file doesn't exist; create it with correct ownership & mode
open(filepath, 'a').close()
os.chmod(filepath,
stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
os.chown(filepath, 0, 0)
replacevars = {'KRB5CCNAME': ccache}
old_values = ipautil.backup_config_and_replace_variables(
self.fstore, filepath, replacevars=replacevars)
ipaservices.restore_context(filepath)
def __configure_http(self): def __configure_http(self):
target_fname = '/etc/httpd/conf.d/ipa.conf' target_fname = '/etc/httpd/conf.d/ipa.conf'
http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict) http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)