Set KRB5CCNAME so that dirsrv can work with newer krb5-server

The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv. https://fedorahosted.org/freeipa/ticket/3628
2025-02-25 18:55:28 -06:00 · 2013-05-14 18:36:50 +02:00
parent 8897b51814
commit ba89635679
2 changed files with 19 additions and 0 deletions
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -919,6 +919,7 @@ def main():
    http.configure_httpd_ccache()

    ds = dsinstance.DsInstance()
+    ds.configure_dirsrv_ccache()

    fix_schema_file_syntax(ds)

--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -26,6 +26,7 @@ import re
 import time
 import tempfile
 import base64
+import stat

 from ipapython.ipa_log_manager import *
 from ipapython import ipautil, sysrestore, dogtag, ipaldap
@@ -213,6 +214,7 @@ class DsInstance(service.Service):
        self.step("configuring certmap.conf", self.__certmap_conf)
        self.step("configure autobind for root", self.__root_autobind)
        self.step("configure new location for managed entries", self.__repoint_managed_entries)
+        self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
        self.step("restarting directory server", self.__restart_instance)

    def __common_post_setup(self):
@@ -515,6 +517,22 @@ class DsInstance(service.Service):
    def __repoint_managed_entries(self):
        self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict)

+    def configure_dirsrv_ccache(self):
+        pent = pwd.getpwnam("dirsrv")
+        ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+        filepath = '/etc/sysconfig/dirsrv'
+        if not os.path.exists(filepath):
+            # file doesn't exist; create it with correct ownership & mode
+            open(filepath, 'a').close()
+            os.chmod(filepath,
+                stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+            os.chown(filepath, 0, 0)
+
+        replacevars = {'KRB5CCNAME': ccache}
+        old_values = ipautil.backup_config_and_replace_variables(
+            self.fstore, filepath, replacevars=replacevars)
+        ipaservices.restore_context(filepath)
+
    def __managed_entries(self):
        self._ldap_mod("managed-entries.ldif", self.sub_dict)