mod_auth_gssapi: enable unique credential cache names

mod_auth_gssapi > 1.4.0 implements support for unique ccache names.
Without it, the ccache name is derived from the principal name.

It solves a race condition between two concurrent requests of the same
principal, where the first request deletes the ccache and the second
tries to use it, which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install runs.

With this feature there are two ccaches so there is no clash.

https://fedorahosted.org/freeipa/ticket/5653

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Petr Vobornik 2016-06-23 15:58:15 +02:00 committed by Martin Basti
parent 1ce8d32fd6
commit fd840a9cd7
2 changed files with 3 additions and 2 deletions

@ -141,7 +141,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
Requires: mod_auth_gssapi >= 1.3.0-2
Requires: mod_auth_gssapi >= 1.4.0
Requires: mod_nss >= 1.0.8-26
Requires: python-ldap >= 2.4.15
Requires: python-gssapi >= 1.1.2
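
Review bot: The new floor `mod_auth_gssapi >= 1.4.0` admits 1.4.0 itself, while the commit message says unique ccache names are implemented in versions "> 1.4.0". The configuration change in this same commit sets GssapiDelegCcacheUnique unconditionally, so please confirm which release first ships the directive and make the Requires line and the message agree; otherwise a host could satisfy the dependency with a module that does not recognise the directive. The old requirement also pinned a release (1.3.0-2) and the new one does not, so it is worth stating whether dropping the release pin is intentional.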

@ -1,5 +1,5 @@
#
# VERSION 21 - DO NOT REMOVE THIS LINE
# VERSION 22 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
@ -66,6 +66,7 @@ WSGIScriptReloading Off
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
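
Review bot: Nothing in this hunk says who removes the uniquely named ccaches that `GssapiDelegCcacheUnique On` now creates under /var/run/httpd/ipa/clientcaches. The commit message relies on the request deleting its own ccache, so please confirm that deletion still targets the unique file handed to the request, and add a short comment above the directive saying so; these files hold delegated credentials and should not accumulate on disk. Minor style point: the adjacent line uses lower case (`GssapiUseS4U2Proxy on`), so `On` could be written the same way for consistency.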