From cd2fe2947589aaf8de0e9e64839c8840b68e9664 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 9 Dec 2020 11:15:20 +0200
Subject: [PATCH 1/2] Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to create unique credential caches in /run/ipa/ccaches for every client that connects to IPA with a new session. On F34, mod_auth_gssapi process running as 'apache' cannot create the ccache in /run/ipa/ccaches because it has no access rights. The core of the problem is that we have two different paths to obtaining a ccache: one where 'apache' running httpd process creates it directly and one where an internal redirect from 'ipaapi' running httpd process is happening. Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write to '/run/ipa/ccaches'. This fixes the problem. Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd do so, mod_auth_gssapi will do redirects and fail.
Fixes: https://pagure.io/freeipa/issue/8613
Signed-off-by: Alexander Bokovoy
---
 init/tmpfilesd/ipa.conf.in | 3 ++-
 install/share/ipa.conf.template | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in
index 183ceeda6..6467e1b93 100644
--- a/init/tmpfilesd/ipa.conf.in
+++ b/init/tmpfilesd/ipa.conf.in
@@ -1,2 +1,3 @@
 d /run/ipa 0711 root root
-d /run/ipa/ccaches 0770 ipaapi ipaapi
+d /run/ipa/ccaches 6770 ipaapi ipaapi
+a+ /run/ipa/ccaches - - - - g:apache:rwx
diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
index ca51d2ea3..d74e14d4f 100644
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -75,7 +75,7 @@ WSGIScriptReloading Off
 GssapiImpersonate On
 GssapiDelegCcacheDir $IPA_CCACHES
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
+ GssapiDelegCcachePerms mode:0660
 GssapiDelegCcacheUnique On
 GssapiUseS4U2Proxy on
 GssapiAllowedMech krb5
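Review bot: The setuid bit in `6770` has no effect on a directory on Linux; only the setgid bit (group inheritance for files created inside) does the work this entry needs, so `d /run/ipa/ccaches 2770 ipaapi ipaapi` states the effective permissions and keeps a setuid directory from being flagged in file-permission audits. The `a+` line adds an access ACL only, not a default ACL, so new ccache files still take their mode from mod_auth_gssapi's `GssapiDelegCcachePerms` and their group from the setgid bit, which is the right scope for a directory holding credentials. A comment above it, such as `# httpd workers running as 'apache' create per-session ccaches here; the 'ipaapi' WSGI process reads them (issue 8613)`, would record why a second group needs write access and which tmpfiles entry the ccache group ownership now depends on.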
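Review bot: With `gid:ipaapi` gone from `GssapiDelegCcachePerms` here and in the matching hunk at line 117, the group of every new ccache depends solely on the setgid bit that tmpfiles.d sets on `$IPA_CCACHES`, and nothing in this file records that coupling; a directory created any other way (an existing installation, a manual mkdir) would presumably yield ccaches in group apache that the ipaapi process can no longer read. Worth a comment next to the directive, e.g. `# ccache group ownership comes from the setgid bit on $IPA_CCACHES (init/tmpfilesd/ipa.conf.in), not from this directive`. The enclosing Location block starts and ends outside the hunk, and the hunk header counts seven lines where only six are visible on this page, so one context line appears to have been lost in rendering.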
@@ -117,7 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 AuthType none
 GssapiDelegCcacheDir $IPA_CCACHES
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
+ GssapiDelegCcachePerms mode:0660
 GssapiDelegCcacheUnique On
 SSLVerifyClient require
 SSLUserName SSL_CLIENT_CERT
-- 
2.29.2
From 786e0823cdc58ad232b8320af94ea9ad89df88d6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 9 Dec 2020 13:26:05 +0200
Subject: [PATCH 2/2] upgrade: provide DOMAIN to the server upgrade dictionary
Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available in the dictionary. Regression was introduced with e731b2725a3772cd037683ff2e08c514fd02019f.
Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595
Signed-off-by: Alexander Bokovoy
---
 ipaserver/install/server/upgrade.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 18891d53c..00a133a4d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1578,6 +1578,7 @@ def upgrade_configuration():
 IPA_CCACHES=paths.IPA_CCACHES,
 IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
+ DOMAIN=api.env.domain,
 )
 subject_base = find_subject_base()
-- 
2.29.2
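Review bot: `DOMAIN=api.env.domain` assumes `api` has been bootstrapped with the server environment before `upgrade_configuration()` reaches this call, which the enclosing function (starting and ending outside the hunk) presumably guarantees. The added line carries no hint of who consumes it, so the same cleanup that caused the regression in e731b2725a3772cd037683ff2e08c514fd02019f could drop it again; a trailing comment such as `# expanded as $DOMAIN by the rewrite rules in ipa-rewrite.conf` would make it a conscious choice. This keyword list is also, as far as the hunk shows, a second copy of the substitutions the installer passes for the same templates, and a comment naming that other site to keep in sync would help the next reader.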