From 1be93108c4c1506ea50879d645c47ab6843a6ee1 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Tue, 14 May 2013 18:36:50 +0200
Subject: [PATCH] Set KRB5CCNAME so that dirsrv can work with newer krb5-server

The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/ isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.
https://fedorahosted.org/freeipa/ticket/3628
---
 install/tools/ipa-upgradeconfig | 1 +
 ipaserver/install/dsinstance.py | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 8fa9b189a2dc207e2d90ab32131e65fac0f1f9e0..8e9357f20fe7c9a88908def6a2e3b2104f07d73a 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -919,6 +919,7 @@ def main():
 http.configure_httpd_ccache()
 ds = dsinstance.DsInstance()
+ ds.configure_dirsrv_ccache()
 fix_schema_file_syntax(ds)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index e6bb054ddad4a0d91d76d4c79eb477913e8776aa..3b841417e717587675d3ac748ec02182b3e14672 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -26,6 +26,7 @@
 import time
 import tempfile
 import base64
+import stat
 from ipapython.ipa_log_manager import *
 from ipapython import ipautil, sysrestore, dogtag, ipaldap
@@ -213,6 +214,7 @@ def __common_setup(self, enable_ssl=False):
 self.step("configuring certmap.conf", self.__certmap_conf)
 self.step("configure autobind for root", self.__root_autobind)
 self.step("configure new location for managed entries", self.__repoint_managed_entries)
+ self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
 self.step("restarting directory server", self.__restart_instance)
 def __common_post_setup(self):
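Review bot: In install/tools/ipa-upgradeconfig the new `ds.configure_dirsrv_ccache()` call in main() is unguarded, so any exception it raises stops the rest of the upgrade; the method this patch adds to dsinstance.py starts with `pwd.getpwnam("dirsrv")`, which raises KeyError when that account does not exist. main() begins and continues outside this hunk, so an earlier check that the server is configured may already cover this, but that should be confirmed. The KRB5CCNAME value written to /etc/sysconfig/dirsrv is presumably only picked up when the directory server starts, and no restart is visible next to the call, so a running instance may keep its old cache location until it is next restarted. A short comment above the call, such as `# rewrites KRB5CCNAME in /etc/sysconfig/dirsrv; takes effect on the next dirsrv restart`, would record that.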
@@ -515,6 +517,22 @@ def __config_lockout_module(self):
 def __repoint_managed_entries(self):
 self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict)
+ def configure_dirsrv_ccache(self):
+ pent = pwd.getpwnam("dirsrv")
+ ccache = '/tmp/krb5cc_%d' % pent.pw_uid
+ filepath = '/etc/sysconfig/dirsrv'
+ if not os.path.exists(filepath):
+ # file doesn't exist; create it with correct ownership & mode
+ open(filepath, 'a').close()
+ os.chmod(filepath,
+ stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+ os.chown(filepath, 0, 0)
+
+ replacevars = {'KRB5CCNAME': ccache}
+ old_values = ipautil.backup_config_and_replace_variables(
+ self.fstore, filepath, replacevars=replacevars)
+ ipaservices.restore_context(filepath)
+
 def __managed_entries(self):
 self._ldap_mod("managed-entries.ldif", self.sub_dict)
--
1.8.1.4
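Review bot: `ccache = '/tmp/krb5cc_%d' % pent.pw_uid` places the directory server's credential cache at a predictable name in a directory every local account can write to, so whether dirsrv can initialise its cache depends on who creates that path first and on how the Kerberos library opens the file, which is not visible here. A directory writable only by the dirsrv account would remove that dependency; if /tmp has to stay because of the SELinux constraint described in the commit message, a comment above the assignment should say so, e.g. `# /run/user/<uid> is not created for dirsrv; keep the ccache in /tmp`. The mode and ownership are applied only inside the `if not os.path.exists(filepath):` branch, so an existing /etc/sysconfig/dirsrv with looser permissions is left as it is; checking or resetting them outside the branch would cover both cases. `old_values` is assigned and never read in this method.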