The Identity, Policy and Audit system
CentOS Sources
2016-08-02 35e84f4e05b37a9f2eb6472a44416cbcc05ba072
import ipa-4.2.0-15.el7_2.18
1 files added
1 files deleted
1 files modified
Changed files (129 lines changed)
SOURCES/0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch 59
SOURCES/ipa-centos-branding.patch 38
SPECS/ipa.spec 32
SOURCES/0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch
New file
@@ -0,0 +1,59 @@
From 42e65d58596222a5480e7ddf0c8d793a04156af7 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Thu, 23 Jun 2016 15:58:15 +0200
Subject: [PATCH] mod_auth_gssapi: enable unique credential caches names
mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
Without it ccache name is derived from pricipal name.
It solves a race condition in two concurrent request of the same
principal. Where first request deletes the ccache and the second
tries to use it which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install.
With this feature there are two ccaches so there is no clash.
https://fedorahosted.org/freeipa/ticket/5653
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
 freeipa.spec.in       | 2 +-
 install/conf/ipa.conf | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 17b90fc4653bd7694bf389a19d5847d7df544890..d3c5748ca5df9c7fa5e57287fb428aeb649620b8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -123,7 +123,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_gssapi >= 1.1.0-2
+Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
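Review bot: The new floor on the Requires line is ">= 1.4.0", but the commit message says support arrives in mod_auth_gssapi "> 1.4.0", so one of the two is off by a release. If 1.4.0 itself provides GssapiDelegCcacheUnique, correct the message to ">= 1.4.0"; if it does not, the Requires should name the first release that does, because httpd refuses to start when ipa.conf contains a directive the loaded module does not define.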
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index e2b602c8573078f517badac00a8c8c5bd593db28..13df090eb214533ceb789a36327b76a74f80567f 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 18 - DO NOT REMOVE THIS LINE
+# VERSION 19 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -65,6 +65,7 @@ WSGIScriptReloading Off
   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
   GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+  GssapiDelegCcacheUnique On
   GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
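Review bot: With "GssapiDelegCcacheUnique On", the directory /var/run/httpd/ipa/clientcaches holds a separate ccache for each concurrent request instead of one per principal, and neither the commit message nor the config says who removes those files afterwards. They contain delegated credentials, so please state in the commit message or in a comment above the directive whether the module deletes each ccache when the request ends or whether a cleanup job is expected. Minor style point: the neighbouring GssapiUseS4U2Proxy uses lowercase "on"; keep the casing consistent.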
--
2.7.4
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -35,7 +35,7 @@
Name:           ipa
Version:        4.2.0
Release:        15%{?dist}.17
Release:        15%{?dist}.18
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -43,10 +43,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -255,6 +255,7 @@
Patch0202:      0202-Prevent-replica-install-from-overwriting-cert-profil.patch
Patch0203:      0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
Patch0204:      0204-replica-install-do-not-set-CA-renewal-master-flag.patch
Patch0205:      0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -266,7 +267,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
Patch1011:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -361,7 +361,7 @@
Requires: ntp
Requires: httpd >= 2.4.6-7
Requires: mod_wsgi
Requires: mod_auth_gssapi >= 1.1.0-2
Requires: mod_auth_gssapi >= 1.3.1-2
Requires: mod_nss >= 1.0.8-26
Requires: python-ldap >= 2.4.15
Requires: python-krbV
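Review bot: The floor set here, "mod_auth_gssapi >= 1.3.1-2", is lower than the ">= 1.4.0" that patch 0205 itself sets in freeipa.spec.in, while the same patch adds GssapiDelegCcacheUnique to ipa.conf. If the 1.3.1-2 build carries a backport of that directive, say so in a comment next to the Requires; otherwise a host with 1.3.1-2 installed satisfies the dependency but httpd will reject the unknown directive in ipa.conf.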
@@ -401,7 +401,7 @@
Requires: %{etc_systemd_dir}
Requires: gzip
# RHEL spec file only: START
# Requires: redhat-access-plugin-ipa
Requires: redhat-access-plugin-ipa
# RHEL spec file only: END
Conflicts: %{alt_name}-server
@@ -610,10 +610,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
%build
@@ -1210,8 +1210,12 @@
# RHEL spec file only: DELETED: Do not build tests
%changelog
* Thu Jun 23 2016 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos.17
- Roll in CentOS Branding
* Mon Jun 27 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.18
- Resolves: #1350305 Multiple clients cannot join domain simultaneously:
  /var/run/httpd/ipa/clientcaches race condition?
  - mod_auth_gssapi: enable unique credential caches names
- Related: #1347175 Multiple clients cannot join domain simultaneously:
  /var/run/httpd/ipa/clientcaches race condition?
* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.17
- Resolves: #1339304 CA installed on replica is always marked as renewal master