From 42e65d58596222a5480e7ddf0c8d793a04156af7 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Thu, 23 Jun 2016 15:58:15 +0200
Subject: [PATCH] mod_auth_gssapi: enable unique credential caches names
mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
Without it, the ccache name is derived from the principal name.
It solves a race condition in two concurrent request of the same
principal. Where first request deletes the ccache and the second
tries to use it which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install.
With this feature there are two ccaches so there is no clash.
https://fedorahosted.org/freeipa/ticket/5653
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
freeipa.spec.in | 2 +-
install/conf/ipa.conf | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 17b90fc4653bd7694bf389a19d5847d7df544890..d3c5748ca5df9c7fa5e57287fb428aeb649620b8 100644
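--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -123,7 +123,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_gssapi >= 1.1.0-2
+Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV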
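Review bot: The new floor `Requires: mod_auth_gssapi >= 1.4.0` does not match the commit message, which says unique ccache names are implemented in mod_auth_gssapi "> 1.4.0". If 1.4.0 itself lacks the `GssapiDelegCcacheUnique` directive, a host that satisfies this requirement with exactly 1.4.0 would receive an ipa.conf that httpd refuses to load because of an unknown directive, so the IPA web interface would not come up after the upgrade. Please confirm the first release that ships the directive and either correct the message or raise the floor. A short comment above the line, such as `# needed for GssapiDelegCcacheUnique in ipa.conf`, would keep the two files tied together for the next person who touches this requirement.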
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index e2b602c8573078f517badac00a8c8c5bd593db28..13df090eb214533ceb789a36327b76a74f80567f 100644
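--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 18 - DO NOT REMOVE THIS LINE
+# VERSION 19 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -65,6 +65,7 @@ WSGIScriptReloading Off
 GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
 GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
 GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+ GssapiDelegCcacheUnique On
 GssapiUseS4U2Proxy on
 Require valid-user
 ErrorDocument 401 /ipa/errors/unauthorized.html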
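Review bot: With `GssapiDelegCcacheUnique On` in the `@@ -65,6 +65,7 @@` hunk, every authenticated request gets its own delegated ccache under /var/run/httpd/ipa/clientcaches, so cleanup matters more than before: a cache the request handler does not delete stays on disk holding a delegated ticket until that ticket expires. The code that removes the ccache is outside this diff, so please confirm that it deletes the per-request file the module hands over rather than a name derived from the principal, and that the directory remains readable only by the httpd service account. The line also deserves a why-comment, for example `# One ccache per request: concurrent requests of one principal must not delete each other's cache (ticket 5653)`. The enclosing configuration section starts and ends outside the hunk.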
--
2.7.4