From 42e65d58596222a5480e7ddf0c8d793a04156af7 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Thu, 23 Jun 2016 15:58:15 +0200
Subject: [PATCH] mod_auth_gssapi: enable unique credential caches names

mod_auth_gssapi > 1.4.0 implements support for unique ccache names.
Without it the ccache name is derived from the principal name.

It solves a race condition in two concurrent requests of the same
principal. Where first request deletes the ccache and the second
tries to use it which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install.

With this feature there are two ccaches so there is no clash.

https://fedorahosted.org/freeipa/ticket/5653

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
 freeipa.spec.in       | 2 +-
 install/conf/ipa.conf | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 17b90fc4653bd7694bf389a19d5847d7df544890..d3c5748ca5df9c7fa5e57287fb428aeb649620b8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -123,7 +123,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_gssapi >= 1.1.0-2
+Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
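Review bot: The new floor on the changed Requires line, "mod_auth_gssapi >= 1.4.0", does not match the commit message, which says support arrives in versions greater than 1.4.0. If 1.4.0 itself lacks the option, a host with exactly 1.4.0 satisfies this dependency and then receives GssapiDelegCcacheUnique in ipa.conf, which httpd will refuse as an unknown directive when it loads the configuration. Either raise the requirement to the first release that ships the option or correct the commit message to read ">= 1.4.0".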
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index e2b602c8573078f517badac00a8c8c5bd593db28..13df090eb214533ceb789a36327b76a74f80567f 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 18 - DO NOT REMOVE THIS LINE
+# VERSION 19 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -65,6 +65,7 @@ WSGIScriptReloading Off
   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
   GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
+  GssapiDelegCcacheUnique On
   GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
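Review bot: The added "GssapiDelegCcacheUnique On" line leaves the ccache lifecycle undocumented. The commit message describes one request deleting the shared ccache; once every request gets its own file under /var/run/httpd/ipa/clientcaches, neither this hunk nor the message says what removes those files, and each one holds delegated credentials. Please state in the commit message or in a comment next to the directive which component deletes the per-request ccache and what happens to it when a request ends abnormally. Minor style point: the neighbouring "GssapiUseS4U2Proxy on" uses lowercase, so "on" here would keep the block consistent.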
-- 
2.7.4