diff --git a/SOURCES/0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch b/SOURCES/0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch
new file mode 100644
index 0000000..e34f786
--- /dev/null
+++ b/SOURCES/0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch
@@ -0,0 +1,59 @@
+From 42e65d58596222a5480e7ddf0c8d793a04156af7 Mon Sep 17 00:00:00 2001
+From: Petr Vobornik
+Date: Thu, 23 Jun 2016 15:58:15 +0200
+Subject: [PATCH] mod_auth_gssapi: enable unique credential caches names
+
+mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
+Without it ccache name is derived from pricipal name.
+
+It solves a race condition in two concurrent request of the same
+principal. Where first request deletes the ccache and the second
+tries to use it which then fails. It may lead e.g. to a failure of
+two concurrent ipa-client-install.
+
+With this feature there are two ccaches so there is no clash.
+
+https://fedorahosted.org/freeipa/ticket/5653
+
+Reviewed-By: Stanislav Laznicka
+Reviewed-By: Robbie Harwood
+---
+ freeipa.spec.in | 2 +-
+ install/conf/ipa.conf | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 17b90fc4653bd7694bf389a19d5847d7df544890..d3c5748ca5df9c7fa5e57287fb428aeb649620b8 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -123,7 +123,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: ntp
+ Requires: httpd >= 2.4.6-6
+ Requires: mod_wsgi
+-Requires: mod_auth_gssapi >= 1.1.0-2
++Requires: mod_auth_gssapi >= 1.4.0
+ Requires: mod_nss >= 1.0.8-26
+ Requires: python-ldap >= 2.4.15
+ Requires: python-krbV
+diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
+index e2b602c8573078f517badac00a8c8c5bd593db28..13df090eb214533ceb789a36327b76a74f80567f 100644
+--- a/install/conf/ipa.conf
++++ b/install/conf/ipa.conf
+@@ -1,5 +1,5 @@
+ #
+-# VERSION 18 - DO NOT REMOVE THIS LINE
++# VERSION 19 - DO NOT REMOVE THIS LINE
+ #
+ # This file may be overwritten on upgrades.
+ #
+@@ -65,6 +65,7 @@ WSGIScriptReloading Off
+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+ GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
++ GssapiDelegCcacheUnique On
+ GssapiUseS4U2Proxy on
+ Require valid-user
+ ErrorDocument 401 /ipa/errors/unauthorized.html
+--
+2.7.4
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
- PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
- PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
- ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+ ETC_CENTOS_RELEASE = "/etc/centos-release"
- RESOLV_CONF = "/etc/resolv.conf"
- SAMBA_KEYTAB = "/etc/samba/samba.keytab"
- SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
- os = ""
- if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
- os = "fedora"
-+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+ os = "centos"
- elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
- os = "rhel"
-
---
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 8fd5494..9d3ab71 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
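Review bot: The ipa.conf hunk only adds `GssapiDelegCcacheUnique On`; nothing in the bundled patch touches the request-side cleanup that its description says deletes the delegated ccache after use, so that cleanup presumably has to remove the per-request file name the module hands to the application rather than a name derived from the principal, otherwise /var/run/httpd/ipa/clientcaches grows by one file per request until something else prunes it — worth confirming in the server code that consumes the delegated ccache before shipping. A comment next to the directive would make the dependency explicit for the next reader, e.g. `# one ccache per request (mod_auth_gssapi >= 1.4.0); the request handler must remove its own file`. The patch also bumps ipa.conf to VERSION 19, which is what lets the upgrade code overwrite an existing copy, so hand-edited ipa.conf files on upgraded hosts are expected to be replaced.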
@@ -35,7 +35,7 @@ Name: ipa Version: 4.2.0 -Release: 15%{?dist}.17 +Release: 15%{?dist}.18 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -43,10 +43,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -255,6 +255,7 @@ Patch0201: 0201-certdb-never-use-the-r-option-of-certutil.patch Patch0202: 0202-Prevent-replica-install-from-overwriting-cert-profil.patch Patch0203: 0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch Patch0204: 0204-replica-install-do-not-set-CA-renewal-master-flag.patch +Patch0205: 0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -266,7 +267,6 @@ Patch1007: 1007-Do-not-build-tests.patch Patch1008: 1008-RCUE.patch Patch1009: 1009-Do-not-allow-installation-in-FIPS-mode.patch Patch1010: 1010-WebUI-add-API-browser-is-experimental-warning.patch -Patch1011: ipa-centos-branding.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} @@ -361,7 +361,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-7 Requires: mod_wsgi -Requires: mod_auth_gssapi >= 1.1.0-2 +Requires: mod_auth_gssapi >= 1.3.1-2 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 Requires: python-krbV 
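Review bot: The floor in the `@@ -361,7 +361,7 @@` hunk, `Requires: mod_auth_gssapi >= 1.3.1-2`, is lower than the `>= 1.4.0` that the bundled 0205 patch sets in freeipa.spec.in, and that patch's description states the unique-ccache support exists only in mod_auth_gssapi > 1.4.0. If the downstream 1.3.1-2 build carries a backport of `GssapiDelegCcacheUnique`, say so on the line, e.g. `# 1.3.1-2 backports GssapiDelegCcacheUnique (upstream 1.4.0), required by ipa.conf`; if it does not, httpd will refuse the unknown directive at startup after this update and the floor should read `Requires: mod_auth_gssapi >= 1.4.0`. The in-tarball freeipa.spec.in that 0205 also edits is not the spec this build uses, so the two floors do not keep each other honest.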
@@ -401,7 +401,7 @@ Requires: systemd-python Requires: %{etc_systemd_dir} Requires: gzip # RHEL spec file only: START -# Requires: redhat-access-plugin-ipa +Requires: redhat-access-plugin-ipa # RHEL spec file only: END Conflicts: %{alt_name}-server @@ -610,10 +610,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END %build @@ -1210,8 +1210,12 @@ fi # RHEL spec file only: DELETED: Do not build tests %changelog -* Thu Jun 23 2016 CentOS Sources - 4.2.0-15.el7.centos.17 -- Roll in CentOS Branding +* Mon Jun 27 2016 Jan Cholasta - 4.2.0-15.18 +- Resolves: #1350305 Multiple clients cannot join domain simultaneously: + /var/run/httpd/ipa/clientcaches race condition? + - mod_auth_gssapi: enable unique credential caches names +- Related: #1347175 Multiple clients cannot join domain simultaneously: + /var/run/httpd/ipa/clientcaches race condition? * Tue May 24 2016 Jan Cholasta - 4.2.0-15.17 - Resolves: #1339304 CA installed on replica is always marked as renewal master