From 42e65d58596222a5480e7ddf0c8d793a04156af7 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Thu, 23 Jun 2016 15:58:15 +0200 Subject: [PATCH] mod_auth_gssapi: enable unique credential caches names mod_auth_gssapi > 1.4.0 implements support for unique ccaches names. Without it ccache name is derived from principal name. It solves a race condition in two concurrent requests of the same principal. Where first request deletes the ccache and the second tries to use it which then fails. It may lead e.g. to a failure of two concurrent ipa-client-install. With this feature there are two ccaches so there is no clash. https://fedorahosted.org/freeipa/ticket/5653 Reviewed-By: Stanislav Laznicka Reviewed-By: Robbie Harwood --- freeipa.spec.in | 2 +- install/conf/ipa.conf | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 17b90fc4653bd7694bf389a19d5847d7df544890..d3c5748ca5df9c7fa5e57287fb428aeb649620b8 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -123,7 +123,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-6 Requires: mod_wsgi -Requires: mod_auth_gssapi >= 1.1.0-2 +Requires: mod_auth_gssapi >= 1.4.0 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 Requires: python-krbV diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index e2b602c8573078f517badac00a8c8c5bd593db28..13df090eb214533ceb789a36327b76a74f80567f 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 18 - DO NOT REMOVE THIS LINE +# VERSION 19 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -65,6 +65,7 @@ WSGIScriptReloading Off GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches + GssapiDelegCcacheUnique On GssapiUseS4U2Proxy on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html -- 2.7.4
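
Review bot: In the freeipa.spec.in hunk, `Requires: mod_auth_gssapi >= 1.4.0` disagrees with the commit message, which says unique ccache names are supported in mod_auth_gssapi > 1.4.0. If the directive is absent from 1.4.0 itself, a host with exactly 1.4.0 satisfies this dependency, and httpd then rejects the `GssapiDelegCcacheUnique` line in ipa.conf as an unknown directive and does not start. Please confirm the first release that ships the directive and either correct the message to say `>= 1.4.0` or tighten the Requires.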
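
Review bot: In the `@@ -65,6 +65,7 @@` hunk of install/conf/ipa.conf, `GssapiDelegCcacheUnique On` gives each request its own file under /var/run/httpd/ipa/clientcaches instead of a name derived from the principal, and nothing in this patch shows what removes those files. The commit message says a request deletes its ccache; please confirm that every request path, including error paths, deletes the unique ccache it was handed, since these files hold delegated credentials and would otherwise accumulate in that directory. Minor style point: the neighbouring line reads `GssapiUseS4U2Proxy on`, so lowercase `on` would match it.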