The directory /run/ipa/ccaches is used to store ccaches which are used for sessions. This is part of the IPA privilege separation.
If the directory permissions are incorrect then mod_auth_gssapi cannot update the ccache and a Negotiation error will be returned which is difficult to diagnose outside of strace (where EACCES will be thrown trying to write).
These directories are created by systemd tmpfiles. If this check can integrate that it will be more flexible but at a minimum the directories should be added for verification.
/run/ipa/ccaches is the main target, to ensure it retains the
right owner/group/permissions for privilege separation to work
by setting setuid and setgid so the underlying ccaches are
only readable by the ipaapi user/group.
Fixes: freeipa#232
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
/run/ipa/ccaches is the main target, to ensure it retains the
right owner/group/permissions for privilege separation to work
by setting setuid and setgid so the underlying ccaches are
only readable by the ipaapi user/group.
Fixes: #232
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
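An added example (not part of the issue or of the project's code) of the check the issue asks for: it reads the expected owner, group and mode from a tmpfiles.d line and compares them with what is on disk. The sample line, its mode value and the function names are assumptions made for illustration.

```python
import grp, os, pwd, stat
from typing import NamedTuple

class Expected(NamedTuple):
    path: str
    mode: int
    owner: str
    group: str

# Constructed sample, not FreeIPA's shipped file. The mode is an assumption
# that matches the commit message (setuid + setgid, ipaapi user/group only).
SAMPLE_TMPFILES = "# Type Path Mode User Group Age\nd /run/ipa/ccaches 6770 ipaapi ipaapi -\n"

def parse_tmpfiles(text):
    """Return Expected entries for plain 'd' (create directory) lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "d":
            continue  # comments, blank lines, other entry types
        _, path, mode, owner, group = fields[:5]
        if not mode.isdigit() or "-" in (owner, group):
            continue  # "-" or a prefixed mode: no fixed value to verify
        entries.append(Expected(path, int(mode, 8), owner, group))
    return entries

def compare(exp, st_mode, owner, group):
    """Return mismatch descriptions; an empty list means the entry is correct."""
    # S_IMODE keeps the setuid/setgid/sticky bits along with rwx permissions.
    got = {"mode": f"{stat.S_IMODE(st_mode):04o}", "owner": owner, "group": group}
    want = {"mode": f"{exp.mode:04o}", "owner": exp.owner, "group": exp.group}
    return [f"{exp.path}: {k} {got[k]}, expected {want[k]}"
            for k in want if got[k] != want[k]]

def check(exp):
    """Stat the path on disk and compare it with the tmpfiles.d entry."""
    try:
        st = os.stat(exp.path)
    except FileNotFoundError:
        return [f"{exp.path}: missing"]
    owner, group = str(st.st_uid), str(st.st_gid)  # numeric fallback
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        pass  # id has no name on this host; report the number instead
    return compare(exp, st.st_mode, owner, group)
```

Calling `check()` on each entry returned by `parse_tmpfiles()` reports a wrong mode or owner directly, rather than leaving it to surface as EACCES in strace.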