#3626 [RFE] pac-type change must be effective immediately without kdc restart
Closed: Duplicate. Opened 10 years ago by steeve.

A global change in PAC type requires a KDC restart to be effective. Such a change must be effective immediately, without a KDC restart.

* When default pac-type is MS-PAC to start with

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:49:11  05/15/13 00:49:08  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:49 /tmp/krb5cc_0

* Change PAC type to PAD

[root@gondola ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:51:47  05/15/13 00:51:44  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:51 /tmp/krb5cc_0  # Size is same as when pac type was MS-PAC

* Restarted ipa

[root@gondola ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
ipa: INFO: The ipactl command was successful

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:53 /tmp/krb5cc_0

[root@gondola ~]# kdestroy

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:54:04  05/15/13 00:54:01  krbtgt/TESTRELM.COM@TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:54 /tmp/krb5cc_0 # Size is much less

* Changed back to MS-PAC

[root@gondola ~]# ipa config-mod --pac-type MS-PAC
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@gondola ~]# kdestroy

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:55 /tmp/krb5cc_0  # no change in size

[root@gondola ~]# kvno host/gondola.testrelm.com@TESTRELM.COM
host/gondola.testrelm.com@TESTRELM.COM: kvno = 2

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1221 May 14 00:56 /tmp/krb5cc_0

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com@TESTRELM.COM

* Restarted krb5kdc service

[root@gondola ~]# service krb5kdc restart
Redirecting to /bin/systemctl restart  krb5kdc.service

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com@TESTRELM.COM

[root@gondola ~]# kdestroy

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:57:24  05/15/13 00:57:21  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:57 /tmp/krb5cc_0
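The reporter infers whether the new PAC type took effect from the total size of /tmp/krb5cc_0. As an added example (not part of the ticket or of FreeIPA's code), the Python below parses a krb5 FILE ccache in format version 4 and reports the encrypted-ticket length per credential, so the difference can be read off the krbtgt entry specifically rather than the whole file; `build_ccache` only constructs a synthetic fixture for testing, and the zero-length key and all-zero timestamps in it are fixture shortcuts, not real ccache content.

```python
import struct


class Reader:
    """Sequential big-endian reader over krb5 FILE ccache bytes."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u(self, fmt):
        (val,) = struct.unpack_from(">" + fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return val
    def blob(self):                       # uint32 length-prefixed octet string
        n = self.u("I")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def principal(self):                  # v4: name_type, component count, realm, components
        self.u("I"); ncomp = self.u("I")
        realm = self.blob().decode()
        return "/".join(self.blob().decode() for _ in range(ncomp)) + "@" + realm


def ticket_sizes(ccache):
    """Map server principal -> byte length of its encrypted ticket (where a PAC lives)."""
    r, sizes = Reader(ccache), {}
    if r.u("H") != 0x0504:
        raise ValueError("only FILE ccache version 4 is handled")
    hlen = r.u("H"); r.pos += hlen        # skip header tags (e.g. KDC time offset)
    r.principal()                         # default client principal
    while r.pos < len(r.data):
        r.principal(); server = r.principal()
        r.u("H"); r.blob()                # keyblock: enctype + counted key bytes
        r.pos += 4 * 4 + 1 + 4            # authtime..renew_till, is_skey, ticket_flags
        for _ in range(r.u("I")): r.u("H"); r.blob()   # addresses
        for _ in range(r.u("I")): r.u("H"); r.blob()   # authdata
        sizes[server] = len(r.blob())     # encrypted ticket; the PAC is inside it
        r.blob()                          # second_ticket
    return sizes


def build_ccache(client, creds):
    """Constructed fixture (not a real ccache): creds is [(server_principal, ticket_len)]."""
    def princ(p):
        name, realm = p.split("@")
        comps = name.split("/")
        out = struct.pack(">III", 1, len(comps), len(realm)) + realm.encode()
        return out + b"".join(struct.pack(">I", len(c)) + c.encode() for c in comps)
    out = struct.pack(">HH", 0x0504, 0) + princ(client)         # v4, empty header
    for server, tlen in creds:
        out += princ(client) + princ(server) + struct.pack(">HI", 18, 0)  # empty key
        out += struct.pack(">IIIIBI", 0, 0, 0, 0, 0, 0) + struct.pack(">II", 0, 0)
        out += struct.pack(">I", tlen) + b"\x00" * tlen + struct.pack(">I", 0)
    return out
```

Run `ticket_sizes(open("/tmp/krb5cc_0", "rb").read())` after each kinit in the sequence above; entries whose server realm is `X-CACHECONF:` are libkrb5 configuration records, not service tickets.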

Rename "trusts" component to "Trusts" to achieve correct sorting.

Closing as a duplicate of #4153.

Metadata Update from @steeve:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago