Bug 970620

Summary: [RFE] pac-type change must be effective immediately without kdc restart
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED DUPLICATE QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: mkosek
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-07 17:19:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2013-06-04 13:15:58 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3626

Global change in pac type requires kdc restart to be effective. Such change must be effective immediately without kdc restart
{{{
* When default pac-type is MS-PAC to start with

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:49:11  05/15/13 00:49:08  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:49 /tmp/krb5cc_0

* Change PAC type to PAD

[root@gondola ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@gondola ~]# kinit admin
Password for admin:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:51:47  05/15/13 00:51:44  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:51 /tmp/krb5cc_0  # Size is same as when pac type was MS-PAC

* Restarted ipa

[root@gondola ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
ipa: INFO: The ipactl command was successful

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:53 /tmp/krb5cc_0

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:54:04  05/15/13 00:54:01  krbtgt/TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:54 /tmp/krb5cc_0 # Size is much less

* Changed back to MS-PAC

[root@gondola ~]# ipa config-mod --pac-type MS-PAC
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:55 /tmp/krb5cc_0  # no change in size

[root@gondola ~]# kvno host/gondola.testrelm.com
host/gondola.testrelm.com: kvno = 2

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1221 May 14 00:56 /tmp/krb5cc_0

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com

* Restarted krb5kdc service

[root@gondola ~]# service krb5kdc restart
Redirecting to /bin/systemctl restart  krb5kdc.service

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
05/14/13 00:57:24  05/15/13 00:57:21  krbtgt/TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:57 /tmp/krb5cc_0
}}}

Comment 1 Martin Kosek 2014-02-07 17:19:45 UTC

*** This bug has been marked as a duplicate of bug 970618 ***