Bug 970620 - [RFE] pac-type change must be effective immediately without kdc restart
Status: CLOSED DUPLICATE of bug 970618
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: Namita Soman
Keywords: FutureFeature
Depends On:
Blocks:
Reported: 2013-06-04 09:15 EDT by Dmitri Pal
Modified: 2014-02-07 12:19 EST (History)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-07 12:19:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments: None
Description Dmitri Pal 2013-06-04 09:15:58 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3626

Global change in pac type requires kdc restart to be effective. Such a change must be effective immediately without a kdc restart.
{{{
* When default pac-type is MS-PAC to start with

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:49:11  05/15/13 00:49:08  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:49 /tmp/krb5cc_0

* Change PAC type to PAD

[root@gondola ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:51:47  05/15/13 00:51:44  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:51 /tmp/krb5cc_0  # Size is same as when pac type was MS-PAC

* Restarted ipa

[root@gondola ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
ipa: INFO: The ipactl command was successful

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:53 /tmp/krb5cc_0

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:54:04  05/15/13 00:54:01  krbtgt/TESTRELM.COM@TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:54 /tmp/krb5cc_0 # Size is much less

* Changed back to MS-PAC

[root@gondola ~]# ipa config-mod --pac-type MS-PAC
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:55 /tmp/krb5cc_0  # no change in size

[root@gondola ~]# kvno host/gondola.testrelm.com@TESTRELM.COM
host/gondola.testrelm.com@TESTRELM.COM: kvno = 2

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1221 May 14 00:56 /tmp/krb5cc_0

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com@TESTRELM.COM

* Restarted krb5kdc service

[root@gondola ~]# service krb5kdc restart
Redirecting to /bin/systemctl restart  krb5kdc.service

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:55:24  05/15/13 00:55:21  krbtgt/TESTRELM.COM@TESTRELM.COM
05/14/13 00:56:09  05/15/13 00:55:21  host/gondola.testrelm.com@TESTRELM.COM

[root@gondola ~]# kdestroy 

[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
05/14/13 00:57:24  05/15/13 00:57:21  krbtgt/TESTRELM.COM@TESTRELM.COM

[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:57 /tmp/krb5cc_0
}}}
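The reproducer above uses the byte size of /tmp/krb5cc_0 as a proxy for whether the TGT carries a PAC, because the PAC sits in the ticket's KDC-encrypted part and is never visible to the client. The script below is an added example, not part of this bug report or of FreeIPA: it parses the MIT Kerberos FILE ccache format (version 4) and reports each credential's encrypted ticket length, so the same check can be made per ticket after a fresh kinit instead of by eyeballing ls output. The ccache bytes it builds for demonstration are constructed; build_credential and build_ccache exist only to produce that sample and the key material and timestamps in it are dummy values.

```python
"""Report the encrypted ticket size of every credential in a MIT FILE ccache (v4).
Added example for the PAC-type bug above; the sample ccache bytes are constructed."""
import struct
import sys

# ---- serializer, used only to construct an offline sample ---------------------

def _cos(data: bytes) -> bytes:
    """Counted octet string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _principal(realm: str, components, name_type: int = 1) -> bytes:
    out = struct.pack(">II", name_type, len(components)) + _cos(realm.encode())
    for comp in components:
        out += _cos(comp.encode())
    return out

def build_credential(client, server, ticket: bytes, enctype: int = 18) -> bytes:
    """One v4 credential record with a dummy session key and zeroed times/flags."""
    cred = _principal(*client) + _principal(*server)
    cred += struct.pack(">H", enctype) + _cos(b"\x00" * 32)  # keyblock: enctype + key (dummy)
    cred += struct.pack(">IIII", 0, 0, 0, 0)                 # authtime, starttime, endtime, renew_till
    cred += b"\x00" + struct.pack(">I", 0)                   # is_skey, ticket_flags
    cred += struct.pack(">I", 0)                             # no addresses
    cred += struct.pack(">I", 0)                             # no authdata: the client never sees the PAC
    cred += _cos(ticket) + _cos(b"")                         # ticket (opaque blob), second_ticket
    return cred

def build_ccache(default_principal, credentials) -> bytes:
    """File header (version 0x0504, one DeltaTime tag), default principal, credentials."""
    header = b"\x05\x04" + struct.pack(">H", 12) + struct.pack(">HHii", 1, 8, 0, 0)
    return header + _principal(*default_principal) + b"".join(credentials)

# ---- parser -------------------------------------------------------------------

class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def cos(self): return self.take(self.u32())
    def principal(self) -> str:
        self.u32()                                  # name type, not needed here
        count = self.u32()
        realm = self.cos().decode()
        return "/".join(self.cos().decode() for _ in range(count)) + "@" + realm
    def at_end(self): return self.pos >= len(self.data)

def parse_ccache(data: bytes):
    """Return (default principal, list of {client, server, ticket_len}) for a v4 FILE ccache."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only FILE ccache format version 4 is handled here")
    r.take(r.u16())                                 # skip header tags
    default = r.principal()
    creds = []
    while not r.at_end():
        client, server = r.principal(), r.principal()
        r.u16(); r.cos()                            # keyblock
        r.take(16)                                  # four timestamps
        r.u8(); r.u32()                             # is_skey, ticket_flags
        for _ in range(r.u32()): r.u16(); r.cos()   # addresses
        for _ in range(r.u32()): r.u16(); r.cos()   # authdata
        ticket = r.cos(); r.cos()                   # ticket, second_ticket
        creds.append({"client": client, "server": server, "ticket_len": len(ticket)})
    return default, creds

def ticket_sizes(data: bytes) -> dict:
    """Map server principal -> encrypted ticket length, skipping ccache config pseudo-entries."""
    _, creds = parse_ccache(data)
    return {c["server"]: c["ticket_len"] for c in creds
            if not c["server"].endswith("@X-CACHECONF:")}

# ---- constructed sample: same principals as the bug, arbitrary ticket blobs -----
REALM = "TESTRELM.COM"
ADMIN = (REALM, ["admin"])
TGT = (REALM, ["krbtgt", REALM])
CONF = ("X-CACHECONF:", ["krb5_ccache_conf_data", "fast_avail", "krbtgt/TESTRELM.COM@TESTRELM.COM"])
SAMPLE_WITH_PAC = build_ccache(ADMIN, [build_credential(ADMIN, TGT, b"\xaa" * 900),
                                       build_credential(ADMIN, CONF, b"yes")])
SAMPLE_WITHOUT_PAC = build_ccache(ADMIN, [build_credential(ADMIN, TGT, b"\xaa" * 340)])

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/krb5cc_0"
    with open(path, "rb") as fh:
        blob = fh.read()
    print("default principal:", parse_ccache(blob)[0])
    for server, size in ticket_sizes(blob).items():
        print(f"{size:6d} bytes  {server}")
```

Run against a real cache with `python3 ccache_sizes.py /tmp/krb5cc_0` (the file name is hypothetical). After a fresh kinit, a krbtgt ticket that is several hundred bytes larger than the no-PAC baseline indicates the KDC included a PAC; a size that stays put after `ipa config-mod --pac-type` is exactly the symptom reported here, and the per-ticket figure is a more reliable comparison than the whole-file size, which also counts session keys and config entries.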
Comment 1 Martin Kosek 2014-02-07 12:19:45 EST

*** This bug has been marked as a duplicate of bug 970618 ***
