From 0464676294273a8a5d71cafef99062c69d5eafdb Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 20 Dec 2016 05:26:30 +0000
Subject: [PATCH] Force combined keytab ownership

Signed-off-by: Patrick Uiterwijk
---
 playbooks/groups/ipa.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/playbooks/groups/ipa.yml b/playbooks/groups/ipa.yml
index de4cfd59eb..795bab5630 100644
--- a/playbooks/groups/ipa.yml
+++ b/playbooks/groups/ipa.yml
@@ -60,6 +60,14 @@
 tags:
 - krb5
 - ipa/server
+ - name: Set owner and permissions on combined keytab
+ file: path="/etc/krb5.HTTP_id{{env_suffix}}.fedoraproject.org.keytab.combined"
+ owner=apache
+ group=apache
+ mode=0600
+ tags:
+ - krb5
+ - ipa/server
 # original: /etc/httpd/conf/ipa.keytab
 - name: Make IPA HTTP use the combined keytab
 lineinfile: dest=/etc/httpd/conf.d/ipa.conf
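Review bot: The added task makes apache the owner and sole writer of the combined keytab (`owner=apache group=apache mode=0600`), so any code running as the httpd user can overwrite the HTTP service keys as well as read them. httpd only needs to read the file, so `owner=root group=apache mode=0640` would keep it readable to the web server while leaving writes to root; this assumes no other account in the apache group should be kept away from it. The task that builds the `.keytab.combined` file is outside this hunk, so confirm it creates the file with a restrictive mode. If it does not, the keytab sits with default permissions until this task runs, and a failed or tag-filtered run could leave it that way. The trailing `lineinfile` task is also cut off by the hunk, so its remaining arguments were not reviewed.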