On 11/19/2013 12:35 PM, Petr Viktorin wrote: > On 11/05/2013 07:22 PM, Martin Kosek wrote: >> Server and client installer should allow kernel keyring ccache when >> supported. > > The patch needs a rebase.
Rebased. > > Can you add a function to check if persistent key is supported? It would > remove > some code duplication. Makes sense, this will make the code prettier. Fixed. > > How do I enable the kernel keyring? On f20 I get this: > > 2013-11-19T11:28:07Z DEBUG Starting external process > 2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0 > 2013-11-19T11:28:07Z DEBUG Process finished, return code=1 > 2013-11-19T11:28:07Z DEBUG stdout= > 2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked It should be enabled out of the box. But there were some initial issues with the persistent keyring in the first kernel versions that supported it; hopefully this was just a fluke that has since disappeared. This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64: # keyctl get_persistent @s 0 637466038 Martin
From 6315b801ba39ba9687fe748b8d85ab98ced5c16b Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 29 Nov 2013 13:29:20 +0100
Subject: [PATCH] Allow kernel keyring CCACHE when supported

Server and client installer should allow kernel keyring ccache when supported.

https://fedorahosted.org/freeipa/ticket/4013
---
 install/share/krb5.conf.template | 2 +-
 ipa-client/ipa-install/ipa-client-install | 7 +++++++
 ipapython/kernel_keyring.py | 17 +++++++++++++++++
 ipaserver/install/krbinstance.py | 10 ++++++++++
 4 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6ddd88edd1f 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
-
+$OTHER_LIBDEFAULTS
 [realms]
 $REALM = {
 kdc = $FQDN:88
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8e4695b42e9178725353dee2a4797a8da9b635b3..a898d388ee039752044008f8525424370098580a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -43,6 +43,7 @@ try:
 run, user_input, CalledProcessError, file_exists, realm_to_suffix)
 import ipapython.services as ipaservices
 from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
+ from ipapython import kernel_keyring
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors
 from ipalib import x509
@@ -926,6 +927,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
 libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ libopts.append({'name':'default_ccache_name', 'type':'option',
+ 'value':'KEYRING:persistent:%{uid}'})
+
 opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
 opts.append({'name':'empty', 'type':'empty'})
diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
index 547dd3de6b45295910b66982e99886135c06335b..d30531cabaee5c12376f0821a21a6f63cd60397c 100644
--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@@ -17,6 +17,8 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
+import os
+
 from ipapython.ipautil import run
 # NOTE: Absolute path not required for keyctl since we reset the environment
@@ -47,6 +49,21 @@ def get_real_key(key):
 raise ValueError('key %s not found' % key)
 return stdout.rstrip()
+def get_persistent_key(key):
+ (stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
+ if rc:
+ raise ValueError('persistent key %s not found' % key)
+ return stdout.rstrip()
+
+def is_persistent_keyring_supported():
+ uid = os.geteuid()
+ try:
+ get_persistent_key(str(uid))
+ except ValueError:
+ return False
+
+ return True
+
 def has_key(key):
 """
 Returns True/False whether the key exists in the keyring.
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 98687a4002cd7b19faea03acc552759e962d8832..f1fa827d89a31f9d6d4cb7f7a78a2680f983565a 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
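Review bot: The unsupported branch in configure_krb5_conf is silent: when is_persistent_keyring_supported() returns False nothing is logged here, whereas the krbinstance.py hunk in this same patch logs `root_logger.debug("Persistent keyring CCACHE is not enabled")` in an else branch; add the same else branch so a client install that ends up without the keyring ccache can be diagnosed from the log. The literal `KEYRING:persistent:%{uid}` is also spelled out twice in this patch (here and in krbinstance.py); one constant in ipapython.kernel_keyring would keep the two installers from drifting. The probe runs in the installer's own process, so the value written into the system-wide krb5.conf reflects the installing euid's keyring (presumably root's) at install time rather than the users who will later read the file — worth a one-line comment above the `if`. configure_krb5_conf starts and ends outside the hunk.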
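Review bot: is_persistent_keyring_supported() only catches ValueError, so if `keyctl` itself cannot be executed (binary not installed) the exception from run() — presumably an OSError from the process spawn, since raiseonerr=False only covers a non-zero exit — propagates and aborts the installer instead of disabling the feature; `except (ValueError, OSError):` would make the probe fail closed, assuming run() does not translate that error itself. get_persistent_key() discards stderr even though the thread above shows the probe failing with `keyctl_get_persistent: Key has been revoked` on a kernel that does support the feature; `raise ValueError('persistent key %s not found: %s' % (key, stderr.strip()))` lets the callers' debug line say why the ccache was not enabled. Both new functions lack the docstring has_key() has; I would add to get_persistent_key `"""Return the persistent keyring id for key (a uid) via keyctl get_persistent; raises ValueError on failure."""` and, on the predicate, a note that the result reflects os.geteuid() of the calling process and that keyctl get_persistent may create the keyring as a side effect (confirm against keyctl(1)).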
@@ -31,6 +31,7 @@ from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
+from ipapython import kernel_keyring
 from ipalib import errors
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@@ -252,6 +253,15 @@ def __setup_sub_dict(self):
 dr_map = ""
 self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ self.sub_dict['OTHER_LIBDEFAULTS'] = \
+ " default_ccache_name = KEYRING:persistent:%{uid}\n"
+ else:
+ root_logger.debug("Persistent keyring CCACHE is not enabled")
+ self.sub_dict['OTHER_LIBDEFAULTS'] = ''
+
 def __configure_sasl_mappings(self):
 # we need to remove any existing SASL mappings in the directory as otherwise they
 # they may conflict.
-- 
1.8.3.1