On 12/02/2013 03:42 PM, Simo Sorce wrote:
On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:
On 12/02/2013 02:01 PM, Martin Kosek wrote:
On 12/02/2013 01:58 PM, Petr Viktorin wrote:
On 11/29/2013 01:48 PM, Martin Kosek wrote:
On 11/19/2013 12:35 PM, Petr Viktorin wrote:
On 11/05/2013 07:22 PM, Martin Kosek wrote:
Server and client installer should allow kernel keyring ccache when
supported.



How do I enable the kernel keyring? On f20 I get this:

2013-11-19T11:28:07Z DEBUG Starting external process
2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
2013-11-19T11:28:07Z DEBUG Process finished, return code=1
2013-11-19T11:28:07Z DEBUG stdout=
2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked

It should be enabled out of the box. But there were some initial issues with
persistent keyring in the first versions of kernel with a support, hopefully
this was just a fluke which disappeared.

This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

# keyctl get_persistent @s 0
637466038

With kernel-3.11.10-300.fc20.x86_64, I get an error again:
$ keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked

Not sure if it is a typo, but you won't surely get a root's keyring as a
non-root user...

It is just a typo, but it looks like you got me on the right track.
keyctl apparently needs a real root login:

$ sudo keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked

$ sudo su
# keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked
# exit

$ sudo su -
Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
# keyctl get_persistent @s 0
968622527
# logout


Please use "sudo -i" to get an interactive 'login' shell.

Unsurprisingly, when ipa-server-install is run from sudo, it complains
that the key is unsupported. From a root login all is OK.

Is that expected?

You should run ipa-server-install using a login shell I think.
Should we open a bug to detect this and fail ?

It's always worked with just sudo for me. So yes, if it's required I think we should enforce it.

--
PetrĀ³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to