Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-09 Thread Petr Viktorin

On 12/06/2013 03:00 PM, Simo Sorce wrote:

On Fri, 2013-12-06 at 13:42 +0100, Martin Kosek wrote:

On 12/02/2013 05:20 PM, Alexander Bokovoy wrote:

On Mon, 02 Dec 2013, Martin Kosek wrote:

On 12/02/2013 04:05 PM, Petr Viktorin wrote:

On 12/02/2013 03:42 PM, Simo Sorce wrote:

On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:

On 12/02/2013 02:01 PM, Martin Kosek wrote:

On 12/02/2013 01:58 PM, Petr Viktorin wrote:

On 11/29/2013 01:48 PM, Martin Kosek wrote:

On 11/19/2013 12:35 PM, Petr Viktorin wrote:

On 11/05/2013 07:22 PM, Martin Kosek wrote:

Server and client installer should allow kernel keyring ccache when
supported.




How do I enable the kernel keyring? On f20 I get this:

2013-11-19T11:28:07Z DEBUG Starting external process
2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
2013-11-19T11:28:07Z DEBUG Process finished, return code=1
2013-11-19T11:28:07Z DEBUG stdout=
2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been
revoked


It should be enabled out of the box. But there were some initial issues
with the persistent keyring in the first kernel versions that supported it;
hopefully this was just a fluke which disappeared.

This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

# keyctl get_persistent @s 0
637466038


With kernel-3.11.10-300.fc20.x86_64, I get an error again:
$ keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked


Not sure if it is a typo, but you surely won't get root's keyring as a
non-root user...


It is just a typo, but it looks like you got me on the right track.
keyctl apparently needs a real root login:

$ sudo keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked

$ sudo su
# keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked
# exit

$ sudo su -
Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
# keyctl get_persistent @s 0
968622527
# logout



Please use "sudo -i" to get an interactive 'login' shell.


Unsurprisingly, when ipa-server-install is run from sudo, it complains
that the key is unsupported. From a root login all is OK.

Is that expected?


You should run ipa-server-install using a login shell I think.
Should we open a bug to detect this and fail?


It's always worked with just sudo for me. So yes, if it's required I think we
should enforce it.



Simo or Alexander, is there some way to find that out in a clean way? I mean if
we are in an interactive login shell. Ideally, please also file a bug with this
information :)

Interactive or login? These two are a bit different.

There is no general way because not all shells implement a common approach
to detect this. For example,
 echo $- | grep -q i

would work in a Bourne-style shell for an interactive shell,

 shopt -q login_shell

would give you a login shell detector in bash, but

 test $options[LOGIN] = on

would work for a login shell in zsh; similarly, the INTERACTIVE index would
give you the state of the interactive shell.




I meant a login shell, so that we do not have problems with checking the
get_persistent keyctl command.

I still do not fully understand the keyctl behavior; it is working on my
kernel-3.11.9-300.fc20.x86_64 even with plain "sudo":

$ sudo keyctl get_persistent @s 0


I think the previous behavior was caused by the improper selinux handling
in the kernel, and is fixed in the latest kernel. There is indeed no
reason why get_persistent shouldn't work for non-login shell unless
selinux policy explicitly disallows it for sudo like programs.


Anyway, any opinions on this particular patch? I'd prefer to get it in soon and
file an enhancement ticket for the login terminal detection, if needed.


I do not have any objections.

Simo.


ACK, pushed to
* master: 9677308caa78ed722570aea32f21334b8c27bad3
* ipa-3-3: 5b2ce3c5a57e8193ee1c6d23c4e79c3b2b62cb05


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
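The keyctl probe that the thread runs by hand, as an added example that is not code from the thread or the FreeIPA patch: it keeps keyctl's return code and stderr so that the "Key has been revoked" outcome seen under plain sudo is reported as such rather than collapsed into a bare "unsupported". The `runner` parameter and the `FakeKeyctl` class are assumptions of this example so the classification can be exercised offline with constructed output.

```python
"""Diagnose the persistent kernel keyring probe discussed in this thread.

Added example, not code from the FreeIPA patch or from the thread. It runs
the same `keyctl get_persistent @s <uid>` command the thread is typing by
hand, but keeps keyctl's return code and stderr so the outcome can be
reported precisely. The `runner` parameter and FakeKeyctl are assumptions
of this example so the logic can be exercised offline.
"""
import os
import subprocess
from collections import namedtuple

# Session keyring, the same "@s" argument used throughout the thread.
KEYRING = "@s"

ProbeResult = namedtuple("ProbeResult", "supported reason key_id")


def run_keyctl(args):
    """Real runner: execute keyctl and return (rc, stdout, stderr)."""
    try:
        proc = subprocess.run(["keyctl"] + list(args), capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        # Same shape a shell would report for a missing binary.
        return 127, "", "keyctl: command not found"
    return proc.returncode, proc.stdout, proc.stderr


class FakeKeyctl:
    """Offline stand-in for run_keyctl (assumption of this example): replays
    constructed output and records the arguments it was called with."""

    def __init__(self, rc, stdout, stderr):
        self.rc, self.stdout, self.stderr = rc, stdout, stderr
        self.calls = []

    def __call__(self, args):
        self.calls.append(list(args))
        return self.rc, self.stdout, self.stderr


def classify_keyctl_output(rc, stdout, stderr):
    """Map a keyctl get_persistent result onto a ProbeResult."""
    if rc == 0:
        key_id = stdout.strip()
        if key_id.isdigit():  # keyctl prints the key serial, e.g. 637466038
            return ProbeResult(True, "persistent keyring available", key_id)
        return ProbeResult(False, "unexpected keyctl output: %r" % key_id, None)
    err = stderr.strip()
    if rc == 127 or "command not found" in err:
        return ProbeResult(False, "keyctl not installed", None)
    if "Key has been revoked" in err:
        # The thread saw this under plain sudo but not in a login shell
        # ("sudo -i"); say so, instead of reporting a generic failure.
        return ProbeResult(False, "persistent keyring revoked in this session "
                           "(seen under plain sudo; retry from a login shell "
                           "such as 'sudo -i')", None)
    if "Operation not supported" in err:
        # Kernels without KEYCTL_GET_PERSISTENT fail with EOPNOTSUPP
        # (assumption based on the keyctl syscall's default case).
        return ProbeResult(False, "kernel lacks persistent keyring support", None)
    return ProbeResult(False, "keyctl failed (rc=%d): %s" % (rc, err), None)


def probe_persistent_keyring(uid=None, runner=run_keyctl):
    """Probe the persistent keyring for `uid` (default: effective uid)."""
    if uid is None:
        uid = os.geteuid()
    rc, out, err = runner(["get_persistent", KEYRING, str(uid)])
    return classify_keyctl_output(rc, out, err)


if __name__ == "__main__":
    # Replay the exact stderr from the thread's DEBUG log (constructed here).
    replay = FakeKeyctl(1, "", "keyctl_get_persistent: Key has been revoked\n")
    print("replayed:", probe_persistent_keyring(0, runner=replay))
    # Then ask the running kernel about the current user.
    print("live:", probe_persistent_keyring())
```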

Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-06 Thread Simo Sorce
On Fri, 2013-12-06 at 13:42 +0100, Martin Kosek wrote:
> On 12/02/2013 05:20 PM, Alexander Bokovoy wrote:
> > On Mon, 02 Dec 2013, Martin Kosek wrote:
> >> On 12/02/2013 04:05 PM, Petr Viktorin wrote:
> >>> On 12/02/2013 03:42 PM, Simo Sorce wrote:
>  On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:
> > On 12/02/2013 02:01 PM, Martin Kosek wrote:
> >> On 12/02/2013 01:58 PM, Petr Viktorin wrote:
> >>> On 11/29/2013 01:48 PM, Martin Kosek wrote:
>  On 11/19/2013 12:35 PM, Petr Viktorin wrote:
> > On 11/05/2013 07:22 PM, Martin Kosek wrote:
> >> Server and client installer should allow kernel keyring ccache when
> >> supported.
> >>>
> >
> > How do I enable the kernel keyring? On f20 I get this:
> >
> > 2013-11-19T11:28:07Z DEBUG Starting external process
> > 2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
> > 2013-11-19T11:28:07Z DEBUG Process finished, return code=1
> > 2013-11-19T11:28:07Z DEBUG stdout=
> > 2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has 
> > been
> > revoked
> 
>  It should be enabled out of the box. But there were some initial issues
>  with the persistent keyring in the first kernel versions that supported it;
>  hopefully this was just a fluke which disappeared.
> 
>  This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:
> 
>  # keyctl get_persistent @s 0
>  637466038
> >>>
> >>> With kernel-3.11.10-300.fc20.x86_64, I get an error again:
> >>> $ keyctl get_persistent @s 0
> >>> keyctl_get_persistent: Key has been revoked
> >>
> >> Not sure if it is a typo, but you surely won't get root's keyring as a
> >> non-root user...
> >
> > It is just a typo, but it looks like you got me on the right track.
> > keyctl apparently needs a real root login:
> >
> > $ sudo keyctl get_persistent @s 0
> > keyctl_get_persistent: Key has been revoked
> >
> > $ sudo su
> > # keyctl get_persistent @s 0
> > keyctl_get_persistent: Key has been revoked
> > # exit
> >
> > $ sudo su -
> > Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
> > # keyctl get_persistent @s 0
> > 968622527
> > # logout
> >
> 
>  Please use "sudo -i" to get an interactive 'login' shell.
> 
> > Unsurprisingly, when ipa-server-install is run from sudo, it complains
> > that the key is unsupported. From a root login all is OK.
> >
> > Is that expected?
> 
>  You should run ipa-server-install using a login shell I think.
>  Should we open a bug to detect this and fail?
> >>>
> >>> It's always worked with just sudo for me. So yes, if it's required I 
> >>> think we
> >>> should enforce it.
> >>>
> >>
> >> Simo or Alexander, is there some way to find that out in a clean way? I 
> >> mean if
> >> we are in an interactive login shell. Ideally, please also file a bug with 
> >> this
> >> information :)
> > Interactive or login? These two are a bit different.
> > 
> > There is no general way because not all shells implement a common approach
> > to detect this. For example,
> > echo $- | grep -q i
> > 
> > would work in a Bourne-style shell for an interactive shell,
> > 
> > shopt -q login_shell
> > 
> > would give you a login shell detector in bash, but
> > 
> > test $options[LOGIN] = on
> > 
> > would work for a login shell in zsh; similarly, the INTERACTIVE index would
> > give you the state of the interactive shell.
> > 
> > 
> 
> I meant a login shell, so that we do not have problems with checking the
> get_persistent keyctl command.
> 
> I still do not fully understand the keyctl behavior; it is working on my
> kernel-3.11.9-300.fc20.x86_64 even with plain "sudo":
> 
> $ sudo keyctl get_persistent @s 0

I think the previous behavior was caused by the improper selinux handling
in the kernel, and is fixed in the latest kernel. There is indeed no
reason why get_persistent shouldn't work for non-login shell unless
selinux policy explicitly disallows it for sudo like programs.

> Anyway, any opinions on this particular patch? I'd prefer to get it in soon and
> file an enhancement ticket for the login terminal detection, if needed.

I do not have any objections.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-06 Thread Martin Kosek
On 12/02/2013 05:20 PM, Alexander Bokovoy wrote:
> On Mon, 02 Dec 2013, Martin Kosek wrote:
>> On 12/02/2013 04:05 PM, Petr Viktorin wrote:
>>> On 12/02/2013 03:42 PM, Simo Sorce wrote:
 On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:
> On 12/02/2013 02:01 PM, Martin Kosek wrote:
>> On 12/02/2013 01:58 PM, Petr Viktorin wrote:
>>> On 11/29/2013 01:48 PM, Martin Kosek wrote:
 On 11/19/2013 12:35 PM, Petr Viktorin wrote:
> On 11/05/2013 07:22 PM, Martin Kosek wrote:
>> Server and client installer should allow kernel keyring ccache when
>> supported.
>>>
>
> How do I enable the kernel keyring? On f20 I get this:
>
> 2013-11-19T11:28:07Z DEBUG Starting external process
> 2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
> 2013-11-19T11:28:07Z DEBUG Process finished, return code=1
> 2013-11-19T11:28:07Z DEBUG stdout=
> 2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been
> revoked

 It should be enabled out of the box. But there were some initial issues
 with the persistent keyring in the first kernel versions that supported it;
 hopefully this was just a fluke which disappeared.

 This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

 # keyctl get_persistent @s 0
 637466038
>>>
>>> With kernel-3.11.10-300.fc20.x86_64, I get an error again:
>>> $ keyctl get_persistent @s 0
>>> keyctl_get_persistent: Key has been revoked
>>
>> Not sure if it is a typo, but you surely won't get root's keyring as a
>> non-root user...
>
> It is just a typo, but it looks like you got me on the right track.
> keyctl apparently needs a real root login:
>
> $ sudo keyctl get_persistent @s 0
> keyctl_get_persistent: Key has been revoked
>
> $ sudo su
> # keyctl get_persistent @s 0
> keyctl_get_persistent: Key has been revoked
> # exit
>
> $ sudo su -
> Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
> # keyctl get_persistent @s 0
> 968622527
> # logout
>

 Please use "sudo -i" to get an interactive 'login' shell.

> Unsurprisingly, when ipa-server-install is run from sudo, it complains
> that the key is unsupported. From a root login all is OK.
>
> Is that expected?

 You should run ipa-server-install using a login shell I think.
 Should we open a bug to detect this and fail?
>>>
>>> It's always worked with just sudo for me. So yes, if it's required I think 
>>> we
>>> should enforce it.
>>>
>>
>> Simo or Alexander, is there some way to find that out in a clean way? I mean 
>> if
>> we are in an interactive login shell. Ideally, please also file a bug with 
>> this
>> information :)
> Interactive or login? These two are a bit different.
> 
> There is no general way because not all shells implement a common approach
> to detect this. For example,
> echo $- | grep -q i
> 
> would work in a Bourne-style shell for an interactive shell,
> 
> shopt -q login_shell
> 
> would give you a login shell detector in bash, but
> 
> test $options[LOGIN] = on
> 
> would work for a login shell in zsh; similarly, the INTERACTIVE index would
> give you the state of the interactive shell.
> 
> 

I meant a login shell, so that we do not have problems with checking the
get_persistent keyctl command.

I still do not fully understand the keyctl behavior; it is working on my
kernel-3.11.9-300.fc20.x86_64 even with plain "sudo":

$ sudo keyctl get_persistent @s 0

Anyway, any opinions on this particular patch? I'd prefer to get it in soon and
file an enhancement ticket for the login terminal detection, if needed.

Martin



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-02 Thread Alexander Bokovoy

On Mon, 02 Dec 2013, Martin Kosek wrote:

On 12/02/2013 04:05 PM, Petr Viktorin wrote:

On 12/02/2013 03:42 PM, Simo Sorce wrote:

On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:

On 12/02/2013 02:01 PM, Martin Kosek wrote:

On 12/02/2013 01:58 PM, Petr Viktorin wrote:

On 11/29/2013 01:48 PM, Martin Kosek wrote:

On 11/19/2013 12:35 PM, Petr Viktorin wrote:

On 11/05/2013 07:22 PM, Martin Kosek wrote:

Server and client installer should allow kernel keyring ccache when
supported.




How do I enable the kernel keyring? On f20 I get this:

2013-11-19T11:28:07Z DEBUG Starting external process
2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
2013-11-19T11:28:07Z DEBUG Process finished, return code=1
2013-11-19T11:28:07Z DEBUG stdout=
2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been
revoked


It should be enabled out of the box. But there were some initial issues with
the persistent keyring in the first kernel versions that supported it; hopefully
this was just a fluke which disappeared.

This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

# keyctl get_persistent @s 0
637466038


With kernel-3.11.10-300.fc20.x86_64, I get an error again:
$ keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked


Not sure if it is a typo, but you surely won't get root's keyring as a
non-root user...


It is just a typo, but it looks like you got me on the right track.
keyctl apparently needs a real root login:

$ sudo keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked

$ sudo su
# keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked
# exit

$ sudo su -
Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
# keyctl get_persistent @s 0
968622527
# logout



Please use "sudo -i" to get an interactive 'login' shell.


Unsurprisingly, when ipa-server-install is run from sudo, it complains
that the key is unsupported. From a root login all is OK.

Is that expected?


You should run ipa-server-install using a login shell I think.
Should we open a bug to detect this and fail?


It's always worked with just sudo for me. So yes, if it's required I think we
should enforce it.



Simo or Alexander, is there some way to find that out in a clean way? I mean if
we are in an interactive login shell. Ideally, please also file a bug with this
information :)

Interactive or login? These two are a bit different.

There is no general way because not all shells implement a common approach
to detect this. For example,

echo $- | grep -q i

would work in a Bourne-style shell for an interactive shell,

shopt -q login_shell

would give you a login shell detector in bash, but

test $options[LOGIN] = on

would work for a login shell in zsh; similarly, the INTERACTIVE index would
give you the state of the interactive shell.


--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-02 Thread Martin Kosek
On 12/02/2013 04:05 PM, Petr Viktorin wrote:
> On 12/02/2013 03:42 PM, Simo Sorce wrote:
>> On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:
>>> On 12/02/2013 02:01 PM, Martin Kosek wrote:
 On 12/02/2013 01:58 PM, Petr Viktorin wrote:
> On 11/29/2013 01:48 PM, Martin Kosek wrote:
>> On 11/19/2013 12:35 PM, Petr Viktorin wrote:
>>> On 11/05/2013 07:22 PM, Martin Kosek wrote:
 Server and client installer should allow kernel keyring ccache when
 supported.
>
>>>
>>> How do I enable the kernel keyring? On f20 I get this:
>>>
>>> 2013-11-19T11:28:07Z DEBUG Starting external process
>>> 2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
>>> 2013-11-19T11:28:07Z DEBUG Process finished, return code=1
>>> 2013-11-19T11:28:07Z DEBUG stdout=
>>> 2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been
>>> revoked
>>
>> It should be enabled out of the box. But there were some initial issues
>> with the persistent keyring in the first kernel versions that supported it;
>> hopefully this was just a fluke which disappeared.
>>
>> This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:
>>
>> # keyctl get_persistent @s 0
>> 637466038
>
> With kernel-3.11.10-300.fc20.x86_64, I get an error again:
> $ keyctl get_persistent @s 0
> keyctl_get_persistent: Key has been revoked

 Not sure if it is a typo, but you surely won't get root's keyring as a
 non-root user...
>>>
>>> It is just a typo, but it looks like you got me on the right track.
>>> keyctl apparently needs a real root login:
>>>
>>> $ sudo keyctl get_persistent @s 0
>>> keyctl_get_persistent: Key has been revoked
>>>
>>> $ sudo su
>>> # keyctl get_persistent @s 0
>>> keyctl_get_persistent: Key has been revoked
>>> # exit
>>>
>>> $ sudo su -
>>> Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
>>> # keyctl get_persistent @s 0
>>> 968622527
>>> # logout
>>>
>>
>> Please use "sudo -i" to get an interactive 'login' shell.
>>
>>> Unsurprisingly, when ipa-server-install is run from sudo, it complains
>>> that the key is unsupported. From a root login all is OK.
>>>
>>> Is that expected?
>>
>> You should run ipa-server-install using a login shell I think.
>> Should we open a bug to detect this and fail?
> 
> It's always worked with just sudo for me. So yes, if it's required I think we
> should enforce it.
> 

Simo or Alexander, is there some way to find that out in a clean way? I mean if
we are in an interactive login shell. Ideally, please also file a bug with this
information :)

Thanks,
Martin



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-02 Thread Petr Viktorin

On 12/02/2013 03:42 PM, Simo Sorce wrote:

On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:

On 12/02/2013 02:01 PM, Martin Kosek wrote:

On 12/02/2013 01:58 PM, Petr Viktorin wrote:

On 11/29/2013 01:48 PM, Martin Kosek wrote:

On 11/19/2013 12:35 PM, Petr Viktorin wrote:

On 11/05/2013 07:22 PM, Martin Kosek wrote:

Server and client installer should allow kernel keyring ccache when
supported.




How do I enable the kernel keyring? On f20 I get this:

2013-11-19T11:28:07Z DEBUG Starting external process
2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
2013-11-19T11:28:07Z DEBUG Process finished, return code=1
2013-11-19T11:28:07Z DEBUG stdout=
2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked


It should be enabled out of the box. But there were some initial issues with
the persistent keyring in the first kernel versions that supported it; hopefully
this was just a fluke which disappeared.

This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

# keyctl get_persistent @s 0
637466038


With kernel-3.11.10-300.fc20.x86_64, I get an error again:
$ keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked


Not sure if it is a typo, but you surely won't get root's keyring as a
non-root user...


It is just a typo, but it looks like you got me on the right track.
keyctl apparently needs a real root login:

$ sudo keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked

$ sudo su
# keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked
# exit

$ sudo su -
Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
# keyctl get_persistent @s 0
968622527
# logout



Please use "sudo -i" to get an interactive 'login' shell.


Unsurprisingly, when ipa-server-install is run from sudo, it complains
that the key is unsupported. From a root login all is OK.

Is that expected?


You should run ipa-server-install using a login shell I think.
Should we open a bug to detect this and fail?


It's always worked with just sudo for me. So yes, if it's required I 
think we should enforce it.


--
Petr³


Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-02 Thread Simo Sorce
On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:
> On 12/02/2013 02:01 PM, Martin Kosek wrote:
> > On 12/02/2013 01:58 PM, Petr Viktorin wrote:
> >> On 11/29/2013 01:48 PM, Martin Kosek wrote:
> >>> On 11/19/2013 12:35 PM, Petr Viktorin wrote:
>  On 11/05/2013 07:22 PM, Martin Kosek wrote:
> > Server and client installer should allow kernel keyring ccache when
> > supported.
> >>
> 
>  How do I enable the kernel keyring? On f20 I get this:
> 
>  2013-11-19T11:28:07Z DEBUG Starting external process
>  2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
>  2013-11-19T11:28:07Z DEBUG Process finished, return code=1
>  2013-11-19T11:28:07Z DEBUG stdout=
>  2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been 
>  revoked
> >>>
> >>> It should be enabled out of the box. But there were some initial issues
> >>> with the persistent keyring in the first kernel versions that supported it;
> >>> hopefully this was just a fluke which disappeared.
> >>>
> >>> This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:
> >>>
> >>> # keyctl get_persistent @s 0
> >>> 637466038
> >>
> >> With kernel-3.11.10-300.fc20.x86_64, I get an error again:
> >> $ keyctl get_persistent @s 0
> >> keyctl_get_persistent: Key has been revoked
> >
> > Not sure if it is a typo, but you surely won't get root's keyring as a
> > non-root user...
> 
> It is just a typo, but it looks like you got me on the right track. 
> keyctl apparently needs a real root login:
> 
> $ sudo keyctl get_persistent @s 0
> keyctl_get_persistent: Key has been revoked
> 
> $ sudo su
> # keyctl get_persistent @s 0
> keyctl_get_persistent: Key has been revoked
> # exit
> 
> $ sudo su -
> Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
> # keyctl get_persistent @s 0
> 968622527
> # logout
> 

Please use "sudo -i" to get an interactive 'login' shell.

> Unsurprisingly, when ipa-server-install is run from sudo, it complains 
> that the key is unsupported. From a root login all is OK.
> 
> Is that expected?

You should run ipa-server-install using a login shell I think.
Should we open a bug to detect this and fail?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-02 Thread Alexander Bokovoy

On Mon, 02 Dec 2013, Petr Viktorin wrote:

On 12/02/2013 02:01 PM, Martin Kosek wrote:

On 12/02/2013 01:58 PM, Petr Viktorin wrote:

On 11/29/2013 01:48 PM, Martin Kosek wrote:

On 11/19/2013 12:35 PM, Petr Viktorin wrote:

On 11/05/2013 07:22 PM, Martin Kosek wrote:

Server and client installer should allow kernel keyring ccache when
supported.




How do I enable the kernel keyring? On f20 I get this:

2013-11-19T11:28:07Z DEBUG Starting external process
2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
2013-11-19T11:28:07Z DEBUG Process finished, return code=1
2013-11-19T11:28:07Z DEBUG stdout=
2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked


It should be enabled out of the box. But there were some initial issues with
the persistent keyring in the first kernel versions that supported it; hopefully
this was just a fluke which disappeared.

This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

# keyctl get_persistent @s 0
637466038


With kernel-3.11.10-300.fc20.x86_64, I get an error again:
$ keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked


Not sure if it is a typo, but you surely won't get root's keyring as a
non-root user...


It is just a typo, but it looks like you got me on the right track. 
keyctl apparently needs a real root login:


$ sudo keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked

$ sudo su
# keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked
# exit

$ sudo su -
Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
# keyctl get_persistent @s 0
968622527
# logout


Unsurprisingly, when ipa-server-install is run from sudo, it 
complains that the key is unsupported. From a root login all is OK.


Is that expected?

Yes.

Unless you are using 'sudo -i', sudo is not equal to 'su -'.

Look at sudoers(5), section 'Command environment'.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-02 Thread Petr Viktorin

On 12/02/2013 02:01 PM, Martin Kosek wrote:

On 12/02/2013 01:58 PM, Petr Viktorin wrote:

On 11/29/2013 01:48 PM, Martin Kosek wrote:

On 11/19/2013 12:35 PM, Petr Viktorin wrote:

On 11/05/2013 07:22 PM, Martin Kosek wrote:

Server and client installer should allow kernel keyring ccache when
supported.




How do I enable the kernel keyring? On f20 I get this:

2013-11-19T11:28:07Z DEBUG Starting external process
2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
2013-11-19T11:28:07Z DEBUG Process finished, return code=1
2013-11-19T11:28:07Z DEBUG stdout=
2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked


It should be enabled out of the box. But there were some initial issues with
the persistent keyring in the first kernel versions that supported it; hopefully
this was just a fluke which disappeared.

This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

# keyctl get_persistent @s 0
637466038


With kernel-3.11.10-300.fc20.x86_64, I get an error again:
$ keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked


Not sure if it is a typo, but you surely won't get root's keyring as a
non-root user...


It is just a typo, but it looks like you got me on the right track. 
keyctl apparently needs a real root login:


$ sudo keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked

$ sudo su
# keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked
# exit

$ sudo su -
Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
# keyctl get_persistent @s 0
968622527
# logout


Unsurprisingly, when ipa-server-install is run from sudo, it complains 
that the key is unsupported. From a root login all is OK.


Is that expected?

--
Petr³



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-02 Thread Martin Kosek
On 12/02/2013 01:58 PM, Petr Viktorin wrote:
> On 11/29/2013 01:48 PM, Martin Kosek wrote:
>> On 11/19/2013 12:35 PM, Petr Viktorin wrote:
>>> On 11/05/2013 07:22 PM, Martin Kosek wrote:
 Server and client installer should allow kernel keyring ccache when
 supported.
> 
>>>
>>> How do I enable the kernel keyring? On f20 I get this:
>>>
>>> 2013-11-19T11:28:07Z DEBUG Starting external process
>>> 2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
>>> 2013-11-19T11:28:07Z DEBUG Process finished, return code=1
>>> 2013-11-19T11:28:07Z DEBUG stdout=
>>> 2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been 
>>> revoked
>>
>> It should be enabled out of the box. But there were some initial issues with
>> the persistent keyring in the first kernel versions that supported it; hopefully
>> this was just a fluke which disappeared.
>>
>> This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:
>>
>> # keyctl get_persistent @s 0
>> 637466038
> 
> With kernel-3.11.10-300.fc20.x86_64, I get an error again:
> $ keyctl get_persistent @s 0
> keyctl_get_persistent: Key has been revoked

Not sure if it is a typo, but you surely won't get root's keyring as a
non-root user...

Martin



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-12-02 Thread Petr Viktorin

On 11/29/2013 01:48 PM, Martin Kosek wrote:

On 11/19/2013 12:35 PM, Petr Viktorin wrote:

On 11/05/2013 07:22 PM, Martin Kosek wrote:

Server and client installer should allow kernel keyring ccache when
supported.




How do I enable the kernel keyring? On f20 I get this:

2013-11-19T11:28:07Z DEBUG Starting external process
2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
2013-11-19T11:28:07Z DEBUG Process finished, return code=1
2013-11-19T11:28:07Z DEBUG stdout=
2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked


It should be enabled out of the box. But there were some initial issues with
the persistent keyring in the first kernel versions that supported it; hopefully
this was just a fluke which disappeared.

This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

# keyctl get_persistent @s 0
637466038


With kernel-3.11.10-300.fc20.x86_64, I get an error again:
$ keyctl get_persistent @s 0
keyctl_get_persistent: Key has been revoked

I don't know much about the kernel keyring, so I'm lost as to what the 
message is trying to tell me.


--
Petr³



Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-11-29 Thread Martin Kosek
On 11/19/2013 12:35 PM, Petr Viktorin wrote:
> On 11/05/2013 07:22 PM, Martin Kosek wrote:
>> Server and client installer should allow kernel keyring ccache when
>> supported.
> 
> The patch needs a rebase.

Rebased.

> 
> Can you add a function to check if the persistent key is supported? It would
> remove some code duplication.

Makes sense, this will make the code prettier. Fixed.

> 
> How do I enable the kernel keyring? On f20 I get this:
> 
> 2013-11-19T11:28:07Z DEBUG Starting external process
> 2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
> 2013-11-19T11:28:07Z DEBUG Process finished, return code=1
> 2013-11-19T11:28:07Z DEBUG stdout=
> 2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked

It should be enabled out of the box. But there were some initial issues with
the persistent keyring in the first kernel versions that supported it; hopefully
this was just a fluke which disappeared.

This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:

# keyctl get_persistent @s 0
637466038

Martin
From 6315b801ba39ba9687fe748b8d85ab98ced5c16b Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Fri, 29 Nov 2013 13:29:20 +0100
Subject: [PATCH] Allow kernel keyring CCACHE when supported

Server and client installer should allow kernel keyring ccache when
supported.

https://fedorahosted.org/freeipa/ticket/4013
---
 install/share/krb5.conf.template  |  2 +-
 ipa-client/ipa-install/ipa-client-install |  7 +++
 ipapython/kernel_keyring.py   | 17 +
 ipaserver/install/krbinstance.py  | 10 ++
 4 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfa1995cd9dfa6ddd88edd1f 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
-
+$OTHER_LIBDEFAULTS
 [realms]
  $REALM = {
   kdc = $FQDN:88
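Review bot: `$OTHER_LIBDEFAULTS` replaces the blank line that separated `forwardable = yes` from `[realms]`, so every caller that renders this template must now supply a value for that placeholder (an empty string when nothing is added), otherwise the rendering either fails or leaves the literal placeholder in krb5.conf; the value should also end with a newline so the section separator is not lost. The krbinstance.py hunk that would supply it is cut off in this excerpt, so that side cannot be checked here.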
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8e4695b42e9178725353dee2a4797a8da9b635b3..a898d388ee039752044008f8525424370098580a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -43,6 +43,7 @@ try:
 run, user_input, CalledProcessError, file_exists, realm_to_suffix)
 import ipapython.services as ipaservices
 from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
+from ipapython import kernel_keyring
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors
 from ipalib import x509
@@ -926,6 +927,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
 libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
 
+# Configure KEYRING CCACHE if supported
+if kernel_keyring.is_persistent_keyring_supported():
+root_logger.debug("Enabling persistent keyring CCACHE")
+libopts.append({'name':'default_ccache_name', 'type':'option',
+'value':'KEYRING:persistent:%{uid}'})
+
 opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
 opts.append({'name':'empty', 'type':'empty'})
 
diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
index 547dd3de6b45295910b66982e99886135c06335b..d30531cabaee5c12376f0821a21a6f63cd60397c 100644
--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@@ -17,6 +17,8 @@
 # along with this program.  If not, see .
 #
 
+import os
+
 from ipapython.ipautil import run
 
 # NOTE: Absolute path not required for keyctl since we reset the environment
@@ -47,6 +49,21 @@ def get_real_key(key):
 raise ValueError('key %s not found' % key)
 return stdout.rstrip()
 
+def get_persistent_key(key):
+(stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
+if rc:
+raise ValueError('persistent key %s not found' % key)
+return stdout.rstrip()
+
+def is_persistent_keyring_supported():
+uid = os.geteuid()
+try:
+get_persistent_key(str(uid))
+except ValueError:
+return False
+
+return True
+
 def has_key(key):
 """
 Returns True/False whether the key exists in the keyring.
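Review bot: `is_persistent_keyring_supported()` treats only `ValueError` as "unsupported"; any other exception raised by `run()` (for example when keyctl cannot be executed at all) propagates out and would abort the installer instead of falling back to the default ccache, so catch that case explicitly and return False. Both new functions also lack the docstring that `has_key()` below carries, and `get_persistent_key()` takes a uid rather than a key name, so naming the parameter `uid` would read better.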
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 98687a4002cd7b19faea03acc552759e962d8832..f1fa827d89a31f9d6d4cb7f7a78a2680f983565a 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -31,6 +31,7 @@
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
+from ipapython import kernel_keyring
 from ipalib import errors
 from ipapython.ipa_lo

Re: [Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-11-19 Thread Petr Viktorin

On 11/05/2013 07:22 PM, Martin Kosek wrote:

Server and client installer should allow kernel keyring ccache when
supported.


The patch needs a rebase.

Can you add a function to check if the persistent key is supported? It would 
remove some code duplication.


How do I enable the kernel keyring? On f20 I get this:

2013-11-19T11:28:07Z DEBUG Starting external process
2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
2013-11-19T11:28:07Z DEBUG Process finished, return code=1
2013-11-19T11:28:07Z DEBUG stdout=
2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

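The helper Petr asks for above, written here as an added example rather than code from the patch or the FreeIPA tree: it runs the same `keyctl get_persistent @s <uid>` probe, keeps keyctl's stderr so the "Key has been revoked" case stays visible in the reason string, and takes an injectable `runner` callable (an assumption of this example) so the outcomes quoted in this thread can be replayed offline.

```python
import subprocess

SESSION_KEYRING = "@s"   # same keyring the installer's keyctl call targets


def probe_persistent_keyring(uid, runner=None):
    """Run `keyctl get_persistent @s <uid>` and classify the result.

    Returns (supported, reason).  `runner` maps argv to
    (returncode, stdout, stderr); it is injectable so the probe can be
    exercised offline.  The default shells out to keyctl like the patch does.
    """
    argv = ["keyctl", "get_persistent", SESSION_KEYRING, str(uid)]
    if runner is None:
        def runner(args):
            try:
                p = subprocess.run(args, capture_output=True, text=True)
            except OSError as exc:  # keyctl not installed or not executable
                return None, "", str(exc)
            return p.returncode, p.stdout, p.stderr
    rc, out, err = runner(argv)
    if rc is None:
        return False, "keyctl could not be run: %s" % err.strip()
    if rc == 0 and out.strip().isdigit():
        return True, "persistent keyring id %s" % out.strip()
    # Keep keyctl's own message (e.g. "Key has been revoked") for the log.
    return False, err.strip() or "keyctl exited with status %d" % rc


def keyring_libdefaults(uid, runner=None):
    """Extra [libdefaults] text for krb5.conf, '' when unsupported."""
    supported, _reason = probe_persistent_keyring(uid, runner)
    if supported:
        return " default_ccache_name = KEYRING:persistent:%{uid}\n"
    return ""


# Constructed fake runners replaying the outcomes quoted in this thread.
def fake_keyctl_ok(args):
    return 0, "637466038\n", ""


def fake_keyctl_revoked(args):
    return 1, "", "keyctl_get_persistent: Key has been revoked\n"


def fake_keyctl_missing(args):
    return None, "", "[Errno 2] No such file or directory: 'keyctl'"
```

Calling `probe_persistent_keyring(os.geteuid())` without a runner performs the real check; the reason string is what an installer would want in its debug log when the option is left out.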

[Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

2013-11-05 Thread Martin Kosek
Server and client installer should allow kernel keyring ccache when
supported.

https://fedorahosted.org/freeipa/ticket/4013

-- 
Martin Kosek 
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.
From beeb02b37f96f932948d469b8a425324da81bf4b Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Tue, 5 Nov 2013 19:04:13 +0100
Subject: [PATCH] Allow kernel keyring CCACHE when supported

Server and client installer should allow kernel keyring ccache when
supported.

https://fedorahosted.org/freeipa/ticket/4013
---
 install/share/krb5.conf.template  |  2 +-
 ipa-client/ipa-install/ipa-client-install | 11 +++
 ipapython/kernel_keyring.py   |  6 ++
 ipaserver/install/krbinstance.py  | 17 +
 4 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfa1995cd9dfa6ddd88edd1f 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
-
+$OTHER_LIBDEFAULTS
 [realms]
  $REALM = {
   kdc = $FQDN:88
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a49ba0e087 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -43,6 +43,7 @@ try:
 run, user_input, CalledProcessError, file_exists, realm_to_suffix)
 import ipapython.services as ipaservices
 from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
+from ipapython import kernel_keyring
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors
 from ipalib import x509
@@ -926,6 +927,16 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
 libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
 
+# Configure KEYRING CCACHE if supported
+uid = os.geteuid()
+try:
+kernel_keyring.get_persistent_key(str(uid))
+except ValueError:
+pass
+else:
+libopts.append({'name':'default_ccache_name', 'type':'option',
+'value':'KEYRING:persistent:%{uid}'})
+
 opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
 opts.append({'name':'empty', 'type':'empty'})
 
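Review bot: this try/except/else block duplicates the one added to `__setup_sub_dict()` in krbinstance.py in the same patch; move the check into `ipapython.kernel_keyring` as a boolean helper and call it from both places. `os.geteuid()` is used here but the hunk does not add `import os`, so make sure it is already imported in ipa-client-install. The `except ValueError: pass` also swallows the failure silently; a `root_logger.debug(...)` line in that branch would record why `default_ccache_name` was not written.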
diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
index 547dd3de6b45295910b66982e99886135c06335b..c6670c4ade48e9dc9b503f937cbcaead143f19fc 100644
--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@@ -47,6 +47,12 @@ def get_real_key(key):
 raise ValueError('key %s not found' % key)
 return stdout.rstrip()
 
+def get_persistent_key(key):
+(stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
+if rc:
+raise ValueError('persistent key %s not found' % key)
+return stdout.rstrip()
+
 def has_key(key):
 """
 Returns True/False whether the key exists in the keyring.
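Review bot: `get_persistent_key()` drops `stderr` when keyctl fails, so every failure mode surfaces as "persistent key 0 not found", including the "Key has been revoked" error shown elsewhere in this thread; append `stderr` to the ValueError message so the installer log explains the fallback. A docstring matching the one on `has_key()` would help, and since the argument is a uid rather than a key name, `uid` is the clearer parameter name.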
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a16e4d5f0cb3b70c6c69aac3251785ef3e8fa7f2..5cc7e0f172e5d0178f713fb4a305bef2dc930a84 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -30,6 +30,7 @@
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
+from ipapython import kernel_keyring
 from ipalib import errors
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@@ -246,8 +247,24 @@ def __setup_sub_dict(self):
 % server_domain)
 dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
 % dict(domain=server_domain, realm=self.realm)
+
 self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
 
+# Configure KEYRING CCACHE if supported
+uid = os.geteuid()
+try:
+kernel_keyring.get_persistent_key(str(uid))
+except ValueError:
+keyring_ccache_supported = False
+else:
+keyring_ccache_supported = True
+
+if keyring_ccache_supported:
+self.sub_dict['OTHER_LIBDEFAULTS'] = \
+" default_ccache_name = KEYRING:persistent:%{uid}\n"
+else:
+self.sub_dict['OTHER_LIBDEFAULTS'] = ''
+
 def __configure_sasl_mappings(self):
 # we need to remove any existing SASL mappings in the directory as otherwise they
 # they may conflict.
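Review bot: `keyring_ccache_supported` is set in the `except`/`else` branches and tested immediately afterwards; assign `self.sub_dict['OTHER_LIBDEFAULTS']` directly in those branches, or better call a shared helper in kernel_keyring, which also removes the duplication with ipa-client-install. The blank line added after the `dr_map` assignment is an unrelated whitespace change and should be dropped. As in the client hunk, `os.geteuid()` is used but `import os` is not added here, so verify it is already imported in krbinstance.py.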
-- 
1.8.3.1
