authorMartin Kosek <mkosek@redhat.com>2013-11-29 13:29:20 +0100
committerPetr Viktorin <pviktori@redhat.com>2013-12-09 12:23:03 +0100
commit5b2ce3c5a57e8193ee1c6d23c4e79c3b2b62cb05 (patch)
treedf42ec7606da1e9418d7eb7c3830a3f1dac9cd9f
parent2877f5d8a11ebdd32c2007b26facab2073cf48ad (diff)
Allow kernel keyring CCACHE when supported
Server and client installer should allow kernel keyring ccache when supported. https://fedorahosted.org/freeipa/ticket/4013
-rw-r--r--install/share/krb5.conf.template2
-rwxr-xr-xipa-client/ipa-install/ipa-client-install7
-rw-r--r--ipapython/kernel_keyring.py17
-rw-r--r--ipaserver/install/krbinstance.py10
4 files changed, 35 insertions, 1 deletions
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 01e66881..7c82083e 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
rdns = false
ticket_lifetime = 24h
forwardable = yes
-
+$OTHER_LIBDEFAULTS
[realms]
$REALM = {
kdc = $FQDN:88
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8e4695b4..a898d388 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -43,6 +43,7 @@ try:
run, user_input, CalledProcessError, file_exists, realm_to_suffix)
import ipapython.services as ipaservices
from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
+ from ipapython import kernel_keyring
from ipapython.config import IPAOptionParser
from ipalib import api, errors
from ipalib import x509
@@ -926,6 +927,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ libopts.append({'name':'default_ccache_name', 'type':'option',
+ 'value':'KEYRING:persistent:%{uid}'})
+
opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
opts.append({'name':'empty', 'type':'empty'})
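Review bot: The probe in `if kernel_keyring.is_persistent_keyring_supported():` only establishes that the kernel/keyutils side can hand out a persistent keyring; whether the installed libkrb5 understands the `KEYRING:persistent:` cache type and the `%{uid}` expansion is not checked, so a host with a new kernel but an older krb5 would get a krb5.conf whose default_ccache_name its own library cannot parse. If packaging does not already guarantee a krb5 with that support, consider gating on it as well, or at least record the assumption with a comment such as `# assumes the installed libkrb5 supports KEYRING:persistent and %{uid}; the probe only covers the kernel side`. Note also that the installer runs as root, so `os.geteuid()` probes uid 0's persistent keyring, which is fine as a capability test but is not the uid the setting will be used under. The same point applies to the krbinstance.py hunk. configure_krb5_conf starts and ends outside this hunk.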
diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
index 547dd3de..d30531ca 100644
--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@@ -17,6 +17,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import os
+
from ipapython.ipautil import run
# NOTE: Absolute path not required for keyctl since we reset the environment
@@ -47,6 +49,21 @@ def get_real_key(key):
raise ValueError('key %s not found' % key)
return stdout.rstrip()
+def get_persistent_key(key):
+ (stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
+ if rc:
+ raise ValueError('persistent key %s not found' % key)
+ return stdout.rstrip()
+
+def is_persistent_keyring_supported():
+ uid = os.geteuid()
+ try:
+ get_persistent_key(str(uid))
+ except ValueError:
+ return False
+
+ return True
+
def has_key(key):
"""
Returns True/False whether the key exists in the keyring.
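Review bot: `is_persistent_keyring_supported` only catches ValueError, but when the `keyctl` binary is absent `run` will propagate whatever subprocess raises (an OSError, assuming `run` does not swallow it, which is not visible here), so a client without keyutils installed would abort the installer instead of falling back to the file ccache; `except (ValueError, OSError):` is the minimal fix. Both new functions also lack the docstring that `has_key` below carries; for `get_persistent_key` it is worth stating that `keyctl get_persistent` creates the uid's persistent keyring if it does not yet exist and links it into KEYRING, so the "is supported" probe is not side-effect free, e.g. `"""Return the id of uid's persistent keyring, creating and linking it into KEYRING if absent; raises ValueError when keyctl fails."""`. The unused `stderr` in the tuple unpack could be `_`.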
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 98687a40..f1fa827d 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -31,6 +31,7 @@ import installutils
from ipapython import sysrestore
from ipapython import ipautil
from ipapython import services as ipaservices
+from ipapython import kernel_keyring
from ipalib import errors
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
@@ -252,6 +253,15 @@ class KrbInstance(service.Service):
dr_map = ""
self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ self.sub_dict['OTHER_LIBDEFAULTS'] = \
+ " default_ccache_name = KEYRING:persistent:%{uid}\n"
+ else:
+ root_logger.debug("Persistent keyring CCACHE is not enabled")
+ self.sub_dict['OTHER_LIBDEFAULTS'] = ''
+
def __configure_sasl_mappings(self):
# we need to remove any existing SASL mappings in the directory as otherwise they
# they may conflict.
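Review bot: The else branch's message `"Persistent keyring CCACHE is not enabled"` describes the outcome as a choice, while the condition tested is kernel support, so someone reading the log later cannot tell whether an admin disabled it or the host lacked it; `root_logger.debug("Persistent keyring CCACHE not supported by this kernel, using default ccache")` would say what was actually found. Because the result is baked into the generated krb5.conf, it also reflects the kernel present when the installer ran, not the one the server later boots with; a short comment above the check noting that would help anyone debugging a ccache type mismatch after a kernel change. The enclosing method starts before this hunk.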