author | Martin Kosek <mkosek@redhat.com> | 2013-11-29 13:29:20 +0100 |
committer | Petr Viktorin <pviktori@redhat.com> | 2013-12-09 12:21:22 +0100 |
commit | 9677308caa78ed722570aea32f21334b8c27bad3 (patch) | |
tree | c0725324e5347b7f00cae94528932211f9fba39c | |
parent | b6540e88d88470f6566507e442f521214c5a74dc (diff) | |
Allow kernel keyring CCACHE when supported
Server and client installers should allow the kernel keyring ccache when
supported.
https://fedorahosted.org/freeipa/ticket/4013
-rw-r--r-- | install/share/krb5.conf.template | 2 | ||||
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 7 | ||||
-rw-r--r-- | ipapython/kernel_keyring.py | 17 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 10 |
4 files changed, 35 insertions, 1 deletions
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 01e66881b..7c82083e3 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
-
+$OTHER_LIBDEFAULTS
 [realms]
 $REALM = {
 kdc = $FQDN:88
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index c74e6840c..0b9c6e98e 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -44,6 +44,7 @@ try:
 realm_to_suffix)
 import ipapython.services as ipaservices
 from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
+ from ipapython import kernel_keyring
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors
 from ipalib import x509
@@ -952,6 +953,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
 libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ libopts.append({'name':'default_ccache_name', 'type':'option',
+ 'value':'KEYRING:persistent:%{uid}'})
+
 opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
 opts.append({'name':'empty', 'type':'empty'})
diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
index 547dd3de6..d30531cab 100644
--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@@ -17,6 +17,8 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
+import os
+
 from ipapython.ipautil import run
 # NOTE: Absolute path not required for keyctl since we reset the environment
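Review bot: The new `if kernel_keyring.is_persistent_keyring_supported():` branch probes the kernel keyring as the installer (root, at install time) but says nothing about whether the client's Kerberos library accepts `KEYRING:persistent:%{uid}`; on a host whose libkrb5 predates persistent-keyring ccache support, the generated krb5.conf would point every user at a cache type their tools may not be able to use. It is worth confirming that the platform's krb5 dependency rules this out, or pairing the keyctl probe with a library-side check. The decision is also only logged at debug level although it changes where every user's credentials are stored; `root_logger.info("Configuring default_ccache_name = KEYRING:persistent:%{uid}")` would leave a trace in the install log. configure_krb5_conf starts at the hunk header and its body continues past the hunk.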
@@ -47,6 +49,21 @@ def get_real_key(key):
 raise ValueError('key %s not found' % key)
 return stdout.rstrip()
+def get_persistent_key(key):
+ (stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
+ if rc:
+ raise ValueError('persistent key %s not found' % key)
+ return stdout.rstrip()
+
+def is_persistent_keyring_supported():
+ uid = os.geteuid()
+ try:
+ get_persistent_key(str(uid))
+ except ValueError:
+ return False
+
+ return True
+
 def has_key(key):
 """
 Returns True/False whether the key exists in the keyring.
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 2ab97a4d1..80d1addb4 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -31,6 +31,7 @@ import installutils
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
+from ipapython import kernel_keyring
 from ipalib import errors
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@@ -252,6 +253,15 @@ class KrbInstance(service.Service):
 dr_map = ""
 self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ self.sub_dict['OTHER_LIBDEFAULTS'] = \ " default_ccache_name = KEYRING:persistent:%{uid}\n"
+ else:
+ root_logger.debug("Persistent keyring CCACHE is not enabled")
+ self.sub_dict['OTHER_LIBDEFAULTS'] = ''
+
 def __configure_sasl_mappings(self):
 # we need to remove any existing SASL mappings in the directory as otherwise they
 # they may conflict.
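Review bot: `is_persistent_keyring_supported` treats only `ValueError` as "unsupported", and `get_persistent_key` only turns a non-zero exit status into that error via `raiseonerr=False`; if `run` raises a different exception when the `keyctl` binary cannot be executed at all, both installers abort instead of falling back to the file ccache. Widening the handler, `except (ValueError, OSError):`, keeps the probe best-effort, assuming `run` surfaces an exec failure as `OSError` (its implementation is not in this hunk). Two caveats belong in docstrings on the new functions: `keyctl get_persistent` creates the calling euid's persistent keyring as a side effect, and any non-zero exit (a permission or policy denial, not only absence) is reported as "not found", so a `False` result means "the probe failed", not strictly "the kernel lacks support". `KEYRING` is defined outside the hunk.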
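Review bot: The keyring probe and the `KEYRING:persistent:%{uid}` ccache name are now duplicated between this method and configure_krb5_conf in ipa-client-install, with this side additionally embedding template indentation in `" default_ccache_name = KEYRING:persistent:%{uid}\n"`; a single constant in ipapython.kernel_keyring, e.g. `PERSISTENT_CCACHE = 'KEYRING:persistent:%{uid}'`, referenced from both would keep server and client from drifting. As on the client, the probe runs as root during installation and its result is written into krb5.conf for every user on the host; a comment recording that, `# probed as root at install time; applies to every user via krb5.conf`, would make the assumption explicit. The enclosing method starts before the hunk, so its name is not visible here.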