From 7726ddeb7506b9b68720f55c410d7c53b7098d91 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 29 Nov 2013 13:29:20 +0100
Subject: [PATCH 03/10] Allow kernel keyring CCACHE when supported
Server and client installer should allow kernel keyring ccache when
supported.
https://fedorahosted.org/freeipa/ticket/4013
---
install/share/krb5.conf.template | 2 +-
ipa-client/ipa-install/ipa-client-install | 7 +++++++
ipapython/kernel_keyring.py | 17 +++++++++++++++++
ipaserver/install/krbinstance.py | 10 ++++++++++
4 files changed, 35 insertions(+), 1 deletion(-)
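diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6ddd88edd1f 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
-
+$OTHER_LIBDEFAULTS
 [realms]
 $REALM = {
 kdc = $FQDN:88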
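diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 8e4695b42e9178725353dee2a4797a8da9b635b3..a898d388ee039752044008f8525424370098580a 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -43,6 +43,7 @@ try:
 run, user_input, CalledProcessError, file_exists, realm_to_suffix)
 import ipapython.services as ipaservices
 from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
+ from ipapython import kernel_keyring
 from ipapython.config import IPAOptionParser
 from ipalib import api, errors
 from ipalib import x509
@@ -926,6 +927,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
 libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
 
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ libopts.append({'name':'default_ccache_name', 'type':'option',
+ 'value':'KEYRING:persistent:%{uid}'})
+
 opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
 opts.append({'name':'empty', 'type':'empty'})
 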
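Review bot: The gate on the `if kernel_keyring.is_persistent_keyring_supported():` line proves only that the running kernel answers `keyctl get_persistent` for the installer's effective uid; it says nothing about whether the host's Kerberos library understands the `KEYRING:persistent:` ccache type, so on a host that pairs a newer kernel with an older libkrb5 the written `default_ccache_name` would presumably name a ccache type the client tools cannot open. If that combination is in scope, gate on the library as well; otherwise record the assumption in the comment, e.g. `# Configure KEYRING CCACHE if the running kernel supports it (assumes libkrb5 understands KEYRING:persistent:)`. The probe is also run as the installing user, so its result describes that uid's keyring rather than those of the users who will later own the caches. configure_krb5_conf starts and ends outside this hunk.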
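diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
index 547dd3de6b45295910b66982e99886135c06335b..d30531cabaee5c12376f0821a21a6f63cd60397c 100644
--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@@ -17,6 +17,8 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 
+import os
+
 from ipapython.ipautil import run
 
 # NOTE: Absolute path not required for keyctl since we reset the environment
@@ -47,6 +49,21 @@ def get_real_key(key):
 raise ValueError('key %s not found' % key)
 return stdout.rstrip()
 
+def get_persistent_key(key):
+ (stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
+ if rc:
+ raise ValueError('persistent key %s not found' % key)
+ return stdout.rstrip()
+
+def is_persistent_keyring_supported():
+ uid = os.geteuid()
+ try:
+ get_persistent_key(str(uid))
+ except ValueError:
+ return False
+
+ return True
+
 def has_key(key):
 """
 Returns True/False whether the key exists in the keyring.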
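Review bot: Neither `get_persistent_key` nor `is_persistent_keyring_supported` carries a docstring, although the neighbouring `has_key` (the hunk's trailing context) documents its contract; add `"""Return the id of the persistent keyring for *key* via ``keyctl get_persistent``; raises ValueError when keyctl exits non-zero."""` to the first and `"""Return True if keyctl can resolve the persistent keyring of the current effective uid, False otherwise."""` to the second. The second docstring should also say that every non-zero keyctl exit is folded into ValueError by `get_persistent_key`, so a missing or non-executable keyctl, or a permission failure, is reported as "unsupported" rather than surfaced — presumably intended for an installer probe, but worth stating. Checking `rc` is consistent with `get_real_key` above, whose body starts outside the hunk.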
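diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 98687a4002cd7b19faea03acc552759e962d8832..f1fa827d89a31f9d6d4cb7f7a78a2680f983565a 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -31,6 +31,7 @@
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
+from ipapython import kernel_keyring
 from ipalib import errors
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@@ -252,6 +253,15 @@ def __setup_sub_dict(self):
 dr_map = ""
 self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
 
+ # Configure KEYRING CCACHE if supported
+ if kernel_keyring.is_persistent_keyring_supported():
+ root_logger.debug("Enabling persistent keyring CCACHE")
+ self.sub_dict['OTHER_LIBDEFAULTS'] = \
+ " default_ccache_name = KEYRING:persistent:%{uid}\n"
+ else:
+ root_logger.debug("Persistent keyring CCACHE is not enabled")
+ self.sub_dict['OTHER_LIBDEFAULTS'] = ''
+
 def __configure_sasl_mappings(self):
 # we need to remove any existing SASL mappings in the directory as otherwise they
 # they may conflict.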
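Review bot: The ccache name `KEYRING:persistent:%{uid}` is now spelled out as a literal both in the `self.sub_dict['OTHER_LIBDEFAULTS'] = \` assignment here and in configure_krb5_conf in ipa-client-install, so the two installers can drift apart; a single module-level constant in ipapython.kernel_keyring (e.g. `PERSISTENT_CCACHE_NAME`, name constructed) referenced from both places would keep them in step. The value also embeds template layout in Python (two leading spaces and a trailing newline that must match the `$OTHER_LIBDEFAULTS` line in krb5.conf.template); a short comment such as `# leading indent and trailing newline match the libdefaults block in krb5.conf.template` would save the next editor a round trip. __setup_sub_dict starts outside this hunk.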
--
1.8.3.1