Allow kernel keyring CCACHE when supported

Server and client installer should allow kernel keyring ccache when supported. https://fedorahosted.org/freeipa/ticket/4013
2025-01-11 08:41:55 -06:00 · 2013-11-29 13:29:20 +01:00 · 2013-11-29 13:29:20 +01:00 · 9677308caa
commit 9677308caa
parent b6540e88d8
4 changed files with 35 additions and 1 deletions
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@ -12,7 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
-
+$OTHER_LIBDEFAULTS
 [realms]
 $REALM = {
  kdc = $FQDN:88
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -44,6 +44,7 @@ try:
        realm_to_suffix)
    import ipapython.services as ipaservices
    from ipapython import ipautil, sysrestore, version, certmonger, ipaldap
+    from ipapython import kernel_keyring
    from ipapython.config import IPAOptionParser
    from ipalib import api, errors
    from ipalib import x509
@ -952,6 +953,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
    libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
    libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})

+    # Configure KEYRING CCACHE if supported
+    if kernel_keyring.is_persistent_keyring_supported():
+        root_logger.debug("Enabling persistent keyring CCACHE")
+        libopts.append({'name':'default_ccache_name', 'type':'option',
+            'value':'KEYRING:persistent:%{uid}'})
+
    opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
    opts.append({'name':'empty', 'type':'empty'})

--- a/ipapython/kernel_keyring.py
+++ b/ipapython/kernel_keyring.py
@ -17,6 +17,8 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #

+import os
+
 from ipapython.ipautil import run

 # NOTE: Absolute path not required for keyctl since we reset the environment
@ -47,6 +49,21 @@ def get_real_key(key):
        raise ValueError('key %s not found' % key)
    return stdout.rstrip()

+def get_persistent_key(key):
+    (stdout, stderr, rc) = run(['keyctl', 'get_persistent', KEYRING, key], raiseonerr=False)
+    if rc:
+        raise ValueError('persistent key %s not found' % key)
+    return stdout.rstrip()
+
+def is_persistent_keyring_supported():
+    uid = os.geteuid()
+    try:
+        get_persistent_key(str(uid))
+    except ValueError:
+        return False
+
+    return True
+
 def has_key(key):
    """
    Returns True/False whether the key exists in the keyring.
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -31,6 +31,7 @@ import installutils
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import services as ipaservices
+from ipapython import kernel_keyring
 from ipalib import errors
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@ -252,6 +253,15 @@ class KrbInstance(service.Service):
            dr_map = ""
        self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map

+        # Configure KEYRING CCACHE if supported
+        if kernel_keyring.is_persistent_keyring_supported():
+            root_logger.debug("Enabling persistent keyring CCACHE")
+            self.sub_dict['OTHER_LIBDEFAULTS'] = \
+                " default_ccache_name = KEYRING:persistent:%{uid}\n"
+        else:
+            root_logger.debug("Persistent keyring CCACHE is not enabled")
+            self.sub_dict['OTHER_LIBDEFAULTS'] = ''
+
    def __configure_sasl_mappings(self):
        # we need to remove any existing SASL mappings in the directory as otherwise they
        # they may conflict.