[Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 2 14:00:16 UTC 2013


On Mon, 02 Dec 2013, Petr Viktorin wrote:
>On 12/02/2013 02:01 PM, Martin Kosek wrote:
>>On 12/02/2013 01:58 PM, Petr Viktorin wrote:
>>>On 11/29/2013 01:48 PM, Martin Kosek wrote:
>>>>On 11/19/2013 12:35 PM, Petr Viktorin wrote:
>>>>>On 11/05/2013 07:22 PM, Martin Kosek wrote:
>>>>>>Server and client installer should allow kernel keyring ccache when
>>>>>>supported.
>>>
>>>>>
>>>>>How do I enable the kernel keyring? On f20 I get this:
>>>>>
>>>>>2013-11-19T11:28:07Z DEBUG Starting external process
>>>>>2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
>>>>>2013-11-19T11:28:07Z DEBUG Process finished, return code=1
>>>>>2013-11-19T11:28:07Z DEBUG stdout=
>>>>>2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked
>>>>
>>>>It should be enabled out of the box. But there were some initial issues with
>>>>the persistent keyring in the first kernel versions that supported it; hopefully
>>>>this was just a fluke which disappeared.
>>>>
>>>>This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:
>>>>
>>>># keyctl get_persistent @s 0
>>>>637466038
>>>
>>>With kernel-3.11.10-300.fc20.x86_64, I get an error again:
>>>$ keyctl get_persistent @s 0
>>>keyctl_get_persistent: Key has been revoked
>>
>>Not sure if it is a typo, but you surely won't get root's keyring as a
>>non-root user...
>
>It is just a typo, but it looks like you got me on the right track. 
>keyctl apparently needs a real root login:
>
>$ sudo keyctl get_persistent @s 0
>keyctl_get_persistent: Key has been revoked
>
>$ sudo su
># keyctl get_persistent @s 0
>keyctl_get_persistent: Key has been revoked
># exit
>
>$ sudo su -
>Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
># keyctl get_persistent @s 0
>968622527
># logout
>
>
>Unsurprisingly, when ipa-server-install is run from sudo, it 
>complains that the key is unsupported. From a root login all is OK.
>
>Is that expected?
Yes.

Unless you are using 'sudo -i', sudo is not equal to 'su -'.

Look at sudoers(5), section 'Command environment'.
-- 
/ Alexander Bokovoy
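
The probe discussed in this thread, as an added example that is not part of the original message and is not FreeIPA's installer code: it runs the same `keyctl get_persistent @s 0` command and separates the "Key has been revoked" result seen under plain sudo from a genuinely missing keyring. The function names and status labels are assumptions of this example, and the sample results are constructed from the outputs quoted above; `SUDO_USER` is the variable sudo sets for the invoking user.

```python
import os
import subprocess

PROBE = ["keyctl", "get_persistent", "@s", "0"]  # command from the thread's debug log
REVOKED = "Key has been revoked"                 # stderr text quoted in the thread


def run_probe():
    """Run the probe; return (returncode, stdout, stderr), or None if keyctl is absent."""
    try:
        p = subprocess.run(PROBE, capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return p.returncode, p.stdout, p.stderr


def classify(result, environ):
    """Map a probe result to (status, advice). Status names are this example's own."""
    if result is None:
        return "no-keyctl", "keyctl is not installed; cannot probe the keyring"
    rc, out, err = result
    if rc == 0 and out.strip().isdigit():
        return "supported", "persistent keyring id " + out.strip()
    if REVOKED in err:
        # The thread saw this under 'sudo' and 'sudo su', but not under 'su -'.
        if environ.get("SUDO_USER"):
            advice = "session keyring revoked under sudo; retry from 'sudo -i' or 'su -'"
        else:
            advice = "session keyring revoked; retry from a fresh root login"
        return "session-revoked", advice
    return "unsupported", "probe failed (rc=%d): %s" % (rc, err.strip())


def check_keyring(probe=run_probe, environ=None):
    """Probe the live system, or an injected probe/environment for testing."""
    env = os.environ if environ is None else environ
    return classify(probe(), env)


if __name__ == "__main__":
    # Constructed samples mirroring the outputs quoted in the thread.
    revoked = (1, "", "keyctl_get_persistent: Key has been revoked\n")
    print(classify(revoked, {"SUDO_USER": "admin"}))
    print(classify((0, "968622527\n", ""), {}))
    print("live:", check_keyring())
```

Reporting "session-revoked" separately from "unsupported" keeps an installer run under plain sudo from being misread as a kernel without keyring ccache support.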



