From 0def2ec653ac29210414aa09499b309dd1c3ac7d Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Jun 07 2017 13:36:26 +0000
Subject: Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf to a value that can be passed in with the -l option syntax of kinit.
https://pagure.io/freeipa/issue/7001
Signed-off-by: Simo Sorce
Reviewed-By: Pavel Vomacka
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 5279b64..ab466ba 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -155,6 +155,7 @@ DEFAULT_CONFIG = (
 ('session_auth_duration', '20 minutes'),
 # How a session expiration is computed, see SessionManager.set_session_expiration_time()
 ('session_duration_type', 'inactivity_timeout'),
+ ('kinit_lifetime', None),
 # Debugging:
 ('verbose', 0),
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 73471f1..91ea513 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
 def kinit_password(principal, password, ccache_name, config=None,
 armor_ccache_name=None, canonicalize=False,
- enterprise=False):
+ enterprise=False, lifetime=None):
 """ perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
 % armor_ccache_name)
 args.extend(['-T', armor_ccache_name])
+ if lifetime:
+ args.extend(['-l', lifetime])
+
 if canonicalize:
 root_logger.debug("Requesting principal canonicalization")
 args.append('-C')
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 32f2861..2990df2 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
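Review bot: The new `('kinit_lifetime', None)` entry in ipalib/constants.py has no comment saying what values it accepts, although the entry just above it is documented. I would add `# Ticket lifetime requested by password kinit, in kinit -l syntax; None leaves -l off` above it. The "None leaves -l off" part follows from the `if lifetime:` guard this commit adds in ipalib/install/kinit.py.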
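Review bot: The `lifetime=None` parameter added to the `kinit_password` signature in ipalib/install/kinit.py is not described in the docstring that opens right below it, and no other hunk in this commit touches that docstring. A sentence such as `lifetime is handed to kinit -l unchanged; a falsy value requests no explicit lifetime` would tell callers the expected format and what the default means. The docstring itself continues past the end of the hunk.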
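Review bot: In the `if lifetime:` block added to `kinit_password` (second hunk of ipalib/install/kinit.py), the value is appended to the kinit argument list as-is, with no check on its type or format. If the env loader turns a bare number such as `3600` into an int (that code is not part of this diff), the list would hold a non-string, so `args.extend(['-l', str(lifetime)])` is the safer form. The neighbouring branches log what they request; a matching `root_logger.debug("Requesting ticket lifetime %s", lifetime)` would make the effective value visible when a login fails. The function body starts and ends outside the hunk.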
@@ -969,7 +969,8 @@ class login_password(Backend, KerberosSession):
 password,
 ccache_name,
 armor_ccache_name=armor_path,
- enterprise=True)
+ enterprise=True,
+ lifetime=self.api.env.kinit_lifetime)
 if armor_path:
 self.debug('Cleanup the armor ccache')
diff --git a/pylint_plugins.py b/pylint_plugins.py
index 472328c..545ac05 100644
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@@ -69,6 +69,7 @@ fake_api_env = {'env': [
 'realm',
 'session_auth_duration',
 'session_duration_type',
+ 'kinit_lifetime',
 ]} # this is due ipaserver.rpcserver.KerberosSession where api is undefined
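Review bot: `lifetime=self.api.env.kinit_lifetime` in the ipaserver/rpcserver.py hunk hands the raw configuration value to kinit on every password login without validating it first. A typo in default.conf would then surface only as a kinit failure at login time, and depending on how the caller reports kinit errors (outside this hunk) that may look like a bad password rather than a misconfiguration. Checking the value once at startup against the formats `kinit -l` accepts would fail early and visibly. The KDC still caps the granted lifetime, so this option can shorten tickets but cannot extend them past the realm or principal maximum.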