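#!/bin/bash
#
# llxcfg action for krb5-server.
#
# Installs the KDC configuration templates into /etc, refuses to run when the
# archived KERBEROS variables differ from the current ones, and publishes the
# Kerberos variables to clients through netconfig.  Principal and keytab
# creation (process_keytabs) is present but deliberately not executed: the
# flow stops right after the netconfig export ("do nothing more").
#
# Required variables (obtained from llxcfg-showvars or the environment):
#   KRB5_REALM, SRV_DOMAIN, KRB5_DB_NAME
# Exit status: 0 on success; 1 when KRB5_REALM/SRV_DOMAIN are missing or the
#   archived variables changed since the last run.

# ---- configuration --------------------------------------------------------
SYSTEMKT_DIR="krb5-server/system-keytab"
CLIENTKT_DIR="krb5-server/client-keytab"
CUSTOMKT_DIR="krb5-server/custom-keytabs"
# Space-separated list of variables requested from llxcfg-showvars.
VAR_LIST="KRB5_REALM SRV_DOMAIN KRB5_DB_NAME"
LLX_GETVAR="$(command -v llxcfg-showvars)"
KADMIN="$(command -v kadmin.local)"
# format: service/hostname
# where hostname is the relative name, NOT fqdn
REGEXP_SYSTEMKT="^[[:blank:]]*[^[:blank:]#/@]\+\/[^[:blank:]#/@]\+"
# format: keytab_path user group mode comma_list_principals
REGEXP_CUSTOMKT="^[[:blank:]]*\([^[:blank:]#]\+[[:blank:]]\+\)\{3\}[01]\?[0-7]\{3\}[[:blank:]]\+\([^[:blank:],/@]\+\/[^[:blank:],/@]\+,\?\)\+"
# NOTE(review): both regexps carry an unescaped "/" inside a bracket
# expression and are used as "/.../" sed addresses below; depending on the
# sed implementation that "/" may terminate the address early.  Confirm with
# the sed in use, or switch those addresses to another delimiter (\%...%p).
# Key type requested from kadmin for every keytab entry.
# TODO(review): single-DES is cryptographically broken and current MIT
# Kerberos releases no longer support it; move to an AES enctype such as
# aes256-cts-hmac-sha1-96:normal once every keytab consumer can handle it.
ENCRYPTION="des-cbc-crc:normal"
SYSTEMKT_PATH="/etc/krb5.keytab"
# Name of the scratch keytab built for each custom keytab (lives in WORKDIR).
TEMPKTFILE="temp.keytab"
LAST_CONFIG_STATUS_FILE="/var/lib/krb5kdc/previous.vars"   # currently unused
ADMIN_KRB_SCRIPT="llxcfg-krb5"
EXPORT_SYSTEMKT_DIR="/var/lib/lliurex/krb5/installdir"
# Space-separated list of llxcfg config dirs whose files are installed to /etc.
CONFIGDIR_LIST="krb5-server/templates"

# ---- helpers --------------------------------------------------------------

#######################################
# Print a message to stderr and abort the script.
# Arguments: $1 - message (backslash escapes are honoured, like echo -e)
# Returns:   never; exits with status 1
#######################################
error_message() {
  printf '%b\n' "$1" >&2
  exit 1
}

#######################################
# Print the entries of a keytab using ktutil.
# Arguments: $1 - keytab path
# Outputs:   ktutil "list" output (two header lines, then one entry per line,
#            principal in the last blank-separated field)
#######################################
list_keytab() {
  printf 'rkt %s\nlist\nquit\n' "$1" | ktutil
}

#######################################
# Compare the principal sets of two keytabs.
# Globals:   WORKDIR (read; must be set)
# Arguments: $1 - first keytab, $2 - second keytab
# Returns:   0 when both are readable and hold the same principals, 1 otherwise
#######################################
test_keytab() {
  local first=$1 second=$2
  [[ -r "$first" && -r "$second" ]] || return 1
  local list_a="${WORKDIR:?}/temp1" list_b="${WORKDIR:?}/temp2"
  # Skip ktutil's two header lines, keep only the principal (last field).
  list_keytab "$first" | sed -ne '3,${s%^.*[[:blank:]]%%;p}' | LC_ALL=C sort > "$list_a"
  list_keytab "$second" | sed -ne '3,${s%^.*[[:blank:]]%%;p}' | LC_ALL=C sort > "$list_b"
  diff -q "$list_a" "$list_b" >/dev/null 2>&1
}

#######################################
# Ensure a principal exists in the KDC database (creating it with a random
# key when missing) and append its key to a keytab.
# Globals:   KADMIN, KRB5_REALM, ENCRYPTION (read)
# Arguments: $1 - principal without realm (service/host)
#            $2 - keytab file to append to
#######################################
add_principal_to_keytab() {
  local principal="${1}@${KRB5_REALM}" keytab=$2
  # -F: the principal is a literal string, not a regular expression.
  if ! "$KADMIN" -q "listprincs ${principal}" | grep -qF -- "$principal"; then
    "$KADMIN" -q "addprinc -randkey ${principal}" >/dev/null 2>&1
  fi
  # NOTE(review): kadmin ktadd generates a fresh random key each time it runs,
  # so re-running this for an already installed principal invalidates the
  # copies of that key held by other keytabs — confirm this is intended.
  "$KADMIN" -q "ktadd -k ${keytab} -e ${ENCRYPTION} ${principal}" >/dev/null 2>&1
}

#######################################
# Build and install a keytab from the principals listed in a config dir.
# Globals:   WORKDIR, REGEXP_SYSTEMKT (read)
# Arguments: $1 - llxcfg config dir holding "service/hostname" lines
#            $2 - destination keytab path
# Returns:   0; returns early without touching $2 when it already contains
#            exactly the configured principals
#######################################
do_keytab() {
  local confdirname=$1 keytabfile=$2
  local newkt="${WORKDIR:?}/keytab"
  local have="${WORKDIR:?}/temp1" want="${WORKDIR:?}/temp2"
  rm -f -- "$newkt"
  if [[ -f "$keytabfile" ]]; then
    # Installed principals with the realm stripped, versus the configured
    # ones; both sides sorted so the comparison does not depend on order.
    list_keytab "$keytabfile" | sed -ne '3,${s%^.*[[:blank:]]%%;s%@.*$%%;p}' | LC_ALL=C sort > "$have"
    llxcfg-config --unique dump "$confdirname" | sed -ne "/${REGEXP_SYSTEMKT}/p" | LC_ALL=C sort > "$want"
    if diff -q "$have" "$want" >/dev/null 2>&1; then
      return 0
    fi
  fi
  # NOTE(review): the comparison above uses "--unique" but this loop does not,
  # so a principal listed twice in the config gets two ktadd calls — verify.
  # Plain "read" (default IFS) drops the leading blanks REGEXP_SYSTEMKT allows.
  local princ
  llxcfg-config dump "$confdirname" | sed -ne "/${REGEXP_SYSTEMKT}/p" |
    while read -r princ; do
      add_principal_to_keytab "$princ" "$newkt"
    done
  # The scratch keytab was created in the private WORKDIR, so the key material
  # only becomes visible at its final path, already with mode 0600.
  skel-install --mode=0600 "$newkt" "$keytabfile"
}

#######################################
# Create service principals and keytabs: the system keytab, its exported
# client copy, and the custom keytabs.  NOT called by main — the script
# deliberately exits before this step ("do nothing more"); kept so it can be
# re-enabled.
# Globals:   KADMIN, KRB5_DB_NAME, WORKDIR, TEMPKTFILE, *KT_DIR, *_PATH (read)
#######################################
process_keytabs() {
  # kerberos db must exist
  [[ -n "$KADMIN" && -r "${KRB5_DB_NAME:-}" ]] ||
    error_message "kadmin.local or the Kerberos database (${KRB5_DB_NAME:-unset}) is not available"
  #process principals for system keytabs
  do_keytab "$SYSTEMKT_DIR" "${SYSTEMKT_PATH}"
  do_keytab "$CLIENTKT_DIR" "${EXPORT_SYSTEMKT_DIR}/${SYSTEMKT_PATH}"
  #process custom keytabs
  # TODO: rewrite this code ...
  local rname curfile tmpkt="${WORKDIR:?}/${TEMPKTFILE}"
  local kt_path kt_user kt_group kt_mode kt_princ_list princ princs
  llxcfg-config list "$CUSTOMKT_DIR" | while read -r rname; do
    curfile="${CUSTOMKT_DIR}/${rname}"
    llxcfg-config read "$curfile" | sed -ne "/${REGEXP_CUSTOMKT}/p" |
      while read -r kt_path kt_user kt_group kt_mode kt_princ_list; do
        [[ -n "$kt_path" && -n "$kt_user" && -n "$kt_group" && -n "$kt_mode" && -n "$kt_princ_list" ]] || continue
        rm -f -- "$tmpkt"
        # Comma-separated list; split on commas/blanks without globbing.
        read -ra princs <<<"${kt_princ_list//,/ }"
        for princ in "${princs[@]}"; do
          [[ -n "$princ" ]] || continue
          add_principal_to_keytab "$princ" "$tmpkt"
        done
        skel-install --mode="$kt_mode" --owner="$kt_user" --group="$kt_group" "$tmpkt" "$kt_path"
      done
  done
  # export KRB5 vars to clients via netconfig
  llxcfg-template ./client-netconfig-vars | llxcfg-config write netconfig/varfiles/krb5-vars
}

#######################################
# Entry point: load variables, check for configuration drift, install the
# templates and publish the variables.  Always exits (status 0 on success).
#######################################
main() {
  local confdir rname
  # llxcfg-showvars prints shell assignments for VAR_LIST; its output is
  # evaluated as code, so this must remain a trusted, root-owned binary.
  if [[ -x "$LLX_GETVAR" ]]; then
    # shellcheck disable=SC2086 -- VAR_LIST is a deliberately space-separated list
    eval "$("$LLX_GETVAR" $VAR_LIST)"
  fi
  # initial tests
  [[ -n "${KRB5_REALM:-}" && -n "${SRV_DOMAIN:-}" ]] || exit 1
  # test if there are changes in LliureX variables
  if llxcfg-archivevars KERBEROS show >/dev/null 2>&1; then
    llxcfg-archivevars KERBEROS test ||
      error_message "Changes from previous configuration. Use $ADMIN_KRB_SCRIPT with --force init option"
  fi
  # install every file of the template dirs under /etc
  for confdir in $CONFIGDIR_LIST; do
    llxcfg-config list "$confdir" | while read -r rname; do
      llxcfg-config read "$confdir/$rname" | skel-install -t "/etc/$rname"
    done
  done
  # export KRB5 vars to clients via netconfig
  llxcfg-template ./client-netconfig-vars | llxcfg-config write netconfig/varfiles/krb5-vars
  # do nothing more ... (process_keytabs is intentionally not run here)
  exit 0
}

# Private (0700) scratch directory for keytab material and listings; removed
# on every exit path, including the exit inside main.
WORKDIR="$(mktemp -d)" || error_message "cannot create temporary directory"
trap 'rm -rf -- "${WORKDIR:?}"' EXIT

main "$@"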