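#!/bin/bash
#
# llxcfg-krb5 system keytab generator (LliureX server).
#
# Ensures a host/ and nfs/ service principal exists in the KDC for every known
# client host and for the server itself, re-keys them, writes the keys into the
# system keytab (/etc/krb5.keytab) and exports a copy to the client install
# directory.  Must be invoked as "<script> ADOY"; any other argument is a no-op.
# Runs as root: kadmin.local needs direct access to the KDC database.
#
# get_dhcp_host_list, get_noreg_host_list, error_message and ADMIN_KRB_SCRIPT
# are expected to come from the sourced lliurex-netfuncs.sh; they are not
# defined here.

# vars
VAR_LIST="KRB5_REALM SRV_DOMAIN LDAP_MASTER_URI LDAP_REPLICATOR_PORT KRB5_SRV_MODE"
LLX_GETVAR="$(command -v llxcfg-showvars)"
KADMIN="$(command -v kadmin.local)"
# Extra kadmin.local options (set in SLAVE mode).  Kept as an array so the
# command line is never rebuilt by word-splitting an unquoted string.
KADMIN_OPTS=()

# format: service/hostname
# where hostname is the relative name, NOT fqdn
# The class excludes blanks, '#', '/' and '@', so a matching line can be spliced
# into a "kadmin -q" command string and suffixed with @REALM without injection.
REGEXP_SYSTEMKT="^[[:blank:]]*[^[:blank:]#/@]\+\/[^[:blank:]#/@]\+"
# format: keytab_path user group mode comma_list_principals
# (not used by this script; kept for the custom-keytab format description)
REGEXP_CUSTOMKT="^[[:blank:]]*\([^[:blank:]#]\+[[:blank:]]\+\)\{3\}[01]\?[0-7]\{3\}[[:blank:]]\+\([^[:blank:],/@]\+\/[^[:blank:],/@]\+,\?\)\+"

# NOTE(review): single DES (des-cbc-crc) is cryptographically broken and has
# been removed from modern MIT krb5 releases; on such a KDC every ktadd below
# fails (now logged, previously silent).  Kept only for compatibility with the
# existing NFS clients -- move to aes256-cts-hmac-sha1-96:normal when they allow.
ENCRYPTION="des-cbc-crc:normal"
SYSTEMKT_PATH="/etc/krb5.keytab"
EXPORT_SYSTEMKT_DIR="/var/lib/lliurex/krb5/installdir"
NUMKEYTAB=0
LISTKEYFILE=""

#######################################
# Build a keytab from the principals read on stdin and install it.
# Globals:   KADMIN, KADMIN_OPTS, KRB5_REALM, ENCRYPTION, NUMKEYTAB (read)
# Arguments: $1 - destination keytab path
# Input:     one "service/hostname" per line (REGEXP_SYSTEMKT); other lines
#            are ignored
# Returns:   0 if every principal was keyed; 1 if any kadmin step failed
#            (the keytab is still installed with the keys that succeeded) or
#            if no key at all was written (destination left untouched)
#######################################
do_keytab(){
  local keytabfile="$1"
  local workdir listfile kfile
  local numiter=0 estimatetime=0 failures=0
  local princ principal d1 d2

  # Private 0700 scratch dir: the keytab holds live keys, so it must never sit
  # at a path another local user can predict or pre-create (the old
  # "tempfile; rm -f" dance handed the name out before ktadd wrote to it).
  workdir="$(mktemp -d)" || return 1
  kfile="$workdir/keytab"
  listfile="$workdir/principals"

  # Materialise the filtered list first so the loop runs in this shell; a
  # "sed | while" pipeline would keep the failure counter in a subshell.
  sed -ne "/${REGEXP_SYSTEMKT}/p" > "$listfile"

  while IFS= read -r princ; do
    numiter=$(( numiter + 1 ))
    d1=$(date +%s)
    logger -t "llxcfg-krb5[$$]:" "Add keytab $numiter of $NUMKEYTAB. Seconds estimate to finish $estimatetime"
    principal="${princ}@${KRB5_REALM}"
    # Create the principal if the KDC does not know it yet.  Whole-line match:
    # a bare substring match lets nfs/a.dom be shadowed by nfs/a.dom2.
    if ! "$KADMIN" "${KADMIN_OPTS[@]}" -q "listprincs ${principal}" 2>/dev/null \
         | grep -qxF -- "$principal"; then
      "$KADMIN" "${KADMIN_OPTS[@]}" -q "addprinc -randkey ${principal}" >/dev/null 2>&1
    fi
    # ktadd generates a fresh random key in the KDC as well as writing it here,
    # so every run rotates all keys and invalidates previously exported copies.
    if ! "$KADMIN" "${KADMIN_OPTS[@]}" -q "ktadd -k $kfile -e ${ENCRYPTION} ${principal}" >/dev/null 2>&1; then
      failures=$(( failures + 1 ))
      logger -t "llxcfg-krb5[$$]:" "ktadd failed for ${principal} (enctype ${ENCRYPTION})"
    fi
    d2=$(date +%s)
    estimatetime=$(( ( d2 - d1 ) * ( NUMKEYTAB - numiter ) ))
  done < "$listfile"

  # Never replace the system keytab with an empty/missing file.
  if [ ! -s "$kfile" ]; then
    logger -t "llxcfg-krb5[$$]:" "no keys written, leaving ${keytabfile} untouched"
    rm -rf -- "$workdir"
    return 1
  fi
  llxcfg-install --mode=0600 "$kfile" "${keytabfile}"
  rm -rf -- "$workdir"
  if [ "$failures" -gt 0 ]; then
    logger -t "llxcfg-krb5[$$]:" "${failures} of ${numiter} principals failed, ${keytabfile} is incomplete"
    return 1
  fi
  return 0
}

#######################################
# Write the nfs/<fqdn> principal list for all known client hosts to a temp
# file and compute the number of ktadd operations the run will perform.
# Globals:   SRV_DOMAIN (read); LISTKEYFILE, NUMKEYTAB (written)
# Calls:     get_dhcp_host_list, get_noreg_host_list (from the sourced lib);
#            judging by the sed filter they emit "hostname[,...]" lines and
#            only the first comma-separated field is kept -- confirm in the lib
# Returns:   0, or 1 if the temp file cannot be created
#######################################
generatefile() {
  local auxcount
  LISTKEYFILE="$(mktemp)" || return 1
  {
    get_dhcp_host_list
    get_noreg_host_list
  } | sed -e "s%^%nfs/%;s%,.*$%%;s%$%.${SRV_DOMAIN}%" > "$LISTKEYFILE"
  auxcount=$(wc -l < "$LISTKEYFILE")
  # one nfs/ and one host/ principal per client, plus both for the server
  NUMKEYTAB=$(( ( auxcount * 2 ) + 2 ))
  return 0
}

#######################################
# Emit the complete system principal list on stdout, then discard the temp
# file: host/<client> for every client, nfs/server, nfs/<client>, host/server.
# Globals:   LISTKEYFILE (read, then removed), SRV_DOMAIN (read)
# Returns:   0
#######################################
system_keytab(){
  sed -e "s%^nfs/%host/%" "$LISTKEYFILE"
  echo "nfs/server.${SRV_DOMAIN}"
  cat "$LISTKEYFILE"
  echo "host/server.${SRV_DOMAIN}"
  rm -f -- "$LISTKEYFILE"
  return 0
}

#######################################
# Check that the Kerberos container exists in the local LDAP directory
# (anonymous simple bind; this is only a presence test, not an auth check).
# Returns:   0 if cn=krbcontainer is found, 1 otherwise
#######################################
exists_db(){
  ldapsearch -x cn=krbcontainer -LLL | grep -q "cn=krbcontainer"
}

# main
[ "$1" = "ADOY" ] || exit 0

LIB_FILE="/usr/share/lliurex/lliurex-srv-common/lliurex-netfuncs.sh"
[ -e "$LIB_FILE" ] || exit 1
# shellcheck source=/dev/null
. "$LIB_FILE"

# Load configuration from llxcfg-showvars.  Its output is eval'ed as root, so
# LLX_GETVAR must only ever resolve to the trusted local tool.  (An unquoted
# "[ -x $LLX_GETVAR ]" was always true when the tool was missing.)
if [ -n "$LLX_GETVAR" ] && [ -x "$LLX_GETVAR" ]; then
  # shellcheck disable=SC2086  -- VAR_LIST is deliberately split into words
  eval "$("$LLX_GETVAR" $VAR_LIST)"
fi

# initial tests.  exists_db must be *called*: inside "[ ... -a exists_db ]" it
# was a non-empty literal string, so the LDAP check never actually ran.
{ [ -n "$KRB5_REALM" ] && [ -n "$SRV_DOMAIN" ] && [ -n "$KADMIN" ] && exists_db; } || exit 1

# test if there are changes in LliureX variables
if llxcfg-archivevars KERBEROS show >/dev/null 2>&1; then
  llxcfg-archivevars KERBEROS test \
    || error_message "Changes from previous configuration. Use $ADMIN_KRB_SCRIPT with --force init option"
fi

# On a SLAVE the KDC database lives on the master: point kadmin.local's LDAP
# backend at the master's replicator port.
if [ "$KRB5_SRV_MODE" = "SLAVE" ] && [ -n "$LDAP_MASTER_URI" ] && [ -n "$LDAP_REPLICATOR_PORT" ]; then
  KADMIN_OPTS=(-x "host=$LDAP_MASTER_URI:$LDAP_REPLICATOR_PORT")
fi

# process principals for system keytabs
rc=0
generatefile || exit 1
system_keytab | do_keytab "${SYSTEMKT_PATH}" || rc=1
llxcfg-install --mode=0600 "${SYSTEMKT_PATH}" "${EXPORT_SYSTEMKT_DIR}/${SYSTEMKT_PATH}"
# Non-zero when any principal could not be keyed, so the caller can notice an
# incomplete keytab instead of the previous unconditional "exit 0".
exit "$rc"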