components/cyrus-sasl/test/setup-for-mit
author Jan Parcel <jan.parcel@oracle.com>
Wed, 27 Apr 2016 16:55:22 -0700
changeset 5866 683c5c035a79
permissions -rw-r--r--
23116175 Get the cyrus-sasl component ready for MIT-default Kerberos 23041772 Reconcile redundancies between patches and Makefile 23044356 Unable to build openldap if cyrus-sasl requests -lldap_r for ldapdb 22928693 Now that libsasl2 is available, openldap should call it out as a dependency 23072799 fix dead/broken links in sasl html docs 23077448 Broken links with Net TI install with facet.devel=false - libsasl2
#!/bin/ksh93 -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
#
# The Kerberos package is requested by its full pkg://solaris/ name because,
# per the original note, the shorter string ending in security/kerberos5
# matches two packages, the old one and the new one.
# SASL_PACKAGES_NEEDED is not set in this file; presumably the caller
# exports it -- TODO confirm.
PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
	pkg://solaris/security/kerberos-5 \
	security/kerberos-5/kdc "

# $PACKAGES_NEEDED is left unquoted on purpose so that it splits into one
# argument per package.  Install only when pkg list reports a problem.
if ! pkg list $PACKAGES_NEEDED > /dev/null
then
	pkg install $PACKAGES_NEEDED
fi

# Check again so that a failed or partial install stops the setup here.
pkg list $PACKAGES_NEEDED > /dev/null || {
	echo "One or more packages failed to install"
	exit 1
}
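# NOTE(review): fixed, trivially guessable credential.  It is the password
# handed to kdcmgr below and it is reused further down for the cross-realm
# krbtgt principals and for the tester/ken accounts, so the KDC this script
# builds is only fit for a disposable test host.
passwd="1234"

trap "echo 'A command failed, aborting.'; exit 1" ERR

# $force is executed as a command.  It is not set anywhere in this file, so
# it is presumably exported by the caller as "true" or "false" -- TODO
# confirm.  ok_to_proceed is likewise defined outside this file.
if ! $force
then
	ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
fi

trap - ERR # if kdcmgr destroy fails, run it again
yes | /usr/sbin/kdcmgr destroy > /dev/null
if (( $? != 0 ))
then
	yes | /usr/sbin/kdcmgr destroy > /dev/null
fi
# NOTE(review): printed whether or not the second attempt succeeded.
print "Existing KDC config destroyed."

# From here until the final rm the cleartext password sits in a file under
# /var/run, so a failing command has to delete that file before aborting.
# Without this the ERR trap exits and leaves the password file behind.
trap 'rm -f "$passwd_file"; echo "A command failed, aborting."; exit 1' ERR

passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)

# -r and -- stop print from interpreting backslashes or a leading dash.
print -r -- "$passwd" > "$passwd_file"

# create the master KDC, or a slave of $master_kdc when that variable is set.
# admin_princ, realm and master_kdc are not assigned in this file.
if [[ -n $master_kdc ]]
then
	/usr/sbin/kdcmgr -a "$admin_princ" -r "$realm" -p "$passwd_file" create -m "$master_kdc" slave
else
	/usr/sbin/kdcmgr -a "$admin_princ" -r "$realm" -p "$passwd_file" create master
fi

rm -f "$passwd_file"

# The password file is gone; go back to the plain abort-on-error trap that
# the rest of the script expects.
trap "echo 'A command failed, aborting.'; exit 1" ERR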
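# Optional stuff follows...

# Note, this next section is adding various service principals local to
# this system.  If you have servers running on other systems, edit this
# section to add the services using the FQDN hostnames of those systems
# and output the keytab to a non-default filename.
# You will then either copy the non-default filename created on the
# system you ran this script on or login to the other system and do a
# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
# located on that server.
#
# NOTE(review): the per-host keytabs written under /var/run hold long-term
# service keys.  Treat them like passwords: transfer them only over an
# authenticated, encrypted channel and remove the local copy afterwards.

# addprincs if not in slave mode
if [[ -z $master_kdc ]]
then
	if [[ -n "$kt_config_file" ]]
	then
		if ! $force
		then
			ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
		fi
		# Each line of $kt_config_file is read as "<host> <service>...".
		while read host services
		do
			# Skip blank lines and comments.  Only the '#' is quoted: a
			# fully quoted "#*" is compared literally inside [[ ]] and
			# never matches a real comment line, which would then be
			# processed as if it named a host.
			if [[ -z "$host" || "$host" == '#'* ]]
			then
				continue
			fi
			# $host becomes part of a file name that is removed and
			# rewritten below, so refuse anything containing a slash.
			if [[ "$host" == */* ]]
			then
				print -u2 "Skipping invalid host name '$host' in $kt_config_file"
				continue
			fi
			if [[ "$host" != "localhost" ]]
			then
				hostkeytab="/var/run/${host}.keytab"
				rm -f "$hostkeytab"
				# The copy command is only stored in the array here.
				# Note that it targets the remote host's default
				# keytab, replacing whatever that file held.
				kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
			fi
			for service in $services
			do
				if [[ "$host" == "localhost" ]]
				then
					# add service to KDC's keytab
					kadmin.local -q "addprinc -randkey $service/$fqdn"
					kadmin.local -q "ktadd $service/$fqdn"
					print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
				else
					# add service to $host's keytab
					kadmin.local -q "addprinc -randkey $service/$host"
					kadmin.local -q "ktadd -k $hostkeytab $service/$host"
					print "\nAdded $service/$host to $hostkeytab"
				fi
			done
			((num_keytabs = num_keytabs + 1))
		done < "$kt_config_file"
	fi

	if [[ -n "$crossrealm" ]]
	then
		# Setup  Cross-realm auth.
		# NOTE(review): both krbtgt principals get the fixed $passwd, and
		# -pw puts it on the kadmin.local command line where local users
		# who can list process arguments may read it.  A cross-realm
		# trust keyed this way is only acceptable on a test KDC.
		kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
		kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
		print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
	fi

	# Optional, Add service principals on KDC
	for srv in nfs ldap smtp imap cifs
	do
		# ktadd randomizes the key anyway, so use the -randkey option
		# for addprinc.
		kadmin.local -q "addprinc -randkey $srv/$fqdn"
		kadmin.local -q "ktadd $srv/$fqdn"
	done


	# "tester" needed for setup
	kadmin.local -q "addprinc -pw $passwd tester"

	# "ken" needed for test
	# saslpasswd2 reads the password from stdin (-p) and creates (-c) the
	# user in a sasldb file in the current working directory.
	echo "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
	kadmin.local -q "addprinc -pw $passwd ken"

fi # addprincs if not in slave mode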
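# turn off err trap because svcadm below may return an unimportant error
trap "" ERR

# Uncomment the krb5* entries in /etc/nfssec.conf unless the krb5 (390003)
# entry is already active.
if ! egrep '^[ 	]*krb5[ 	]+390003' /etc/nfssec.conf > /dev/null
then
	tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
	[[ -n $tmpnfssec ]] || exit 1
	# The ERR trap is off at this point, so sed is checked explicitly and
	# an empty result is never installed over the live configuration.
	# cp into the existing file is used instead of mv: mktemp creates the
	# temporary file readable by its owner only, and mv would carry those
	# permissions onto /etc/nfssec.conf.
	if sed  -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > "$tmpnfssec" &&
	    [[ -s $tmpnfssec ]] &&
	    cp "$tmpnfssec" /etc/nfssec.conf
	then
		print 'Enabled krb5 sec in /etc/nfssec.conf.'
		print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
		print
	else
		print -u2 'Could not update /etc/nfssec.conf.'
	fi
	rm -f "$tmpnfssec"
fi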
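# get time and DNS running
#
# The steps below only deal with NTP.  Kerberos rejects requests when the
# client and KDC clocks differ by more than the permitted skew (five minutes
# by default), so a host without working time sync tends to fail later at
# kinit with a much less obvious error.  Failures here are reported on
# stderr but are not fatal: the host may be getting its time some other way.

# Seed ntp.conf from the client template; an existing ntp.conf is never
# overwritten.
if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
then
	cp /etc/inet/ntp.client /etc/inet/ntp.conf
fi

if [[ -f /etc/inet/ntp.conf ]]
then
	# -s waits for the service to come online, so the exit status
	# reflects whether ntp actually started.
	if ! svcadm enable -s svc:/network/ntp:default
	then
		print -u2 "Warning, the ntp service did not start; Kerberos needs synchronized clocks."
	fi
else
	# Also reached when the cp above failed.
	print -u2 "Warning, no /etc/inet/ntp.conf, ntp not enabled; Kerberos needs synchronized clocks."
fi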
# Bring up the ktkt_warn service.  Its exit status is not checked, so a
# failure here does not stop the setup.
svcadm enable -s svc:/network/security/ktkt_warn:default

# The gss service is mandatory: if it does not come online, show the SMF
# diagnosis, print the error text framed by blank lines, and abort.
svcadm enable -s svc:/network/rpc/gss:default || {
	svcs -x svc:/network/rpc/gss:default
	print
	print -r -- 'Error, the gss service did not start.  You will not be able to do nfssec with sec=krb5*'
	print
	exit 1
}
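# Check the KDC end to end: obtain a ticket for the "tester" principal into
# a throw-away credential cache rather than the caller's default cache.
# mktemp creates the file itself, readable and writable by the owner only,
# so the cache path cannot be pre-created by another local user.
tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
[[ -n $tmpccache ]] || exit 1

# print is a ksh builtin, so the password is written straight to the pipe
# and never appears in a process argument list.  -r keeps backslashes in the
# password literal and -- stops a leading '-' from being parsed as an
# option; without them such a password reaches kinit altered.
# presumably $passwd is the tester principal's password, set earlier in the
# script -- confirm.
if ! print -r -- "$passwd" | kinit -c "$tmpccache" tester
then
	print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
	# Do not leave the unused cache file behind on the failure path.
	rm -f "$tmpccache"
	exit 1
fi
# NOTE(review): on success the cache now holds a live TGT for tester and is
# not removed in the lines visible here; confirm a later step destroys it.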
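# List the commands the administrator has to run to move the generated
# keytabs to their hosts.  Nothing is printed when num_keytabs is 0.
#
# A keytab holds a principal's long-term key.
# NOTE(review): presumably the stored commands copy it over an
# authenticated, encrypted channel -- confirm where kt_transfer_command
# is built.
integer i=0
if ((num_keytabs > 0))
then
	print "\nRun the following commands to transfer generated keytabs:"
fi
for ((i = 0; i < num_keytabs; i++))
do
	# The text is meant to be copied and run, so emit it verbatim:
	# quoting prevents word splitting and filename expansion, -r
	# prevents backslash escapes from being rewritten, and -- keeps a
	# leading '-' from being read as a print option.
	print -r -- "${kt_transfer_command[i]}"
done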