upstream/oracle/userland-gate: components/cyrus-sasl/test/setup-for-seam@b01185225eaa (annotated)

5866 683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	1	#!/bin/ksh93 -p
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	2	#
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	3	# CDDL HEADER START
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	4	#
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	5	# The contents of this file are subject to the terms of the
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	6	# Common Development and Distribution License (the "License").
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	7	# You may not use this file except in compliance with the License.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	8	#
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	9	# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	10	# or http://www.opensolaris.org/os/licensing.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	11	# See the License for the specific language governing permissions
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	12	# and limitations under the License.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	13	#
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	14	# When distributing Covered Code, include this CDDL HEADER in each
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	15	# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	16	# If applicable, add the following below this CDDL HEADER, with the
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	17	# fields enclosed by brackets "[]" replaced with your own identifying
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	18	# information: Portions Copyright [yyyy] [name of copyright owner]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	19	#
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	20	# CDDL HEADER END
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	21	#
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	22
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	23	#
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	24	# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	25	#
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	26
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	27	PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	28	service/security/kerberos-5 \
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	29	system/security/kerberos-5 "
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	30
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	31	pkg list $PACKAGES_NEEDED > /dev/null
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	32	if (( $? != 0 ))
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	33	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	34	pkg install $PACKAGES_NEEDED
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	35	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	36
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	37	pkg list $PACKAGES_NEEDED > /dev/null
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	38	if (( $? != 0 ))
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	39	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	40	echo "One or more packages failed to install"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	41	exit 1
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	42	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	43
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	44
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	45	passwd="1234"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	46
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	47	trap "echo 'A command failed, aborting.'; exit 1" ERR
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	48
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	49	svcadm disable -s svc:/network/security/krb5kdc:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	50	svcadm disable -s svc:/network/security/kadmin:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	51	svcadm disable -s svc:/network/security/krb5_prop:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	52
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	53	if ! $force
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	54	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	55	ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	56	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	57
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	58	trap - ERR # in kdcmgr destroy fails, run it again
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	59	yes \| /usr/sbin/kdcmgr destroy > /dev/null
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	60	if (( $? != 0 ))
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	61	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	62	yes \| /usr/sbin/kdcmgr destroy > /dev/null
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	63	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	64	print "Existing KDC config destroyed."
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	65	trap "echo 'A command failed, aborting.'; exit 1" ERR
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	66
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	67	passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	68
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	69	print $passwd > $passwd_file
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	70
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	71	# create the master KDC
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	72	if [[ -n $master_kdc ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	73	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	74	/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	75	else
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	76	/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	77	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	78
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	79	rm -f $passwd_file
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	80
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	81	# Optional stuff follows...
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	82
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	83	# Note, this next section is adding various service principals local to
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	84	# this system. If you have servers running on other systems, edit this
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	85	# section to add the services using the FQDN hostnames of those systems
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	86	# and ouput the keytab to a non-default filename.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	87	# You will then either copy the non-default filename created on the
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	88	# system you ran this script on or login to the other system and do a
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	89	# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	90	# located on that server.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	91
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	92	# addprincs if not in slave mode
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	93	if [[ -z $master_kdc ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	94	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	95	if [[ -n "$kt_config_file" ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	96	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	97	if ! $force
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	98	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	99	ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	100	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	101	while read host services
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	102	do
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	103	if [[ "$host" == "#*" ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	104	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	105	# skip comments
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	106	continue
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	107	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	108	if [[ "$host" != "localhost" ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	109	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	110	hostkeytab="/var/run/${host}.keytab"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	111	rm -f $hostkeytab
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	112	kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	113	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	114	for service in $services
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	115	do
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	116	if [[ "$host" == "localhost" ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	117	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	118	# add service to KDC's keytab
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	119	kadmin.local -q "addprinc -randkey $service/$fqdn"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	120	kadmin.local -q "ktadd $service/$fqdn"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	121	print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	122	else
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	123	# add service to $host's keytab
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	124	kadmin.local -q "addprinc -randkey $service/$host"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	125	kadmin.local -q "ktadd -k $hostkeytab $service/$host"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	126	print "\nAdded $service/$host to $hostkeytab"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	127	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	128	done
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	129	((num_keytabs = num_keytabs + 1))
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	130	done < $kt_config_file
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	131	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	132
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	133	if [[ -n "$crossrealm" ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	134	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	135	# Setup Cross-realm auth.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	136	kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	137	kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	138	print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	139	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	140
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	141	# Optional, Add service principals on KDC
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	142	for srv in nfs ldap smtp imap cifs
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	143	do
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	144	# randomizes the key anyway so use the -randkey option for addprinc).
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	145	kadmin.local -q "addprinc -randkey $srv/$fqdn"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	146	kadmin.local -q "ktadd $srv/$fqdn"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	147	done
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	148
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	149
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	150	# "tester" needed for setup
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	151	kadmin.local -q "addprinc -pw $passwd tester"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	152
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	153	# "ken" needed for test
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	154	echo "$passwd" \| saslpasswd2 -c -p -f ./sasldb ken
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	155	kadmin.local -q "addprinc -pw $passwd ken"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	156
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	157	fi # addprincs if not in slave mode
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	158
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	159	# turn off err trap because svcadm below may return an unimportant error
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	160	trap "" ERR
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	161
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	162	if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	163	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	164	tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	165	[[ -n $tmpnfssec ]] \|\| exit 1
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	166	sed -e 's/^ # krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	167	mv -f $tmpnfssec /etc/nfssec.conf
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	168	print 'Enabled krb5 sec in /etc/nfssec.conf.'
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	169	print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	170	print
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	171	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	172
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	173	# get time and DNS running
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	174
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	175	if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	176	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	177	cp /etc/inet/ntp.client /etc/inet/ntp.conf
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	178	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	179	if [[ -f /etc/inet/ntp.conf ]]
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	180	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	181	svcadm enable -s svc:/network/ntp:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	182	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	183
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	184
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	185	svcadm enable svc:/network/security/ktkt_warn:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	186
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	187	if ! svcadm enable -s svc:/network/security/krb5kdc:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	188	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	189	svcs -x svc:/network/security/krb5kdc:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	190	cat <<-EOF
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	191
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	192	Error, the krb5kdc daemon did not start. You will not be able to do Kerberos
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	193	authentication. Check your kerberos config and rerun this script.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	194
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	195	EOF
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	196	exit 1
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	197	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	198
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	199	if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	200	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	201	svcs -x svc:/network/security/kadmin:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	202	cat <<-EOF
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	203
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	204	Error, the kadmind daemon did not start. You will not be able to change
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	205	passwords or run the kadmin command. Make sure /etc/krb5/kadm5.acl is
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	206	configured properly and rerun this script.
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	207
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	208	EOF
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	209	exit 1
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	210	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	211
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	212	if ! svcadm enable -s svc:/network/rpc/gss:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	213	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	214	svcs -x svc:/network/rpc/gss:default
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	215	cat <<-EOF
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	216
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	217	Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	218
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	219	EOF
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	220	exit 1
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	221	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	222
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	223	tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	224	[[ -n $tmpccache ]] \|\| exit 1
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	225	if ! print "$passwd" \| kinit -c $tmpccache tester
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	226	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	227	print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	228	exit 1
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	229	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	230
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	231	integer i=0
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	232	while ((i < num_keytabs))
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	233	do
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	234	if ((i == 0))
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	235	then
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	236	print "\nRun the following commands to transfer generated keytabs:"
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	237	fi
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	238	print ${kt_transfer_command[i]}
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	239	((i = i + 1))
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	240	done
683c5c035a79 23116175 Get the cyrus-sasl component ready for MIT-default Kerberos Jan Parcel <jan.parcel@oracle.com> parents: diff changeset	241

author	sreynata <sreyas.natarajan@oracle.com>
	Mon, 17 Oct 2016 23:20:28 -0700
changeset 7120	b01185225eaa
parent 5866	683c5c035a79
permissions	-rw-r--r--