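#!/bin/ksh93 -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
#

#
# Set up a Kerberos KDC on this system (a slave of $master_kdc when that is
# set, otherwise the master) and, unless in slave mode, populate it with the
# service and test principals needed by the test suite.
#
# The following are used but not defined here and must already be set:
#   SASL_PACKAGES_NEEDED, force, master_kdc, admin_princ, realm, fqdn,
#   kt_config_file, crossrealm, and the ok_to_proceed function.
# TODO(review): confirm where these come from (wrapper script or an earlier
# fragment); they are not visible in this file.
#

# Word splitting of PACKAGES_NEEDED into separate pkg arguments is intended.
PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
	service/security/kerberos-5 \
	system/security/kerberos-5 "

# Install whatever is missing, then re-check so that a failed install is
# reported instead of silently continuing without the KDC binaries.
if ! pkg list $PACKAGES_NEEDED > /dev/null
then
	pkg install $PACKAGES_NEEDED
fi

if ! pkg list $PACKAGES_NEEDED > /dev/null
then
	print -u2 "One or more packages failed to install"
	exit 1
fi


# Fixed, well-known password shared by the test principals created below
# (tester, ken) and by the cross-realm krbtgt entries. Suitable only for a
# test KDC.
passwd="1234"

trap "print -u2 'A command failed, aborting.'; exit 1" ERR

svcadm disable -s svc:/network/security/krb5kdc:default
svcadm disable -s svc:/network/security/kadmin:default
svcadm disable -s svc:/network/security/krb5_prop:default

# $force is run as a command, so it is expected to hold "true" or "false".
if ! $force
then
	ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
fi

# kdcmgr destroy may fail on the first attempt; drop the ERR trap so that
# does not abort the script, and simply run it again.
trap - ERR
if ! yes | /usr/sbin/kdcmgr destroy > /dev/null
then
	yes | /usr/sbin/kdcmgr destroy > /dev/null
fi
print "Existing KDC config destroyed."
trap "print -u2 'A command failed, aborting.'; exit 1" ERR

# The admin password is handed to kdcmgr through a file (mktemp creates it
# with a restrictive mode) rather than on the command line, so it does not
# show up in process listings. Remove it on every exit path -- including the
# ERR trap above -- not only after a successful create.
passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
[[ -n $passwd_file ]] || exit 1
trap 'rm -f "$passwd_file"' EXIT

print "$passwd" > "$passwd_file"

# create the master KDC (or a slave of $master_kdc when one is given)
if [[ -n $master_kdc ]]
then
	/usr/sbin/kdcmgr -a "$admin_princ" -r "$realm" -p "$passwd_file" create -m "$master_kdc" slave
else
	/usr/sbin/kdcmgr -a "$admin_princ" -r "$realm" -p "$passwd_file" create master
fi

rm -f "$passwd_file"

# Optional stuff follows...

# Note, this next section is adding various service principals local to
# this system. If you have servers running on other systems, edit this
# section to add the services using the FQDN hostnames of those systems
# and output the keytab to a non-default filename.
# You will then either copy the non-default filename created on the
# system you ran this script on or login to the other system and do a
# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
# located on that server.

# Arithmetic treats an unset num_keytabs as 0; make that explicit without
# clobbering a value set earlier.
: "${num_keytabs:=0}"

# addprincs if not in slave mode
if [[ -z $master_kdc ]]
then
	if [[ -n "$kt_config_file" ]]
	then
		if ! $force
		then
			ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
		fi
		# Each line of kt_config_file is: <host> <service>...
		while read -r host services
		do
			# Skip blank lines and comments. The pattern must not be
			# quoted: a quoted "#*" is compared literally, which let
			# comment lines through and created a "/var/run/#.keytab".
			if [[ -z $host || "$host" == "#"* ]]
			then
				continue
			fi
			if [[ "$host" != "localhost" ]]
			then
				# Keytab staged locally for later transfer. It holds key
				# material, so remove it once it has been copied to $host.
				hostkeytab="/var/run/${host}.keytab"
				rm -f "$hostkeytab"
				kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
				# Count only hosts that actually get a transfer command, so
				# the list printed at the end has no empty entries.
				((num_keytabs = num_keytabs + 1))
			fi
			for service in $services
			do
				if [[ "$host" == "localhost" ]]
				then
					# add service to KDC's keytab
					kadmin.local -q "addprinc -randkey $service/$fqdn"
					kadmin.local -q "ktadd $service/$fqdn"
					print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
				else
					# add service to $host's keytab
					kadmin.local -q "addprinc -randkey $service/$host"
					kadmin.local -q "ktadd -k $hostkeytab $service/$host"
					print "\nAdded $service/$host to $hostkeytab"
				fi
			done
		done < "$kt_config_file"
	fi

	if [[ -n "$crossrealm" ]]
	then
		# Setup Cross-realm auth. Both krbtgt entries get the fixed test
		# password, so the two realms trust each other on a weak, known key.
		# NOTE: -pw places the password on kadmin.local's argv, where it is
		# visible in process listings while the command runs.
		kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
		kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
		print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
	fi

	# Optional, Add service principals on KDC
	for srv in nfs ldap smtp imap cifs
	do
		# ktadd randomizes the key anyway, so use -randkey with addprinc
		# rather than a password.
		kadmin.local -q "addprinc -randkey $srv/$fqdn"
		kadmin.local -q "ktadd $srv/$fqdn"
	done


	# "tester" needed for setup (see -pw note above about argv exposure)
	kadmin.local -q "addprinc -pw $passwd tester"

	# "ken" needed for test. The sasldb is created relative to the current
	# working directory.
	print "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
	kadmin.local -q "addprinc -pw $passwd ken"

fi # addprincs if not in slave mode

# turn off err trap because svcadm below may return an unimportant error
trap "" ERR

if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null
then
	tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
	[[ -n $tmpnfssec ]] || exit 1
	sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > "$tmpnfssec"
	# Copy over the existing file instead of mv'ing the temp file onto it:
	# mktemp creates its file with a restrictive mode, and mv would carry
	# that mode and ownership onto /etc/nfssec.conf, whereas cp onto the
	# existing file keeps the target's mode and owner.
	cp "$tmpnfssec" /etc/nfssec.conf && rm -f "$tmpnfssec"
	print 'Enabled krb5 sec in /etc/nfssec.conf.'
	print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
	print
fi

# get time and DNS running

if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
then
	cp /etc/inet/ntp.client /etc/inet/ntp.conf
fi
if [[ -f /etc/inet/ntp.conf ]]
then
	svcadm enable -s svc:/network/ntp:default
fi


svcadm enable svc:/network/security/ktkt_warn:default

if ! svcadm enable -s svc:/network/security/krb5kdc:default
then
	svcs -x svc:/network/security/krb5kdc:default
	cat <<-EOF

	Error, the krb5kdc daemon did not start. You will not be able to do Kerberos
	authentication. Check your kerberos config and rerun this script.

	EOF
	exit 1
fi

# kadmind only runs on the master
if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default
then
	svcs -x svc:/network/security/kadmin:default
	cat <<-EOF

	Error, the kadmind daemon did not start. You will not be able to change
	passwords or run the kadmin command. Make sure /etc/krb5/kadm5.acl is
	configured properly and rerun this script.

	EOF
	exit 1
fi

if ! svcadm enable -s svc:/network/rpc/gss:default
then
	svcs -x svc:/network/rpc/gss:default
	cat <<-EOF

	Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*

	EOF
	exit 1
fi

# Smoke test: obtain a TGT for the tester principal into a private cache.
tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
[[ -n $tmpccache ]] || exit 1
if ! print "$passwd" | kinit -c "$tmpccache" tester
then
	print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
	exit 1
fi
# The cache served only as a check; do not leave tester's TGT behind in /tmp.
rm -f "$tmpccache"

# Print the keytab transfer commands collected above, if any.
integer i=0
while ((i < num_keytabs))
do
	if ((i == 0))
	then
		print "\nRun the following commands to transfer generated keytabs:"
	fi
	print "${kt_transfer_command[i]}"
	((i = i + 1))
done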
241 |