48 ;; |
44 ;; |
49 esac |
45 esac |
50 |
46 |
51 |
47 |
52 # realm used as default, edit if a different realm is desired. |
48 # realm used as default, edit if a different realm is desired. |
53 realm="SASLTEST.NET" |
49 export realm="SASLTEST.NET" |
54 # realm for cross-realm auth. |
50 # realm for cross-realm auth. |
55 crossrealm= |
51 crossrealm= |
56 |
52 |
57 # password for all principals not added to keytab |
53 # password for all principals not added to keytab |
58 export passwd="1234" |
54 export passwd="1234" |
59 |
55 |
60 # Set this to the ID that is allowed to run kadmin |
56 # Set this to the ID that is allowed to run kadmin |
61 # Be default you would do: "kadmin -p kdc/admin" and use the passwd above. |
57 # Be default you would do: "kadmin -p kdc/admin" and use the passwd above. |
62 admin_princ="kdc/admin" |
58 admin_princ="kdc/admin" |
63 |
59 |
64 # used to determine if in batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode |
60 # used to determine if in |
|
61 # batch/non-intera/home/willf/app_support/etc/krb5/templates/db2ctive mode |
65 force='false' |
62 force='false' |
66 check_leaks='false' |
63 check_leaks='false' |
67 |
64 |
68 # keytab config file |
65 # keytab config file |
69 kt_config_file= |
66 kt_config_file= |
70 num_keytabs=0 |
67 num_keytabs=0 |
71 set -A kt_transfer_command |
68 set -A kt_transfer_command |
72 |
|
73 ldap_ds= |
|
74 |
69 |
75 # should be null if seting up master kdc |
70 # should be null if seting up master kdc |
76 master_kdc= |
71 master_kdc= |
77 |
72 |
78 # get the base script name |
73 # get the base script name |
222 then |
203 then |
223 print -u2 "Error: ping full hostname ${fqdn} failed. Aborting..." |
204 print -u2 "Error: ping full hostname ${fqdn} failed. Aborting..." |
224 exit 1 |
205 exit 1 |
225 fi |
206 fi |
226 |
207 |
227 passwd="1234" |
208 # get time and DNS running |
228 |
209 |
229 trap "echo 'A command failed, aborting.'; exit 1" ERR |
210 if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]] |
230 |
211 then |
231 svcadm disable -s svc:/network/security/krb5kdc:default |
212 cp /etc/inet/ntp.client /etc/inet/ntp.conf |
232 svcadm disable -s svc:/network/security/kadmin:default |
213 fi |
233 svcadm disable -s svc:/network/security/krb5_prop:default |
214 if [[ -f /etc/inet/ntp.conf ]] |
234 |
215 then |
235 if ! $force |
216 svcadm enable -s svc:/network/ntp:default |
236 then |
217 fi |
237 ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?" |
218 |
238 fi |
219 export KMODE="mit" |
239 |
220 set -A MEDIATOR `pkg mediator -H kerberos5` |
240 trap - ERR # in kdcmgr destroy fails, run it again |
221 |
241 yes | /usr/sbin/kdcmgr destroy > /dev/null |
222 case ${MEDIATOR[3]} in |
|
223 |
|
224 "solaris" ) # old kerberos configured |
|
225 KMODE="seam" |
|
226 ;; |
|
227 |
|
228 *) # "MIT" or mediator does not exist |
|
229 KMODE="mit" |
|
230 ;; |
|
231 esac |
|
232 |
|
233 . ./setup-for-$KMODE |
242 if (( $? != 0 )) |
234 if (( $? != 0 )) |
243 then |
235 then |
244 yes | /usr/sbin/kdcmgr destroy > /dev/null |
236 print -u2 "Setup failed" |
245 fi |
237 exit 1 |
246 print "Existing KDC config destroyed." |
238 fi |
247 trap "echo 'A command failed, aborting.'; exit 1" ERR |
239 |
248 |
240 |
249 passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX) |
241 print "$passwd" | kinit ken |
250 |
|
251 print $passwd > $passwd_file |
|
252 |
|
253 # create the master KDC |
|
254 if [[ -n $master_kdc ]] |
|
255 then |
|
256 /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave |
|
257 else |
|
258 /usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master |
|
259 fi |
|
260 |
|
261 rm -f $passwd_file |
|
262 |
|
263 # Optional stuff follows... |
|
264 |
|
265 # Note, this next section is adding various service principals local to |
|
266 # this system. If you have servers running on other systems, edit this |
|
267 # section to add the services using the FQDN hostnames of those systems |
|
268 # and ouput the keytab to a non-default filename. |
|
269 # You will then either copy the non-default filename created on the |
|
270 # system you ran this script on or login to the other system and do a |
|
271 # kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab |
|
272 # located on that server. |
|
273 |
|
274 # addprincs if not in slave mode |
|
275 if [[ -z $master_kdc ]] |
|
276 then |
|
277 if [[ -n "$kt_config_file" ]] |
|
278 then |
|
279 if ! $force |
|
280 then |
|
281 ok_to_proceed "Existing keytab files will be modified, okay to proceed?" |
|
282 fi |
|
283 while read host services |
|
284 do |
|
285 if [[ "$host" == "#*" ]] |
|
286 then |
|
287 # skip comments |
|
288 continue |
|
289 fi |
|
290 if [[ "$host" != "localhost" ]] |
|
291 then |
|
292 hostkeytab="/var/run/${host}.keytab" |
|
293 rm -f $hostkeytab |
|
294 kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab" |
|
295 fi |
|
296 for service in $services |
|
297 do |
|
298 if [[ "$host" == "localhost" ]] |
|
299 then |
|
300 # add service to KDC's keytab |
|
301 kadmin.local -q "addprinc -randkey $service/$fqdn" |
|
302 kadmin.local -q "ktadd $service/$fqdn" |
|
303 print "Added $service/$fqdn to /etc/krb5/krb5.keytab" |
|
304 else |
|
305 # add service to $host's keytab |
|
306 kadmin.local -q "addprinc -randkey $service/$host" |
|
307 kadmin.local -q "ktadd -k $hostkeytab $service/$host" |
|
308 print "\nAdded $service/$host to $hostkeytab" |
|
309 fi |
|
310 done |
|
311 ((num_keytabs = num_keytabs + 1)) |
|
312 done < $kt_config_file |
|
313 fi |
|
314 |
|
315 if [[ -n "$crossrealm" ]] |
|
316 then |
|
317 # Setup Cross-realm auth. |
|
318 kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm" |
|
319 kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm" |
|
320 print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm." |
|
321 fi |
|
322 |
|
323 # Optional, Add service principals on KDC |
|
324 for srv in nfs ldap smtp imap cifs |
|
325 do |
|
326 # randomizes the key anyway so use the -randkey option for addprinc). |
|
327 kadmin.local -q "addprinc -randkey $srv/$fqdn" |
|
328 kadmin.local -q "ktadd $srv/$fqdn" |
|
329 done |
|
330 |
|
331 |
|
332 # "tester" needed for setup |
|
333 kadmin.local -q "addprinc -pw $passwd tester" |
|
334 |
|
335 # "ken" needed for test |
|
336 echo "1234" | saslpasswd2 -c -p -f ./sasldb ken |
|
337 kadmin.local -q "addprinc -pw $passwd ken" |
|
338 |
|
339 fi # addprincs if not in slave mode |
|
340 |
|
341 # turn off err trap because svcadm below may return an unimportant error |
|
342 trap "" ERR |
|
343 |
|
344 if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null |
|
345 then |
|
346 tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX) |
|
347 [[ -n $tmpnfssec ]] || exit 1 |
|
348 sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec |
|
349 mv -f $tmpnfssec /etc/nfssec.conf |
|
350 print 'Enabled krb5 sec in /etc/nfssec.conf.' |
|
351 print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.' |
|
352 print |
|
353 fi |
|
354 |
|
355 # get time and DNS running |
|
356 |
|
357 if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]] |
|
358 then |
|
359 cp /etc/inet/ntp.client /etc/inet/ntp.conf |
|
360 fi |
|
361 if [[ -f /etc/inet/ntp.conf ]] |
|
362 then |
|
363 svcadm enable -s svc:/network/ntp:default |
|
364 fi |
|
365 |
|
366 |
|
367 svcadm enable svc:/network/security/ktkt_warn:default |
|
368 |
|
369 if ! svcadm enable -s svc:/network/security/krb5kdc:default |
|
370 then |
|
371 svcs -x svc:/network/security/krb5kdc:default |
|
372 cat <<-EOF |
|
373 |
|
374 Error, the krb5kdc daemon did not start. You will not be able to do Kerberos |
|
375 authentication. Check your kerberos config and rerun this script. |
|
376 |
|
377 EOF |
|
378 exit 1 |
|
379 fi |
|
380 |
|
381 if [[ -z $master_kdc ]] && ! svcadm enable -s svc:/network/security/kadmin:default |
|
382 then |
|
383 svcs -x svc:/network/security/kadmin:default |
|
384 cat <<-EOF |
|
385 |
|
386 Error, the kadmind daemon did not start. You will not be able to change |
|
387 passwords or run the kadmin command. Make sure /etc/krb5/kadm5.acl is |
|
388 configured properly and rerun this script. |
|
389 |
|
390 EOF |
|
391 exit 1 |
|
392 fi |
|
393 |
|
394 if ! svcadm enable -s svc:/network/rpc/gss:default |
|
395 then |
|
396 svcs -x svc:/network/rpc/gss:default |
|
397 cat <<-EOF |
|
398 |
|
399 Error, the gss service did not start. You will not be able to do nfssec with sec=krb5* |
|
400 |
|
401 EOF |
|
402 exit 1 |
|
403 fi |
|
404 |
|
405 tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX) |
|
406 [[ -n $tmpccache ]] || exit 1 |
|
407 if ! print "$passwd" | kinit -c $tmpccache tester |
|
408 then |
|
409 print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!" |
|
410 exit 1 |
|
411 fi |
|
412 |
|
413 integer i=0 |
|
414 while ((i < num_keytabs)) |
|
415 do |
|
416 if ((i == 0)) |
|
417 then |
|
418 print "\nRun the following commands to transfer generated keytabs:" |
|
419 fi |
|
420 print ${kt_transfer_command[i]} |
|
421 ((i = i + 1)) |
|
422 done |
|
423 |
|
424 print 1234 | kinit ken |
|
425 touch .setup |
242 touch .setup |
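Review bot: The test credential `export passwd="1234"` (line 54) is a fixed, well-known value that this side of the diff now exports into the environment of every child process and of the sourced `setup-for-$KMODE` script, and line 241 still feeds it to `kinit ken`; any process this script spawns can read it from its environment, and a KDC left with that principal password is trivially usable by anyone who has seen this script. If the SASL tests do not depend on the literal value, generate it at run time and keep it a plain shell variable, e.g. `passwd=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)` — sourced scripts see unexported variables anyway. Separately, `. ./setup-for-$KMODE` (line 233) resolves against the caller's current directory rather than the script's, so running the script from elsewhere sources nothing (or a file of the same name planted there); anchoring it as `. "${0%/*}/setup-for-$KMODE"` avoids both problems, and `${MEDIATOR[3]}` (line 222) is taken from unquoted backtick output without checking that `pkg mediator` succeeded, though the `*)` arm does fall back to MIT. Which column is the new side is inferred from the `pkg mediator` / sourced-file refactor, not from explicit markers, and the `if` whose `then` opens this hunk (line 203) begins outside the hunk.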