#!/bin/ksh93 -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
#
# have to use longer string because the end of security/kerberos5 matches
# 2 packages, old and new.
PACKAGES_NEEDED="$SASL_PACKAGES_NEEDED \
pkg://solaris/security/kerberos-5 \
security/kerberos-5/kdc "
pkg list $PACKAGES_NEEDED > /dev/null
if (( $? != 0 ))
then
pkg install $PACKAGES_NEEDED
fi
pkg list $PACKAGES_NEEDED > /dev/null
if (( $? != 0 ))
then
echo "One or more packages failed to install"
exit 1
fi
passwd="1234"
trap "echo 'A command failed, aborting.'; exit 1" ERR
if ! $force
then
ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
fi
trap - ERR # in kdcmgr destroy fails, run it again
yes | /usr/sbin/kdcmgr destroy > /dev/null
if (( $? != 0 ))
then
yes | /usr/sbin/kdcmgr destroy > /dev/null
fi
print "Existing KDC config destroyed."
trap "echo 'A command failed, aborting.'; exit 1" ERR
passwd_file=$(/usr/bin/mktemp /var/run/setup_kdc_passwd.XXXXXX)
print $passwd > $passwd_file
# create the master KDC
if [[ -n $master_kdc ]]
then
/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create -m $master_kdc slave
else
/usr/sbin/kdcmgr -a $admin_princ -r $realm -p $passwd_file create master
fi
rm -f $passwd_file
# Optional stuff follows...
# Note, this next section is adding various service principals local to
# this system. If you have servers running on other systems, edit this
# section to add the services using the FQDN hostnames of those systems
# and ouput the keytab to a non-default filename.
# You will then either copy the non-default filename created on the
# system you ran this script on or login to the other system and do a
# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
# located on that server.
# addprincs if not in slave mode
if [[ -z $master_kdc ]]
then
if [[ -n "$kt_config_file" ]]
then
if ! $force
then
ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
fi
while read host services
do
if [[ "$host" == "#*" ]]
then
# skip comments
continue
fi
if [[ "$host" != "localhost" ]]
then
hostkeytab="/var/run/${host}.keytab"
rm -f $hostkeytab
kt_transfer_command[num_keytabs]="scp $hostkeytab ${host}:/etc/krb5/krb5.keytab"
fi
for service in $services
do
if [[ "$host" == "localhost" ]]
then
# add service to KDC's keytab
kadmin.local -q "addprinc -randkey $service/$fqdn"
kadmin.local -q "ktadd $service/$fqdn"
print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
else
# add service to $host's keytab
kadmin.local -q "addprinc -randkey $service/$host"
kadmin.local -q "ktadd -k $hostkeytab $service/$host"
print "\nAdded $service/$host to $hostkeytab"
fi
done
((num_keytabs = num_keytabs + 1))
done < $kt_config_file
fi
if [[ -n "$crossrealm" ]]
then
# Setup Cross-realm auth.
kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
print "\n\nNote, /etc/krb5/krb5.conf will need to be modified to support crossrealm."
fi
# Optional, Add service principals on KDC
for srv in nfs ldap smtp imap cifs
do
# randomizes the key anyway so use the -randkey option for addprinc).
kadmin.local -q "addprinc -randkey $srv/$fqdn"
kadmin.local -q "ktadd $srv/$fqdn"
done
# "tester" needed for setup
kadmin.local -q "addprinc -pw $passwd tester"
# "ken" needed for test
echo "$passwd" | saslpasswd2 -c -p -f ./sasldb ken
kadmin.local -q "addprinc -pw $passwd ken"
fi # addprincs if not in slave mode
# turn off err trap because svcadm below may return an unimportant error
trap "" ERR
if ! egrep '^[ ]*krb5[ ]+390003' /etc/nfssec.conf > /dev/null
then
tmpnfssec=$(/usr/bin/mktemp /tmp/nfssec.conf_XXXXX)
[[ -n $tmpnfssec ]] || exit 1
sed -e 's/^ *# *krb5/krb5/g' /etc/nfssec.conf > $tmpnfssec
mv -f $tmpnfssec /etc/nfssec.conf
print 'Enabled krb5 sec in /etc/nfssec.conf.'
print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
print
fi
# get time and DNS running
if [[ ! -f /etc/inet/ntp.conf && -f /etc/inet/ntp.client ]]
then
cp /etc/inet/ntp.client /etc/inet/ntp.conf
fi
if [[ -f /etc/inet/ntp.conf ]]
then
svcadm enable -s svc:/network/ntp:default
fi
svcadm enable -s svc:/network/security/ktkt_warn:default
if ! svcadm enable -s svc:/network/rpc/gss:default
then
svcs -x svc:/network/rpc/gss:default
cat <<-EOF
Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*
EOF
exit 1
fi
tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
[[ -n $tmpccache ]] || exit 1
if ! print "$passwd" | kinit -c $tmpccache tester
then
print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
exit 1
fi
integer i=0
while ((i < num_keytabs))
do
if ((i == 0))
then
print "\nRun the following commands to transfer generated keytabs:"
fi
print ${kt_transfer_command[i]}
((i = i + 1))
done