kclient.sh revision ae5b046d8f8cec187d40041c4b74b43f561d5ac7
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
#
# This script sets up a Kerberos client from information supplied
# about the Kerberos realm and KDC.
#
# A krb5.conf file is generated and the local host's keytab file is set
# up. The script can also optionally set up the system to do kerberized
# NFS and bring over a master krb5.conf copy from a specified location.
# Terminate the script with the exit status given as $1.
# NOTE(review): only the exit is visible in this listing. The main section
# creates mktemp files (TMP_FILE, KRB5_CONFIG) that can hold sensitive data;
# confirm they and the credential cache are removed on every exit path.
function cleanup {
# "integer" is the ksh declaration for an integer variable.
integer ret=$1
exit $ret
}
# Forward the first argument to cleanup, which exits with it.
function exiting {
# $1 is unquoted: an empty or missing argument reaches cleanup as no
# argument at all.
cleanup $1
}
# Print a separator line on stdout and leave with exit status 1 via cleanup.
function error_message {
# "--" keeps printf from reading the leading dashes as an option.
printf -- "---------------------------------------------------\n"
cleanup 1
}
# Test whether the path given as $1 is executable.
# NOTE(review): the action taken when the test fails is not visible in this
# listing.
function check_bin {
typeset bin=$1
# $bin is unquoted; inside [[ ]] that is safe from word splitting.
if [[ ! -x $bin ]]; then
fi
}
# Takes a file name ($1) and a status value ($2).
# NOTE(review): the statements that use them are not visible in this listing;
# presumably this reports a failed file creation - confirm against the full
# source.
function cannot_create {
typeset filename="$1"
typeset stat="$2"
fi
}
# Stage PAM configuration changes for the requested services in a temporary
# file. Only fragments of the loop are visible in this listing.
function update_pam_conf {
# mktemp gives an unpredictable file name, which avoids the classic
# fixed-name temp file race. -q suppresses the error message, so failure is
# detected by the empty-string test below.
TPAM=$(mktemp -q -t kclient-pamconf.XXXXXX)
if [[ -z $TPAM ]]; then
fi
# A service that already references pam_krb5 is reported on stderr and
# skipped rather than rewritten.
printf "$(gettext "The %s service is already configured for pam_krb5, please merge this service in %s").\n\n" $svc $PAM >&2
continue
else
# fd 3 appends to the staging file.
# NOTE(review): $TPAM is unquoted in the redirection.
exec 3>>$TPAM
fi
done
}
# Operates on /etc/nfssec.conf when that file is readable.
# NOTE(review): the edit itself is not visible in this listing; a comment in
# the main section says the krb5* security flavors are uncommented there.
function modify_nfssec_conf {
typeset NFSSEC_FILE="/etc/nfssec.conf"
if [[ -r $NFSSEC_FILE ]]; then
fi
fi
}
# Create the service principal for the service named in $1 and add its keys
# to the keytab, using kadmin subcommands. The kadmin invocations themselves
# are not visible in this listing; only the subcommand strings and the status
# checks are.
function call_kadmin {
typeset svc="$1"
typeset ktremsubcommand
# Reset conditional vars to 1
# Subcommands used below. "-randkey" asks the KDC for a random key, so no
# password for the service principal is ever typed or stored.
getprincsubcommand="getprinc $service_princ"
anksubcommand="addprinc -randkey $service_princ"
ktaddsubcommand="ktadd $service_princ"
ktremsubcommand="ktrem $service_princ all"
# bool1..bool4 capture the status of checks on the kadmin output; the
# commands for bool1, bool2 and bool4 are not visible here.
bool1=$?
bool2=$?
# NOTE(review): success is detected by matching a translated error message
# in the captured output, and the principal and realm are interpolated into
# the regular expression unescaped ("." matches any character). This breaks
# if the message text or the locale catalog changes.
egrep -s "$(gettext "add_principal: Principal or policy already exists while creating \"$service_princ@$realm\".")" $TMP_FILE
bool3=$?
bool4=$?
else
fi
else
fi
if [[ $? -eq 0 ]]; then
# Don't care if this succeeds or not, just need to replace old
# entries as it is assumed that the client is reinitialized
fi
if [[ $? -ne 0 ]]; then
else
fi
done
}
# Write a krb5.conf to the file named by $KRB5_CONFIG through fd 3. The
# content depends on dns_lookup/dnsarg, the KDC lists, the domain list,
# non_solaris and no_keytab. The lines that emit the configuration text are
# not visible in this listing; only the branching skeleton is.
function writeup_krb5_conf {
typeset dh
# Truncate and open the target; the status test below checks this exec.
# NOTE(review): $KRB5_CONFIG is unquoted in the redirection.
exec 3>$KRB5_CONFIG
if [[ $? -ne 0 ]]; then
fi
if [[ $no_keytab == yes ]]; then
fi
# DNS-based configuration: which lookups are delegated to DNS is selected by
# dnsarg (dns_lookup_kdc, dns_lookup_realm, otherwise the remaining option).
if [[ $dns_lookup == yes ]]; then
if [[ $dnsarg == dns_lookup_kdc ]]; then
if [[ -n $fkdc_list ]]; then
# $fkdc_list is deliberately unquoted: it is a space-separated list.
for kdc in $fkdc_list; do
done
fi
if [[ -z $short_fqdn ]]; then
else
fi
if [[ -n $domain_list ]]; then
for dh in $domain_list; do
done
fi
else
if [[ $dnsarg = dns_lookup_realm ]]; then
if [[ -n $kdc_list ]]; then
done
else
fi
if [[ $non_solaris == yes ]]; then
fi
else
fi
fi
else
# Static configuration: KDCs and domain-to-realm mappings are written out
# explicitly.
if [[ -n $kdc_list ]]; then
done
else
fi
if [[ $non_solaris == yes ]]; then
fi
if [[ -n $fkdc_list ]]; then
for kdc in $fkdc_list; do
done
fi
if [[ -z $short_fqdn ]]; then
else
fi
if [[ -n $domain_list ]]; then
for dh in $domain_list; do
done
fi
fi
if [[ $no_keytab == yes ]]; then
fi
}
# Prompt with the question in $1, showing the default answer in $2 when one
# is given, and read the reply into the variable "answer" (not declared local
# here, so the caller sees it).
function ask {
typeset question=$1
typeset default_answer=$2
if [[ -z $default_answer ]]; then
else
# NOTE(review): the question and the default are used as the printf format
# itself, so a "%" or backslash in either is interpreted by printf.
# A fixed format, e.g. printf "%s [%s]: ", would avoid that.
printf "$question [$default_answer]: "
fi
# NOTE(review): read without -r treats backslashes in the reply as escapes.
read answer
}
# Ask the question in $1 until an acceptable reply is stored in "answer".
# Only the loop frame and the fallback case arm are visible in this listing.
function yesno {
typeset question="$1"
while [[ -z $answer ]]; do
# Any unrecognised reply clears "answer", which makes the loop ask again.
*) answer=;;
esac
done
}
# Pass all arguments, joined into one string, to yesno as the question.
# NOTE(review): how the reply is turned into a result is not visible here.
function query {
yesno "$*"
fi
}
# Read settings from the profile file named in $1. Most case labels and
# assignments are not visible in this listing. In the arms that are visible a
# setting is taken from the profile only while the corresponding variable is
# still empty, and "checkval" names the setting being handled.
# NOTE(review): the profile drives a script that runs as root; confirm the
# file's ownership and permissions are checked before it is trusted.
function read_profile {
typeset file="$1"
do
fi
;;
fi
;;
ADMIN) if [[ -z $ADMIN_PRINC ]]; then
checkval="ADMIN_PRINC"
fi
;;
fi
;;
# Boolean settings are written as 1 in the profile.
if [[ $value == 1 ]]; then
else
fi
fi
;;
NOKEY) if [[ -z $no_keytab ]]; then
if [[ $value == 1 ]]; then
else
fi
fi
;;
NOSOL) if [[ -z $non_solaris ]]; then
if [[ $value == 1 ]]; then
else
fi
fi
;;
LHN) if [[ -z $logical_hn ]]; then
checkval="LOGICAL_HOSTNAME"
fi
;;
checkval="DNS_OPTIONS"
fi
;;
checkval="FQDN"
fi
;;
if [[ $value == 1 ]]; then
else
fi
fi
;;
esac
# NOTE(review): $file is unquoted in the redirection.
done <$file
else
fi
}
# Check that the machine named in $1 is reachable; $2 is a label for it used
# in messages (the main section passes "KDC"). The reachability test itself
# is not visible in this listing.
function ping_check {
typeset machine="$1"
typeset string="$2"
:
else
fi
# Output timesync warning if not using a profile, i.e. in
# interactive mode.
# It's difficult to sync up time with KDC esp. if in a
# zone so just print a warning about KDC time sync.
# Kerberos rejects requests whose timestamps are outside the allowed clock
# skew, hence the reminder below.
printf "\n$(gettext "Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function").\n" >&2
printf "$(gettext "Both systems should run some form of time synchronization system like Network Time Protocol (NTP)").\n" >&2
break
fi
}
# Validate the value passed as $1; an empty value is handled separately.
# NOTE(review): both outcomes are missing from this listing.
function check_value {
typeset arg="$1"
if [[ -z $arg ]]; then
else
fi
fi
}
# Accept a DNS lookup option from $1. The value is compared against a fixed
# allow-list, so nothing else can reach the generated configuration through
# this path. The assignments are not visible in this listing.
function set_dns_value {
# typeset -l lower-cases the value, making the comparison case-insensitive.
typeset -l arg="$1"
if [[ $arg == dns_lookup_kdc || $arg == dns_lookup_realm || $arg == dns_fallback ]]; then
else
else
fi
fi
}
# Check the KDC list passed as $1. An empty list is handled first; the
# per-host checks are not visible in this listing.
function verify_kdcs {
typeset k_list="$1"
# Host names assigned to kdc are folded to lower case by typeset -l.
typeset -l kdc
if [[ -z $k_list ]]; then
fi
:
else
fi
fi
done
}
# Split a comma-separated service list ($1) and print "service auth_type" for
# each entry on stdout.
# NOTE(review): the statements that derive svc and auth_type from each entry
# are not visible in this listing.
function parse_service {
typeset service_list=$1
# Commas become spaces so the unquoted expansion below splits into entries.
service_list=${service_list//,/ }
for service in $service_list; do
# Stop silently at the first entry that lacks either part.
[[ -z $svc || -z $auth_type ]] && return
# NOTE(review): unquoted, so the values undergo word splitting and
# globbing before print sees them.
print -- $svc $auth_type
done
}
# Walk the comma-separated domain list passed as $1. Most of the per-entry
# work is not visible in this listing.
function verify_fqdnlist {
typeset list="$1"
typeset -l hostname
typeset -i count=1
if [[ -z $eachfqdn ]]; then
else
while [[ ! -z $eachfqdn ]]; do
if [[ -z $tmpvar ]]; then
else
fi
# NOTE(review): the right-hand side is unquoted, so inside [[ ]] it is
# matched as a pattern rather than compared as a literal string.
if [[ $fullhost == $client_machine ]]; then
:
else
fi
# A remaining comma means more entries follow; otherwise leave the loop.
if [[ $list == *,* ]]; then
else
break
fi
done
fi
}
# Obtain administrative credentials and populate the keytab: the host key is
# always requested through call_kadmin, the nfs key under a condition that is
# not visible in this listing. Returns early when msad is set.
function setup_keytab {
typeset cname ask_fqdns current_release
#
# 1. kinit with ADMIN_PRINC
#
if [[ -z $ADMIN_PRINC ]]; then
# NOTE(review): read without -r interprets backslashes in the input.
read ADMIN_PRINC
fi
[[ -n $msad ]] && return
# Already in "/admin" format, do nothing
:
else
else
fi
fi
if [[ -n $cname ]]; then
else
fi
# The captured output must show a ticket ("Valid starting") for the kadmin
# service of the first KDC.
# NOTE(review): this matches translated tool output, and $FKDC and $realm
# are interpolated into the regular expression unescaped.
if egrep -s "$(gettext "Valid starting")" $TMP_FILE && egrep -s "kadmin/$FKDC@$realm" $TMP_FILE; then
:
else
fi
#
# other than the one listed in resolv.conf(4) ?
#
if [[ -z $options ]]; then
if [[ $ask_fqdns == yes ]]; then
read fqdnlist
else
fi
else
if [[ -z $fqdnlist ]]; then
fi
fi
echo; call_kadmin nfs
fi
# Add the host entry to the keytab
echo; call_kadmin host
}
# Normalise the logical host name used for cluster configurations. A name
# that is already fully qualified is left alone; otherwise the domain is
# appended. The tests and assignments are not visible in this listing.
function setup_lhn {
# typeset -l folds the value to lower case.
typeset -l logical_hn
# do nothing, logical_hn is in fqdn format
:
else
else
# Attach fqdn to logical_hn, to get the Fully Qualified
# Host Name of the client requested
fi
fi
}
# Print the option summary on stderr. Each message is a literal gettext
# argument so that it can be extracted for translation; keep them literal.
# Only part of the option list is visible in this listing.
function usage {
printf "\t$(gettext "[ -c filepath ] specifies the krb5.conf path used to configure this client")\n" >&2
printf "\t$(gettext "[ -d dnsarg ] specifies which information should be looked up in DNS (dns_lookup_kdc, dns_lookup_realm, and dns_fallback)")\n" >&2
printf "\t$(gettext "[ -f fqdn_list ] specifies which domains to configure host keys for this client")\n" >&2
printf "\t$(gettext "[ -h logicalhostname ] configure the logical host name for a client that is in a cluster")\n" >&2
printf "\t$(gettext "[ -k kdc_list ] specify multiple KDCs, if -m is not used the first KDC in the list is assumed to be the master. KDC host names are used verbatim.")\n" >&2
printf "\t$(gettext "[ -p profile ] specifies which profile file to use to configure this client")\n" >&2
}
# Look up the domain controller SRV name through $KLOOKUP and store the
# resulting words in the array DOMs. Without a realm the bare name is
# queried; with a realm it is appended to the query name.
# Returns 0 when at least one word came back, 1 otherwise.
# NOTE(review): the answer comes from DNS and is split unquoted into the
# array; treat it as unauthenticated input until the server has proven its
# identity (the LDAP calls in this file use GSSAPI).
function discover_domain {
if [[ -z $realm ]]; then
set -A DOMs -- `$KLOOKUP _ldap._tcp.dc._msdcs S`
else
set -A DOMs -- `$KLOOKUP _ldap._tcp.dc._msdcs.$realm S`
fi
[[ -z ${DOMs[0]} ]] && return 1
return 0
}
# Scan name-service backends and fall through to "return 1" when the loop
# does not return earlier.
# NOTE(review): the loop header and body are not visible in this listing.
function check_nss_hosts_or_ipnodes_config {
typeset backend
do
done
return 1
}
# Check the name-service switch configuration; returns 0 when the loop does
# not return earlier. The main section prints a message about DNS not being
# used for hosts/ipnodes when this function fails.
# NOTE(review): the loop header and body are not visible in this listing.
function check_nss_conf {
typeset i j hosts_config
do
done
return 0
}
# Print the canonical name found for a host on stdout; prints nothing when
# the name, the address or the canonical name is empty.
# NOTE(review): the lookups that set name, ip and cname are not visible in
# this listing.
function canon_resolve {
[[ -z $name ]] && return
[[ -z $ip ]] && return
do
break
else
i=
fi
done
[[ -z $cname ]] && return
print -- "$cname"
}
# Print the name found for an address on stdout; prints nothing when either
# the address or the name is empty.
# NOTE(review): the lookups that set ip and name are not visible in this
# listing, and $name is printed unquoted.
function rev_resolve {
[[ -z $ip ]] && return
[[ -z $name ]] && return
print -- $name
}
# Convert an AD-style domain DN to a DNS domainname
# Prints the result on stdout with the leading "." removed.
# NOTE(review): IFS is set to "," for the split; OIFS is declared, but the
# save and restore of IFS are not visible in this listing - confirm IFS does
# not leak to callers.
function dn2dns {
typeset OIFS dname dn comp components
dn=$1
IFS=,
# Unquoted on purpose: the DN is split into its components at each comma.
set -A components -- $1
do
done
print ${dname#.}
}
# Form a base DN from a DNS domainname and container
# join_domain calls this as: getBaseDN "$container" "$dom". The branch taken
# depends on whether the second argument is non-empty.
# NOTE(review): both branch bodies are missing from this listing.
function getBaseDN {
if [[ -n "$2" ]]
then
else
fi
}
# Convert a DNS domainname to an AD-style DN for that domain
# Prints the DN on stdout with the leading "," removed.
# NOTE(review): IFS is set to "." and no restore is visible in this listing;
# labels and dn are not declared with typeset here either - confirm nothing
# leaks to callers.
function dns2dn {
IFS=.
# Unquoted on purpose: the domain name is split into labels at each dot.
set -A labels -- $1
dn=
do
done
print -- "${dn#,}"
}
# Callers in this file pass an SRV owner name and split the output into an
# array of words.
# NOTE(review): the body is not visible in this listing.
function getSRVs {
do
fi
done
}
# Select a KDC. Returns as soon as kdc is set; the site-specific attempt is
# made only when siteName is set. The lookups themselves are not visible in
# this listing.
function getKDC {
typeset j
if [[ -n $siteName ]]
then
[[ -n $kdc ]] && return
fi
# No site name
[[ -n $kdc ]] && return
# Default
# Fall back to $DomainDnsZones with port 88.
set -A KDCs -- $DomainDnsZones 88
}
# Select a domain controller. Returns as soon as dc is set; the site-specific
# attempt is made only when siteName is set. How dc is picked from the array
# is not visible in this listing.
function getDC {
typeset j
if [[ -n $siteName ]]
then
[[ -n $dc ]] && return
fi
# No site name
# NOTE(review): SRV answers are unauthenticated DNS data and are split
# unquoted into the array.
set -A DCs -- $(getSRVs _ldap._tcp.dc._msdcs.$dom.)
[[ -n $dc ]] && return
# Default
# Fall back to $DomainDnsZones with port 389.
set -A DCs -- $DomainDnsZones 389
}
# Write the krb5.conf used for an Active Directory realm to $KRB5_CONFIG
# through fd 3. The lines that emit the configuration are not visible in this
# listing.
function write_ads_krb5conf {
# NOTE(review): $KRB5_CONFIG is unquoted in the redirection.
exec 3>$KRB5_CONFIG
if [[ $? -ne 0 ]]; then
fi
do
# All-digit words are skipped; the server arrays built elsewhere in this
# file mix names with port numbers such as 88 and 389.
[[ $i == +([0-9]) ]] && continue
done
# Defining the same as admin_server. This would cause auth failures
# if this was different.
}
# Derive the forest name from the schema naming context read over LDAP from
# $dc. Returns 1 when nothing is left after the
# "CN=Schema,CN=Configuration," prefix is stripped.
# NOTE(review): the ldapsearch arguments and the loop step that consumes
# schemaNamingContext are not visible in this listing; $dc and $ldap_args are
# expanded unquoted.
function getForestName {
ldapsearch -R -T -h $dc $ldap_args \
if [[ $? -ne 0 ]]; then
fi
schemaNamingContext=${schemaNamingContext#CN=Schema,CN=Configuration,}
[[ -z $schemaNamingContext ]] && return 1
while [[ -n $schemaNamingContext ]]
do
# Append the text before the first comma to the dotted forest name.
forest=${forest}.${schemaNamingContext%%,*}
done
}
# Select a global catalog server. Returns immediately when gc is already set;
# the site-specific attempt is made only when siteName is set. How gc is
# picked from the array is not visible in this listing.
function getGC {
typeset j
[[ -n $gc ]] && return 0
if [[ -n $siteName ]]
then
[[ -n $gc ]] && return
fi
# No site name
# NOTE(review): SRV answers are unauthenticated DNS data and are split
# unquoted into the array.
set -A GCs -- $(getSRVs _ldap._tcp.gc._msdcs.$forest.)
[[ -n $gc ]] && return
# Default
# Fall back to $ForestDnsZones with port 3268.
set -A GCs -- $ForestDnsZones 3268
}
# Convert a dotted-quad IPv4 address ($1) to a number printed on stdout.
# Input that is not four dot-separated digit groups prints 0.
# NOTE(review): the arithmetic that fills num is not visible in this listing.
# The pattern accepts digit groups of any length (e.g. 999), and no restore
# of IFS is visible although OIFS is declared.
function ipAddr2num {
typeset OIFS
if [[ "$1" != +([0-9]).+([0-9]).+([0-9]).+([0-9]) ]]
then
print 0
return 0
fi
IFS=.
# Split the address into the positional parameters at each dot.
set -- $1
print -- $num
}
# Print the dotted-quad form of the number given as $1.
# NOTE(review): the arithmetic that fills a, b, c and d is not visible in
# this listing.
function num2ipAddr {
# Base-10 integer variables, one per octet.
typeset -i10 a b c d
num=$1
print -- $a.$b.$c.$d
}
# Print the prefix length for the netmask given as $1. The count starts at 32
# and is adjusted in a loop whose header and body are not visible in this
# listing.
function netmask2length {
typeset -i len
netmask=$1
len=32
do
done
print $len
}
# Enumerate local subnets from line-oriented interface output: each line is
# split into words and only lines whose first word is "inet" are processed.
# The command that supplies the lines and the case arms that pick out the
# address and netmask are not visible in this listing.
function getSubnets {
do
addr=0
netmask=0
# Unquoted on purpose: the line is split into positional parameters.
set -- $line
[[ $1 == inet ]] || continue
while [[ $# -gt 0 ]]
do
*) :;
esac
shift
done
done
}
# Determine the site of this host by looking up each local subnet over LDAP.
# Does nothing when siteName is already set. The ldapsearch arguments and the
# assignment that stores the result are not visible in this listing.
function getSite {
typeset subnet siteDN j ldapsrv subnet_dom
# NOTE(review): the eval wraps a fixed string, so it adds nothing over a
# plain [[ -n $siteName ]] test here; avoid eval where it is not needed.
eval "[[ -n \"\$siteName\" ]]" && return
for subnet in $(getSubnets)
do
# NOTE(review): $dc, $ldapsrv and $ldap_args are expanded unquoted.
ldapsearch -R -T -h $dc $ldap_args \
[[ -z $subnetDN ]] && continue
[[ -z $ldapsrv ]] && continue
ldapsearch -R -T -h $ldapsrv $ldap_args \
|grep ^siteObject|read j siteDN
# The "| read" above only sets siteDN because ksh runs the last pipeline
# stage in the current shell; under bash the value would be lost.
[[ -z $siteDN ]] && continue
return
done
}
# Install the generated krb5.conf and keytab: non-empty staging files are
# copied into place, then krb5.conf is set to 0644 and the keytab to 0600.
# NOTE(review): the first two lines end in "&& \" and, in this listing, run
# straight into the following test; the commands they originally guarded are
# not visible. As shown, the krb5.conf copy only happens when both target
# files already exist - confirm against the full source.
# NOTE(review): the keytab is copied first and restricted to 0600 afterwards;
# confirm the umask or the staging file's mode keeps it unreadable to other
# users in between. All paths are expanded unquoted.
function doKRB5config {
[[ -f $KRB5_CONFIG_FILE ]] && \
[[ -f $KRB5_KEYTAB_FILE ]] && \
[[ -s $KRB5_CONFIG ]] && cp $KRB5_CONFIG $KRB5_CONFIG_FILE
[[ -s $KRB5_CONFIG_FILE ]] && chmod 0644 $KRB5_CONFIG_FILE
[[ -s $new_keytab ]] && cp $new_keytab $KRB5_KEYTAB_FILE
[[ -s $KRB5_KEYTAB_FILE ]] && chmod 0600 $KRB5_KEYTAB_FILE
}
# Register this host's DNS resource records. Returns without doing anything
# when "enabled" is true but ddns_enable is not. The update command itself is
# not visible in this listing; its failure is reported but not fatal.
function addDNSRR {
if [[ $enabled == true && $ddns_enable != true ]]; then
return
fi
# Destroy any existing ccache as GSS_C_NO_CREDENTIAL will pick up any
# residual default credential in the cache.
if [[ $? -ne 0 ]]; then
#
# Non-fatal, we should carry-on as clients may resolve to
# different servers and the client could already exist there.
#
printf "$(gettext "This could mean that '%s' is not included as a 'nameserver' in the /etc/resolv.conf file or some other type of error").\n" $dc
fi
}
# Store domain ($1), server ($2) and password information for the SMB service
# named by $smbFMRI, then refresh it. Both steps only warn on failure; the
# commands themselves are not visible in this listing.
# NOTE(review): confirm the password is not passed on a command line, where
# other local users could read it from the process list.
function setSMB {
typeset domain=$1
typeset server=$2
if [[ $? -ne 0 ]]; then
printf "$(gettext "Warning: wasn't able to set %s domain, server, and password information").\n" $smbFMRI
return
fi
if [[ $? -ne 0 ]]; then
printf "$(gettext "Warning: wasn't able to set refresh %s domain, server, and password information").\n" $smbFMRI
fi
}
# Detect a host that is already joined to another domain and tell the
# operator which domains are involved. Returns early when hspn is empty. The
# comparison and any confirmation prompt are not visible in this listing.
function compareDomains {
# If the client has been previously configured in a different
# switch domains.
[[ -z $hspn ]] && return
printf "$(gettext "Currently in the '%s' domain, trying to join the '%s' domain").\n" $oldDom $newDom
printf "\n"
fi
fi
}
# Reconcile the kdc and dc selections: one branch when kdc is set, otherwise
# one depending on whether dc is set.
# NOTE(review): every branch body is missing from this listing.
function getKDCDC {
if [[ -n $kdc ]]; then
else
if [[ -n $dc ]]; then
else
fi
fi
}
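# Join this host to an Active Directory domain and exit 0.
#
# As far as this listing shows, the function creates or updates the computer
# object through LDIF, generates a random account password, records the
# supported encryption types, resets userAccountControl, adds service
# principal names and writes keys for host/, nfs/, HTTP/ and root/ into
# $new_keytab with $KSETPW. Many command lines (the LDAP tool invocations
# that consume the LDIF blocks, the password draw, the kvno lookup) are not
# visible here, so the control flow below is incomplete.
function join_domain {
typeset -u upcase_nodename
typeset netbios_nodename fqdn
# The LDAP tools authenticate with SASL/GSSAPI, i.e. with the Kerberos
# credentials of the administrative principal rather than a bind password.
ldap_args="-o authzid= -o mech=gssapi"
if [[ -z $ADMIN_PRINC ]]; then
else
fi
if ! discover_domain; then
fi
# Computer account names carry a trailing "$".
netbios_nodename="${upcase_nodename}\$"
# Staging file for the computer object, created with an unpredictable name.
object=$(mktemp -q -t kclient-computer-object.XXXXXX)
if [[ -z $object ]]; then
" >&2
fi
modify_existing=false
recreate=false
getBaseDN "$container" "$dom"
if [[ -n $KDC ]]; then
else
fi
if [[ $? -ne 0 ]]; then
fi
then
else
fi
if [[ -z $siteName ]]
then
else
fi
if [[ ${#GCs} -eq 0 ]]; then
fi
# Check to see if the client is transitioning between domains.
# Here we check domainFunctionality to see which release:
# 0, 1, 2: Windows 2000, 2003 Interim, 2003 respectively
# 3: Windows 2008
level=0
read j level
if [[ $? -ne 0 ]]; then
fi
# Longhorn and above can't perform an init auth from service
# keys if the realm is included in the UPN. w2k3 and below
# can't perform an init auth when the realm is excluded.
then
:
else
fi
if [[ -z $dn ]]; then
: # modify_existing is already false, which is what we want.
else
printf "$(gettext "Computer account '%s' already exists in the '%s' domain").\n" $upcase_nodename $realm
printf "\n"
recreate=true
else
modify_existing=true
fi
fi
if [[ $modify_existing == false && -n $dn ]]; then
do
if $recreate; then
if [[ $? -ne 0 ]]; then
fi
else
fi
done
fi
if $recreate; then
if [[ $? -ne 0 ]]; then
fi
elif $modify_existing; then
: # Nothing to delete
else
fi
fi
# The LDIF below sets userAccountControl to the base value plus 32 and 2.
# NOTE(review): 0x20 and 0x2 are the AD PASSWD_NOTREQD and ACCOUNTDISABLE
# bits, which would keep the account disabled until the password is set and
# the flags are reset further down; userAccountControlBASE is not defined in
# this listing - confirm.
if $modify_existing; then
dn: CN=$upcase_nodename,$baseDN
changetype: modify
replace: userPrincipalName
userPrincipalName: $upn
-
replace: servicePrincipalName
servicePrincipalName: host/${fqdn}
-
replace: userAccountControl
userAccountControl: $((userAccountControlBASE + 32 + 2))
-
replace: dNSHostname
dNSHostname: ${fqdn}
EOF
if [[ $? -ne 0 ]]; then
fi
else
dn: CN=$upcase_nodename,$baseDN
objectClass: computer
cn: $upcase_nodename
sAMAccountName: ${netbios_nodename}
userPrincipalName: $upn
servicePrincipalName: host/${fqdn}
userAccountControl: $((userAccountControlBASE + 32 + 2))
dNSHostname: ${fqdn}
EOF
if [[ $? -ne 0 ]]; then
fi
fi
# Generate a new password for the new account
# NOTE(review): the line that draws each character ($c) is not visible in
# this listing. Confirm it uses a cryptographically strong source; if it is
# the shell's RANDOM variable, that generator is not meant for secrets.
MAX_PASS=32
i=0
while :
do
do
# 94 elements in the printable character set starting
# at decimal 33, contiguous.
p=$p$c
((i+=1))
done
# Ensure that we have four character classes.
d=${p%[[:digit:]]*}
a=${p%[[:lower:]]*}
A=${p%[[:upper:]]*}
x=${p%[[:punct:]]*}
# Just compare the number of characters from what was previously
# matched. If there is a difference then we found a match.
n=${#p}
[[ ${#d} -ne $n && ${#a} -ne $n && \
${#A} -ne $n && ${#x} -ne $n ]] && break
# A class is missing: discard the candidate and draw again.
i=0
p=
done
newpw=$p
# Set the new password
if [[ $? -ne 0 ]]
then
fi
# Lookup the new principal's kvno:
-s sub cn=$upcase_nodename msDS-KeyVersionNumber| \
# ignore errors here.
set -A enctypes --
# Do we have local support for AES?
# The "| read" sets the variables in this shell only because ksh runs the
# last pipeline stage in the current shell.
encrypt -l|grep ^aes|read j minkeysize maxkeysize
val=
if [[ $maxkeysize -eq 256 ]]; then
# 16 (0x10) is the AES256 bit of msDS-SupportedEncryptionTypes.
val=16
enctypes[${#enctypes[@]}]=aes256-cts-hmac-sha1-96
fi
if [[ $minkeysize -eq 128 ]]; then
enctypes[${#enctypes[@]}]=aes128-cts-hmac-sha1-96
fi
# RC4 comes next (whether it's better than 1DES or not -- AD prefers it)
# NOTE(review): arcfour-hmac-md5 and the single-DES types below are
# deprecated for Kerberos (RFC 8429, RFC 6649). Keys of these types in the
# keytab let the host accept tickets protected with weak ciphers; restrict
# the list to AES wherever the domain supports it.
then
enctypes[${#enctypes[@]}]=arcfour-hmac-md5
else
# Use 1DES ONLY if we don't have arcfour
fi
then
enctypes[${#enctypes[@]}]=des-cbc-crc
enctypes[${#enctypes[@]}]=des-cbc-md5
fi
if [[ ${#enctypes[@]} -eq 0 ]]
then
fi
# If domain controller is Longhorn or above then set new supported
# encryption type attributes.
dn: CN=$upcase_nodename,$baseDN
changetype: modify
replace: msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: $val
EOF
if [[ $? -ne 0 ]]; then
fi
fi
# We should probably check whether arcfour is available, and if not,
# then set the 1DES only flag, but whatever, it's not likely NOT to be
# Reset userAccountControl
#
# NORMAL_ACCOUNT (512) | DONT_EXPIRE_PASSWORD (65536) |
# TRUSTED_FOR_DELEGATION (524288)
#
# and possibly UseDesOnly (2097152) (see above)
#
# NOTE(review): TRUSTED_FOR_DELEGATION grants this host unconstrained
# delegation, so a compromise of the host exposes the forwarded credentials
# of every user who authenticates to it. Confirm it is required; prefer
# constrained delegation or no delegation by default.
dn: CN=$upcase_nodename,$baseDN
changetype: modify
replace: userAccountControl
userAccountControl: $userAccountControl
EOF
if [[ $? -ne 0 ]]; then
fi
# Setup a keytab file
# Build "-e enctype" argument pairs for $KSETPW.
set -A args --
do
args[${#args[@]}]=-e
args[${#args[@]}]=$enctype
done
# NOTE(review): removing the staging keytab frees its name before $KSETPW
# recreates it. If the file lives in a shared temporary directory, confirm
# $KSETPW creates it exclusively and with a restrictive mode.
rm $new_keytab > /dev/null 2>&1
dn: CN=$upcase_nodename,$baseDN
changetype: modify
add: servicePrincipalName
servicePrincipalName: nfs/${fqdn}
servicePrincipalName: HTTP/${fqdn}
servicePrincipalName: root/${fqdn}
EOF
if [[ $? -ne 0 ]]; then
fi
# The password is fed to $KSETPW on stdin, not on the command line, so it
# does not appear in the process list. It is quoted because the generated
# character set includes "*", "?" and "[", which an unquoted expansion
# would subject to filename globbing.
printf "%s" "$newpw" | $KSETPW -n -v $kvno -k "$new_keytab" "${args[@]}" host/${fqdn}@${realm} > /dev/null 2>&1
if [[ $? -ne 0 ]]
then
fi
# Could be setting ${netbios_nodename}@${realm}, but for now no one
# is requesting this.
# printf, not print: print has no format argument, so 'print "%s" pw' would
# send the literal "%s ", the password and a newline, and the resulting keys
# would not match the account password used for the host/ key above.
printf "%s" "$newpw" | $KSETPW -n -v $kvno -k "$new_keytab" "${args[@]}" nfs/${fqdn}@${realm} > /dev/null 2>&1
if [[ $? -ne 0 ]]
then
fi
printf "%s" "$newpw" | $KSETPW -n -v $kvno -k "$new_keytab" "${args[@]}" HTTP/${fqdn}@${realm} > /dev/null 2>&1
if [[ $? -ne 0 ]]
then
fi
printf "%s" "$newpw" | $KSETPW -n -v $kvno -k "$new_keytab" "${args[@]}" root/${fqdn}@${realm} > /dev/null 2>&1
if [[ $? -ne 0 ]]
then
fi
printf -- "\n---------------------------------------------------\n"
# The AD join ends the script here; the generic setup path in the main
# section is never reached for this KDC type.
exit 0
}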
###########################
# Main section #
###########################
#
#
# Initial state and private staging files.
checkval=""
profile=""
# typeset -u folds the realm name to upper case on assignment.
typeset -u realm
# mktemp creates the staging files with unpredictable names; with -q a
# failure shows up as an empty variable, which is tested below.
TMP_FILE=$(mktemp -q -t kclient-tmpfile.XXXXXX)
export KRB5_CONFIG=$(mktemp -q -t kclient-krb5conf.XXXXXX)
# NOTE(review): KRB5CCNAME and new_keytab are checked here, but their
# assignments are not visible in this listing.
if [[ -z $TMP_FILE || -z $KRB5_CONFIG || -z $KRB5CCNAME || -z $new_keytab ]]
then
fi
#
# If we are interrupted, cleanup after ourselves
#
# NOTE(review): neither the trap nor the PATH assignment is visible in this
# listing. For a script that runs as root, confirm PATH is set to a fixed
# list of system directories before it is exported.
export PATH
else
exit 1
fi
else
exit 1
fi
printf -- "---------------------------------------------------\n"
#
# Check for uid 0, disallow otherwise
#
# NOTE(review): the command whose status is tested is not visible in this
# listing.
if [[ $? -eq 0 ]]; then
# uid is 0, go ahead ...
:
else
fi
else
fi
#
# Process the command-line arguments (if any)
#
# Only the frame of the option loop is visible in this listing; unknown
# options fall through to usage.
OPTIND=1
do
;;
;;
;;
type="$OPTARG"
else
fi
;;
;;
;;
;;
;;
;;
;;
;;
;;
;;
;;
\?) usage
;;
*) usage
;;
esac
done
# Correct the argument count after options
# When options were given, any leftover positional argument is handled as a
# special case (the action is not visible in this listing).
if [[ -z $options ]]; then
:
else
if [[ $# -ne 0 ]]; then
fi
fi
#
# Check to see if we will be a client of a MIT, Heimdal, Shishi, etc.
#
if [[ -z $options ]]; then
if [[ $non_solaris == yes ]]; then
# NOTE(review): read without -r interprets backslashes in the reply.
read kdctype
else
printf "\n$(gettext "Invalid KDC type option, valid types are ms_ad, mit, heimdal, or shishi, exiting").\n" >&2
fi
fi
fi
# join_domain ends with "exit 0", so nothing below runs when msad is yes.
[[ $msad == yes ]] && join_domain
#
# Check for /etc/resolv.conf
#
# Collect host, DNS, realm and KDC information, prompting for whatever was
# not supplied through options or a profile. Many statements are not visible
# in this listing.
if [[ -r $RESOLV_CONF_FILE ]]; then
if [[ $? -ne 0 ]]; then
printf "\n$(gettext "%s does not have a DNS record and is required for Kerberos setup")\n" $hostname >&2
fi
else
#
# If client entry already exists then do not recreate it
#
# Split the client name at the first dot into host and domain parts.
hostname=${client_machine%%.*}
domain=${client_machine#*.}
fi
short_fqdn=${domain#*.*}
else
#
# /etc/resolv.conf not present, exit ...
#
printf "\n$(gettext "%s does not exist and is required for Kerberos setup")\n" $RESOLV_CONF_FILE >&2
fi
# A name-service switch without DNS only produces a message here.
check_nss_conf || printf "$(gettext "/etc/nsswitch.conf does not make use of DNS for hosts and/or ipnodes").\n"
[[ -n $fqdnlist ]] && verify_fqdnlist "$fqdnlist"
printf "\n$(gettext "Valid DNS lookup options are dns_lookup_kdc, dns_lookup_realm,\nand dns_fallback. Refer krb5.conf(4) for further details").\n"
# NOTE(review): the interactive reads below do not use -r, so backslashes in
# the replies are interpreted.
read dnsarg
fi
else
fi
if [[ -n $kdc_list ]]; then
if [[ -z $KDC ]]; then
break
done
fi
fi
if [[ -z $realm ]]; then
read realm
fi
if [[ -z $KDC ]]; then
read KDC
fi
#
# Ping to see if the kdc is alive !
#
# NOTE(review): $FKDC is unquoted.
ping_check $FKDC "KDC"
read kdc_list
fi
fi
[[ -n $kdc_list ]] && verify_kdcs "$kdc_list"
#
# Check to see if we will have a dynamic presence in the realm
#
if [[ -z $options ]]; then
fi
fi
#
# Check to see if we are configuring the client to use a logical host name
# of a cluster environment
#
if [[ -z $options ]]; then
read logical_hn
fi
fi
to map to the default realm"): "
read domain_list
fi
fi
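# Turn the comma-separated domain list into a space-separated one for the
# later "for dh in $domain_list" loops. The test has to expand the variable:
# a bare word is never empty, so the check would always succeed.
[[ -n $domain_list ]] && domain_list=${domain_list//,/ }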
#
# Start writing up the krb5.conf file, save the existing one
# if already present
#
#
# Is this client going to use krb-nfs? If so then we need to at least
# uncomment the krb5* sec flavors in nfssec.conf.
#
if [[ -z $options ]]; then
fi
#
# We also want to enable gss as we now live in a SBD world
#
fi
if [[ -z $options ]]; then
printf "$(gettext "Enter a list of PAM service names in the following format: service:{first|only|optional}[,..]"): "
# NOTE(review): read without -r interprets backslashes in the reply.
read svc_list
fi
fi
[[ -n $svc_list ]] && update_pam_conf
#
# Copy over krb5.conf master copy from filepath
#
# NOTE(review): the copy command is not visible in this listing. The file
# replaces the system krb5.conf, so confirm the source path is one only
# trusted administrators can write to.
read filepath
fi
fi
if [[ $? -eq 0 ]]; then
else
fi
elif [[ -n $filepath ]]; then
fi
#
# Populate any service keys needed for the client in the keytab file
#
if [[ $no_keytab != yes ]]; then
else
# Without a keytab the client cannot verify that tickets really came from
# the KDC, which is what the verify_ap_req_nofail reference is about.
printf "\n$(gettext "Note: %s file not created, please refer to verify_ap_req_nofail in krb5.conf(4) for the implications").\n" $KRB5_KEYTAB_FILE
fi
printf -- "\n---------------------------------------------------\n"
#
# If we have configured the client in a cluster we need to remind the user
# to propagate the keytab and configuration files to the other members.
#
if [[ -n $logical_hn ]]; then
# The keytab holds long-term host keys, hence "securely" in the message.
printf "\n$(gettext "Note, you will need to securely transfer the /etc/krb5/krb5.keytab and /etc/krb5/krb5.conf files to all the other members of your cluster").\n"
fi
#
# Cleanup.
#
# NOTE(review): no cleanup call is visible before this exit in this listing.
exit 0