2707a226168717ec0ca29abd7fef59989493d3d4semery# CDDL HEADER START
2707a226168717ec0ca29abd7fef59989493d3d4semery# The contents of this file are subject to the terms of the
2707a226168717ec0ca29abd7fef59989493d3d4semery# Common Development and Distribution License (the "License").
2707a226168717ec0ca29abd7fef59989493d3d4semery# You may not use this file except in compliance with the License.
2707a226168717ec0ca29abd7fef59989493d3d4semery# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2707a226168717ec0ca29abd7fef59989493d3d4semery# See the License for the specific language governing permissions
2707a226168717ec0ca29abd7fef59989493d3d4semery# and limitations under the License.
2707a226168717ec0ca29abd7fef59989493d3d4semery# When distributing Covered Code, include this CDDL HEADER in each
2707a226168717ec0ca29abd7fef59989493d3d4semery# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2707a226168717ec0ca29abd7fef59989493d3d4semery# If applicable, add the following below this CDDL HEADER, with the
2707a226168717ec0ca29abd7fef59989493d3d4semery# fields enclosed by brackets "[]" replaced with your own identifying
2707a226168717ec0ca29abd7fef59989493d3d4semery# information: Portions Copyright [yyyy] [name of copyright owner]
1fceb383a3f0b59711832b9dc4e8329d7f216604semery# CDDL HEADER END
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
1fceb383a3f0b59711832b9dc4e8329d7f216604semery# Use is subject to license terms.
1fceb383a3f0b59711832b9dc4e8329d7f216604semery# This command provides an simple interface to configure, destroy, and to obtain
1fceb383a3f0b59711832b9dc4e8329d7f216604semery# the status of a master or slave Kerberos KDC server.
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Usage: %s [ -a admprincipal ] [ -e enctype ] [ -h ]")\n" $app
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t$(gettext "[ -p pwfile ] [ -r realm ] subcommand")\n\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t$(gettext "-a: Create non-default admin principal.")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t$(gettext "-e: Encryption type used to encrypt the master key")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t$(gettext "-p: File that contains the admin principal and master key password.")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t$(gettext "-r: Set the default realm for this server.")\n\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t$(gettext "where 'subcommand' is one of the following:")\n\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t$(gettext "create [ -m masterkdc ] slave")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $default_answer ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery while [[ -z $answer ]]; do
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $answer = no ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "---------------------------------------------------\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ ! -x $bin ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Could not access/execute %s").\n" $bin
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $ret -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "%s failed with return value %d, exiting").\n\n" $prog $ret
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $answer = no ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Exiting, no action performed")\n\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $arg ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "No input obtained for %s, exiting").\n" $checkval
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Invalid input obtained for %s, exiting").\n" $checkval
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Setting up %s").\n" $KRB5_KDC_CONF
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -r $KRB5_KDC_CONF ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Cannot write to %s, exiting").\n" $KRB5_KDC_CONF
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n[kdcdefaults]\n\tkdc_ports = 88,750\n\n" 1>&3
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t\tdefault_principal_flags = +preauth\n" 1>&3
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $master = yes ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\t\tsunw_dbprop_master_ulogsize = 1000\n" 1>&3
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $slave = yes ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Setting up %s").\n" $KRB5_KRB_CONF
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -r $KRB5_KRB_CONF ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Cannot write to %s, exiting").\n" $KRB5_KRB_CONF
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $slave = yes ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $master = yes ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\tkdc_rotate = {\n\t\tperiod = 1d\n\t\tversions = 10\n\t}\n\n" 1>&3
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\tkinit = {\n\t\trenewable = true\n\t\tforwardable = true\n" 1>&3
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $stat -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Cannot create/edit %s, exiting").\n" $filename
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $ADMIN_PRINC ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Improper entry for krb5 admin principal, exiting").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "%s %s is unreachable, exiting").\n" $string $machine
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Improper format of host name: '%s'").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Expecting the following format: 'somehost.example.com' or 'somehost', exiting").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery # Attach fqdn to host, to get the Fully Qualified Domain
1fceb383a3f0b59711832b9dc4e8329d7f216604semery # Kill daemons so they won't go into maintenance mode
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Error in disabling krb5kdc, exiting").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Error in disabling kadmind, exiting").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Error in disabling kpropd, exiting").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery # Make sure that none of the daemons outside of SMF are running either
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -gt 1 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Error in killing kadmind, exiting").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -gt 1 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Error in killing krb5kdc, exiting").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -gt 1 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Error in killing kpropd, exiting").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery check_admin "\n$(gettext "Enter the krb5 administrative principal to be created"): \c"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $PWFILE ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery cat $PWFILE $PWFILE | $KADMINL -q "ank $ADMIN_PRINC" > /dev/null 2>&1
1fceb383a3f0b59711832b9dc4e8329d7f216604semery $KADMINL -q "ank -randkey host/$fqhn" 1>$TMP_FILE 2>&1
1fceb383a3f0b59711832b9dc4e8329d7f216604semery check_admin "\n$(gettext "Enter the krb5 administrative principal to be used"): \c"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Obtaining TGT for %s") ...\n" $ADMIN_PRINC
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $PWFILE ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery kinit -c $TMP_CCACHE -S kadmin/$master_hn $ADMIN_PRINC
1fceb383a3f0b59711832b9dc4e8329d7f216604semery cat $PWFILE | kinit -c $TMP_CCACHE -S kadmin/$master_hn \
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if egrep -s "$(gettext "Valid starting")" $TMP_FILE && \
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "kinit of %s failed, exiting").\n" $ADMIN_PRINC
1fceb383a3f0b59711832b9dc4e8329d7f216604semery $KADMIN -c $TMP_CCACHE -q "ank -randkey kiprop/$fqhn" 1>$TMP_FILE 2>&1
1fceb383a3f0b59711832b9dc4e8329d7f216604semery $KADMIN -c $TMP_CCACHE -q "ktadd kiprop/$fqhn" 1>$TMP_FILE 2>&1
1fceb383a3f0b59711832b9dc4e8329d7f216604semery $KADMIN -c $TMP_CCACHE -q "ank -randkey host/$fqhn" 1>$TMP_FILE 2>&1
1fceb383a3f0b59711832b9dc4e8329d7f216604semery $KADMIN -c $TMP_CCACHE -q "ktadd host/$fqhn" 1>$TMP_FILE 2>&1
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -r $KADM5ACL ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Cannot write to %s, exiting").\n" $KADM5ACL
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $master = yes ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -r $KPROPACL ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -ne 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Cannot write to %s, exiting").\n" $KPROPACL
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $PWFILE ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery # Clear the kadm5acl, since the start methods look at this file
1fceb383a3f0b59711832b9dc4e8329d7f216604semery # to see if the server has been configured as a master server
1fceb383a3f0b59711832b9dc4e8329d7f216604semery # Wait for full propagation of the database, in some environments
1fceb383a3f0b59711832b9dc4e8329d7f216604semery while [[ ! -f /var/krb5/principal ]]; do
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ count -gt $LOOPCNT ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Could not receive updates from the master").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Waiting for database from master")...\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery # The database is propagated now we need to create the stash file
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $PWFILE ]]; then
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery printf "$(gettext "yes")\n" | kdb5_util $arg destroy > /dev/null 2>&1
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery [[ $status -eq 0 ]] && return $status
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery # Could mean that the admin could have already removed part of the
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery # configuration. Better to check to see if anything else should be
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery # destroyed. We check by looking at any other stash files in /var/krb5
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery [[ -z $realm ]] && continue
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery printf "$(gettext "Found non-default realm: %s")\n" $realm
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery query "$(gettext "Do you wish to destroy realm"): $realm ?"
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery if [[ $answer == yes ]]; then
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery printf "$(gettext "yes")\n" | kdb5_util -r $realm destroy > /dev/null 2>&1
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery if [[ $status -ne 0 ]]; then
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery printf "$(gettext "Could not destroy realm: %s")\n" $realm
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery printf "$(gettext "%s will not be destroyed").\n" $realm
1fceb383a3f0b59711832b9dc4e8329d7f216604semery # Check first to see if this is an existing KDC or server
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan if [[ -f $KRB5KT || -f $PRINCDB || -f $OLDPRINCDB ]]
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $PWFILE ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Some of the following files are present on this system"):\n"
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan echo "\t$KRB5KT\n\t$PRINCDB\n\t$OLDPRINCDB\n\t$STASH\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -z $d_option ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "You must first run 'kdcmgr destroy' to remove all of these files before creating a KDC server").\n\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery ok_to_proceed "$(gettext "All of these files will be removed, okay to proceed?")"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -n $d_option ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "No KDC related files exist, exiting").\n\n"
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery [[ $status -ne 0 ]] && cleanup 1
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ -s $KADM5ACL ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $? -gt 0 ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "KDC Master Status Information")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "KDC Slave Status Information")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Transaction Log Information")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Kerberos Related File Information")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "(will display any missing files below)")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery FILELIST="$KRB5_KDC_CONF $KRB5_KRB_CONF $KADM5ACL $KRB5KT $PRINCDB "
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ ! -s $file ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ $is_master -eq 0 && ! -s $KPROPACL ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery test ! -s $STASH &&
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Stash file not found") (/var/krb5/.k5.*).\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery# Start of Main script
1fceb383a3f0b59711832b9dc4e8329d7f216604semery TMP_FILE=$(/usr/bin/mktemp /etc/krb5/krb5tmpfile.XXXXXX)
1fceb383a3f0b59711832b9dc4e8329d7f216604semery TMP_CCACHE=$(/usr/bin/mktemp /etc/krb5/krb5tmpccache.XXXXXX)
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Error: need to configure /etc/resolv.conf").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semeryif [[ -n "$fqhn" ]]; then
b793cf1f804f52789df526036d96d1be7d3efc9dShawn Emery fqhn=$(hostname|cut -f1 -d'.').$(domainname|cut -f2- -d'.')
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Error: can not determine full hostname (FQHN). Aborting")\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "Note, trying to use hostname and domainname to get FQHN").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semerytrap "echo $exitmsg; rm -f $TMP_FILE $TMP_CCACHE; exit 1" HUP INT QUIT TERM
1fceb383a3f0b59711832b9dc4e8329d7f216604semery if [[ ! -r $PWFILE ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Password file %s does not exist, exiting").\n\n" $PWFILE
1fceb383a3f0b59711832b9dc4e8329d7f216604semeryprintf "---------------------------------------------------\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery# Checks for existing kdb and destroys if desired
1fceb383a3f0b59711832b9dc4e8329d7f216604semeryif [[ -z $REALM ]]; then
1fceb383a3f0b59711832b9dc4e8329d7f216604semery query "$(gettext "Is this machine to be configured as a master?"): \c"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery query "$(gettext "Is this machine to be configured as a slave?"): \c"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "\n$(gettext "Machine must either be a master or a slave KDC server").\n"
1fceb383a3f0b59711832b9dc4e8329d7f216604semery printf "$(gettext "What is the master KDC's host name?"): \c"
1fceb383a3f0b59711832b9dc4e8329d7f216604semeryprintf "\n---------------------------------------------------\n"