#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#
# NOTE(review): this copy of the script is incomplete here.  The command
# whose exit status the first `if` tests precedes this run and is not in
# view, and the `if` body is empty (`then` directly followed by `fi`),
# which ksh/bash reject as a syntax error -- the original lines between
# them are missing.
if (( $? != 0 ))
then
fi
# Abort the whole setup when the package installation step (not in view)
# reported a failure; nothing below can work without the Kerberos packages.
if (( $? != 0 ))
then
echo "One or more packages failed to install"
exit 1
fi
# Shared test password.  It is hard-coded, written to a file below, and
# reused for every principal this script creates with -pw (cross-realm
# krbtgts, "tester", "ken").  Because it is passed to kadmin.local on the
# command line it is also visible to any local user via ps(1).  That is
# tolerable only for a throw-away test KDC -- never run this against a
# production realm.
passwd="1234"
# From here on any failing command aborts the script (the trap is dropped
# and re-armed around the destroy step below).
trap "echo 'A command failed, aborting.'; exit 1" ERR
# Unless the force flag was given (parsed outside this view; $force is
# expected to expand to `true` or `false`), ask before wiping the existing
# KDC configuration.  ok_to_proceed is defined elsewhere in the script.
if ! $force
then
ok_to_proceed "Existing KDC config will be destroyed, okay to proceed?"
fi
trap - ERR # if kdcmgr destroy fails, run it again
# NOTE(review): lines are missing in this copy.  The command whose status is
# tested here (presumably the kdcmgr destroy the comment above refers to)
# and the body of this `if` are absent; an empty `then ... fi` is a syntax
# error in ksh/bash.
if (( $? != 0 ))
then
fi
print "Existing KDC config destroyed."
trap "echo 'A command failed, aborting.'; exit 1" ERR
# Stage the master password in a file for the creation step that follows.
# $passwd_file is set outside this view.
# NOTE(review): the file is created with the caller's umask, so unless the
# caller already runs with umask 077 the password is briefly readable by
# other users; set `umask 077` before this line (or create the file with
# mktemp) before relying on this in anything but a test setup.
print $passwd > $passwd_file
# create the master KDC
# NOTE(review): both branches are empty in this copy -- the commands that
# build the KDC are missing.  From the rest of the script, a non-empty
# $master_kdc means this host is being set up as a slave of that master;
# empty means it becomes the master itself.
if [[ -n $master_kdc ]]
then
else
fi
# The staged password is only needed during creation; remove it right away.
rm -f $passwd_file
# Optional stuff follows...
# Note, this next section is adding various service principals local to
# this system. If you have servers running on other systems, edit this
# section to add the services using the FQDN hostnames of those systems
# and output the keytab to a non-default filename.
# You will then either copy the non-default filename created on the
# system you ran this script on or login to the other system and do a
# kadmin/ktadd to add the service principal to the /etc/krb5/krb5.keytab
# located on that server.
# addprincs if not in slave mode
if [[ -z $master_kdc ]]
then
# Optional keytab config file (path parsed outside this view).  The outer
# loop reads it line by line and sets $host; the inner loop walks the
# services for that host and sets $service.  Both loop headers are missing
# from this copy -- only their `do` lines survive -- so the exact line
# format is not recoverable here.
if [[ -n "$kt_config_file" ]]
then
if ! $force
then
ok_to_proceed "Existing keytab files will be modified, okay to proceed?"
fi
do
# NOTE(review): bug.  Inside [[ ]] a double-quoted right-hand side is
# matched as a literal string, not a pattern, so this only skips a line
# whose host field is exactly "#*".  Real comment lines fall through and
# get a /var/run/#....keytab plus principals named after the comment.
# Leave the pattern unquoted: [[ "$host" == \#* ]]
if [[ "$host" == "#*" ]]
then
# skip comments
continue
fi
# Keytabs for other hosts are staged under /var/run and shipped later
# (see the transfer commands printed at the end of the script).  $host is
# used verbatim from the config file: a value containing "/" or ".."
# changes which path is removed and written to.  The file is operator
# supplied, but rejecting host names with "/" here would be cheap insurance.
if [[ "$host" != "localhost" ]]
then
hostkeytab="/var/run/${host}.keytab"
rm -f $hostkeytab
fi
do
if [[ "$host" == "localhost" ]]
then
# add service to KDC's keytab
# -randkey: service keys are random, never password derived.  ktadd with
# no -k extracts the key into the KDC's default keytab.
kadmin.local -q "addprinc -randkey $service/$fqdn"
kadmin.local -q "ktadd $service/$fqdn"
print "Added $service/$fqdn to /etc/krb5/krb5.keytab"
else
# add service to $host's keytab
# Same as above, but the key goes into the per-host staging keytab.
kadmin.local -q "addprinc -randkey $service/$host"
kadmin.local -q "ktadd -k $hostkeytab $service/$host"
print "\nAdded $service/$host to $hostkeytab"
fi
done
done < $kt_config_file
fi
# Cross-realm trust with $crossrealm (both set outside this view).  Both
# directions of the trust are keyed from the shared test password, so the
# trust key is a known value -- fine for a test realm only.
if [[ -n "$crossrealm" ]]
then
# Setup Cross-realm auth.
kadmin.local -q "addprinc -pw $passwd krbtgt/$realm@$crossrealm"
kadmin.local -q "addprinc -pw $passwd krbtgt/$crossrealm@$realm"
fi
# Optional, Add service principals on KDC
# NOTE(review): the loop header that sets $srv, and the first part of the
# comment below, are missing from this copy.
do
# randomizes the key anyway so use the -randkey option for addprinc).
kadmin.local -q "addprinc -randkey $srv/$fqdn"
kadmin.local -q "ktadd $srv/$fqdn"
done
# Test user principals, both keyed from the shared test password.
# "tester" needed for setup
# ("tester" is the principal the kinit smoke test at the end logs in as.)
kadmin.local -q "addprinc -pw $passwd tester"
# "ken" needed for test
kadmin.local -q "addprinc -pw $passwd ken"
fi # addprincs if not in slave mode
# turn off err trap because svcadm below may return an unimportant error
# NOTE(review): with the ERR trap ignored, nothing from here on aborts on
# failure unless it is checked explicitly (the svcadm and kinit calls are;
# anything else that fails is silently skipped).
trap "" ERR
# NOTE(review): the `if` that this `then` belongs to is missing from this
# copy.  $tmpnfssec looks like a mktemp result used to rewrite
# /etc/nfssec.conf -- confirm against the full script.
then
[[ -n $tmpnfssec ]] || exit 1
print 'Enabled krb5 sec in /etc/nfssec.conf.'
print 'Copy /etc/nfssec.conf to all systems doing NFS sec=krb5*.'
print
fi
# get time and DNS running
# NOTE(review): the conditions and bodies of the next two `if` statements
# (per the comment above, starting the time and DNS services) are missing
# from this copy; only the `then`/`fi` keywords survive.
then
fi
then
fi
# NOTE(review): the condition for this error branch is missing too.  By
# analogy with the kadmin and gss checks below it is presumably a failed
# `svcadm enable -s` of the krb5kdc service -- confirm against the full
# script.
then
cat <<-EOF
Error, the krb5kdc daemon did not start. You will not be able to do Kerberos
authentication. Check your kerberos config and rerun this script.
EOF
exit 1
fi
# Enable one SMF service synchronously (-s waits for it to come online).
# On failure the service's own diagnostics are printed with svcs -x and a
# non-zero status is returned so the caller can print its message and
# abort.  The ERR trap is disabled above, so this explicit check is the
# only thing that notices a service that fails to start.
function enable_svc {
	typeset fmri=$1
	if svcadm enable -s "$fmri"
	then
		return 0
	fi
	svcs -x "$fmri"
	return 1
}

# kadmind only runs on a master KDC (no $master_kdc given); slaves skip it.
if [[ -z $master_kdc ]] && ! enable_svc svc:/network/security/kadmin:default
then
cat <<-EOF
Error, the kadmind daemon did not start. You will not be able to change
passwords or run the kadmin command. Make sure /etc/krb5/kadm5.acl is
configured properly and rerun this script.
EOF
	exit 1
fi

# rpc/gss is required for NFS sec=krb5* to work on this host.
if ! enable_svc svc:/network/rpc/gss:default
then
cat <<-EOF
Error, the gss service did not start. You will not be able to do nfssec with sec=krb5*
EOF
	exit 1
fi
# Smoke test for the new KDC: obtain a TGT for the "tester" principal
# (created above with the shared test password) into a fresh, private
# credential cache instead of the invoking user's default one.
# NOTE(review): the cache is not removed anywhere in the lines shown here;
# if nothing later uses it, add `rm -f "$tmpccache"` after the kinit so the
# test TGT does not linger in /tmp.
tmpccache=$(/usr/bin/mktemp /tmp/ccache_XXXXXX)
if [[ -z $tmpccache ]]
then
	exit 1
fi
# The password is fed on stdin, not argv, so it does not show up in ps(1).
print "$passwd" | kinit -c $tmpccache tester || {
	print -u2 "Warning, kinit for tester princ failed, kdc setup is not working!"
	exit 1
}
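# Tell the operator how to ship each staged keytab to its host.  The
# commands were collected earlier (outside this view) in kt_transfer_command[]
# with num_keytabs entries; the header is printed once, and only when there
# is at least one command to show.
if ((num_keytabs > 0))
then
	print "\nRun the following commands to transfer generated keytabs:"
fi
for ((i = 0; i < num_keytabs; i++))
do
	# Quoted on purpose: an unquoted expansion would be word-split (collapsing
	# runs of whitespace inside the command) and have any glob characters in
	# it expanded against the local file system before it is printed, so the
	# operator could be shown something other than the command to run.
	print "${kt_transfer_command[i]}"
done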