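#!/bin/bash
#
#
# Copyright (c) Bull S.A. 2007 All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Further, this software is distributed without any warranty that it is
# free of the rightful claim of any third person regarding infringement
# or the like. Any license provided herein, whether implied or
# otherwise, applies only to this software file. Patent licenses, if
# any, provided herein do not apply to combinations of this program with
# other software, or any other product whatsoever.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write the Free Software Foundation, Inc., 59
# Temple Place - Suite 330, Boston MA 02111-1307, USA.
#
# History:
# 5/14/07: Created by Aime Le Rouzic (Aime.Le-Rouzic@bull.net)
#
#
# Purpose:
# This shell command takes care of setting a Kerberos KDC
# and a Kerberos administration Server
#
# Written to be run by root on the machine to be the Kerberos NFS Server and the KDC Server
#
# Usage :
# krbkdcsv {start | status }
#   start:  First KRB KDC server initialisation
#   status: Check if the KRB KDC Server is still OK
#
# krbkdcsv start { -h | {-a kerberos administrator principal} {-b } {-c } {-C } {-d } {-k } {-r } {-v}}
#
# krbkdcsv status { -h | {-a kerberos administrator principal} {-v}}
#
# Description :
# The krbkdcsv command configures the KDC and Kerberos server.
#
# This command creates the krb5.conf, the kdc.conf file, the Kerberos database
# and the kadm5.acl file. Those files can be edited to modify the parameters
# set by this initial configuration.
#
# The command does some controls:
#   start:
#     - checks Kerberos Server package
#     - checks REALM is UPPER CASE
#     - checks kerberos daemons running (krb5kdc, kadmind)
#     - checks KDC and administration server works
#   status:
#     - checks kerberos daemons running (krb5kdc, kadmind)
#     - checks KDC and administration server works
#
# Flags:
#   -a : kerberos administrator principal
#   -b : kerberos server name
#   -c : directory where is located the krb5.conf file
#   -C : directory where is located the kdc.conf file
#   -d : domain name for the Kerberos realm
#   -h : help to display the command syntax
#   -k : KDC server name
#   -r : realm for which the Kerberos server is to be configured
#   -v : verbose mode
#
# NOTE(review): the here-documents that filled krb5.conf, kdc.conf and
# kadm5.acl, and the bodies of CreateKDB, CreateKRBAdministrator and
# StopKDCServer, did not survive the extraction of this listing (only
# "cat > <file>" fragments and a trailing "> /dev/null" remained). They are
# reconstructed below and marked as such; confirm them against the original
# script before relying on this file.
#

UsageStart="krbkdcsv start { -h | {-a kerberos administrator principal} {-b } {-c } {-C } {-d } {-k } {-r } {-v}}"
UsageStatus="krbkdcsv status { -h | {-a admin name} {-v}}"

# Defaults Environment
HOSTNAME=$(/bin/hostname)        # Gets the hostname of the machine running this command
KRB_CONF="/etc"                  # Directory where to find the kerberos configuration file
KDC_ROOT="/var/kerberos/krb5kdc" # Directory where to find the KDC configuration file
KRB_LOG="/var/krb5/log"          # Directory where to find the kerberos logging files
REALM=""                         # Contains the realm name
DOMAIN=""                        # Domain name of the Kerberos realm
KDC_SERVER=$HOSTNAME             # Kdc server name
KRB_SERVER=$HOSTNAME             # Kerberos server name
KRB_ADMIN="root"                 # "root" must exist on client and server NFS machines to use kadmin
                                 # if not "root" but for example "admin",
                                 # admin must belong to the "root" group on the client and server
                                 # NFS machines to use kadmin in order to get the necessary rights
                                 # to access kerberos
modverbose=0                     # verbose mode writes the different reached configuration steps

#
# Functions
#

vm () {
  # Verbose messages: print $1 only when -v was given (modverbose != 0).
  if [ "$modverbose" != 0 ]; then
    printf '%s\n' "$1"
  fi
}

FinalizeStartConfiguration () {
  # Finalize the configuration after the command line processing (option start):
  # prompt for every parameter still empty, print a summary and ask for
  # agreement. Exits 0 when the operator does not answer exactly "yes".
  if [ -z "$REALM" ]; then
    echo "Enter the REALM name:"
    read -r REALM
  fi
  CheckREALM
  if [ -z "$KDC_SERVER" ]; then
    echo "Enter the KDC Server Name:"
    read -r KDC_SERVER
  fi
  if [ -z "$DOMAIN" ]; then
    echo "Enter the Domain Name"
    read -r DOMAIN
  fi
  if [ -z "$KRB_SERVER" ]; then
    echo "Enter the Kerberos Administration Server Name:"
    read -r KRB_SERVER
  fi
  if [ -z "$KRB_CONF" ]; then
    echo "Enter the directory where to put the Kerberos krb5.conf file:"
    read -r KRB_CONF
  fi
  # The original tested the literal string "KDC_ROOT" (never empty), so an
  # empty -C argument was silently accepted; test the variable itself.
  if [ -z "$KDC_ROOT" ]; then
    echo "Enter the directory where to put the KDC files:"
    read -r KDC_ROOT
  fi
  # list a summary
  echo "Here are the parameters from which the KDC and Kerberos administration"
  echo "Server configuration will be build: "
  echo "----------------------------------------------------------------------- "
  echo " Kerberos REALM: $REALM"
  echo " Domain Name: $DOMAIN"
  echo " KDC Server Name: $KDC_SERVER"
  echo " Kerberos Administration Server Name: $KRB_SERVER"
  echo " ............................"
  echo " Kerberos Configuration File: $KRB_CONF/krb5.conf"
  echo " KDC Configuration File: $KDC_ROOT/kdc.conf"
  echo " ............................"
  echo " Kerberos Administrator Name: $KRB_ADMIN"
  # do you agree
  echo "Do you agree with this KDC and Kerberos Administration configuration: yes/no[no]"
  ANSWER="no"
  read -r ANSWER
  case "$ANSWER" in
    yes) ;;
    *)
      echo " You need to restart the command to change it"
      exit 0
      ;;
  esac
}

TestKerberosInstall () {
  # Check Kerberos Server package: krb5kdc must be reachable through PATH or
  # at the fixed location this script already uses for kdb5_util.
  if ! command -v krb5kdc >/dev/null 2>&1 && [ ! -x /usr/kerberos/sbin/krb5kdc ]; then
    echo "Kerberos Server Package not installed"
    exit 1
  fi
}

CheckREALM () {
  # Check REALM is UPPER CASE; keep prompting until it is.
  # The upper-cased copy is recomputed on every turn: the original computed
  # it once, so a re-entered value could only pass if it matched the upper
  # case of the FIRST value.
  local realm_uppercase
  realm_uppercase=$(printf '%s' "$REALM" | tr '[:lower:]' '[:upper:]')
  while [ "$realm_uppercase" != "$REALM" ]; do
    echo "REALM: $REALM not uppercase, enter it again:"
    read -r REALM
    realm_uppercase=$(printf '%s' "$REALM" | tr '[:lower:]' '[:upper:]')
  done
}

ResetKDB () {
  # Delete Data Bases, configuration and temporary files from
  # the previous configuration.
  # "${VAR:?}" aborts the script if a directory variable is empty, so the
  # wildcard removals can never degrade into "rm /*" (KDC_ROOT and KRB_CONF
  # are taken from -C / -c on the command line).
  # delete DataBase (kdb5_util asks its own confirmation)
  /usr/kerberos/sbin/kdb5_util destroy
  rm -f -- "${KDC_ROOT:?}"/* >/dev/null 2>&1
  # delete Temporary and configuration files
  # NOTE: this removes every user's credential cache on this host, not only root's.
  rm -f -- /tmp/krb5cc_* >/dev/null 2>&1
  rm -f -- /var/tmp/krb5kdc_rcache >/dev/null 2>&1
  rm -f -- /var/tmp/rc_kadmin_0 >/dev/null 2>&1
  rm -f -- "${KRB_CONF:?}/krb5.keytab" >/dev/null 2>&1
  rm -f -- "${KRB_CONF:?}/krb5.conf" >/dev/null 2>&1
  # delete logging files (the original hard-coded /var/krb5/log, i.e. KRB_LOG's default)
  rm -f -- "${KRB_LOG:?}"/* >/dev/null 2>&1
}

CreateKRB5Conf () {
  # Creates the kerberos configuration file $KRB_CONF/krb5.conf.
  # NOTE(review): reconstructed — only "cat > $KRB_CONF/krb5.conf" survived
  # in this listing. This minimal template uses the same parameters the
  # summary prints; restore the original template if it is available.
  cat > "$KRB_CONF/krb5.conf" <<EOF
[logging]
 default = FILE:$KRB_LOG/krb5libs.log
 kdc = FILE:$KRB_LOG/krb5kdc.log
 admin_server = FILE:$KRB_LOG/kadmind.log

[libdefaults]
 default_realm = $REALM

[realms]
 $REALM = {
  kdc = $KDC_SERVER:88
  admin_server = $KRB_SERVER:749
 }

[domain_realm]
 .$DOMAIN = $REALM
 $DOMAIN = $REALM
EOF
}

CreateKDCConf () {
  # Creates the KDC configuration file $KDC_ROOT/kdc.conf.
  # NOTE(review): reconstructed (see CreateKRB5Conf); the acl_file and
  # admin_keytab paths are the files this script creates and links.
  cat > "$KDC_ROOT/kdc.conf" <<EOF
[kdcdefaults]
 acl_file = $KDC_ROOT/kadm5.acl
 admin_keytab = $KDC_ROOT/kadm5.keytab

[realms]
 $REALM = {
 }
EOF
}

CreateKDB () {
  # Create the Kerberos Data Base (KDB) for $REALM.
  # NOTE(review): reconstructed — the body was lost; ResetKDB shows the same
  # tool is used. "-s" writes the master-key stash under $KDC_ROOT so that
  # krb5kdc/kadmind can be started by "service" without a prompt; that stash
  # is as sensitive as the database itself and must stay readable by root only.
  /usr/kerberos/sbin/kdb5_util -r "$REALM" create -s
}

CreateKadm5Acl () {
  # Create the kadm5.acl file that tells kadmind who may administer the realm.
  # NOTE(review): reconstructed — grants all rights ("*") to the configured
  # administrator principal only. The original body was lost and may have
  # used a broader "*/admin@$REALM" pattern.
  cat > "$KDC_ROOT/kadm5.acl" <<EOF
$KRB_ADMIN/admin@$REALM *
EOF
}

CreateKRBAdministrator () {
  # Create the Kerberos administrator principal $KRB_ADMIN/admin.
  # NOTE(review): reconstructed — kadmin.local works on the database directly
  # (kadmind is not running at this point of "start") and prompts for the
  # principal's password.
  /usr/kerberos/sbin/kadmin.local -q "addprinc $KRB_ADMIN/admin"
}

StopKDCServer () {
  # Stop krb5kdc when already running.
  # NOTE(review): reconstructed from the surviving "> /dev/null }" tail and
  # the sibling StopKRBAdmin.
  service krb5kdc stop >/dev/null
}

StopKRBAdmin () {
  # Stop kadmin when already running
  service kadmin stop >/dev/null
}

StartKDCServer () {
  # Start krb5kdc
  service krb5kdc start
}

StartKRBAdmin () {
  # Start kadmind
  service kadmin start
}

EnsureDaemonRunning () {
  # Check that daemon $1 is running; if not, offer to start init service $2.
  # Exits 1 when the operator declines or when the daemon is still not up
  # after the start (the original reported "is running" without re-checking).
  local daemon=$1
  local svc=$2
  echo "Let's check $daemon is running on the KDC and Administration Server: $KDC_SERVER"
  if ! pgrep -x -- "$daemon" >/dev/null 2>&1; then
    echo "$daemon daemon not running"
    echo "Do you want to have this command loading it: yes/no[no]"
    ANSWER="no"
    read -r ANSWER
    case "$ANSWER" in
      yes) service "$svc" start ;;
      *) exit 1 ;;
    esac
    if ! pgrep -x -- "$daemon" >/dev/null 2>&1; then
      echo "$daemon daemon still not running" >&2
      exit 1
    fi
  fi
  echo " $daemon is running"
}

Check_KDC_KRB () {
  # Check kerberos daemons are running (krb5kdc, kadmind).
  # The original's kadmind check printed "krb5kdc" in its prompt (copy-paste);
  # each daemon now reports under its own name.
  EnsureDaemonRunning krb5kdc krb5kdc
  EnsureDaemonRunning kadmind kadmin
}

TestKDC () {
  # A quick test of KDC: obtain a TGT for the administrator (kinit prompts
  # for the password) and check it shows up in the credential cache.
  echo ""
  echo "Let's do some tests to see if the KDC Server works:"
  echo " - by running kinit $KRB_ADMIN/admin without error"
  echo " - by checking the krbtgt can be obtained"
  # The original ignored kinit's exit status and only looked at klist.
  if ! kinit "$KRB_ADMIN/admin"; then
    echo "kinit $KRB_ADMIN/admin failed" >&2
    exit 1
  fi
  # no messages should appear
  # NOTE: the administrator's TGT stays in root's credential cache afterwards
  # (no kdestroy), exactly as in the original.
  if ! klist | grep -q krbtgt; then
    echo "klist: no krbtgt ticket found in the credentials cache" >&2
    exit 1
  fi
}

TestAdm () {
  # A quick test of kerberos admin: list principals through kadmind as the
  # administrator (kadmin prompts for the password). The original did not
  # check the result.
  echo ""
  echo "Let's do some tests to see if the Kerberos Server works:"
  echo " - by listing principals without error"
  if ! kadmin -p "$KRB_ADMIN/admin" -q listprincs; then
    echo "kadmin: listing principals as $KRB_ADMIN/admin failed" >&2
    exit 1
  fi
}

start () {
  # First KRB KDC server initialisation: rebuild the whole configuration.
  # vm() reports each step when -v was given; the original defined vm but
  # never called it, so -v had no effect.
  FinalizeStartConfiguration   # Finalize the configuration after the command line processing
  TestKerberosInstall          # Check Kerberos Server package
  vm "Stopping krb5kdc and kadmind"
  StopKDCServer                # Stop krb5kdc when already running
  StopKRBAdmin                 # Stop kadmind when already running
  vm "Removing the previous configuration"
  ResetKDB                     # Delete Data Bases, configuration and temporary file from
                               # the previous configuration
  vm "Creating $KRB_CONF/krb5.conf and $KDC_ROOT/kdc.conf"
  CreateKRB5Conf               # Create the kerberos configuration file
  CreateKDCConf                # Create the KDC configuration file
  vm "Creating the Kerberos database"
  CreateKDB                    # Create the Kerberos Data Base(KDB)
  # The original linked the fixed path /var/kerberos/krb5kdc/kadm5.keytab and
  # ignored -C; use KDC_ROOT so both locations move together.
  # NOTE(review): this is the author's design — kadmind's keytab is exposed
  # as the host keytab, so every reader of krb5.keytab also holds the kadmin
  # service keys.
  ln -s "$KDC_ROOT/kadm5.keytab" "$KRB_CONF/krb5.keytab"
  vm "Creating $KDC_ROOT/kadm5.acl and the administrator $KRB_ADMIN/admin"
  CreateKadm5Acl               # Create the kadm5.acl file
  CreateKRBAdministrator       # Create Kerberos administrator
  vm "Starting krb5kdc and kadmind"
  StartKDCServer               # Start krb5kdc daemon
  StartKRBAdmin                # Start kadmin daemon
  TestKDC                      # Test KDC server works
  TestAdm                      # Test Kerberos Administration works
}

status () {
  # Check if the KRB KDC Server is still OK.
  Check_KDC_KRB                # Check kerberos daemons are running (krb5kdc, kadmind)
  TestKDC                      # Test KDC server works
  TestAdm                      # Test Kerberos Administration server works
}

#
# Main section
#
case "$1" in
  start)
    # Command Line Processing; OPTIND=2 skips the "start" word itself.
    OPTIND=2
    while getopts :hva:b:c:C:d:k:r: PARAMS; do
      case "$PARAMS" in
        a) KRB_ADMIN=$OPTARG ;;   # Get the kerberos administrator principal name
        b) KRB_SERVER=$OPTARG ;;  # Get the kerberos server name
        c) KRB_CONF=$OPTARG ;;    # Get the directory where is located the krb5.conf file
        C) KDC_ROOT=$OPTARG ;;    # Get the directory where is located the kdc.conf file
        d) DOMAIN=$OPTARG ;;      # Get the domain name for the Kerberos realm
        h)                        # help
          echo "$UsageStart"
          exit 0
          ;;
        k) KDC_SERVER=$OPTARG ;;  # Get the KDC server name
        r) REALM=$OPTARG ;;       # Get the REALM name
        v)                        # Set verbose mode
          echo "Verbose mode set"
          modverbose=1
          ;;
        *)                        # unknown option, or option missing its argument
          echo "bad parameter: -$OPTARG"
          echo "$UsageStart"
          exit 1
          ;;
      esac
    done
    start
    ;;
  status)
    # Command Line Processing; OPTIND=2 skips the "status" word itself.
    OPTIND=2
    while getopts :hva: PARAMS; do
      case "$PARAMS" in
        a) KRB_ADMIN=$OPTARG ;;   # Get the kerberos administrator principal
        h)                        # help
          echo "$UsageStatus"
          exit 0
          ;;
        v)                        # Set verbose mode
          echo "Verbose mode set"
          modverbose=1
          ;;
        *)
          echo "bad parameter: -$OPTARG"
          echo "$UsageStatus"
          exit 1
          ;;
      esac
    done
    status
    ;;
  *)
    echo "Usage: $0 {start|status} -h"
    exit 1
    ;;
esac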