#! /bin/bash
#
#
#
# Copyright (c) Bull S.A. 2007 All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Further, this software is distributed without any warranty that it is
# free of the rightful claim of any third person regarding infringement
# or the like. Any license provided herein, whether implied or
# otherwise, applies only to this software file. Patent licenses, if
# any, provided herein do not apply to combinations of this program with
# other software, or any other product whatsoever.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write the Free Software Foundation, Inc., 59
# Temple Place - Suite 330, Boston MA 02111-1307, USA.
#
# History:
# 5/14/07 : Created by Aime Le Rouzic (Aime.Le-Rouzic@bull.net)
# 9/30/07 : Updated by Aime Le Rouzic (Aime.Le-Rouzic@bull.net)
# 12/21/07: Updated by Aime Le Rouzic (Aime.Le-Rouzic@bull.net)
#
#
# Purpose:
# This shell command takes care of setting a Kerberos KDC
# and a Kerberos administration Server
#
# Written to be run by root on the machine to be the Kerberos NFS Server and the KDC Server
#
# Usage :
# krbkdcsv {start | status | reboot}
#       start : First KRB KDC Server initialisation
#       status: Check if the KRB KDC Server is still OK
#       reboot: Check needed daemons (krb5kdc,kadmind) have been well started
#
# krbkdcsv start { -h | {-a kerberos administrator principal} {-b } {-c } {-C } {-d } {-D } {-k } {-r } {-v}}
#
# krbkdcsv status { -h | {-a kerberos administrator principal} {-c } {-D } {-v}}
# krbkdcsv reboot { -h | {-D } }
#
# Description :
# The krbkdcsv command configures the KDC and Kerberos Server.
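#
# This command creates the krb5.conf,the kdc.conf file,the Kerberos database
# and the kadm5.acl file. Those files can be edited to modify the parameters
# set by this initial configuration
#
#
# The command does some controls:
# start:
#       - checks Kerberos Server package
#       - checks REALM is UPPER CASE
#       - checks kerberos daemons are running (krb5kdc, kadmind)
#       - checks KDC and administration Server works
#       - synchronize time with ntp when possible
# status:
#       - checks kerberos daemons are running (krb5kdc, kadmind)
#       - checks KDC and administration Server works
# reboot:
#       - checks kerberos daemons are running (krb5kdc, kadmind) and restart them if not
#
# Flags:
# -a : kerberos administrator principal
# -b : kerberos administration Server name
# -c : directory where is located the krb5.conf file
# -C : directory where is located the kdc.conf file
# -D : Linux Distribution among FEDORA, RHEL5.1
# -d : domain name for the Kerberos realm
# -h : help to display the command syntax
# -k : KDC Server name
# -r : realm for which the Kerberos Server is to be configured
# -v : verbose mode
#
#

# Usage strings; kept in sync with the option letters accepted by getopts in the
# main section (the -D flag is parsed by both start and status).
UsageStart="krbkdcsv start { -h | {-a kerberos administrator principal} {-b } {-c } {-C } {-d } {-D } {-k } {-r } {-v}}"
UsageStatus="krbkdcsv status { -h | {-a admin name} {-c } {-D } {-v}}"
UsageReboot="krbkdcsv reboot"

# Defaults Environment
HOSTNAME=$(/bin/hostname)        # Gets the hostname of the machine running this command
KRB_CONF=""                      # Directory where to find the user kerberos configuration file
                                 # (empty here; FinalizeStartConfiguration/FinalizeStatusConfiguration default it to /etc)
KRB_ENV="/var/kerberos"          # Directory where to find files used by Kerberos for the user
                                 # configuration
KDC_ROOT="/var/kerberos/krb5kdc" # Directory where to find the KDC configuration file
KRB_LOG="/var/kerberos/log"      # Directory where to find the kerberos logging files
REALM=""                         # Contains the realm name
DOMAIN=""                        # Domain name of the Kerberos realm
KDC_SERVER=""                    # KDC Server name
KRB_SERVER=""                    # Kerberos Server name
KRB_ADMIN="root"                 # "root" must exist on Client and Server NFS machines to use kadmin
                                 # if not "root" but for example "admin"
                                 # admin must belong to the "root" group on the Client and Server NFS machines
                                 # to use kadmin in order to get the necessary rights to access kerberos
                                 # The principal actually used by TestKDC/TestAdm is "$KRB_ADMIN/admin".
modverbose=0                     # verbose mode writes the differents reached configuration steps
LINUXDISTRIBUTION="FEDORA"       # Linux Distribution

#
# Functions
#

#######################################
# Print a message only when verbose mode (-v) is set.
# Globals:   modverbose (read)
# Arguments: $1 - message to print
# Outputs:   the message on stdout when modverbose != 0
#######################################
vm () {
  # verbose messages print
  if [ "$modverbose" != 0 ]
  then
    echo "$1"
  fi
}

#######################################
# Finalize the configuration after the command line processing (option start).
# Fills every parameter the user did not pass on the command line, first from
# an existing krb5.conf, then from DNS, then from the local hostname, prints a
# summary and asks the operator to confirm.  This confirmation is the only gate
# before `start` goes on to ResetKDB, which removes the existing KDC database
# and configuration, so a "no" answer leaves the machine untouched.
# Globals:   KRB_CONF, REALM, KRB_SERVER, KDC_SERVER, DOMAIN, KDC_ROOT (read/written),
#            HOSTNAME, KRB_ADMIN, UsageStart (read)
# Outputs:   summary and prompt on stdout; reads the answer from stdin
# Returns:   exits 0 unless the operator answers exactly "yes"
#######################################
FinalizeStartConfiguration () {
  if [ -z "$KRB_CONF" ]; then
    KRB_CONF="/etc"
  fi
  # krb5.conf may not exist yet on a first start: grep's "No such file" noise
  # is silenced, an empty result simply falls through to the DNS default below.
  if [ -z "$REALM" ]; then
    REALM=$(grep default_realm "$KRB_CONF/krb5.conf" 2>/dev/null | awk '{ print $3}')
  fi
  if [ -z "$REALM" ]; then
    REALM=$(dnsdomainname | tr "[a-z]" "[A-Z]")
  fi
  CheckREALM
  # admin_server entries carry a ":749" port suffix, kdc entries ":88";
  # the port is used to pick the right line and then stripped.
  if [ -z "$KRB_SERVER" ]; then
    KRB_SERVER=$(grep "admin_server" "$KRB_CONF/krb5.conf" 2>/dev/null | awk '{ print $3}' | grep 749 | cut -d: -f1)
  fi
  if [ -z "$KRB_SERVER" ]; then
    KRB_SERVER=$HOSTNAME
  fi
  if [ -z "$KDC_SERVER" ]; then
    KDC_SERVER=$(grep "kdc =" "$KRB_CONF/krb5.conf" 2>/dev/null | awk '{ print $3}' | grep 88 | cut -d: -f1)
  fi
  if [ -z "$KDC_SERVER" ]; then
    KDC_SERVER=$HOSTNAME
  fi
  if [ -z "$DOMAIN" ]; then
    DOMAIN=$(dnsdomainname)
  fi
  # The original tested the literal string "KDC_ROOT", which is never empty,
  # so this prompt could not be reached; it now tests the variable's value.
  if [ -z "$KDC_ROOT" ]; then
    echo "Enter the directory where to put the KDC files:"
    read -r KDC_ROOT
  fi

  # list a summary
  echo "Here are the parameters from which the KDC and Kerberos administration"
  echo "Server configuration will be built: "
  echo "----------------------------------------------------------------------- "
  echo " Kerberos REALM: $REALM"
  echo " Domain Name: $DOMAIN"
  echo " KDC Server Name: $KDC_SERVER"
  echo " Kerberos Administration Server Name: $KRB_SERVER"
  echo " ............................"
  echo " Kerberos Configuration File: $KRB_CONF/krb5.conf"
  echo " KDC Configuration File: $KDC_ROOT/kdc.conf"
  echo " ............................"
  echo " Kerberos Administrator Name: $KRB_ADMIN"

  # do you agree
  echo "Do you agree with this KDC and Kerberos Administration configuration: yes/no[no]"
  ANSWER="no"
  read -r ANSWER
  case $ANSWER in
    yes)
      ;;
    *)
      echo
      echo "You need to restart the command by specifying in the command the parameters you want to change: "
      echo
      echo "$UsageStart"
      exit 0
      ;;
  esac
}

#######################################
# Finalize the configuration after the command line processing (option status).
# Unlike the start variant, nothing is prompted for: every parameter is read
# back from the krb5.conf that the start option produced, and a summary is printed.
# Globals:   KRB_CONF, REALM, KDC_SERVER, KRB_SERVER, DOMAIN (written)
# Outputs:   summary on stdout
#######################################
FinalizeStatusConfiguration () {
  if [ -z "$KRB_CONF" ]; then
    KRB_CONF="/etc"
  fi
  REALM=$(grep default_realm "$KRB_CONF/krb5.conf" | awk '{ print $3}')
  CheckREALM
  KDC_SERVER=$(grep "kdc =" "$KRB_CONF/krb5.conf" | awk '{ print $3}' | grep 88 | cut -d: -f1)
  KRB_SERVER=$(grep "admin_server" "$KRB_CONF/krb5.conf" | awk '{ print $3}' | grep 749 | cut -d: -f1)
  # Domain name of the Kerberos realm
  DOMAIN=$(grep "default_domain" "$KRB_CONF/krb5.conf" | awk '{ print $3}')

  # list a summary
  echo "Here are the parameters from which the Kerberos Server configuration is built: "
  echo
  echo " Kerberos REALM: $REALM"
  echo " Domain Name: $DOMAIN"
  echo " KDC Server Name: $KDC_SERVER"
  echo " Kerberos Administration Server Name: $KRB_SERVER"
  echo " ............................"
  echo " Kerberos Configuration File: $KRB_CONF/krb5.conf"
  echo
}

#######################################
# Check Kerberos Server package: the krb5kdc binary must be resolvable in PATH.
# Globals:   RETVAL (written)
# Returns:   exits 1 when krb5kdc is not found (body continues below)
#######################################
function TestKerberosInstall () {
  # Check Kerberos Server package
  type krb5kdc >/dev/null 2>&1
  RETVAL=$?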
if [ $RETVAL -ne 0 ] then echo "Kerberos Server Package not installed" exit 1 fi } function CheckREALM () { # Check REALM is UPPER CASE REALM_UPPERCASE=`echo $REALM | tr "[a-z]" "[A-Z]"` while test "$REALM_UPPERCASE" != "$REALM" do echo "REALM: $REALM not uppercase, enter it again:"; read REALM ; done } function ResetKDB () { # Delete Data Bases, configuration and temporary files from # the previous configuration # delete DataBase `type kdb5_util` destroy 2>/dev/null rm $KDC_ROOT/kdc.conf >/dev/null 2>&1 rm $KDC_ROOT/principal >/dev/null 2>&1 rm $KDC_ROOT/principal.kadm5 >/dev/null 2>&1 rm $KDC_ROOT/principal.kadm5.lock >/dev/null 2>&1 rm $KDC_ROOT/principal.ok >/dev/null 2>&1 rm $KDC_ROOT/kadm5.acl >/dev/null 2>&1 rm $KDC_ROOT/kadm5.keytab >/dev/null 2>&1 # delete Temporary and configuration files rm /tmp/krb5cc_* >/dev/null 2>&1 rm /var/tmp/krb5kdc_rcache >/dev/null 2>&1 rm /var/tmp/rc_kadmin_0 >/dev/null 2>&1 rm $KRB_CONF/krb5.keytab >/dev/null 2>&1 rm $KRB_CONF/krb5.conf >/dev/null 2>&1 # create repertories if not existing mkdir $KRB_ENV >/dev/null 2>&1 mkdir $KDC_ROOT >/dev/null 2>&1 mkdir $KRB_LOG >/dev/null 2>&1 # delete logging files rm $KRB_LOG/kadmind.log >/dev/null 2>&1 rm $KRB_LOG/krb5kdc.log >/dev/null 2>&1 } function StartNtp () { /etc/rc.d/init.d/ntpd restart } function CreateKRB5Conf () { # Creates the kerberos configuration file cat > $KRB_CONF/krb5.conf < $KDC_ROOT/kdc.conf < $KDC_ROOT/kadm5.keytab ln -s $KDC_ROOT/kadm5.keytab $KRB_CONF/krb5.keytab } function CreateKadm5Acl () { # Create the kadm5.acl file cat > $KDC_ROOT/kadm5.acl < /dev/null } function StopKRBAdmin () { # Stop kadmin when already running service kadmin stop 2> /dev/null RETVAL=$? if [ $RETVAL -ne 0 ] then # with SLES10 service is kadmind rather than kadmin with RHEL5 service kadmind stop 2> /dev/null RETVAL=$? 
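  if [ "$RETVAL" -ne 0 ]
  then
    echo "kadmind not stopped"
    echo
    echo "Kerberos Server Setup not completed"
    exit 1
  fi
fi
}

#######################################
# Start krb5kdc through its service script.
# Outputs:   whatever the service script prints
#######################################
function StartKDCServer () {
  # Start krb5kdc
  service krb5kdc start
}

#######################################
# Start kadmind, trying the service names used by the supported distributions
# and finally the daemon binary itself.
# Globals:   RETVAL (written)
# Returns:   exits 1 when none of the three attempts succeeds
#######################################
function StartKRBAdmin () {
  # Start kadmind
  service kadmin start 2> /dev/null
  RETVAL=$?
  if [ "$RETVAL" -ne 0 ]
  then
    # with SLES10 service is kadmind rather than kadmin with RHEL5
    service kadmind start 2> /dev/null
    RETVAL=$?
    if [ "$RETVAL" -ne 0 ]
    then
      # service script may conflict with selinux: launch the daemon binary directly.
      # `type -P` yields the bare path; the original parsed the third word of
      # `type kadmind`, which is "hashed" rather than a path once bash has cached it.
      "$(type -P kadmind)"
      RETVAL=$?
      if [ "$RETVAL" -ne 0 ]
      then
        echo "kadmind not started"
        echo
        echo "Kerberos Server Setup not completed"
        exit 1
      fi
    fi
  fi
}

#######################################
# True when a process whose name matches $1 is present in the process table.
# This only proves that something with that name is running, not that it is
# healthy or serving the realm; TestKDC/TestAdm do the functional check.
# Arguments: $1 - process name pattern (grep syntax)
# Returns:   grep's status: 0 when found, 1 otherwise
#######################################
IsRunning () {
  ps -e | grep "$1" > /dev/null
}

#######################################
# Check kerberos daemons are running (krb5kdc, kadmind), offering to start
# each missing one after an interactive confirmation (status option).
# Globals:   KDC_SERVER (read), RETVAL, ANSWER (written)
# Outputs:   progress messages on stdout; reads answers from stdin
# Returns:   exits 1 when a daemon is missing and not (successfully) started
#######################################
function Check_KDC_KRB () {
  # check krb5kdc is running
  echo "Let's check krb5kdc is running on the KDC and Administration Server: $KDC_SERVER"
  IsRunning krb5kdc
  RETVAL=$?
  if [ "$RETVAL" -ne 0 ]
  then
    echo "krb5kdc daemon is not running"
    echo "Do you want to have this command starting it: yes/no[no]"
    ANSWER="no"
    read -r ANSWER
    case $ANSWER in
      yes)
        # The original reported "krb5kdc is running" regardless of whether the
        # start succeeded; a failed start now ends the check like kadmind's does.
        if ! service krb5kdc start
        then
          echo "krb5kdc not started"
          echo
          echo "Kerberos Server Setup not completed"
          exit 1
        fi
        ;;
      *)
        echo
        echo "Kerberos Server Setup not completed"
        exit 1
        ;;
    esac
  fi
  echo " krb5kdc is running"

  # check kadmind is running
  echo "Let's check kadmind is running on the KDC and Administration Server: $KDC_SERVER"
  IsRunning kadmind
  RETVAL=$?
  if [ "$RETVAL" -ne 0 ]
  then
    echo "kadmind daemon is not running"
    echo "Do you want to have this command starting it: yes/no[no]"
    ANSWER="no"
    read -r ANSWER
    case $ANSWER in
      yes)
        StartKRBAdmin
        ;;
      *)
        echo
        echo "Kerberos Server Setup not completed"
        exit 1
        ;;
    esac
  fi
  echo " kadmind is running"
}

#######################################
# Check kerberos daemons are running (krb5kdc, kadmind) and start the missing
# ones without asking (reboot option, meant for unattended use at boot).
# Globals:   RETVAL (written)
#######################################
function CheckStart_KDC_KRB () {
  # check krb5kdc is running
  IsRunning krb5kdc
  RETVAL=$?
  if [ "$RETVAL" -ne 0 ]
  then
    echo "Let's start krb5kdc daemon which is not running"
    service krb5kdc start
  fi
  # check kadmind is running
  IsRunning kadmind
  RETVAL=$?
  if [ "$RETVAL" -ne 0 ]
  then
    echo "Let's start kadmind daemon which is not running"
    StartKRBAdmin
  fi
}

#######################################
# A quick test of KDC: obtain a TGT for the administrator principal and check
# it shows up in the credential cache.  kinit prompts for the principal's
# password on the terminal.
# Globals:   KRB_ADMIN (read), RETVAL (written)
# Returns:   exits 1 when no krbtgt entry is listed
#######################################
function TestKDC () {
  echo ""
  echo "Let's do some tests to see if the KDC Server works:"
  echo " - by running kinit $KRB_ADMIN/admin without error"
  echo " - by checking the krbtgt can be obtained"
  kinit "$KRB_ADMIN/admin"
  # no messages should appear
  klist -5 | grep krbtgt >/dev/null
  RETVAL=$?
  if [ "$RETVAL" -ne 0 ]
  then
    echo "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)"
    exit 1
  fi
}

#######################################
# A quick test of kerberos admin: list the principals as the administrator.
# Globals:   KRB_ADMIN (read), RETVAL (written)
# Returns:   exits 1 when kadmin fails
#######################################
function TestAdm () {
  echo ""
  echo "Let's do some tests to see if the Kerberos Administration Server works:"
  echo " - by listing principals without error"
  echo
  kadmin -p "$KRB_ADMIN/admin" -q listprincs
  RETVAL=$?
  if [ "$RETVAL" -ne 0 ]
  then
    exit 1
  fi
}

#######################################
# start option: full (re)initialisation of the KDC and administration server.
# Every step after FinalizeStartConfiguration's confirmation is destructive
# for an existing setup (ResetKDB drops the database and configuration files).
#######################################
start () {
  FinalizeStartConfiguration   # Finalize the configuration after the command line processing
  TestKerberosInstall          # Check Kerberos Server package
  StopKDCServer                # Stop krb5kdc when already running
  StopKRBAdmin                 # Stop kadmind when already running
  ResetKDB                     # Delete Data Bases, configuration and temporary file from
                               # the previous configuration
  StartNtp                     # Let's start NTP
  CreateKRB5Conf               # Create the kerberos configuration file
  CreateKDCConf                # Create the KDC configuration file
  CreateKDB                    # Create the Kerberos Data Base(KDB)
  CreateKeytabFiles
  CreateKadm5Acl               # Create the kadm5.acl file
  CreateKRBAdministrator       # Create Kerberos administrator
  StartKDCServer               # Start krb5kdc daemon
  StartKRBAdmin                # Start kadmin daemon
  TestKDC                      # Test KDC Server works
  TestAdm                      # Test Kerberos Administration works
}

#######################################
# status option: verify an existing setup (daemons up, KDC and kadmin answer).
#######################################
status () {
  FinalizeStatusConfiguration  # Finalize the configuration after the command line processing
  Check_KDC_KRB                # Check kerberos daemons are running (krb5kdc, kadmind)
  TestKDC                      # Test KDC Server works
  TestAdm                      # Test Kerberos Administration Server works
}

#######################################
# reboot option: restart the daemons that are not running, non-interactively.
#######################################
reboot () {
  CheckStart_KDC_KRB           # Check kerberos daemons are running (krb5kdc, kadmind)
}

#
# Main section
#
# $1 selects the sub-command; getopts starts at OPTIND=2 so that the
# sub-command word itself is not parsed as an option.
case "$1" in
  start)
    # Command Line Processing
    OPTIND=2
    while getopts :hva:b:c:C:d:D:k:r: PARAMS
    do
      case $PARAMS in
        a) # Get the Kerberos administrator principal name
          KRB_ADMIN=$OPTARG
          ;;
        b) # Get the Kerberos administration Server name
          KRB_SERVER=$OPTARG
          ;;
        c) # Get the directory where is located the krb5.conf file
          KRB_CONF=$OPTARG
          ;;
        C) # Get the directory where is located the kdc.conf file
          KDC_ROOT=$OPTARG
          ;;
        d) # Get the domain name for the Kerberos realm
          DOMAIN=$OPTARG
          ;;
        D) # Get Linux Distribution name
          LINUXDISTRIBUTION=$OPTARG
          ;;
        h) # help
          echo "$UsageStart"
          exit 0
          ;;
        k) # Get the KDC Server name
          KDC_SERVER=$OPTARG
          ;;
        r) # Get the REALM name
          REALM=$OPTARG
          ;;
        v) # Set verbose mode
          echo "Verbose mode set"
          modverbose=1
          ;;
        *) # unknown option ("?") or missing argument (":")
          echo "bad parameter: -$OPTARG"
          echo "$UsageStart"
          exit 1
          ;;
      esac
    done
    start
    ;;
  status)
    # Command Line Processing
    OPTIND=2
    while getopts :hva:c:D: PARAMS
    do
      case $PARAMS in
        a) # Get the kerberos administrator principal
          KRB_ADMIN=$OPTARG
          ;;
        c) # Get the directory where is located the krb5.conf file
          KRB_CONF=$OPTARG
          ;;
        D) # Get Linux Distribution name
          LINUXDISTRIBUTION=$OPTARG
          ;;
        h) # help
          echo "$UsageStatus"
          exit 0
          ;;
        v) # Set verbose mode
          echo "Verbose mode set"
          modverbose=1
          ;;
        *) # unknown option ("?") or missing argument (":")
          echo "bad parameter: -$OPTARG"
          echo "$UsageStatus"
          exit 1
          ;;
      esac
    done
    status
    ;;
  reboot)
    # Command Line Processing
    OPTIND=2
    # The original spec was ":h:D:", which made -h take an argument, so a bare
    # "reboot -h" fell into the error arm instead of printing the usage.
    while getopts :hD: PARAMS
    do
      case $PARAMS in
        D) # Get Linux Distribution name
          LINUXDISTRIBUTION=$OPTARG
          ;;
        h) # help
          echo "$UsageReboot"
          exit 0
          ;;
        *) # unknown option ("?") or missing argument (":")
          echo "bad parameter: -$OPTARG"
          echo "$UsageReboot"
          exit 1
          ;;
      esac
    done
    reboot
    ;;
  *)
    echo "Usage: $0 {start|status|reboot} -h"
    exit 1
    ;;
esac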