#! /bin/bash # # Copyright (c) Bull S.A. 2007 All Rights Reserved. # # This program is free software; you can redistribute it and/or modify it # under the terms of version 2 of the GNU General Public License as # published by the Free Software Foundation. # # This program is distributed in the hope that it would be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # # Further, this software is distributed without any warranty that it is # free of the rightful claim of any third person regarding infringement # or the like. Any license provided herein, whether implied or # otherwise, applies only to this software file. Patent licenses, if # any, provided herein do not apply to combinations of this program with # other software, or any other product whatsoever. # # You should have received a copy of the GNU General Public License along # with this program; if not, write the Free Software Foundation, Inc., 59 # Temple Place - Suite 330, Boston MA 02111-1307, USA. 
# # History: # 5/14/07 : Created by Aime Le Rouzic (Aime.Le-Rouzic@bull.net) # 9/30/07 : Updated by Aime Le Rouzic (Aime.Le-Rouzic@bull.net) # 12/21/07: Updated by Aime Le Rouzic (Aime.Le-Rouzic@bull.net) # # Purpose: # # This shell command takes care of setting a Kerberos NFS Client # # Written to be run by root on the machine to be the Kerberos NFS Client # # # Usage : # # krbnfscl {start | status | reboot} # start: First Kerberized NFS Server initialisation # status: Checks the kerberised NFS Client configuration is still OK # reboot: Start needed daemons (rpc.gssd,rpc.idmapd) if not started # # krbnfscl start { -h | {-a kerberos administrator principal} {-b } {-c } {-d } {-D } {-k } {-n } {-r } {-s } { -u } {-v}} # krbnfscl status { -h | {-b } {-c } {-D } {-k } {-n } {-r } {-s } { -u } {-v}} # krbnfscl reboot { -h | {-D } } # # Description: # The krbnfscl command configures a kerberized NFS Client # It proposes a configuration directly from the existing krb5.conf # # The command does some controls: # start: # - checks Kerberos Client package # - checks REALM is UPPER CASE # - checks host has a fully-qualified domain name # - checks the /etc/services file lists the NFS service (port 2049) # - checks KDC,Kerberos Server and NFS Server are reachable # - checks the kerberos daemons are running (krb5kdc, kadmind) on the Kerberos Server # - checks the nfsd,rpc.mountd,rpc.svcgssd and rpc.idmapd daemons are running on the NFS Server # - checks the rpc.idmapd daemon is running on the NFS Client # - synchronize time with ntp when possible # - checks times is synchronised (<300s) with the KDC Server machine time # - checks the /etc/hosts file lists the fully-qualified domain name # as the first entry on the line with the machine's IP address, # - checks in /etc/resolv.conf the name server is the same as in /etc/resolv.conf # of the KDC Server # - starts rpc.gssd with or without -n option # # status: # - checks REALM is UPPER CASE # - checks the /etc/services file lists 
# the NFS service (port 2049)
# - checks KDC and Kerberos Server and NFS Server are reachable
# - checks kerberos daemons are running (krb5kdc,kadmind) on the Kerberos Server
# - checks the nfsd,rpc.mountd,rpc.svcgssd and rpc.idmapd daemons are running on the NFS Server
# - checks the rpc.idmapd daemon is running on the NFS Client
# - checks rpc.gssd is running on the NFS Client
# - checks rpc.svcgssd is running on the NFS server
# - synchronize time with ntp when possible
# - checks time is synchronised (<300s) with the KDC Server machine time
# - checks host has a fully-qualified domain name
# - checks the /etc/hosts file lists the fully-qualified domain name
#   as the first entry on the line with the machine's IP address,
# - checks in /etc/resolv.conf the name server is the same as in /etc/resolv.conf
#   of the KDC Server
#
# reboot:
# - checks and starts the rpc.idmapd daemon on the NFS Client
# - checks and starts the rpc.gssd daemon on the NFS Client
#
# Flags:
# -a : kerberos administrator principal
# -b : kerberos administration server name
# -c : directory where the krb5.conf file is located
# -d : domain name for the Kerberos realm
# -D : Linux Distribution among FEDORA, RHEL5.1
# -h : help to display the command syntax
# -k : KDC Server name
# -n : NTP Server name
# -r : realm for which the Kerberos Server is to be configured
# -s : NFS Server name
# -u : user name
# -v : verbose mode
#      - display more messages
#      - start rpc.gssd with verbose mode ( rpc.gssd -vvvv -rrrr)
#
# NOTE(review): this copy of the file is truncated right after the "{-s" below.
# The rest of UsageStart, the UsageStatus and UsageReboot strings, the vm
# helper, the defaults for TMP, KRB_ENV, KRB_LOG, KRB_ADMIN, NFSCLIENTUSER,
# NFSCLIENTNAME, LINUXDISTRIBUTION and modverbose, and the opening of
# FinalizeStartConfiguration are all missing from this page and are left
# exactly as found -- they must be restored from the original file.
UsageStart="krbnfscl start { -h | {-a kerberos administrator principal} {-b } {-c } {-d } {-D } {-k } {-n } {-r } {-s /dev/null fi
  # --- tail of FinalizeStartConfiguration (its header is lost above) ---
  # Fills in every parameter the command line did not supply, fetches
  # krb5.conf from the administration server, prints a summary and asks
  # the operator to confirm before anything is changed.
  if [ -z "$KRB_SERVER" ]; then
    echo "You need to give the Kerberos Server Name:"
    read KRB_SERVER
  fi
  # Copies $KRB_CONF/krb5.conf from $KRB_SERVER; needed before the realm
  # and KDC defaults below can be read from it.
  CreateKRB5Conf
  if [ -z "$REALM" ]; then
    REALM=`grep default_realm $KRB_CONF/krb5.conf | awk '{ print $3}'`
  fi
  CheckREALM
  if [ -z "$DOMAIN" ]; then
    DOMAIN=`dnsdomainname`
  fi
  if [ -z "$KDC_SERVER" ]; then
    # NOTE(review): reads /etc/krb5.conf here but $KRB_CONF/krb5.conf in
    # FinalizeStatusConfiguration; with -c pointing elsewhere the two
    # code paths read different files. "grep 88" is a substring match on
    # the whole "host:port" field, not a port comparison.
    KDC_SERVER=`grep "kdc =" /etc/krb5.conf | awk '{ print $3}' | grep 88 | cut -d: -f1 `
  fi
  if [ -z "$NTP_SERVER" ]; then
    NTP_SERVER=$KDC_SERVER
  fi
  if [ -z "$NFS_SERVER" ]; then
    echo "Enter the NFS Server Name"
    read NFS_SERVER
  fi
  # list a summary
  echo "Here are the parameters from which the Kerberos NFS Client configuration will be built: "
  echo
  echo " Kerberos REALM: $REALM"
  echo " Domain Name: $DOMAIN"
  echo " KDC Server Name: $KDC_SERVER"
  echo " Kerberos Administraton Server Name: $KRB_SERVER"
  echo " NFS Server Name: $NFS_SERVER"
  echo " NTP Server Name: $NTP_SERVER"
  echo " User Name: $NFSCLIENTUSER"
  echo " ............................"
  echo " Kerberos Configuration File: $KRB_CONF/krb5.conf"
  echo " Kerberos Administrator Name: $KRB_ADMIN"
  echo
  # do you agree -- anything but a literal "yes" aborts (read overwrites
  # the "no" preset, so an empty answer is also a refusal)
  echo "Do you agree with those Kerberos configuration: yes/no[no]"
  ANSWER="no"
  read ANSWER
  case $ANSWER in
    yes)
      ;;
    *)
      echo
      echo "You need to restart the command by specifying in the command the parameters you want to change: "
      echo
      echo "krbnfscl start { -h | {-b } {-c } {-d } {-k } {-n } {-r } {-s } { -u } {-v}}"
      exit 1
      ;;
  esac
}

#######################################
# Finalize the configuration after the command line processing (option status).
# Unlike the start path nothing is copied from the administration server:
# every default is read from the local $KRB_CONF/krb5.conf.
# Globals: KRB_CONF, REALM, KDC_SERVER, KRB_SERVER, NTP_SERVER, NFS_SERVER,
#          DOMAIN (all written when empty); NFSCLIENTUSER (read)
# Returns: exits 1 when the operator declines the check
#######################################
FinalizeStatusConfiguration () {
  #Finalize the configuration after the command line processing (option status)
  if [ -z "$KRB_CONF" ]; then
    KRB_CONF="/etc"
  fi
  if [ -z "$REALM" ]; then
    REALM=`grep default_realm $KRB_CONF/krb5.conf | awk '{ print $3}'`
  fi
  CheckREALM
  if [ -z "$KDC_SERVER" ]; then
    # "grep 88" / "grep 749" below select the kdc and admin_server entries
    # by a substring of the port number, not an exact port match.
    KDC_SERVER=`grep "kdc =" $KRB_CONF/krb5.conf | awk '{ print $3}' | grep 88 | cut -d: -f1 `
  fi
  if [ -z "$KRB_SERVER" ]; then
    KRB_SERVER=`grep "admin_server" $KRB_CONF/krb5.conf | awk '{ print $3}' | grep 749 | cut -d: -f1 `
  fi
  if [ -z "$NTP_SERVER" ]; then
    NTP_SERVER=$KDC_SERVER
  fi
  if [ -z "$NFS_SERVER" ]; then
    echo "Enter the NFS Server Name"
    read NFS_SERVER
  fi
  # Domain name of the Kerberos realm (a -d given on the status command
  # line is not parsed, so it is always taken from dnsdomainname here)
  DOMAIN=`dnsdomainname`
  # list a summary
  # NOTE(review): the banner says "NFS Server" although this is the client
  # script; left as-is because it is a runtime string.
  echo "Here are the parameters from which the Kerberos NFS Server configuration is built: "
  echo " Kerberos REALM: $REALM"
  echo " Domain Name: $DOMAIN"
  echo " KDC Server Name: $KDC_SERVER"
  echo " Kerberos Administration Server Name: $KRB_SERVER"
  echo " NFS Server Name: $NFS_SERVER"
  echo " NTP Server Name: $NTP_SERVER"
  echo " User Name: $NFSCLIENTUSER"
  echo " ............................"
  echo " Kerberos Configuration File: $KRB_CONF/krb5.conf"
  echo
  # do you want to check this configuration is operational -- only a
  # literal "no" aborts; an empty answer continues
  echo "Do you want to check this configuration is operational: yes/no[yes]"
  ANSWER="yes"
  read ANSWER
  case $ANSWER in
    no)
      echo
      echo "You need to restart the command by specifying in the command the parameters you want to change:"
      echo
      echo "krbnfscl start { -h | {-b } {-c } {-d } {-k } {-n } {-r } {-s } { -u } {-v}}"
      exit 1
      ;;
    *)
      ;;
  esac
}

#######################################
# Check the Kerberos client package is installed.
# The test is simply whether "kinit" resolves to a command.
# Returns: exits 1 when kinit is not found
#######################################
function TestKerberosInstall () {
  # Check Kerberos Client package
  type kinit >/dev/null 2>&1
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Kerberos Client Package not installed"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
}

#######################################
# Ask to load the rpcsec_gss_krb5 kernel module if it is not listed by lsmod.
# Globals: LINUXDISTRIBUTION (read) -- the prompt is only offered for
#          RHEL5.1; on any other distribution a missing module is ignored.
# Returns: exits 1 when modprobe fails
#######################################
CheckRPCGSSMod () {
  # Ask to load rpcsec_gss_krb5 module if necessary
  lsmod | grep rpcsec_gss_krb5 > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    case $LINUXDISTRIBUTION in
      RHEL5.1)
        echo
        echo "You need to load the rpcsec_gss_krb5 module if not already in the kernel"
        echo "Do you want to have this command loading it: yes/no[no]"
        ANSWER="no"
        read ANSWER
        case $ANSWER in
          yes)
            modprobe rpcsec_gss_krb5
            RETVAL=$?
            if [ $RETVAL -ne 0 ]
            then
              echo
              echo "kerberos NFS Client Setup not completed"
              exit 1
            fi
            ;;
          *)
            ;;
        esac
        ;;
      *)
        ;;
    esac
  fi
}

#######################################
# Check the local clock is within 300 s of the KDC's clock.
# The KDC time is obtained by running "date +%s" on $KDC_SERVER over ssh,
# so this relies on a working (and presumably key-based) ssh login there.
# Globals: KDC_SERVER (read); KRB_SERVER (read, only in the error text)
# Returns: exits 1 when ssh fails or the clocks differ by more than 300 s
#######################################
CheckTime () {
  # check time is synchronised (<300s) with the KDC and Kerberos Server time
  echo
  echo "Nevertheless, let's check time is synchronised (<300s) with the KDC Server machine: $KDC_SERVER time"
  timeKDC_SERVER=`ssh $KDC_SERVER date +%s`
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    # NOTE(review): the host queried is $KDC_SERVER but the message names
    # $KRB_SERVER; they differ when -b and -k point to different machines.
    echo "Test to check time is synchronised with $KRB_SERVER has failed"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
  timeNFSCLIENT=`date +%s`
  # absolute difference, computed by hand because $(( )) has no abs()
  if [ $timeKDC_SERVER -ge $timeNFSCLIENT ]
  then
    gaptime="$(( $timeKDC_SERVER - $timeNFSCLIENT ))"
  else
    gaptime="$(( $timeNFSCLIENT - $timeKDC_SERVER ))"
  fi
  # 300 s is the usual Kerberos clock-skew tolerance
  if [ $((gaptime)) -gt 300 ]
  then
    echo " KDC Server and NFS CLient times differ more than 5 minutes"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
  echo "Time is Synchronized with the time of the KDC Server: $KDC_SERVER"
  # vm prints only in verbose mode; it is defined in the part of the file
  # missing from this page
  vm "Difference time is: $gaptime seconds"
  echo
}

#######################################
# Probe the NTP server; fall back to CheckTime when it cannot be reached.
# NOTE(review): "ntpdate -d" is ntpdate's debug mode and does not set the
# clock, so a reachable NTP server only skips the skew check -- no
# synchronisation is actually performed here, contrary to the header.
# Globals: NTP_SERVER (read)
#######################################
NtpCheckTime () {
  echo
  echo "ntp searching"
  ntpdate -d $NTP_SERVER >/dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    # one retry after a short pause before giving up on NTP
    sleep 5
    ntpdate -d $NTP_SERVER >/dev/null
    RETVAL=$?
    if [ $RETVAL -ne 0 ]
    then
      echo "ntp is not configured"
      CheckTime
    fi
  fi
}

#######################################
# Check the host name is fully qualified and consistent with /etc/hosts.
# Offers to set the running hostname to the FQDN (changes system state).
# Globals: NFSCLIENTNAME (read, may be rewritten to the FQDN);
#          FQDN_NFSCLIENTNAME, RETNAME (written)
# Returns: exits 1 on any failed check
#######################################
function CheckFQDN_NFSCLIENTNAME () {
  # Check host has a fully-qualified domain name
  # Check in the /etc/hosts file the fully-qualified domain name is the first entry
  # on the line with the machine's IP address, and the machine's name must not be included
  # on the localhost line.
  FQDN_NFSCLIENTNAME=`/bin/hostname --fqdn`
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
  if [ "$NFSCLIENTNAME" != "$FQDN_NFSCLIENTNAME" ]
  then
    echo "The hostname is not a FQDN name "
    echo "The hostname is: $NFSCLIENTNAME"
    echo "The Fully-Qualified Name is: $FQDN_NFSCLIENTNAME"
    echo "Do you want to set it: yes/no[yes]"
    ANSWER="yes"
    read ANSWER
    case $ANSWER in
      yes)
        NFSCLIENTNAME="$FQDN_NFSCLIENTNAME"
        # sets the kernel hostname for the running system only
        hostname "$NFSCLIENTNAME"
        ;;
      *)
        ;;
    esac
  fi
  # second column of every /etc/hosts line, filtered by the FQDN; the
  # comparison below only succeeds when exactly one line matches and the
  # match is the whole field (grep is a substring match).
  RETNAME=`awk '{ print $2}' /etc/hosts | grep "$FQDN_NFSCLIENTNAME" `
  if [ "$RETNAME" != "$FQDN_NFSCLIENTNAME" ]
  then
    echo "In the /etc/hosts file, the Fully-qualified name: $FQDN_NFSCLIENTNAME"
    echo "must be first after the IP addres :"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
  # a host name on the loopback line would make the nfs/ principal resolve
  # to 127.0.0.1
  grep "127.0.0.1" /etc/hosts | grep "$NFSCLIENTNAME" > /dev/null
  if [ $? == 0 ]
  then
    echo "The machine's name "$NFSCLIENTNAME" must not be included"
    echo "on the localhost line in /etc/hosts"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
}

#######################################
# Loop until $REALM is all upper case.
# NOTE(review): REALM_UPPERCASE is computed once, before the loop, so a
# realm typed at the prompt is compared against the upper-casing of the
# ORIGINAL value -- any other realm keeps the loop going.
# Globals: REALM (read, rewritten from stdin); REALM_UPPERCASE (written)
#######################################
function CheckREALM () {
  # Check REALM is fully-qualified name and UPPER CASE
  REALM_UPPERCASE=`echo $REALM | tr "[a-z]" "[A-Z]"`
  while test "$REALM_UPPERCASE" != "$REALM"
  do
    echo "REALM: $REALM not uppercase, enter it again:"; read REALM ;
  done
}

#######################################
# Check /etc/services has an active (not commented-out) nfs entry on 2049.
# The while loop runs once: both branches inside either exit or set
# RETVAL to 0.
# Returns: exits 1 when the nfs line is commented out or absent
#######################################
function CheckEtcServices () {
  # Check the /etc/services file lists the NFS service (port 2049).
  RETVAL=1
  while [ $RETVAL != 0 ]
  do
    # a "#nfs ... 2049/tcp" line means the service is present but disabled
    grep "#nfs" /etc/services | grep tcp |grep 2049 > /dev/null
    RETVAL=$?
    if [ $RETVAL == 0 ]
    then
      echo "The NFS service (port 2049) is not validated in /etc/services"
      echo
      echo "Kerberos NFS Server Setup not completed"
      exit 1
    fi
    grep nfs /etc/services | grep 2049 > /dev/null
    RETVAL=$?
    if [ $RETVAL != 0 ]
    then
      echo " /etc/services doesn't list the NFS service (port 2049)"
      echo
      echo "Kerberos NFS Client Setup not completed"
      exit 1
    fi
  done
}

#######################################
# Check name resolution works and the KDC and this host use the same
# name server.
# NOTE(review): both nslookup calls run on THIS host, so the "Server:"
# line is the local resolver in both cases and the two values can only
# differ if a lookup fails; the KDC's own /etc/resolv.conf is never read.
# NOTE(review): [ -z "NS_KDC_SERVER" ] and [ -z "NS_NFSCLIENTNAME" ] test
# literal strings (no "$"), so those two "can't reached" branches never
# fire.
# Globals: KDC_SERVER, NFSCLIENTNAME (read); NS_KDC_SERVER,
#          NS_NFSCLIENTNAME (written)
# Returns: exits 1 on any failed check
#######################################
function CheckDNS () {
  # Check in /etc/resolv.conf the name server is the same as in KDC_SERVER:/etc/resolv.conf
  dnsdomainname > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Bad domain name set in /etc/resolv.conf or Bad hostname"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
  if [ -r /etc/resolv.conf ]
  then
    NS_KDC_SERVER=`nslookup $KDC_SERVER | grep Server | cut -f3`
    if [ -z "NS_KDC_SERVER" ]
    then
      echo " $KDC_SERVER Name Server can't reached"
      echo
      echo "Kerberos NFS Client Setup not completed"
      exit 1
    fi
    NS_NFSCLIENTNAME=`nslookup $NFSCLIENTNAME | grep Server | cut -f3`
    if [ -z "NS_NFSCLIENTNAME" ]
    then
      echo " $NFSCLIENTNAME Name Server can't reached"
      echo
      echo "Kerberos NFS Client Setup not completed"
      exit 1
    fi
    if [ "$NS_KDC_SERVER" != "$NS_NFSCLIENTNAME" ]
    then
      echo " $NFSCLIENTNAME doesn't have the same nameserver as $KDC_SERVER"
      echo
      echo "Kerberos NFS Client Setup not completed"
      exit 1
    fi
  else
    echo "/etc/resolv.conf not present"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
}

#######################################
# Run the local environment checks in order; each one exits on failure.
#######################################
function CheckEnv () {
  CheckRPCGSSMod        # Ask to load rpcsec_gss_krb5 module if necessary
  CheckEtcServices      # Check the /etc/services file lists the NFS service (port 2049)
  CheckFQDN_NFSCLIENTNAME
                        # Check host has a fully-qualified domain name
                        # Check the /etc/hosts file lists the fully-qualified domain name
                        # as the first entry on the line with the machine's IP address
  CheckDNS              # Check in /etc/resolv.conf name server is the same as in /etc/resolv.conf
                        # of the KDC Server
}

#######################################
# Exit the script if a host does not answer 5 ICMP echo requests.
# Arguments: $1 - host name or address (unquoted on purpose in the
#            original; a name with spaces would split)
# Returns: exits 1 when the host is unreachable
#######################################
function ping_check () {
  if ping $1 -c 5 > /dev/null; then
    :
  else
    echo "$1 is unreachable"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
}

#######################################
# Check the KDC, the Kerberos admin server and the NFS server are
# reachable and run their daemons. Each remote check is "ps -e | grep"
# over ssh, captured in $TMP/krbnfscl.tmp and grepped locally.
# NOTE(review): the ssh lines are wrapped in backticks; the output goes
# to the file so the substitution expands to nothing, but the idiom is
# accidental. $TMP/krbnfscl.tmp is a fixed, predictable name -- if $TMP is
# a world-writable directory this is the classic temp-file race; prefer
# mktemp.  "grep nfsd" etc. are substring matches and also match the
# remote grep command itself when ps shows arguments.
# Globals: KDC_SERVER, KRB_SERVER, NFS_SERVER, TMP (read)
# Returns: exits 1 when any host or daemon check fails
#######################################
function Check_KDC_KRB_NFS () {
  # check $KDC_SERVER reachable
  ping_check $KDC_SERVER
  # check necessary daemons are running
  # check krb5kdc is running
  echo "Let's check the krb5kdc daemon is running on the KDC Server: $KDC_SERVER"
  if [ "$KDC_SERVER" == "$KRB_SERVER" ]
  then
    # same machine: collect krb5kdc and kadmind in one round trip
    `ssh $KDC_SERVER "ps -e | grep krb5kdc && ps -e | grep kadmind" >$TMP/krbnfscl.tmp`
  else
    `ssh $KDC_SERVER "ps -e | grep krb5kdc" > $TMP/krbnfscl.tmp`
  fi
  grep krb5kdc $TMP/krbnfscl.tmp > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Test to check the krb5kdc daemon is running on $KDC_SERVER has failed"
    echo
    echo "Kerberos NFS Client Setup not completed"
    rm $TMP/krbnfscl.tmp
    exit 1
  fi
  echo "krb5kdc is running"
  echo
  # check $KRB_SERVER reachable
  ping_check $KRB_SERVER
  # check kadmind is running
  echo "Let's check the kadmind is running on the Kerberos Administration Server: $KRB_SERVER"
  if [ "$KDC_SERVER" != "$KRB_SERVER" ]
  then
    `ssh $KRB_SERVER "ps -e | grep kadmind" > $TMP/krbnfscl.tmp`
  fi
  grep kadmind $TMP/krbnfscl.tmp > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Test to check the kadmind daemon is running has failed"
    echo
    echo "Kerberos NFS Client Setup not completed"
    rm $TMP/krbnfscl.tmp
    exit 1
  fi
  echo "kadmind is running"
  echo
  # check $NFS_SERVER reachable
  ping_check $NFS_SERVER
  # check NFS Server daemons are running
  echo "Let's check nfsd,rpc.mountd,rpc.svcgssd,rpc.idmapd daemons are running on the NFS Server: $NFS_SERVER"
  `ssh $NFS_SERVER "ps -e | grep nfsd && ps -e | grep rpc.mountd && ps -e | grep rpc.svcgssd && ps -e | grep rpc.idmapd"> $TMP/krbnfscl.tmp`
  grep nfsd $TMP/krbnfscl.tmp > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Test to check NFS daemons are running on $NFS_SERVER has failed"
    echo
    echo "Kerberos NFS Client Setup not completed"
    rm $TMP/krbnfscl.tmp
    exit 1
  fi
  echo "nfsd daemon is running"
  grep rpc.mountd $TMP/krbnfscl.tmp > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Test to check rpc.mountd daemon is running on $NFS_SERVER has failed"
    echo
    echo "Kerberos NFS Client Setup not completed"
    rm $TMP/krbnfscl.tmp
    exit 1
  fi
  echo "rpc.mountd daemon is running"
  grep rpc.svcgssd $TMP/krbnfscl.tmp > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Test to check rpc.svcgssd daemon is running on $NFS_SERVER has failed"
    echo
    echo "Kerberos NFS Client Setup not completed"
    rm $TMP/krbnfscl.tmp
    exit 1
  fi
  echo "rpc.svcgssd daemon is running"
  grep rpc.idmapd $TMP/krbnfscl.tmp > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Test to check rpc.idmapd daemon is running on $NFS_SERVER has failed"
    echo
    echo "Kerberos NFS Client Setup not completed"
    rm $TMP/krbnfscl.tmp
    exit 1
  fi
  echo "rpc.idmapd daemon is running on the NFS Server"
  echo
  rm $TMP/krbnfscl.tmp
}

#######################################
# Check rpc.idmapd is running locally; offer to start it.
# Returns: exits 1 when it is not running and the operator declines
#          (the message says "Server" -- a copy-paste leftover)
#######################################
function Check_LOCAL_IDMAPD () {
  # check idmapd is running on the client machine
  echo "Let's check the idmapd daemon is running on the NFS Client "
  ps -e | grep idmapd > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "rpc.idmapd daemon is not running"
    echo "Do you want to have this command loading it: yes/no[no]"
    ANSWER="no"
    read ANSWER
    case $ANSWER in
      yes)
        # the exit status of the service script is not checked
        service rpcidmapd start
        ;;
      *)
        echo
        echo "Kerberos NFS Server Setup not completed"
        exit 1
        ;;
    esac
  fi
  echo "rpc.idmapd daemon is running on the NFS Client"
  echo
}

#######################################
# Non-interactive variant used by "reboot": start rpc.idmapd if absent.
#######################################
function CheckStart_LOCAL_IDMAPD () {
  # check idmapd is running on the client machine
  ps -e | grep idmapd > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Let's start rpc.idmapd daemon which is not running"
    service rpcidmapd start
  fi
}

#######################################
# Delete files from the previous configuration.
# NOTE(review): the glob removes EVERY /tmp/krb5cc* file, i.e. the
# credential caches of all logged-in users on this host, not only the
# machine cache; errors are silenced.
#######################################
function ResetKRBNFSCl () {
  # Delete files from the previous configuration
  rm /tmp/krb5cc* >/dev/null 2>&1
}

#######################################
# Fetch krb5.conf from the administration server over scp as root and
# create the working directories.
# Globals: KRB_CONF, KRB_SERVER, KRB_ENV, KRB_LOG, UsageStart (read)
# Returns: exits 1 when the scp fails
#######################################
function CreateKRB5Conf () {
  # Get the krb5.conf from the Kerberos Administration Server
  echo
  echo "Get scp the $KRB_CONF/krb5.conf file from the Kerberos Administration Server: $KRB_SERVER"
  # overwrites the local file; requires root ssh access to $KRB_SERVER
  scp root@$KRB_SERVER:$KRB_CONF/krb5.conf $KRB_CONF/krb5.conf > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Error when getting krb5.conf file from the Kerberos Administration Server: $KRB_SERVER"
    echo
    echo "To change the Kerberos Administration Server, use -b parameter in the command line:"
    echo
    echo "$UsageStart"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
  # mkdir errors (already exists) are ignored on purpose
  mkdir $KRB_ENV >/dev/null 2>&1
  mkdir $KRB_LOG > /dev/null 2>&1
  # truncates (or creates) the kadmin log
  >$KRB_LOG/kadmin.log
}

#######################################
# Create the nfs/<client FQDN> service principal with a random key.
# kadmin prompts for the $KRB_ADMIN/admin password interactively.
# Globals: KRB_ADMIN, NFSCLIENTNAME (read)
#######################################
AddPrincipalNFSCl () {
  # Create machine credentials for the client by creating a Kerberos V5 principal/instance name
  # of the form nfs/dns.name.of.client@REALM
  echo
  echo "Create credentials for the client by creating a Kerberos V5 principal: nfs/$NFSCLIENTNAME"
  echo
  kadmin -p $KRB_ADMIN/admin -q "addprinc -randkey nfs/$NFSCLIENTNAME"
}

#######################################
# Extract the nfs/ principal key into $KRB_CONF/krb5.keytab.
# NOTE(review): only des-cbc-crc (single DES) is requested; that enctype is
# weak and is disabled by default on modern KDCs (allow_weak_crypto).
# Newer rpc.gssd/kernels accept AES keys, so the "-e" restriction should be
# revisited rather than carried forward.
# Globals: KRB_ADMIN, KRB_CONF, NFSCLIENTNAME (read)
#######################################
AddKeyNFSCl () {
  # Add a key for the nfs principal in /etc/krb5.keytab
  kadmin -p $KRB_ADMIN/admin -q "ktadd -e des-cbc-crc:normal -k $KRB_CONF/krb5.keytab nfs/$NFSCLIENTNAME"
}

#######################################
# (Re)create the user principal for -u and obtain a TGT for it; when
# rpc.gssd was started with -n also create and kinit a "root" principal.
# NOTE(review): "delprinc $NFSCLIENTUSER" destroys any existing principal
# (and its keys/policy) before re-adding it; the progress message prints
# $NFSCLIENTNAME where $NFSCLIENTUSER is meant.
# Globals: NFSCLIENTUSER, KRB_ADMIN, RPCGSSD_OPTION_N (read)
# Returns: exits 1 when the user's kinit fails twice
#######################################
AddPrincipalUser () {
  # Add the principal for the user (given by -u in the command line) other than root allowed to do a mount
  # Don't forget user or users options in /etc/fstab for the mounting
  if [ "$NFSCLIENTUSER" != "root" ]
  then
    echo "Let's replace or add a principal for the user: $NFSCLIENTNAME"
    kadmin -p $KRB_ADMIN/admin -q "delprinc $NFSCLIENTUSER"
    kadmin -p $KRB_ADMIN/admin -q "addprinc $NFSCLIENTUSER"
    # kinit as the user so the cache lands in /tmp/krb5cc_<uid>
    su $NFSCLIENTUSER -c "kinit"
    RETVAL=$?
    if [ $RETVAL -ne 0 ]
    then
      echo "Try again, last chance"
      su $NFSCLIENTUSER -c "kinit"
      RETVAL=$?
      if [ $RETVAL -ne 0 ]
      then
        echo
        echo "Kerberos NFS Client Setup not completed"
        exit 1
      fi
    fi
  fi
  # RPCGSSD_OPTION_N is set by StartRpcGssd, which runs first in start()
  case $RPCGSSD_OPTION_N in
    yes)
      echo
      echo "Create credentials for the client by creating a Kerberos V5 principal: root"
      echo
      kadmin -p $KRB_ADMIN/admin -q "addprinc root"
      kinit root
      ;;
    *)
      ;;
  esac
}

#######################################
# Report whether a krbtgt ticket is present in the machine cache
# (/tmp/krb5cc_machine_$REALM) or, failing that, in the -u user's cache.
# Diagnostic only: a missing ticket is printed, not fatal.
# Globals: REALM, NFSCLIENTUSER (read); IDUSER (written)
#######################################
function CheckTGT () {
  # Check the NFS krbtgt ticket
  if [ -r /tmp/krb5cc_machine_$REALM ]
  then
    echo "Let's check krbtgt ticket is in the cache /tmp/krb5cc_machine_$REALM"
    echo
    klist -5 -e -c /tmp/krb5cc_machine_$REALM | grep krbtgt
  else
    IDUSER=`id -u $NFSCLIENTUSER`
    echo "Let's check krbtgt ticket is in the cache /tmp/krb5cc_$IDUSER"
    echo
    klist -5 -e -c /tmp/krb5cc_$IDUSER | grep krbtgt
  fi
  # status of the grep from whichever branch ran
  RETVAL=$?
  if [ $RETVAL != 0 ]
  then
    echo
    echo " nfs krbtgt ticket missing"
  fi
}

#######################################
# Restart rpc.gssd, optionally with -n (use the caller's credentials
# instead of the machine credentials) and with -vvvv -rrrr in verbose mode.
# Any running rpc.gssd is killed first. The -n prompt is only shown on
# FEDORA; elsewhere machine credentials are always used.
# Globals: LINUXDISTRIBUTION, modverbose (read); RPCGSSD_OPTION_N (written)
# Returns: exits 1 when rpc.gssd fails to start
#######################################
function StartRpcGssd () {
  # Starts rpc.gssd daemon
  killall rpc.gssd > /dev/null 2>&1
  echo
  case $LINUXDISTRIBUTION in
    FEDORA)
      echo "Type yes to use Kerberos Credentials (rpc.gssd started with option -n)"
      echo "rather than Machine Credentials(rpc.gssd started without the option -n):"
      echo "yes/no[no]"
      RPCGSSD_OPTION_N="no"
      read RPCGSSD_OPTION_N
      ;;
    *)
      RPCGSSD_OPTION_N="no"
      ;;
  esac
  case $RPCGSSD_OPTION_N in
    yes)
      if [ $modverbose != 0 ]
      then
        rpc.gssd -n -vvvv -rrrr
      else
        rpc.gssd -n
      fi
      ;;
    *)
      if [ $modverbose != 0 ]
      then
        rpc.gssd -vvvv -rrrr
      else
        rpc.gssd
      fi
      ;;
  esac
  # status of whichever rpc.gssd invocation ran last in the case above
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo
    echo "rpc.gssd fails to start"
    echo
    echo "Kerberos NFS Client Setup not completed"
    exit 1
  fi
}

#######################################
# Interactive check used by "status": offer to start rpc.gssd if absent.
#######################################
function CheckRpcGssd () {
  # Check rpc.gssd daemon is running
  ps -e | grep rpc.gssd > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "rpc.gssd not started"
    echo "Do you want to start it: yes/no[yes]"
    ANSWER="yes"
    read ANSWER
    case $ANSWER in
      yes)
        StartRpcGssd
        ;;
      *)
        ;;
    esac
  fi
}

#######################################
# Non-interactive check used by "reboot": start rpc.gssd (without -n,
# without verbose flags) if it is not running.
#######################################
function CheckStartRpcGssd () {
  # Check rpc.gssd daemon is running
  ps -e | grep rpc.gssd > /dev/null
  RETVAL=$?
  if [ $RETVAL -ne 0 ]
  then
    echo "Let's start rpc.gssd which is not running(Option -n not used)"
    rpc.gssd
  fi
}

#
# Main section
#

#######################################
# "start" sub-command: full interactive configuration of the client.
# Note the ordering: StartRpcGssd runs before AddPrincipalUser because
# the latter reads RPCGSSD_OPTION_N.
#######################################
start () {
  FinalizeStartConfiguration  # Finalize the configuration after the command line processing
  TestKerberosInstall         # Check Kerberos Client package is installed
  CheckEnv                    # Check synchronized times, hostname is FQDN,
                              # /etc/resolv.conf,/etc/hosts, /etc/services
  Check_KDC_KRB_NFS           # Check on KDC and Kerberos Server krb5kdc and kadmind daemons are running
                              # Check nfsd, rpc.mountd,rpc.svcgssd,rpc.idmapd are started on the NFS Server
  Check_LOCAL_IDMAPD          # Check rpc.idmapd is started on the NFS Client
  NtpCheckTime                # Check time is synchronised (<300s) with the KDC and Kerberos Server time
  ResetKRBNFSCl               # Delete files from the previous configuration
  AddPrincipalNFSCl           # Create machine credentials for the client.
                              # This by creating a Kerberos V5 principal/instance name of the
                              # form nfs/dns.name.of.client@REALM
  AddKeyNFSCl                 # Add a key for this principal in /etc/krb5.keytab
  StartRpcGssd                # Start rpc.gssd daemon
  AddPrincipalUser            # Add a new principal for user other than root
}

#######################################
# "status" sub-command: re-run the checks against an existing setup.
#######################################
status () {
  FinalizeStatusConfiguration # Finalize the configuration after the command line processing
  CheckEnv                    # Check times are synchronized, hostname is FQDN,
                              # /etc/resolv.conf,/etc/hosts, /etc/services
  Check_KDC_KRB_NFS           # Check KDC and Kerberos Server is running krb5kdc and kadmind daemons
                              # Check nfsd, rpc.mountd,rpc.svcgssd,rpc.idmapd are started on the NFS Server
  Check_LOCAL_IDMAPD          # Check rpc.idmapd is started on the NFS Client
  NtpCheckTime                # Check time is synchronised (<300s) with the KDC and Kerberos Server time
  CheckRpcGssd                # Check rpc.gssd is running
  CheckTGT                    # Check the krbtgt ticket
}

#######################################
# "reboot" sub-command: bring the two local daemons up without prompting.
# NOTE(review): the name shadows the system reboot(8) command inside this
# script; the case statement below calls this function, not /sbin/reboot.
#######################################
reboot () {
  CheckStart_LOCAL_IDMAPD     # Check rpc.idmapd is started on the NFS Client
  CheckStartRpcGssd           # Check rpc.gssd is running
}

#
# Main section
#
# See how we were called.
# $1 is the sub-command; getopts starts at OPTIND=2 to skip it.
case "$1" in
  start)
    # Command Line Processing
    OPTIND=2
    while getopts :hva:b:c:d:D:k:n:r:s:u: PARAMS
    do
      case $PARAMS in
        a)
          # Get the kerberos administrator principal name
          KRB_ADMIN=$OPTARG
          ;;
        b)
          # Get the kerberos administration server name
          KRB_SERVER=$OPTARG
          ;;
        c)
          # Get the directory where is located the krb5.conf file
          KRB_CONF=$OPTARG
          ;;
        d)
          # Get the domain name for the Kerberos realm
          DOMAIN=$OPTARG
          ;;
        D)
          # Get Linux Distribution name
          LINUXDISTRIBUTION=$OPTARG
          ;;
        h)
          # help
          echo "$UsageStart"
          exit 0
          ;;
        k)
          # Get the KDC Server name
          KDC_SERVER=$OPTARG
          ;;
        n)
          # Get the NTP Server name
          NTP_SERVER=$OPTARG
          ;;
        r)
          # Get the REALM name
          REALM=$OPTARG
          ;;
        s)
          # Get the NFS Server name
          NFS_SERVER=$OPTARG
          ;;
        u)
          # Get the user name
          NFSCLIENTUSER=$OPTARG
          ;;
        v)
          # Set verbose mode
          echo "Verbose mode set"
          modverbose=1
          ;;
        *)
          # both "?" (unknown option) and ":" (missing argument) land here
          echo "bad parameter: -$OPTARG"
          echo "$UsageStart"
          exit 1
          ;;
      esac
    done
    start
    echo
    echo "Kerberos NFS Client Setup completed"
    ;;
  status)
    # Command Line Processing
    # NOTE(review): the option string has no "r", so "-r REALM" (documented
    # for status in the header) is rejected as a bad parameter and the r)
    # arm below is unreachable.
    OPTIND=2
    while getopts :hvb:c:D:k:n:s:u: PARAMS
    do
      case $PARAMS in
        b)
          # Get the kerberos administration server name
          KRB_SERVER=$OPTARG
          ;;
        c)
          # Get the directory where is located the krb5.conf file
          KRB_CONF=$OPTARG
          ;;
        D)
          # Get Linux Distribution name
          LINUXDISTRIBUTION=$OPTARG
          ;;
        h)
          # help
          echo "$UsageStatus"
          exit 0
          ;;
        k)
          # Get the KDC Server name
          KDC_SERVER=$OPTARG
          ;;
        n)
          # Get the NTP Server name
          NTP_SERVER=$OPTARG
          ;;
        r)
          # Get the REALM name
          REALM=$OPTARG
          ;;
        s)
          # Get the NFS Server name
          NFS_SERVER=$OPTARG
          ;;
        u)
          # Get the user name
          NFSCLIENTUSER=$OPTARG
          ;;
        v)
          # Set verbose mode
          echo "Verbose mode set"
          modverbose=1
          ;;
        *)
          echo "bad parameter: -$OPTARG"
          echo "$UsageStatus"
          exit 1
          ;;
      esac
    done
    status
    ;;
  reboot)
    # Command Line Processing
    # NOTE(review): "h:" declares -h as taking an argument, so a bare
    # "reboot -h" is reported as a bad parameter instead of printing help.
    OPTIND=2
    while getopts :h:D: PARAMS
    do
      case $PARAMS in
        D)
          # Get Linux Distribution name
          LINUXDISTRIBUTION=$OPTARG
          ;;
        h)
          # help
          echo "$UsageReboot"
          exit 0
          ;;
        *)
          echo "bad parameter: -$OPTARG"
          echo "$UsageReboot"
          exit 1
          ;;
      esac
    done
    reboot
    ;;
  *)
    echo "Usage: $0 {start|status|reboot} -h"
    exit 1
    ;;
esac