|
| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +sleep 10 |
| 4 | + |
| 5 | +[[ "TRACE" ]] && set -x |
| 6 | + |
| 7 | +: ${REALM:=EXAMPLE.COM} |
| 8 | +: ${DOMAIN_REALM:=example.com} |
| 9 | +: ${KERB_MASTER_KEY:=masterkey} |
| 10 | +: ${KERB_ADMIN_USER:=admin} |
| 11 | +: ${KERB_ADMIN_PASS:=admin} |
| 12 | +: ${SEARCH_DOMAINS:=example.com} |
| 13 | +: ${LDAP_DC:=dc=example,dc=com} |
| 14 | +: ${LDAP_USER:=admin} |
| 15 | +: ${LDAP_PASS:=admin} |
| 16 | +: ${LDAP_URL:=ldap://ldap} |
| 17 | + |
| 18 | +fix_nameserver() { |
| 19 | + cat>/etc/resolv.conf<<EOF |
| 20 | +nameserver $NAMESERVER_IP |
| 21 | +search $SEARCH_DOMAINS |
| 22 | +EOF |
| 23 | +} |
| 24 | + |
| 25 | +create_config() { |
| 26 | + KDC_ADDRESS=$(hostname -f) |
| 27 | + |
| 28 | + cat>/etc/krb5.conf<<EOF |
| 29 | +[logging] |
| 30 | + default = FILE:/var/log/kerberos/krb5libs.log |
| 31 | + kdc = FILE:/var/log/kerberos/krb5kdc.log |
| 32 | + admin_server = FILE:/var/log/kerberos/kadmind.log |
| 33 | +
|
| 34 | +[libdefaults] |
| 35 | + default_realm = $REALM |
| 36 | + dns_lookup_realm = false |
| 37 | + dns_lookup_kdc = false |
| 38 | + ticket_lifetime = 24h |
| 39 | + renew_lifetime = 7d |
| 40 | + forwardable = true |
| 41 | +
|
| 42 | +[realms] |
| 43 | + $REALM = { |
| 44 | + kdc = $KDC_ADDRESS |
| 45 | + admin_server = $KDC_ADDRESS |
| 46 | + default_domain = $DOMAIN_REALM |
| 47 | + database_module = openldap_ldapconf |
| 48 | + } |
| 49 | +
|
| 50 | +[domain_realm] |
| 51 | + .$DOMAIN_REALM = $REALM |
| 52 | + $DOMAIN_REALM = $REALM |
| 53 | +
|
| 54 | +[dbdefaults] |
| 55 | + ldap_kerberos_container_dn = cn=krbContainer,$LDAP_DC |
| 56 | +
|
| 57 | +[dbmodules] |
| 58 | + openldap_ldapconf = { |
| 59 | + db_library = kldap |
| 60 | + ldap_kdc_dn = "cn=$LDAP_USER,$LDAP_DC" |
| 61 | +
|
| 62 | + # this object needs to have read rights on |
| 63 | + # the realm container, principal container and realm sub-trees |
| 64 | + ldap_kadmind_dn = "cn=$LDAP_USER,$LDAP_DC" |
| 65 | +
|
| 66 | + # this object needs to have read and write rights on |
| 67 | + # the realm container, principal container and realm sub-trees |
| 68 | + ldap_service_password_file = /etc/krb5kdc/service.keyfile |
| 69 | + ldap_servers = $LDAP_URL |
| 70 | + ldap_conns_per_server = 5 |
| 71 | + } |
| 72 | +EOF |
| 73 | +} |
| 74 | + |
| 75 | +create_db() { |
| 76 | + kdb5_util -P $KERB_MASTER_KEY -r $REALM create -s |
| 77 | +} |
| 78 | + |
| 79 | +init_ldap() { |
| 80 | + kdb5_ldap_util -D cn=$LDAP_USER,$LDAP_DC create -subtrees $LDAP_DC -r $REALM -s -H $LDAP_URL <<EOF |
| 81 | +$LDAP_PASS |
| 82 | +$KERB_ADMIN_PASS |
| 83 | +$KERB_ADMIN_PASS |
| 84 | +EOF |
| 85 | + |
| 86 | + kdb5_ldap_util -D cn=$LDAP_USER.,$LDAP_DC stashsrvpw -f /etc/krb5kdc/service.keyfile cn=$LDAP_USER,$LDAP_DC <<EOF |
| 87 | +$LDAP_PASS |
| 88 | +$LDAP_PASS |
| 89 | +$LDAP_PASS |
| 90 | +EOF |
| 91 | +} |
| 92 | + |
| 93 | +start_kdc() { |
| 94 | + service krb5-kdc start |
| 95 | + service krb5-admin-server start |
| 96 | +} |
| 97 | + |
| 98 | +restart_kdc() { |
| 99 | + service krb5-kdc restart |
| 100 | + service krb5-admin-server restart |
| 101 | +} |
| 102 | + |
| 103 | +create_admin_user() { |
| 104 | + kadmin.local -q "addprinc -x dn=cn=$KERB_ADMIN_USER,$LDAP_DC admin" <<EOF |
| 105 | +$LDAP_PASS |
| 106 | +$LDAP_PASS |
| 107 | +EOF |
| 108 | + echo "admin@$REALM *" > /etc/krb5kdc/kadm5.acl |
| 109 | +} |
| 110 | + |
| 111 | +if [ ! -f /kerberos_initialized ]; then |
| 112 | + mkdir -p /var/log/kerberos |
| 113 | + |
| 114 | + create_config |
| 115 | + init_ldap |
| 116 | + create_admin_user |
| 117 | + create_db |
| 118 | + start_kdc |
| 119 | + |
| 120 | + touch /kerberos_initialized |
| 121 | +else |
| 122 | + start_kdc |
| 123 | +fi |
| 124 | + |
| 125 | +tail -F /var/log/kerberos/krb5kdc.log |
0 commit comments