Sisyphus repository
Last updated: 1 October 2023 | SRPMs: 18631 | Visits: 37553905
ALT Linux repositories
S:0.5-alt2
5.0: 0.2-alt3

Group :: System/Configuration/Network
RPM: alterator-kdc


pax_global_header (tar comment): commit=cbda8e5c3d4aea13afa3e2eaca41513ef94f35de
==> alterator-kdc-0.5/.gear/rules <==
tar: . name=@name@-@version@-@release@ base=@name@-@version@

==> alterator-kdc-0.5/alterator-kdc.spec <==
Name: alterator-kdc
Version: 0.5
Release: alt2

BuildArch: noarch

Source: %name-%version-%release.tar

Summary: Alterator module for Kerberos KDC
License: GPL
Group: System/Configuration/Other

Requires: krb5-kdc pwgen

%description
Alterator module for Kerberos KDC

%prep
%setup

%install
mkdir %buildroot
find etc usr |cpio -pmd %buildroot

%files
%_sysconfdir/hooks/hostname.d/30-kdc
%_sysconfdir/hooks/hostname.d/40-keytab
%_bindir/alterator-kdc-functions
%_bindir/alterator-kdc-princ-functions
%_bindir/alterator-kdc-dhcp-host-option
%_libexecdir/alterator/hooks/trust.d/*

%changelog
* Tue Aug 20 2013 Anton V. Boyarshinov <boyarsh@altlinux.ru> 0.5-alt2
- revert to 0.4-alt1

* Tue Aug 20 2013 Anton V. Boyarshinov <boyarsh@altlinux.ru> 0.5-alt1
- +requires_preauth added while creating principals

* Mon Nov 12 2012 Anton V. Boyarshinov <boyarsh@altlinux.ru> 0.4-alt1
- master key cipher changed from des-cbc-crc (OMG!)
  to aes256-cts-hmac-sha1-96

* Tue May 15 2012 Anton V. Boyarshinov <boyarsh@altlinux.ru> 0.3-alt1
- do full kdc reset if old and new domains are equal, but no krb base
  for new domain

* Fri Mar 18 2011 Anton V. Boyarshinov <boyarsh@altlinux.ru> 0.2-alt9
- chkconfig krb5kdc added

* Wed Mar 16 2011 Anton V. Boyarshinov <boyarsh@altlinux.ru> 0.2-alt8
- improved error handling, no freeze if no ldapconf

* Wed Nov 4 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt7
- modified to not expose extra reqs

* Fri Aug 21 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt6
- place dovecot own keytab under /etc/dovecot #(21165)

* Fri Jun 26 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt5
- place squid own keytab under /etc/squid

* Tue Jun 16 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt4
- http principal autogeneration added

* Tue Apr 28 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt3
- filter out unwanted messages during dhcpd.conf create (#19811)
- add imap/pop3/smtp to autogen'd princs too

* Wed Apr 22 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt2
- use dedicated option space for alt-specific dhcp options

* Tue Apr 21 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt1
- hook into dhcp-reset added

* Fri Apr 10 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.1-alt3
- samba hooks added

* Tue Apr 7 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.1-alt2
- keytab hook added

* Fri Mar 20 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.1-alt1
- Initial release

==> alterator-kdc-0.5/etc/hooks/hostname.d/30-kdc <==
#!/bin/sh

. /etc/sysconfig/system
. alterator-kdc-functions

[ "$SERVER_ROLE" = "master" ] || exit 0

# Hook arguments are the old and the new FQDN; only the domain part is used.
old_domain="${1#*.}"
new_domain="${2#*.}"
shift
shift

# krb5.conf already refers to the new domain: nothing to do.
grep -q "= $new_domain$" /etc/krb5.conf && exit 0

echo -n "Proceed with full kdc reset... " >&2

# Wipe and re-create the KDC (database, stash, acl, configs) for the new domain.
DOMAINNAME="$new_domain" kdcinit
service krb5kdc restart >/dev/null 2>&1
chkconfig krb5kdc on
echo "done." >&2

==> alterator-kdc-0.5/etc/hooks/hostname.d/40-keytab <==
#!/bin/sh

. /etc/sysconfig/system

[ "$SERVER_ROLE" = "master" ] || exit 0

. alterator-kdc-princ-functions

# Regenerate the master's own keytabs for the new host name. genkeytab
# re-creates every principal with a fresh random key, so any older copy of
# these keytabs stops working.
rm -f -- /etc/krb5.keytab
genkeytab /etc/krb5.keytab $(hostname)

if [ -d /etc/squid ]; then
	rm -f /etc/squid/squid.keytab
	genkeytab /etc/squid/squid.keytab $(hostname)
	chown squid.squid /etc/squid/squid.keytab
fi

if [ -d /etc/dovecot ]; then
	rm -f /etc/dovecot/dovecot.keytab
	genkeytab /etc/dovecot/dovecot.keytab $(hostname)
	chown dovecot.dovecot /etc/dovecot/dovecot.keytab
fi

==> alterator-kdc-0.5/usr/bin/alterator-kdc-dhcp-host-option <==
#!/bin/sh -e

. /etc/sysconfig/system
. /etc/sysconfig/network

[ "$SERVER_ROLE" = "master" ] || exit 0

[ "$#" -eq 1 ] || exit 0

. shell-error
. shell-signal
. alterator-kdc-princ-functions

cleanup()
{
	[ -z "$temp" ] || rm -fr -- "$temp"
}

temp="$(mktemp -dt ${0##*/}.XXXXXXXX)"
set_cleanup_handler cleanup

# NFS service principal for the host: drop the last dotted component of $1
# and append the domain.
princname()
{
	printf 'nfs/%s.%s\n' "${1%.*}" "${DOMAINNAME:=$(dnsdomainname)}"
}

princ=$(princname $1)
hasprinc $princ || addprinc $princ > /dev/null
ktadd $temp/keytab $princ > /dev/null
# Emit the keytab as a base64 value of the altlinux.keydata dhcpd.conf host
# option: the host's long-term key is handed out through DHCP.
printf -- 'option altlinux.keydata "%s"; ' $(base64 -w0 < $temp/keytab)

==> alterator-kdc-0.5/usr/bin/alterator-kdc-functions <==
#!/bin/sh

. shell-error

# KDC_USE_LDAP=1 (default): keep the principal database in OpenLDAP via kldap;
# 0: use the local kdb5_util database.
kdc_uses_ldap=${KDC_USE_LDAP:=1}

kdc_root=/var/lib/kerberos/krb5kdc

krb5_conf=/etc/krb5.conf
kdc_conf="$kdc_root/kdc.conf"
acl_file="$kdc_root/kadm5.acl"
admin_keytab="$kdc_root/kadm5.keytab"

# cn of the LDAP accounts the KDC and kadmind bind with.
ldap_kdc_cn=kdc
ldap_kadmin_cn=kadmin

# Master key type (AES-256 since 0.4-alt1) and the enctypes offered to
# clients; arcfour-hmac-md5 and des3-cbc-sha1 are legacy compatibility entries.
master_key_type=aes256-cts-hmac-sha1-96
supported_enctypes='aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal arcfour-hmac-md5:normal des3-cbc-sha1:normal'

[ -n "$(type -p pwgen)" ] || fatal "pwgen not found"
[ -n "$(type -p kdb5_util)" ] || fatal "kdb5_util not found"
[ -n "$(type -p kdb5_ldap_util)" ] || fatal "kdb5_ldap_util not found"

#---------------------------------------------------------------
domain()
{
	printf '%s\n' "${DOMAINNAME:=$(dnsdomainname)}"
}

# The realm is the upper-cased DNS domain.
realm()
{
	# yeah, that simple
	domain |tr '[[:lower:]]' '[[:upper:]]'
}

# Path of the per-domain slapd config; its suffix must match suffix().
ldapconf()
{
	local conf="/etc/openldap/slapd-$(domain).conf"
	[ -f "$conf" ] || fatal "no $conf found"
	[ "$(sed -n '/^suffix/ s/^suffix[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' $conf)" = "$(suffix)" ] || fatal "unexpected suffix in $conf"
	printf '%s\n' $conf
}

# example.com -> dc=example,dc=com
suffix()
{
	printf '%s%s\n' dc= $(domain|sed -e s@\\.@,dc=@g)
}

rootdn()
{
	local conf=$(ldapconf)
	[ -n "$conf" ] || fatal "no ldapconf found"
	sed -n '/^rootdn/ s/^rootdn[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' $conf
}

# rootdn password taken from slapd-<domain>.conf; it is used for simple
# binds below, so it has to be the clear-text value.
rootpw()
{
	local conf=$(ldapconf)
	[ -n "$conf" ] || fatal "no ldapconf found"
	sed -n '/^rootpw/ s/^rootpw[[:blank:]]\([^[:blank:]]\+\)/\1/p' $conf
}

#---------------------------------------------------------------
fill_krb_conf()
{
	cat << E_O_F
[libdefaults]
default_realm = $(realm)
dns_lookup_realm = true
dns_lookup_kdc = true

[domain_realm]
.$(domain) = $(realm)
$(domain) = $(realm)

$(fill_krb_ldap_conf)
E_O_F
}

# Every */admin principal of the realm gets full kadmin rights.
fill_acl_file()
{
	printf '*/admin@%s *\n' $(realm)
}

fill_krb_ldap_conf()
{
	[ $kdc_uses_ldap = 0 ] || cat << E_O_F
[dbdefaults]
ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,$(suffix)"
[dbmodules]
$(domain) = {
db_library = kldap
ldap_kdc_dn = cn=${ldap_kdc_cn},ou=kdcroot,$(suffix)
ldap_kadmind_dn = cn=${ldap_kadmin_cn},ou=kdcroot,$(suffix)
ldap_service_password_file = $kdc_root/$(domain).ldapkey
ldap_servers = ldap://localhost/
ldap_conns_per_server = 5
}
[realms]
$(realm) = {
database_module = $(domain)
}
E_O_F
}

fill_kdc_conf()
{
	cat << E_O_F
[kdcdefaults]
acl_file = $acl_file
admin_keytab = $admin_keytab

[realms]
$(realm) = {
master_key_type = $master_key_type
supported_enctypes = $supported_enctypes
}
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
E_O_F
}

#---------------------------------------------------------------
# Remove every file under the KDC root: database, stash, acl and kadmin keytab.
dropdb()
{
	find $kdc_root -type f -delete
}

createdb()
{
	if [ $kdc_uses_ldap = 0 ]; then
		createbaredb
	else
		createrole ${ldap_kdc_cn}
		createrole ${ldap_kadmin_cn}
		createldapdb
	fi
}

# The master password is random and not recorded anywhere; the KDC reads
# the master key from the stash file written because of -s.
createbaredb()
{
	kdb5_util create -r $(realm) -s -P $(pwgen -s1)
}

# Bind arguments for ldapadd/kdb5_ldap_util. Note that -w places the root
# password on the command line, where it is visible to other local users.
ldapargs()
{
	local rootdn=$(rootdn)
	[ -n "$rootdn" ] || fatal "no rootdn"
	local rootpw=$(rootpw)
	[ -n "$rootpw" ] || fatal "no rootpw"
	printf -- '-D %s -w %s -H ldap://localhost/\n' $rootdn $rootpw
}

# Create the LDAP service account cn=$1,ou=kdcroot,<suffix> with a random
# password and stash that password for the KDC in <domain>.ldapkey.
createrole()
{
	local cn=$1; shift
	local suffix=$(suffix)
	local passwd=$(pwgen -s1)
	local ldapargs=$(ldapargs)
	[ -n "$ldapargs" ] || fatal "no ldapargs"

	printf 'dn: cn=%s,ou=kdcroot,%s\ncn: %s\nsn: %s\nobjectclass: top\nobjectclass: person\nuserpassword: %s\n' \
		$cn $suffix $cn $cn $passwd | ldapadd -x $ldapargs
	printf '%s\n%s' $passwd $passwd |\
		kdb5_ldap_util $ldapargs stashsrvpw -f $kdc_root/$(domain).ldapkey cn=$cn,ou=kdcroot,$suffix
}

createldapdb()
{
	kdb5_ldap_util $(ldapargs) create -subtrees ou=kdcroot,$(suffix) -r $(realm) -s -P $(pwgen -s1)
	touch $kdc_root/principal
}

#---------------------------------------------------------------
update_samba()
{
	local smbconf='/etc/samba/smb.conf'
	local smbpasswd=$(type -p smbpasswd)
	# Both operands are quoted: with an empty $smbpasswd the bare "-n" used
	# to be parsed as a non-empty string and the check never failed.
	[ -f "$smbconf" -a -n "$smbpasswd" ] || return 0
	sed -i \
		-e "/^[[:blank:]]*realm/ s/=.\+$/= $(realm)/" \
		-e "/^[[:blank:]]*ldap[[:blank:]]\+suffix/ s/=.\+$/= $(suffix)/" \
		-e "/^[[:blank:]]*ldap[[:blank:]]\+admin[[:blank:]]\+dn/ s/=.\+$/= $(rootdn)/" \
		$smbconf
	$smbpasswd -w $(rootpw)
}

updateservices()
{
	update_samba
}

#---------------------------------------------------------------
# Full reset: wipe the KDC root, regenerate acl/kdc.conf/krb5.conf, create
# the database and update dependent services.
kdcinit()
{
	dropdb
	fill_acl_file > "$acl_file"
	fill_kdc_conf > "$kdc_conf"
	fill_krb_conf > "$krb5_conf"
	createdb
	updateservices
}
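The kdc.conf produced by fill_kdc_conf pins the master key to AES-256 but still advertises arcfour-hmac-md5 and des3-cbc-sha1 in supported_enctypes. The following audit script is an added example written for this page, not code from alterator-kdc; it assumes the "key = value" layout that fill_kdc_conf writes, and the sample kdc.conf it embeds is constructed, not generated by the package. It flags any deprecated enctype offered to clients and a non-AES master key type.

```shell
#!/bin/sh
# Added example (not part of alterator-kdc): audit a kdc.conf written by
# fill_kdc_conf for deprecated enctypes and a non-AES master key type.
# Assumptions: "key = value" lines as fill_kdc_conf emits them, one realm
# block, POSIX sh with sed(1).

# Enctypes deprecated for Kerberos (RFC 6649 single DES, RFC 8429 3DES and
# RC4). The 0.5 supported_enctypes list still offers the last two.
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 arcfour-hmac'

# kdc_get FILE KEY: print the value of the first "KEY = value" line in FILE.
kdc_get()
{
	sed -n "s/^[[:blank:]]*$2[[:blank:]]*=[[:blank:]]*//p" "$1" | head -n1
}

# weak_supported_enctypes FILE: print the weak enctypes found in
# supported_enctypes (the ":normal" salt suffix stripped); exit 1 if any.
weak_supported_enctypes()
{
	local found='' et e w
	for et in $(kdc_get "$1" supported_enctypes); do
		e="${et%%:*}"
		for w in $WEAK_ENCTYPES; do
			[ "$e" = "$w" ] && found="$found $e"
		done
	done
	printf '%s\n' "${found# }"
	[ -z "$found" ]
}

# master_key_is_aes FILE: exit 0 when master_key_type is an AES enctype.
master_key_is_aes()
{
	case "$(kdc_get "$1" master_key_type)" in
		aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96|aes128-cts-hmac-sha256-128|aes256-cts-hmac-sha384-192) return 0 ;;
		*) return 1 ;;
	esac
}

# audit_kdc_conf FILE: run both checks, report on stderr, exit 1 on any finding.
audit_kdc_conf()
{
	local rc=0 weak
	master_key_is_aes "$1" || { echo "WARN: master_key_type is not AES" >&2; rc=1; }
	weak=$(weak_supported_enctypes "$1" || true)
	[ -z "$weak" ] || { echo "WARN: deprecated supported_enctypes: $weak" >&2; rc=1; }
	return $rc
}

# write_sample_kdc_conf FILE: constructed sample mirroring fill_kdc_conf's
# output for a realm EXAMPLE.COM (hand-written for this example).
write_sample_kdc_conf()
{
	cat > "$1" << E_O_F
[kdcdefaults]
acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
admin_keytab = /var/lib/kerberos/krb5kdc/kadm5.keytab

[realms]
EXAMPLE.COM = {
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal arcfour-hmac-md5:normal des3-cbc-sha1:normal
}
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
E_O_F
}

# Stand-alone use: audit_kdc_conf on the file given as the first argument.
if [ "$#" -ge 1 ]; then
	audit_kdc_conf "$1"
fi
```

Run against the real file with `sh audit-kdc-conf.sh /var/lib/kerberos/krb5kdc/kdc.conf`; on the 0.5 defaults it reports the two legacy enctypes and exits 1 while the master key check passes.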

==> alterator-kdc-0.5/usr/bin/alterator-kdc-princ-functions <==
#!/bin/sh

. shell-error

[ -n "$(type -p kadmin.local)" ] || fatal "kadmin.local not found"

#---------------------------------------------------------------
getprinc()
{
	kadmin.local -q "getprinc $1"
}

# True when principal $1 exists in the KDC database.
hasprinc()
{
	getprinc $1 2>/dev/null |grep -q ^Principal
}

delprinc()
{
	kadmin.local -q "delprinc -force $1"
}

# Service principals get a random key; no password is ever set for them.
addprinc()
{
	kadmin.local -q "addprinc -randkey $1"
}

changepw()
{
	printf '%s\n%s' $2 $2 |kadmin.local -q "cpw $1"
}

# Randomize the key of principal $2 as AES-256 only and append it to keytab $1.
ktadd()
{
	kadmin.local -q "ktadd -e aes256-cts-hmac-sha1-96:normal -k $1 $2"
}

# Re-create principal $1 from scratch and write its key to keytab $2; any
# keytab issued earlier for this principal stops working.
genkey()
{
	local princ="$1"
	local keytab="$2"
	shift; shift

	if hasprinc $princ; then
		delprinc $princ
	fi
	addprinc $princ
	ktadd $keytab $princ
}

# Fill keytab $1 with the service principals of host $2; the set of
# services is selected by the keytab's file name.
genkeytab()
{
	local keytab="$1"
	local hostname="$2"
	shift; shift

	case "$keytab" in
		*krb5.keytab)
			for p in nfs cifs host imap pop3 smtp; do
				genkey $p/$hostname $keytab
			done
			;;
		*squid.keytab)
			for p in http HTTP; do
				genkey $p/$hostname $keytab
			done
			;;
		*dovecot.keytab)
			for p in pop imap smtp; do
				genkey $p/$hostname $keytab
			done
			;;
	esac
}

==> alterator-kdc-0.5/usr/lib/alterator/hooks/trust.d/kdc <==
#!/bin/sh

. /etc/sysconfig/system

[ "$SERVER_ROLE" = "master" ] || exit 0

. shell-error
. shell-signal
. alterator-kdc-princ-functions

SSH=$(type -p trust-ssh)
SCP=$(type -p trust-scp)

[ -n "$SSH" -a -n "$SCP" ] || exit 0

cleanup()
{
	[ -z "$temp" ] || rm -fr -- "$temp"
}

temp="$(mktemp -dt ${0##*/}.XXXXXXXX)"
set_cleanup_handler cleanup

# Generate the service keytabs for a newly trusted host on the master and
# copy them over the trust channel; squid and dovecot keytabs only when
# the matching directory exists on that host.
addkeytab()
{
	local host="$1"
	shift
	genkeytab $temp/krb5.keytab $host
	$SCP $temp/krb5.keytab $host:/etc/krb5.keytab

	if $SSH $host test -d /etc/squid; then
		genkeytab $temp/squid.keytab $host
		$SCP $temp/squid.keytab $host:/etc/squid/squid.keytab
		$SSH $host chown squid.squid /etc/squid/squid.keytab
	fi

	if $SSH $host test -d /etc/dovecot; then
		genkeytab $temp/dovecot.keytab $host
		$SCP $temp/dovecot.keytab $host:/etc/dovecot/dovecot.keytab
		$SSH $host chown dovecot.dovecot /etc/dovecot/dovecot.keytab
	fi
}

case "$2" in
	add) addkeytab "$1" ;;
	*) message "unknown action $2, skipped"
esac

==> alterator-kdc-0.5/usr/lib/alterator/hooks/trust.d/smb <==
#!/bin/sh

. /etc/sysconfig/system

[ "$SERVER_ROLE" = "master" ] || exit 0
[ "$2" = "add" ] || exit 0
target="$1"
shift
shift

. alterator-kdc-functions

SSH=$(type -p trust-ssh)
[ -n "$SSH" ] || exit 0

# Point the trusted host's smb.conf at this master's realm and LDAP
# backend. $(...) expands here on the master; \$... on the remote side.
# Both test operands are quoted so an empty \$smbpasswd makes the check fail.
cat <<E_O_F |$SSH $target
smbconf='/etc/samba/smb.conf'
smbpasswd=\$(type -p smbpasswd)
[ -f "\$smbconf" -a -n "\$smbpasswd" ] || exit 0
sed -i \
	-e "/^[[:blank:]]*realm/ s/=.\+$/= $(realm)/" \
	-e "/^[[:blank:]]*passdb[[:blank:]]\+backend/ s,=.\+$,= ldapsam:ldaps://$(hostname)/," \
	-e "/^[[:blank:]]*ldap[[:blank:]]\+suffix/ s/=.\+$/= $(suffix)/" \
	-e "/^[[:blank:]]*ldap[[:blank:]]\+admin[[:blank:]]\+dn/ s/=.\+$/= $(rootdn)/" "\$smbconf"
\$smbpasswd -w $(rootpw)
E_O_F
 
project & code: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin
translation maintainer: Fernando Martini aka fmartini © 2009