pax_global_header00006660000000000000000000000064111755502560014521gustar00rootroot0000000000000052 comment=59ad6e9ed5cac91f99fbe4e482fd6f6f5c0093cb alterator-kdc-0.2/000075500000000000000000000000001117555025600141145ustar00rootroot00000000000000alterator-kdc-0.2/.gear/000075500000000000000000000000001117555025600151105ustar00rootroot00000000000000alterator-kdc-0.2/.gear/rules000064400000000000000000000000751117555025600161670ustar00rootroot00000000000000tar: . name=@name@-@version@-@release@ base=@name@-@version@ alterator-kdc-0.2/alterator-kdc.spec000064400000000000000000000024001117555025600175200ustar00rootroot00000000000000Name: alterator-kdc Version: 0.2 Release: alt3 BuildArch: noarch Source: %name-%version-%release.tar Summary: Alterator module for Kerberos KDC License: GPL Group: System/Configuration/Other Requires: krb5-kdc pwgen samba-common %description Alterator module for Kerberos KDC %prep %setup %install mkdir %buildroot find etc usr |cpio -pmd %buildroot %files %_sysconfdir/hooks/hostname.d/30-kdc %_sysconfdir/hooks/hostname.d/40-keytab %_bindir/alterator-kdc-functions %_bindir/alterator-kdc-princ-functions %_bindir/alterator-kdc-dhcp-host-option %_libexecdir/alterator/hooks/trust.d/* %changelog * Tue Apr 28 2009 Sergey Bolshakov 0.2-alt3 - filter out unwanted messages during dhcpd.conf create (#19811) - add imap/pop3/smtp to autogen'd princs too * Wed Apr 22 2009 Sergey Bolshakov 0.2-alt2 - use dedicated option space for alt-specific dhcp options * Tue Apr 21 2009 Sergey Bolshakov 0.2-alt1 - hook into dhcp-reset added * Fri Apr 10 2009 Sergey Bolshakov 0.1-alt3 - samba hooks added * Tue Apr 7 2009 Sergey Bolshakov 0.1-alt2 - keytab hook added * Fri Mar 20 2009 Sergey Bolshakov 0.1-alt1 - Initial release 
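# Shell scripts unpacked from the alterator-kdc-0.2 source tarball.  Each
# script is introduced by a "# ==== <path inside the tarball> ====" marker;
# the tar entry headers that were interleaved with the script text in this
# dump are dropped.  All scripts are /bin/sh hooks that source the ALT Linux
# shell-error / shell-signal helpers (fatal, message, set_cleanup_handler)
# and only act on a host whose SERVER_ROLE is "master".

# ==== alterator-kdc-0.2/etc/hooks/hostname.d/30-kdc ====
#!/bin/sh
# Hostname-change hook: when the DNS domain part of the host name changes,
# rebuild the KDC from scratch for the new domain (realm) and restart krb5kdc.
# Arguments: $1 - old FQDN, $2 - new FQDN.
. /etc/sysconfig/system
. alterator-kdc-functions
# POSIX test(1) has no "=="; "=" works in every /bin/sh.
[ "$SERVER_ROLE" = "master" ] || exit 0
old_domain="${1#*.}"
new_domain="${2#*.}"
shift
shift
[ "$old_domain" != "$new_domain" ] || exit 0
printf '%s' "Proceed with full kdc reset... " >&2
# kdcinit derives the realm from DOMAINNAME (falling back to dnsdomainname)
# through domain(); the prefix assignment scopes the new domain to this call.
# kdcinit starts with dropdb, so every keytab issued before this point stops
# working once the new database exists.
DOMAINNAME="$new_domain" kdcinit
# "&>" is bash-only; redirect both streams explicitly for /bin/sh.
service krb5kdc restart >/dev/null 2>&1
printf '%s\n' "done." >&2

# ==== alterator-kdc-0.2/etc/hooks/hostname.d/40-keytab ====
#!/bin/sh
# Hostname-change hook: regenerate the master's own /etc/krb5.keytab for the
# (new) host name.  Runs after 30-kdc, so the realm already matches.
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0
. alterator-kdc-princ-functions
rm -f -- /etc/krb5.keytab
# genkeytab re-creates this host's service principals with fresh random keys;
# anything holding a copy of the old keytab has to be re-keyed as well.
genkeytab /etc/krb5.keytab "$(hostname)"

# ==== alterator-kdc-0.2/usr/bin/alterator-kdc-dhcp-host-option ====
#!/bin/sh
# Print a dhcpd.conf host-level option carrying the nfs/<host>.<domain>
# keytab, base64-encoded, for the client named in $1.  Prints nothing and
# exits 0 unless this is the master server and exactly one argument is given.
# Arguments: $1 - client host name; the part after its last dot is dropped
#                 and replaced with the KDC's domain.
# Outputs:   `option altlinux.keydata "<base64>"; ` on stdout.
# "set -e" rather than "#!/bin/sh -e": shebang options are lost when the
# script is started as "sh <script>".
set -e
. /etc/sysconfig/system
. /etc/sysconfig/network
[ "$SERVER_ROLE" = "master" ] || exit 0
[ "$#" -eq 1 ] || exit 0
. shell-error
. shell-signal
. alterator-kdc-princ-functions

# Remove the scratch directory holding the temporary keytab on any exit path.
cleanup() {
  [ -z "$temp" ] || rm -fr -- "$temp"
}
temp="$(mktemp -dt "${0##*/}.XXXXXXXX")"
set_cleanup_handler cleanup

# nfs/<short host>.<domain>; DOMAINNAME comes from the environment or,
# failing that, from dnsdomainname (and is cached in DOMAINNAME).
princname() {
  printf 'nfs/%s.%s\n' "${1%.*}" "${DOMAINNAME:=$(dnsdomainname)}"
}

princ=$(princname "$1")
# The -randkey principal is created only once; every run cuts a fresh keytab
# (kadmin's ktadd re-randomizes the key unless told otherwise), so an option
# value printed earlier stops working.  kadmin output is suppressed so that
# only the option text reaches the dhcpd.conf generator.
hasprinc "$princ" || addprinc "$princ" >/dev/null
ktadd "$temp/keytab" "$princ" >/dev/null
# NOTE(review): the keytab is raw key material; whatever consumes this option
# (dhcpd.conf and, presumably, the DHCP reply to the client) carries it in the
# clear, so the generated config must not be world-readable — confirm with
# the caller.
printf -- 'option altlinux.keydata "%s"; ' "$(base64 -w0 < "$temp/keytab")"

# ==== alterator-kdc-0.2/usr/bin/alterator-kdc-functions ====
#!/bin/sh
# Library sourced by the hooks: writes krb5.conf / kdc.conf / kadm5.acl for
# the realm derived from the DNS domain and (re)creates the KDC database,
# either a plain kdb5 one or an LDAP-backed one under the local slapd.
# Environment: KDC_USE_LDAP (default 1) selects the LDAP backend;
#              DOMAINNAME overrides dnsdomainname(1).
. shell-error

kdc_uses_ldap=${KDC_USE_LDAP:=1}
kdc_root=/var/lib/kerberos/krb5kdc
krb5_conf=/etc/krb5.conf
kdc_conf="$kdc_root/kdc.conf"
acl_file="$kdc_root/kadm5.acl"
admin_keytab="$kdc_root/kadm5.keytab"
ldap_kdc_cn=kdc
ldap_kadmin_cn=kadmin
# Single-DES master key and DES/RC4 enctypes.  alterator-kdc-princ-functions
# hard-codes the same type in ktadd (-e des-cbc-crc:normal), so the two have
# to be changed together; DES and RC4 are weak and disabled by default in
# current Kerberos releases.
master_key_type=des-cbc-crc
supported_enctypes='rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3'

command -v pwgen >/dev/null || fatal "pwgen not found"
command -v kdb5_util >/dev/null || fatal "kdb5_util not found"
command -v kdb5_ldap_util >/dev/null || fatal "kdb5_ldap_util not found"

#---------------------------------------------------------------
# DNS domain: $DOMAINNAME if set, else dnsdomainname(1), cached in DOMAINNAME.
domain() {
  printf '%s\n' "${DOMAINNAME:=$(dnsdomainname)}"
}

# The realm is the domain upper-cased.
realm() {
  domain | tr '[:lower:]' '[:upper:]'
}

# LDAP suffix for the domain: example.com -> dc=example,dc=com.
suffix() {
  printf 'dc=%s\n' "$(domain | sed -e 's/\./,dc=/g')"
}

# Path of the per-domain slapd config, after checking that its "suffix"
# line agrees with suffix(); fatal otherwise.
ldapconf() {
  local conf="/etc/openldap/slapd-$(domain).conf"
  [ -f "$conf" ] || fatal "no $conf found"
  [ "$(sed -n '/^suffix/ s/^suffix[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' "$conf")" = "$(suffix)" ] \
    || fatal "unexpected suffix in $conf"
  printf '%s\n' "$conf"
}

# The quoted "rootdn" value from the slapd config.
rootdn() {
  sed -n '/^rootdn/ s/^rootdn[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' "$(ldapconf)"
}

# The "rootpw" value from the slapd config.  Any amount of blank space after
# the keyword is accepted (the previous pattern allowed exactly one blank and
# printed nothing otherwise, yielding an empty bind password).  The value is
# used as a bind password, so this only works while slapd.conf stores it in
# clear text — a hashed rootpw ({SSHA}...) would be passed as-is.
rootpw() {
  sed -n '/^rootpw/ s/^rootpw[[:blank:]]\+\([^[:blank:]]\+\).*$/\1/p' "$(ldapconf)"
}

#---------------------------------------------------------------
# /etc/krb5.conf for the realm, plus the LDAP backend sections when enabled.
# Without the LDAP backend no [realms] section is written at all; KDC
# discovery then relies on dns_lookup_kdc.
fill_krb_conf() {
  cat << E_O_F
[libdefaults]
  default_realm = $(realm)
  dns_lookup_realm = true
  dns_lookup_kdc = true

[domain_realm]
  .$(domain) = $(realm)
  $(domain) = $(realm)

$(fill_krb_ldap_conf)
E_O_F
}

# kadm5.acl: every */admin principal of the realm gets all rights.
fill_acl_file() {
  printf '*/admin@%s *\n' "$(realm)"
}

# [dbdefaults]/[dbmodules]/[realms] sections binding the realm to the kldap
# module; prints nothing when KDC_USE_LDAP=0.
fill_krb_ldap_conf() {
  [ "$kdc_uses_ldap" = 0 ] || cat << E_O_F
[dbdefaults]
  ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,$(suffix)"

[dbmodules]
  $(domain) = {
    db_library = kldap
    ldap_kdc_dn = cn=${ldap_kdc_cn},ou=kdcroot,$(suffix)
    ldap_kadmind_dn = cn=${ldap_kadmin_cn},ou=kdcroot,$(suffix)
    ldap_service_password_file = $kdc_root/$(domain).ldapkey
    ldap_servers = ldap://localhost/
    ldap_conns_per_server = 5
  }

[realms]
  $(realm) = {
    database_module = $(domain)
  }
E_O_F
}

# kdc.conf: ACL/keytab paths, master key type and enctypes, syslog logging.
fill_kdc_conf() {
  cat << E_O_F
[kdcdefaults]
  acl_file = $acl_file
  admin_keytab = $admin_keytab

[realms]
  $(realm) = {
    master_key_type = $master_key_type
    supported_enctypes = $supported_enctypes
  }

[logging]
  kdc = SYSLOG:INFO:DAEMON
  admin_server = SYSLOG:INFO:DAEMON
E_O_F
}

#---------------------------------------------------------------
# Delete every file under $kdc_root: principal database, stash file and the
# LDAP service-password file.  Irreversible.
dropdb() {
  find "$kdc_root" -type f -delete
}

# Create the realm database with the backend selected by KDC_USE_LDAP.
createdb() {
  if [ "$kdc_uses_ldap" = 0 ]; then
    createbaredb
  else
    createrole "$ldap_kdc_cn"
    createrole "$ldap_kadmin_cn"
    createldapdb
  fi
}

# Plain kdb5 database with a random, stashed (-s) master password.
# The password goes on the command line (-P) and is therefore visible in the
# process list while kdb5_util runs; kdb5_util can read it from the terminal
# instead, which is not usable from a non-interactive hook.
createbaredb() {
  kdb5_util create -r "$(realm)" -s -P "$(pwgen -s1)"
}

# Bind arguments for the local slapd as one line that callers word-split, so
# rootdn and rootpw must not contain whitespace.  As with -P above, the bind
# password ends up on the command line of ldapadd / kdb5_ldap_util.
ldapargs() {
  printf -- '-D %s -w %s -H ldap://localhost/\n' "$(rootdn)" "$(rootpw)"
}

# Create the LDAP entry cn=<cn>,ou=kdcroot,<suffix> with a random password
# and stash that password for the KDC in <domain>.ldapkey.
# Arguments: $1 - cn of the service identity (kdc or kadmin).
createrole() {
  local cn="$1"; shift
  local suffix passwd ldapargs
  suffix=$(suffix)
  passwd=$(pwgen -s1)
  ldapargs=$(ldapargs)
  # shellcheck disable=SC2086 — $ldapargs is a pre-split argument string
  printf 'dn: cn=%s,ou=kdcroot,%s\ncn: %s\nsn: %s\nobjectclass: top\nobjectclass: person\nuserpassword: %s\n' \
    "$cn" "$suffix" "$cn" "$cn" "$passwd" | ldapadd -x $ldapargs
  # stashsrvpw asks for the password twice; it is fed through the pipe rather
  # than placed on the command line.
  # shellcheck disable=SC2086
  printf '%s\n%s' "$passwd" "$passwd" \
    | kdb5_ldap_util $ldapargs stashsrvpw -f "$kdc_root/$(domain).ldapkey" "cn=$cn,ou=kdcroot,$suffix"
}

# LDAP-backed realm database under ou=kdcroot,<suffix> with a random stashed
# master password (same -P exposure as createbaredb).  The empty "principal"
# file is presumably there so that checks for a local database succeed —
# TODO confirm.
createldapdb() {
  # shellcheck disable=SC2046 — ldapargs output is meant to be split
  kdb5_ldap_util $(ldapargs) create -subtrees "ou=kdcroot,$(suffix)" -r "$(realm)" -s -P "$(pwgen -s1)"
  touch "$kdc_root/principal"
}

#---------------------------------------------------------------
# Point an existing smb.conf at the new realm / LDAP suffix / admin dn and
# store the LDAP admin password in Samba's secrets.  No-op without smb.conf.
# The values are spliced into sed replacements unescaped, which is only safe
# while realm, suffix and rootdn contain neither "/" nor "&".
update_samba() {
  local smbconf='/etc/samba/smb.conf'
  [ -f "$smbconf" ] || return 0
  sed -i \
    -e "/^[[:blank:]]*realm/ s/=.\+$/= $(realm)/" \
    -e "/^[[:blank:]]*ldap[[:blank:]]\+suffix/ s/=.\+$/= $(suffix)/" \
    -e "/^[[:blank:]]*ldap[[:blank:]]\+admin[[:blank:]]\+dn/ s/=.\+$/= $(rootdn)/" \
    "$smbconf"
  smbpasswd -w "$(rootpw)"
}

# Services that must follow a realm change.
updateservices() {
  update_samba
}

#---------------------------------------------------------------
# Full reset: wipe the database, rewrite the three config files, create a new
# database and reconfigure dependent services.  Destroys every existing
# principal and key.
kdcinit() {
  dropdb
  fill_acl_file > "$acl_file"
  fill_kdc_conf > "$kdc_conf"
  fill_krb_conf > "$krb5_conf"
  createdb
  updateservices
}

# ==== alterator-kdc-0.2/usr/bin/alterator-kdc-princ-functions ====
#!/bin/sh
# Thin wrappers around kadmin.local for principal and keytab management.
# Principal names are interpolated into kadmin query strings, so they must
# not contain whitespace.
. shell-error
command -v kadmin.local >/dev/null || fatal "kadmin.local not found"

#---------------------------------------------------------------
# Print the record of principal $1 (kadmin output).
getprinc() {
  kadmin.local -q "getprinc $1"
}

# True when principal $1 exists (kadmin prints a "Principal:" line for it).
hasprinc() {
  getprinc "$1" 2>/dev/null | grep -q '^Principal'
}

# Delete principal $1 without confirmation.
delprinc() {
  kadmin.local -q "delprinc -force $1"
}

# Create principal $1 with a random key (no password).
addprinc() {
  kadmin.local -q "addprinc -randkey $1"
}

# Set the password of principal $1 to $2 (kadmin asks for it twice).  The
# password is fed through the pipe rather than placed on the command line.
changepw() {
  printf '%s\n%s' "$2" "$2" | kadmin.local -q "cpw $1"
}

# Append the key of principal $2 to keytab $1 (single-DES only — see
# master_key_type in alterator-kdc-functions).
ktadd() {
  kadmin.local -q "ktadd -e des-cbc-crc:normal -k $1 $2"
}

# Recreate the nfs/cifs/host/imap/pop3/smtp service principals of a host with
# fresh random keys and write them into a keytab.  Existing principals are
# deleted and re-created rather than re-keyed in place.
# Arguments: $1 - keytab path, $2 - host name as used in the principal.
genkeytab() {
  local keytab="$1"
  local hostname="$2"
  # "princ" was a global before; keep it out of the caller's namespace.
  local p princ
  shift; shift
  for p in nfs cifs host imap pop3 smtp; do
    princ="$p/$hostname"
    if hasprinc "$princ"; then
      delprinc "$princ"
    fi
    addprinc "$princ"
    ktadd "$keytab" "$princ"
  done
}

# ==== alterator-kdc-0.2/usr/lib/alterator/hooks/trust.d/kdc ====
#!/bin/sh
# Trust hook: when a host is added to the trust relationship ("add"), cut a
# keytab with its service principals and copy it to the host's
# /etc/krb5.keytab with trust-scp.  Other actions are reported and skipped.
# Arguments: $1 - host name, $2 - action.
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0
. shell-error
. shell-signal
. alterator-kdc-princ-functions

# Remove the scratch directory on any exit path; the temporary keytab is key
# material and must not outlive the run.
cleanup() {
  [ -z "$temp" ] || rm -fr -- "$temp"
}
temp="$(mktemp -dt "${0##*/}.XXXXXXXX")"
set_cleanup_handler cleanup

# Generate and ship the keytab for host $1.
addkeytab() {
  local host="$1"
  shift
  genkeytab "$temp/keytab" "$host"
  trust-scp "$temp/keytab" "$host:/etc/krb5.keytab"
}

case "$2" in
  add) addkeytab "$1" ;;
  *) message "unknown action $2, skipped" ;;
esac

# ==== alterator-kdc-0.2/usr/lib/alterator/hooks/trust.d/smb ====
#!/bin/sh
# Trust hook for Samba: only handles the "add" action on the master.
# Arguments: $1 - target host, $2 - action.
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0
[ "$2" = "add" ] || exit 0
target="$1"
shift
shift
. alterator-kdc-functions
# The rest of this script is cut off in this dump; the redirection below is
# reproduced only as far as it is visible.
cat <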