pax_global_header00006660000000000000000000000064112743456470014527gustar00rootroot0000000000000052 comment=39c5697e367e30d047ba92616797829905dba8cd alterator-kdc-0.2/000075500000000000000000000000001127434564700141225ustar00rootroot00000000000000alterator-kdc-0.2/.gear/000075500000000000000000000000001127434564700151165ustar00rootroot00000000000000alterator-kdc-0.2/.gear/rules000064400000000000000000000000751127434564700161750ustar00rootroot00000000000000tar: . name=@name@-@version@-@release@ base=@name@-@version@ alterator-kdc-0.2/alterator-kdc.spec000064400000000000000000000032661127434564700175410ustar00rootroot00000000000000Name: alterator-kdc Version: 0.2 Release: alt7 BuildArch: noarch Source: %name-%version-%release.tar Summary: Alterator module for Kerberos KDC License: GPL Group: System/Configuration/Other Requires: krb5-kdc pwgen %description Alterator module for Kerberos KDC %prep %setup %install mkdir %buildroot find etc usr |cpio -pmd %buildroot %files %_sysconfdir/hooks/hostname.d/30-kdc %_sysconfdir/hooks/hostname.d/40-keytab %_bindir/alterator-kdc-functions %_bindir/alterator-kdc-princ-functions %_bindir/alterator-kdc-dhcp-host-option %_libexecdir/alterator/hooks/trust.d/* %changelog * Wed Nov 4 2009 Sergey Bolshakov 0.2-alt7 - modified to not expose extra reqs * Fri Aug 21 2009 Sergey Bolshakov 0.2-alt6 - place dovecot own keytab under /etc/dovecot #(21165) * Fri Jun 26 2009 Sergey Bolshakov 0.2-alt5 - place squid own keytab under /etc/squid * Tue Jun 16 2009 Sergey Bolshakov 0.2-alt4 - http principal autogeneration added * Tue Apr 28 2009 Sergey Bolshakov 0.2-alt3 - filter out unwanted messages during dhcpd.conf create (#19811) - add imap/pop3/smtp to autogen'd princs too * Wed Apr 22 2009 Sergey Bolshakov 0.2-alt2 - use dedicated option space for alt-specific dhcp options * Tue Apr 21 2009 Sergey Bolshakov 0.2-alt1 - hook into dhcp-reset added * Fri Apr 10 2009 Sergey Bolshakov 0.1-alt3 - samba hooks added * Tue Apr 7 2009 Sergey Bolshakov 
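0.1-alt2
- keytab hook added

* Fri Mar 20 2009 Sergey Bolshakov 0.1-alt1
- Initial release

# ===== alterator-kdc-0.2/etc/hooks/hostname.d/30-kdc =====
#!/bin/sh
# hostname.d hook: when the host moves to another DNS domain, rebuild the
# KDC for the new realm.
#   $1 - old host name, $2 - new host name; the domain is everything after
#        the first dot of each.
# kdcinit is a full, unconfirmed reset (dropdb + createdb), so the role
# check runs before anything else is sourced, and the hook does nothing
# unless the domain part really changed.
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0

old_domain="${1#*.}"
new_domain="${2#*.}"
shift
shift
[ "$old_domain" != "$new_domain" ] || exit 0

. alterator-kdc-functions

printf '%s' "Proceed with full kdc reset... " >&2
# domain() honours a preset DOMAINNAME, so the new domain is handed to
# kdcinit through the environment (presumably because dnsdomainname may
# still report the old value at this point -- confirm).
DOMAINNAME="$new_domain" kdcinit
# Only the KDC is restarted here; kadmind is left as it was.
service krb5kdc restart >/dev/null 2>&1
printf '%s\n' "done." >&2

# ===== alterator-kdc-0.2/etc/hooks/hostname.d/40-keytab =====
#!/bin/sh
# hostname.d hook: after the master server was renamed, regenerate the
# local service keytabs so they carry principals for the new host name.
# Each keytab is removed first so stale entries for the old name cannot
# survive in it.
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0
. alterator-kdc-princ-functions

host="$(hostname)"

# Regenerate keytab $1 for this host, optionally handing it to a service
# account $2 (owner[:group]).  Keytabs hold long-term keys: ktadd is
# expected to create the file 0600 already, the chmod makes that
# explicit and survives the chown.
regen_keytab() {
  local keytab="$1" owner="$2"
  rm -f -- "$keytab"
  genkeytab "$keytab" "$host"
  [ -z "$owner" ] || chown "$owner" "$keytab"
  chmod 0600 "$keytab"
}

regen_keytab /etc/krb5.keytab
if [ -d /etc/squid ]; then
  regen_keytab /etc/squid/squid.keytab squid:squid
fi
if [ -d /etc/dovecot ]; then
  regen_keytab /etc/dovecot/dovecot.keytab dovecot:dovecot
fi

# ===== alterator-kdc-0.2/usr/bin/alterator-kdc-dhcp-host-option =====
#!/bin/sh
# Emit the dhcpd.conf host option carrying an nfs/ keytab for one client.
#   $1 - client host name as written in the dhcp host entry
# Output: option altlinux.keydata "<base64 keytab>";  on stdout.
# The principal is created on first use; its key is exported into a
# fresh keytab on every call.
set -e
. /etc/sysconfig/system
. /etc/sysconfig/network
[ "$SERVER_ROLE" = "master" ] || exit 0
[ "$#" -eq 1 ] || exit 0
. shell-error
. shell-signal
. alterator-kdc-princ-functions

cleanup() {
  [ -z "$temp" ] || rm -fr -- "$temp"
}
# Private scratch dir (mktemp -d creates it mode 0700) for the keytab.
temp="$(mktemp -dt "${0##*/}.XXXXXXXX")"
set_cleanup_handler cleanup

# nfs/<$1 without its last dotted label>.<domain>
# NOTE(review): this presumes $1 is a short name or carries a single
# local suffix label; a fully qualified $1 would get the domain appended
# on top of its own -- confirm against the dhcp host entries.
princname() {
  printf 'nfs/%s.%s\n' "${1%.*}" "${DOMAINNAME:=$(dnsdomainname)}"
}

princ="$(princname "$1")"
hasprinc "$princ" || addprinc "$princ" >/dev/null
ktadd "$temp/keytab" "$princ" >/dev/null
# The emitted value is long-term key material; the file that receives
# this output (dhcpd.conf) has to stay readable by the dhcp server only.
printf -- 'option altlinux.keydata "%s"; ' "$(base64 -w0 < "$temp/keytab")"

# ===== alterator-kdc-0.2/usr/bin/alterator-kdc-functions =====
#!/bin/sh
# Helpers for (re)initialising the local Kerberos KDC, sourced by the
# hostname and trust hooks.  The realm is derived from the DNS domain
# (DOMAINNAME or dnsdomainname); with KDC_USE_LDAP=1 (the default) the
# principal database lives in the local slapd under ou=kdcroot.
. shell-error

kdc_uses_ldap=${KDC_USE_LDAP:=1}
kdc_root=/var/lib/kerberos/krb5kdc
krb5_conf=/etc/krb5.conf
kdc_conf="$kdc_root/kdc.conf"
acl_file="$kdc_root/kadm5.acl"
admin_keytab="$kdc_root/kadm5.keytab"
ldap_kdc_cn=kdc
ldap_kadmin_cn=kadmin
# NOTE(review): single-DES (des-cbc-crc) and RC4 are deprecated Kerberos
# enctypes (RFC 6649, RFC 8429) and current krb5 releases disable DES by
# default.  The lists are kept as found; they -- and the matching
# `ktadd -e` in alterator-kdc-princ-functions -- need updating before
# use with a modern KDC.
master_key_type=des-cbc-crc
supported_enctypes='rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3'
# Length of the generated master/bind passwords.  They are machine
# generated secrets that only ever live in the stash and ldapkey files,
# never typed by a person, so there is no reason to keep them short.
pw_length=32

[ -n "$(type -p pwgen)" ] || fatal "pwgen not found"
[ -n "$(type -p kdb5_util)" ] || fatal "kdb5_util not found"
[ -n "$(type -p kdb5_ldap_util)" ] || fatal "kdb5_ldap_util not found"

#---------------------------------------------------------------
# DNS domain of this host; a preset DOMAINNAME wins and is cached.
domain() {
  printf '%s\n' "${DOMAINNAME:=$(dnsdomainname)}"
}

# Kerberos realm: the domain in upper case.
realm() {
  domain | tr '[:lower:]' '[:upper:]'
}

# LDAP suffix for the domain, e.g. example.org -> dc=example,dc=org.
suffix() {
  printf 'dc=%s\n' "$(domain | sed -e 's@\.@,dc=@g')"
}

# Path of the slapd config for this domain.  Fails unless the file exists
# and its suffix is the one derived from the domain, so a foreign slapd
# instance is never reconfigured by accident.
ldapconf() {
  local conf="/etc/openldap/slapd-$(domain).conf"
  local configured
  [ -f "$conf" ] || fatal "no $conf found"
  configured="$(sed -n '/^suffix/ s/^suffix[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' "$conf")"
  [ "$configured" = "$(suffix)" ] || fatal "unexpected suffix in $conf"
  printf '%s\n' "$conf"
}

# rootdn of the slapd config (expects the quoted form: rootdn "cn=...").
rootdn() {
  sed -n '/^rootdn/ s/^rootdn[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' "$(ldapconf)"
}

# rootpw of the slapd config: the first blank-delimited word after the
# keyword, any number of blanks in between, trailing text dropped.
# NOTE(review): the value is later used as a bind password, so this only
# works while slapd.conf holds a cleartext rootpw rather than a hash.
rootpw() {
  sed -n '/^rootpw/ s/^rootpw[[:blank:]]\+\([^[:blank:]]\+\).*$/\1/p' "$(ldapconf)"
}

#---------------------------------------------------------------
# /etc/krb5.conf for the realm.
fill_krb_conf() {
  cat << E_O_F
[libdefaults]
  default_realm = $(realm)
  dns_lookup_realm = true
  dns_lookup_kdc = true
[domain_realm]
  .$(domain) = $(realm)
  $(domain) = $(realm)
$(fill_krb_ldap_conf)
E_O_F
}

# kadm5.acl: every */admin principal of the realm gets all privileges.
fill_acl_file() {
  printf '*/admin@%s *\n' "$(realm)"
}

# LDAP backend sections of krb5.conf; nothing when KDC_USE_LDAP=0.
fill_krb_ldap_conf() {
  [ "$kdc_uses_ldap" = 0 ] || cat << E_O_F
[dbdefaults]
  ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,$(suffix)"
[dbmodules]
  $(domain) = {
    db_library = kldap
    ldap_kdc_dn = cn=${ldap_kdc_cn},ou=kdcroot,$(suffix)
    ldap_kadmind_dn = cn=${ldap_kadmin_cn},ou=kdcroot,$(suffix)
    ldap_service_password_file = $kdc_root/$(domain).ldapkey
    ldap_servers = ldap://localhost/
    ldap_conns_per_server = 5
  }
[realms]
  $(realm) = {
    database_module = $(domain)
  }
E_O_F
}

# kdc.conf for the realm.
fill_kdc_conf() {
  cat << E_O_F
[kdcdefaults]
  acl_file = $acl_file
  admin_keytab = $admin_keytab
[realms]
  $(realm) = {
    master_key_type = $master_key_type
    supported_enctypes = $supported_enctypes
  }
[logging]
  kdc = SYSLOG:INFO:DAEMON
  admin_server = SYSLOG:INFO:DAEMON
E_O_F
}

#---------------------------------------------------------------
# One random alphanumeric password of $pw_length characters.
genpw() {
  pwgen -s "$pw_length" 1
}

# Wipe every file under the KDC state directory (database, stash, ldap
# key file, generated configs).  The :? guard refuses an empty kdc_root,
# which would otherwise make find work on the current directory.
dropdb() {
  find "${kdc_root:?kdc_root is unset}" -type f -delete
}

# Create the principal database for the realm: a plain local one, or an
# LDAP one after provisioning the kdc/kadmin bind identities.
createdb() {
  if [ "$kdc_uses_ldap" = 0 ]; then
    createbaredb
  else
    createrole "$ldap_kdc_cn"
    createrole "$ldap_kadmin_cn"
    createldapdb
  fi
}

# Local (non-LDAP) database with a stashed (-s) master key.
# NOTE(review): -P hands the master password over on the command line,
# where it is briefly visible in the process list; kdb5_util also
# prompts for it when -P is omitted -- confirm whether a piped stdin
# satisfies the prompt before switching.
createbaredb() {
  kdb5_util create -r "$(realm)" -s -P "$(genpw)"
}

# Bind options for ldapadd/kdb5_ldap_util, meant to be word-split by
# the caller.
# NOTE(review): the rootpw travels on the command line of both tools
# and is visible in `ps` while they run; ldapadd accepts -y <file>
# instead, kdb5_ldap_util does not appear to offer an equivalent.
ldapargs() {
  printf -- '-D %s -w %s -H ldap://localhost/\n' "$(rootdn)" "$(rootpw)"
}

# Create the LDAP bind identity cn=$1,ou=kdcroot,<suffix> for the KDC
# and stash its password in the ldapkey file read by the kldap module.
#   $1 - cn of the identity (kdc or kadmin)
createrole() {
  local cn="$1"
  local base passwd args
  base="$(suffix)"
  passwd="$(genpw)"
  args="$(ldapargs)"
  # shellcheck disable=SC2086 -- $args is a list of options on purpose
  printf 'dn: cn=%s,ou=kdcroot,%s\ncn: %s\nsn: %s\nobjectclass: top\nobjectclass: person\nuserpassword: %s\n' \
    "$cn" "$base" "$cn" "$cn" "$passwd" | ldapadd -x $args
  # stashsrvpw reads the password twice from stdin.
  # shellcheck disable=SC2086
  printf '%s\n%s' "$passwd" "$passwd" |
    kdb5_ldap_util $args stashsrvpw -f "$kdc_root/$(domain).ldapkey" "cn=$cn,ou=kdcroot,$base"
}

# Create the realm's container in LDAP with a stashed master key, then
# touch the principal file (presumably a marker for the krb5kdc init
# script -- confirm).
createldapdb() {
  # shellcheck disable=SC2046 -- ldapargs output is a list of options
  kdb5_ldap_util $(ldapargs) create -subtrees "ou=kdcroot,$(suffix)" -r "$(realm)" -s -P "$(genpw)"
  touch "$kdc_root/principal"
}

#---------------------------------------------------------------
# Point an installed samba at the new realm / LDAP suffix / admin dn and
# hand the LDAP admin password to smbpasswd -w.  Skipped silently when
# samba is not installed.
# NOTE(review): realm, suffix and rootdn are spliced into sed
# replacement text with '/' as delimiter; a '/' in the rootdn would
# break the expression.
update_samba() {
  local smbconf='/etc/samba/smb.conf'
  local smbpasswd
  smbpasswd="$(type -p smbpasswd)"
  [ -f "$smbconf" ] && [ -n "$smbpasswd" ] || return 0
  sed -i \
    -e "/^[[:blank:]]*realm/ s/=.\+$/= $(realm)/" \
    -e "/^[[:blank:]]*ldap[[:blank:]]\+suffix/ s/=.\+$/= $(suffix)/" \
    -e "/^[[:blank:]]*ldap[[:blank:]]\+admin[[:blank:]]\+dn/ s/=.\+$/= $(rootdn)/" \
    "$smbconf"
  # Like -P above, the password is passed on argv.
  "$smbpasswd" -w "$(rootpw)"
}

# Every dependent service that must follow a realm change.
updateservices() {
  update_samba
}

#---------------------------------------------------------------
# Destructive full (re)initialisation of the KDC for the current domain:
# drop the old database and state, write kadm5.acl, kdc.conf and
# krb5.conf, create the database, update dependent services.
kdcinit() {
  dropdb
  fill_acl_file > "$acl_file"
  fill_kdc_conf > "$kdc_conf"
  fill_krb_conf > "$krb5_conf"
  createdb
  updateservices
}

# ===== alterator-kdc-0.2/usr/bin/alterator-kdc-princ-functions =====
#!/bin/sh
# kadmin.local wrappers for managing service principals and keytabs,
# sourced by the hostname, dhcp and trust hooks.
. shell-error
[ -n "$(type -p kadmin.local)" ] || fatal "kadmin.local not found"

#---------------------------------------------------------------
# Every principal and keytab name below is spliced into a
# kadmin.local -q query string, so a value containing whitespace or
# quotes would change the command that runs.  Principal names are built
# from host names handed in by the hooks' callers; reject anything that
# is not a single plain word.
checkword() {
  case "$1" in
    ''|*[[:space:]\"\']*) fatal "unsafe kadmin argument: $1" ;;
  esac
}

getprinc() {
  checkword "$1"
  kadmin.local -q "getprinc $1"
}

# True when principal $1 exists (getprinc prints a "Principal:" line).
hasprinc() {
  checkword "$1"
  getprinc "$1" 2>/dev/null | grep -q '^Principal'
}

delprinc() {
  checkword "$1"
  kadmin.local -q "delprinc -force $1"
}

addprinc() {
  checkword "$1"
  kadmin.local -q "addprinc -randkey $1"
}

# Set the password of $1 to $2; cpw reads it twice from stdin, so the
# password never appears on a command line.
changepw() {
  checkword "$1"
  printf '%s\n%s' "$2" "$2" | kadmin.local -q "cpw $1"
}

# Export the key of principal $2 into keytab $1.
# NOTE(review): des-cbc-crc is a deprecated single-DES enctype
# (RFC 6649); keep it in step with supported_enctypes in
# alterator-kdc-functions.
ktadd() {
  checkword "$1"
  checkword "$2"
  kadmin.local -q "ktadd -e des-cbc-crc:normal -k $1 $2"
}

# Recreate principal $1 from scratch -- an existing entry is deleted
# first, so it always gets a fresh random key -- and export it into
# keytab $2.  Any previously issued keytab for $1 stops working.
genkey() {
  local princ="$1"
  local keytab="$2"
  if hasprinc "$princ"; then
    delprinc "$princ"
  fi
  addprinc "$princ"
  ktadd "$keytab" "$princ"
}

# Fill keytab $1 with the service principals for host $2; the set of
# services is chosen by the keytab's file name.
genkeytab() {
  local keytab="$1"
  local hostname="$2"
  local services p
  case "$keytab" in
    *krb5.keytab)    services='nfs cifs host imap pop3 smtp' ;;
    *squid.keytab)   services='http HTTP' ;;
    *dovecot.keytab) services='pop imap smtp' ;;
    *)               services='' ;;
  esac
  for p in $services; do
    genkey "$p/$hostname" "$keytab"
  done
}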
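# ===== alterator-kdc-0.2/usr/lib/alterator/hooks/trust.d/kdc =====
#!/bin/sh
# trust.d hook: when a host is added to the trust set, create its service
# principals and push freshly generated keytabs to it over the trust
# channel (trust-ssh / trust-scp).
#   $1 - host name, $2 - action ("add" is the only one handled)
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0
. shell-error
. shell-signal
. alterator-kdc-princ-functions

SSH="$(type -p trust-ssh)"
SCP="$(type -p trust-scp)"
[ -n "$SSH" ] && [ -n "$SCP" ] || exit 0

cleanup() {
  [ -z "$temp" ] || rm -fr -- "$temp"
}
# Private scratch dir (mktemp -d creates it mode 0700) for keytabs in
# flight.
temp="$(mktemp -dt "${0##*/}.XXXXXXXX")"
set_cleanup_handler cleanup

# Generate keytab $2 for host $1, copy it to $3 on the host and, when $4
# is given, chown it there to $4.  A failed transfer is fatal rather than
# silently ignored: genkeytab has already re-keyed the principals, so an
# undelivered keytab leaves the host with one that no longer works.
push_keytab() {
  local host="$1" name="$2" dest="$3" owner="$4"
  genkeytab "$temp/$name" "$host"
  "$SCP" "$temp/$name" "$host:$dest" || fatal "cannot copy $name to $host"
  if [ -n "$owner" ]; then
    "$SSH" "$host" chown "$owner" "$dest" || fatal "cannot chown $dest on $host"
  fi
  # Keytabs hold long-term keys; keep them readable by the owner only.
  "$SSH" "$host" chmod 0600 "$dest" || fatal "cannot chmod $dest on $host"
}

addkeytab() {
  local host="$1"
  push_keytab "$host" krb5.keytab /etc/krb5.keytab
  if "$SSH" "$host" test -d /etc/squid; then
    push_keytab "$host" squid.keytab /etc/squid/squid.keytab squid:squid
  fi
  if "$SSH" "$host" test -d /etc/dovecot; then
    push_keytab "$host" dovecot.keytab /etc/dovecot/dovecot.keytab dovecot:dovecot
  fi
}

case "$2" in
  add) addkeytab "$1" ;;
  *)   message "unknown action $2, skipped" ;;
esac

# ===== alterator-kdc-0.2/usr/lib/alterator/hooks/trust.d/smb =====
#!/bin/sh
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0
[ "$2" = "add" ] || exit 0
target="$1"
shift
shift
. alterator-kdc-functions
SSH=$(type -p trust-ssh)
[ -n "$SSH" ] || exit 0
cat <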