pax_global_header00006660000000000000000000000064122046705720014517gustar00rootroot0000000000000052 comment=cbda8e5c3d4aea13afa3e2eaca41513ef94f35de alterator-kdc-0.5/000075500000000000000000000000001220467057200141155ustar00rootroot00000000000000alterator-kdc-0.5/.gear/000075500000000000000000000000001220467057200151115ustar00rootroot00000000000000alterator-kdc-0.5/.gear/rules000064400000000000000000000000751220467057200161700ustar00rootroot00000000000000tar: . name=@name@-@version@-@release@ base=@name@-@version@ alterator-kdc-0.5/alterator-kdc.spec000064400000000000000000000046371220467057200175370ustar00rootroot00000000000000Name: alterator-kdc Version: 0.5 Release: alt2 BuildArch: noarch Source: %name-%version-%release.tar Summary: Alterator module for Kerberos KDC License: GPL Group: System/Configuration/Other Requires: krb5-kdc pwgen %description Alterator module for Kerberos KDC %prep %setup %install mkdir %buildroot find etc usr |cpio -pmd %buildroot %files %_sysconfdir/hooks/hostname.d/30-kdc %_sysconfdir/hooks/hostname.d/40-keytab %_bindir/alterator-kdc-functions %_bindir/alterator-kdc-princ-functions %_bindir/alterator-kdc-dhcp-host-option %_libexecdir/alterator/hooks/trust.d/* %changelog * Tue Aug 20 2013 Anton V. Boyarshinov 0.5-alt2 - revert to 0.4-alt1 * Tue Aug 20 2013 Anton V. Boyarshinov 0.5-alt1 - +requires_preauth added while creating principals * Mon Nov 12 2012 Anton V. Boyarshinov 0.4-alt1 - master key cipher changed from des-cbc-crc (OMG!) to aes256-cts-hmac-sha1-96 * Tue May 15 2012 Anton V. Boyarshinov 0.3-alt1 - do full kdc reset if old and new domains are equal, but no krb base for new domain * Fri Mar 18 2011 Anton V. Boyarshinov 0.2-alt9 - chkconfig krb5kdc added * Wed Mar 16 2011 Anton V. 
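Boyarshinov 0.2-alt8 - improved error handling, no freeze if no ldapconf * Wed Nov 4 2009 Sergey Bolshakov 0.2-alt7 - modified to not expose extra reqs * Fri Aug 21 2009 Sergey Bolshakov 0.2-alt6 - place dovecot own keytab under /etc/dovecot #(21165) * Fri Jun 26 2009 Sergey Bolshakov 0.2-alt5 - place squid own keytab under /etc/squid * Tue Jun 16 2009 Sergey Bolshakov 0.2-alt4 - http principal autogeneration added * Tue Apr 28 2009 Sergey Bolshakov 0.2-alt3 - filter out unwanted messages during dhcpd.conf create (#19811) - add imap/pop3/smtp to autogen'd princs too * Wed Apr 22 2009 Sergey Bolshakov 0.2-alt2 - use dedicated option space for alt-specific dhcp options * Tue Apr 21 2009 Sergey Bolshakov 0.2-alt1 - hook into dhcp-reset added * Fri Apr 10 2009 Sergey Bolshakov 0.1-alt3 - samba hooks added * Tue Apr 7 2009 Sergey Bolshakov 0.1-alt2 - keytab hook added * Fri Mar 20 2009 Sergey Bolshakov 0.1-alt1 - Initial release
alterator-kdc-0.5/etc/000075500000000000000000000000001220467057200146705ustar00rootroot00000000000000alterator-kdc-0.5/etc/hooks/000075500000000000000000000000001220467057200160135ustar00rootroot00000000000000alterator-kdc-0.5/etc/hooks/hostname.d/000075500000000000000000000000001220467057200200535ustar00rootroot00000000000000alterator-kdc-0.5/etc/hooks/hostname.d/30-kdc000075500000000000000000000005541220467057200207660ustar00rootroot00000000000000
#!/bin/sh
# Hostname-change hook: on the realm master, rebuild the KDC when the new DNS
# domain is not yet referenced in /etc/krb5.conf.
# Arguments: $1 - old host name, $2 - new host name; the domain is each name
#            with its first label removed.
#
# NOTE(review): kdcinit begins with dropdb, which deletes every regular file
# under the KDC directory, so reaching the reset below discards all existing
# principals and keys.
. /etc/sysconfig/system
. alterator-kdc-functions

# '=' rather than '==': the latter is a bash extension to test(1).
[ "$SERVER_ROLE" = "master" ] || exit 0

# old_domain is computed but not used further down in this hook.
old_domain="${1#*.}"
new_domain="${2#*.}"
shift
shift

# Escape regex metacharacters so the dots of the domain match literally and a
# look-alike name is not mistaken for an already configured domain.
new_domain_re=$(printf '%s\n' "$new_domain" | sed 's/[][\.*^$]/\\&/g')
grep -q -- "= ${new_domain_re}\$" /etc/krb5.conf && exit 0

echo -n "Proceed with full kdc reset... " >&2
DOMAINNAME="$new_domain" kdcinit
# Portable spelling of '&>/dev/null'; a plain POSIX sh reads '&>' as
# "run in background, then truncate /dev/null".
service krb5kdc restart >/dev/null 2>&1
chkconfig krb5kdc on
echo "done." >&2
alterator-kdc-0.5/etc/hooks/hostname.d/40-keytab000075500000000000000000000010031220467057200214730ustar00rootroot00000000000000
#!/bin/sh
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0
. 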
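alterator-kdc-princ-functions

# Each genkeytab call deletes and re-creates the principals it handles, so
# keytabs issued earlier for this host stop matching the KDC afterwards.
rm -f -- /etc/krb5.keytab
genkeytab /etc/krb5.keytab "$(hostname)"

if [ -d /etc/squid ]; then
  rm -f -- /etc/squid/squid.keytab
  genkeytab /etc/squid/squid.keytab "$(hostname)"
  # user:group - the dotted form is a legacy spelling that is ambiguous for
  # account names containing a dot.
  chown squid:squid /etc/squid/squid.keytab
fi

if [ -d /etc/dovecot ]; then
  # NOTE(review): genkeytab's dovecot list repeats imap/ and smtp/, which were
  # already exported to /etc/krb5.keytab above; re-creating those principals
  # here presumably leaves the copies in /etc/krb5.keytab stale - confirm.
  rm -f -- /etc/dovecot/dovecot.keytab
  genkeytab /etc/dovecot/dovecot.keytab "$(hostname)"
  chown dovecot:dovecot /etc/dovecot/dovecot.keytab
fi
alterator-kdc-0.5/usr/000075500000000000000000000000001220467057200147265ustar00rootroot00000000000000alterator-kdc-0.5/usr/bin/000075500000000000000000000000001220467057200154765ustar00rootroot00000000000000alterator-kdc-0.5/usr/bin/alterator-kdc-dhcp-host-option000075500000000000000000000011051220467057200233520ustar00rootroot00000000000000
#!/bin/sh -e
# Print a dhcpd option line carrying a base64-encoded keytab for the nfs/
# principal of one client.
# Arguments: $1 - client host name (its last dot-separated component is
#            replaced by the local DNS domain)
# Outputs:   'option altlinux.keydata "<base64 keytab>";' on stdout
#
# NOTE(review): the output is long-term key material. Whatever consumes it
# (the changelog mentions dhcpd.conf generation) ends up storing the client's
# nfs/ key in a configuration file and, presumably, sending it in DHCP
# replies, which are neither encrypted nor authenticated - confirm the file
# permissions and who can reach that network segment.
. /etc/sysconfig/system
. /etc/sysconfig/network

[ "$SERVER_ROLE" = "master" ] || exit 0
[ "$#" -eq 1 ] || exit 0

. shell-error
. shell-signal
. alterator-kdc-princ-functions

# The name is pasted into a kadmin query string further down; refuse anything
# kadmin would split into additional arguments.
case "$1" in
  '' | *[[:space:]]* | *\"*) fatal "invalid host name: $1" ;;
esac

cleanup() {
  [ -z "$temp" ] || rm -fr -- "$temp"
}

temp="$(mktemp -dt "${0##*/}.XXXXXXXX")"
set_cleanup_handler cleanup

princname() {
  printf 'nfs/%s.%s\n' "${1%.*}" "${DOMAINNAME:=$(dnsdomainname)}"
}

princ=$(princname "$1")
hasprinc "$princ" || addprinc "$princ" > /dev/null
# NOTE(review): ktadd runs on every invocation; unless told otherwise kadmin
# generates fresh keys on export, so a keytab handed out earlier for the same
# host presumably stops working - confirm.
ktadd "$temp/keytab" "$princ" > /dev/null
printf -- 'option altlinux.keydata "%s";\n' "$(base64 -w0 < "$temp/keytab")"
alterator-kdc-0.5/usr/bin/alterator-kdc-functions000075500000000000000000000106641220467057200221750ustar00rootroot00000000000000
#!/bin/sh
. 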
shell-error kdc_uses_ldap=${KDC_USE_LDAP:=1} kdc_root=/var/lib/kerberos/krb5kdc krb5_conf=/etc/krb5.conf kdc_conf="$kdc_root/kdc.conf" acl_file="$kdc_root/kadm5.acl" admin_keytab="$kdc_root/kadm5.keytab" ldap_kdc_cn=kdc ldap_kadmin_cn=kadmin master_key_type=aes256-cts-hmac-sha1-96 supported_enctypes='aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal arcfour-hmac-md5:normal des3-cbc-sha1:normal' [ -n "$(type -p pwgen)" ] || fatal "pwgen not found" [ -n "$(type -p kdb5_util)" ] || fatal "kdb5_util not found" [ -n "$(type -p kdb5_ldap_util)" ] || fatal "kdb5_ldap_util not found" #--------------------------------------------------------------- domain() { printf '%s\n' "${DOMAINNAME:=$(dnsdomainname)}" } realm() { # yeah, that simple domain |tr '[[:lower:]]' '[[:upper:]]' } ldapconf() { local conf="/etc/openldap/slapd-$(domain).conf" [ -f "$conf" ] || fatal "no $conf found" [ "$(sed -n '/^suffix/ s/^suffix[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' $conf)" = "$(suffix)" ] || fatal "unexpected suffix in $conf" printf '%s\n' $conf } suffix() { printf '%s%s\n' dc= $(domain|sed -e s@\\.@,dc=@g) } rootdn() { local conf=$(ldapconf) [ -n "$conf" ] || fatal "no ldapconf found" sed -n '/^rootdn/ s/^rootdn[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' $conf } rootpw() { local conf=$(ldapconf) [ -n "$conf" ] || fatal "no ldapconf found" sed -n '/^rootpw/ s/^rootpw[[:blank:]]\([^[:blank:]]\+\)/\1/p' $conf } #--------------------------------------------------------------- fill_krb_conf() { cat << E_O_F [libdefaults] default_realm = $(realm) dns_lookup_realm = true dns_lookup_kdc = true [domain_realm] .$(domain) = $(realm) $(domain) = $(realm) $(fill_krb_ldap_conf) E_O_F } fill_acl_file() { printf '*/admin@%s *\n' $(realm) } fill_krb_ldap_conf() { [ $kdc_uses_ldap = 0 ] || cat << E_O_F [dbdefaults] ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,$(suffix)" [dbmodules] $(domain) = { db_library = kldap ldap_kdc_dn = cn=${ldap_kdc_cn},ou=kdcroot,$(suffix) 
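ldap_kadmind_dn = cn=${ldap_kadmin_cn},ou=kdcroot,$(suffix)
ldap_service_password_file = $kdc_root/$(domain).ldapkey
ldap_servers = ldap://localhost/
ldap_conns_per_server = 5
}
[realms]
$(realm) = {
database_module = $(domain)
}
E_O_F
}

# Print the contents of kdc.conf for the realm.
fill_kdc_conf() {
  cat << E_O_F
[kdcdefaults]
acl_file = $acl_file
admin_keytab = $admin_keytab
[realms]
$(realm) = {
master_key_type = $master_key_type
supported_enctypes = $supported_enctypes
}
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
E_O_F
}

#---------------------------------------------------------------

# Delete every regular file below the KDC directory.
dropdb() {
  # ':?' aborts when kdc_root is empty or unset; find would otherwise start
  # from the current directory and delete whatever is there.
  find "${kdc_root:?}" -type f -delete
}

# Create the KDC database, either as local files or in LDAP.
createdb() {
  if [ "$kdc_uses_ldap" = 0 ]; then
    createbaredb
  else
    createrole "${ldap_kdc_cn}"
    createrole "${ldap_kadmin_cn}"
    createldapdb
  fi
}

# Create a file-backed database with a random, stashed master password.
# 32 characters instead of pwgen's 8-character default: the password is never
# typed by a person, so there is no reason to keep it short.
# NOTE(review): -P puts the master password on the command line, where other
# local users can read it from the process list while kdb5_util runs. The
# stdin pattern createrole uses for stashsrvpw avoids that - confirm that
# 'kdb5_util create' accepts it before switching.
createbaredb() {
  kdb5_util create -r "$(realm)" -s -P "$(pwgen -s 32 1)"
}

# Print the bind options for the LDAP tools, built from the slapd rootdn and
# rootpw. Callers expand the result unquoted so that it splits into words.
# NOTE(review): the '-w <password>' printed here ends up on the command lines
# of ldapadd and kdb5_ldap_util; ldapadd can read the password from a file
# with -y instead.
ldapargs() {
  local rootdn rootpw
  rootdn=$(rootdn)
  [ -n "$rootdn" ] || fatal "no rootdn"
  rootpw=$(rootpw)
  [ -n "$rootpw" ] || fatal "no rootpw"
  printf -- '-D %s -w %s -H ldap://localhost/\n' "$rootdn" "$rootpw"
}

# Create the LDAP entry cn=$1,ou=kdcroot,<suffix> with a random password and
# stash that password in the service key file named in krb5.conf.
createrole() {
  local cn=$1; shift
  local suffix passwd ldapargs
  suffix=$(suffix)
  passwd=$(pwgen -s 32 1)
  ldapargs=$(ldapargs)
  [ -n "$ldapargs" ] || fatal "no ldapargs"

  # $ldapargs stays unquoted on purpose: it carries several options.
  printf 'dn: cn=%s,ou=kdcroot,%s\ncn: %s\nsn: %s\nobjectclass: top\nobjectclass: person\nuserpassword: %s\n' \
    "$cn" "$suffix" "$cn" "$cn" "$passwd" |
    ldapadd -x $ldapargs
  printf '%s\n%s' "$passwd" "$passwd" |
    kdb5_ldap_util $ldapargs stashsrvpw -f "$kdc_root/$(domain).ldapkey" "cn=$cn,ou=kdcroot,$suffix"
}

# Create the realm container in LDAP with a random, stashed master password
# (same length and command-line caveat as createbaredb).
createldapdb() {
  # $(ldapargs) stays unquoted on purpose: it carries several options.
  kdb5_ldap_util $(ldapargs) create -subtrees "ou=kdcroot,$(suffix)" -r "$(realm)" -s -P "$(pwgen -s 32 1)"
  touch "$kdc_root/principal"
}

#---------------------------------------------------------------

# Point an existing Samba configuration at the new realm, suffix and rootdn.
# Does nothing when smb.conf or smbpasswd is missing.
# NOTE(review): realm, suffix and rootdn are interpolated into sed replacement
# text, so a '/' or '&' in any of them would be interpreted by sed.
update_samba() {
  local smbconf='/etc/samba/smb.conf'
  local smbpasswd
  smbpasswd=$(type -p smbpasswd) || return 0
  # Two separate tests: with '-a' and an unquoted empty $smbpasswd the old
  # check collapsed to '[ -f file -a -n ]', which is true, so a missing
  # smbpasswd went unnoticed.
  if [ ! -f "$smbconf" ] || [ -z "$smbpasswd" ]; then
    return 0
  fi
  sed -i \
    -e "/^[[:blank:]]*realm/ s/=.\+$/= $(realm)/" \
    -e "/^[[:blank:]]*ldap[[:blank:]]\+suffix/ s/=.\+$/= $(suffix)/" \
    -e "/^[[:blank:]]*ldap[[:blank:]]\+admin[[:blank:]]\+dn/ s/=.\+$/= 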
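$(rootdn)/" \
    "$smbconf"
  # NOTE(review): the LDAP root password is passed on smbpasswd's command
  # line and is readable from the process list while the command runs.
  "$smbpasswd" -w "$(rootpw)"
}

# Re-point dependent services at the freshly created realm.
updateservices() {
  update_samba
}

#---------------------------------------------------------------

# Full KDC reset: wipe the KDC directory, rewrite the ACL, kdc.conf and
# krb5.conf, create a new database and update dependent services.
# No step's exit status is checked, so later steps still run after a failure.
kdcinit() {
  dropdb
  fill_acl_file > "$acl_file"
  fill_kdc_conf > "$kdc_conf"
  fill_krb_conf > "$krb5_conf"
  createdb
  updateservices
}
alterator-kdc-0.5/usr/bin/alterator-kdc-princ-functions000075500000000000000000000021161220467057200232770ustar00rootroot00000000000000
#!/bin/sh
# Thin wrappers around kadmin.local for managing principals and keytabs.
#
# Arguments are pasted into the kadmin query string as they are, so callers
# must only pass principal names and keytab paths free of whitespace and
# quotes; anything else is split by kadmin into extra arguments.
. shell-error

[ -n "$(type -p kadmin.local)" ] || fatal "kadmin.local not found"

#---------------------------------------------------------------

# Show principal $1.
getprinc() {
  kadmin.local -q "getprinc $1"
}

# Succeed when principal $1 exists.
hasprinc() {
  getprinc "$1" 2>/dev/null | grep -q '^Principal'
}

# Delete principal $1 without asking for confirmation.
delprinc() {
  kadmin.local -q "delprinc -force $1"
}

# Create principal $1 with a random key.
# The package changelog records '+requires_preauth' being added in 0.5-alt1
# and reverted in 0.5-alt2, so no pre-authentication flag is set here.
# NOTE(review): a principal that later gets a password through changepw can
# then be attacked offline from an AS reply; default_principal_flags in
# kdc.conf is an alternative place to require pre-authentication - check
# client compatibility first.
addprinc() {
  kadmin.local -q "addprinc -randkey $1"
}

# Set the password of principal $1 to $2, fed to kadmin on stdin.
changepw() {
  # Quoted so a password containing blanks is not split into several printf
  # arguments, which would repeat the format and send the wrong lines.
  printf '%s\n%s' "$2" "$2" | kadmin.local -q "cpw $1"
}

# Export the aes256 key of principal $2 into keytab $1.
ktadd() {
  kadmin.local -q "ktadd -e aes256-cts-hmac-sha1-96:normal -k $1 $2"
}

# Re-create principal $1 from scratch and export its key to keytab $2.
genkey() {
  local princ="$1"
  local keytab="$2"
  shift; shift

  if hasprinc "$princ"; then
    delprinc "$princ"
  fi
  addprinc "$princ"
  ktadd "$keytab" "$princ"
}

# Fill keytab $1 with the service principals for host $2. The set of services
# is chosen by the keytab's file name; other names are silently ignored.
# NOTE(review): the krb5.keytab list uses pop3/ while the dovecot list uses
# pop/, and imap/ and smtp/ occur in both lists - confirm which is intended.
genkeytab() {
  local keytab="$1"
  local hostname="$2"
  local p # keep the loop variable out of the caller's scope
  shift; shift

  case "$keytab" in
    *krb5.keytab)
      for p in nfs cifs host imap pop3 smtp; do
        genkey "$p/$hostname" "$keytab"
      done
      ;;
    *squid.keytab)
      for p in http HTTP; do
        genkey "$p/$hostname" "$keytab"
      done
      ;;
    *dovecot.keytab)
      for p in pop imap smtp; do
        genkey "$p/$hostname" "$keytab"
      done
      ;;
  esac
}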
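alterator-kdc-0.5/usr/lib/000075500000000000000000000000001220467057200154745ustar00rootroot00000000000000alterator-kdc-0.5/usr/lib/alterator/000075500000000000000000000000001220467057200174715ustar00rootroot00000000000000alterator-kdc-0.5/usr/lib/alterator/hooks/000075500000000000000000000000001220467057200206145ustar00rootroot00000000000000alterator-kdc-0.5/usr/lib/alterator/hooks/trust.d/000075500000000000000000000000001220467057200222175ustar00rootroot00000000000000alterator-kdc-0.5/usr/lib/alterator/hooks/trust.d/kdc000075500000000000000000000017311220467057200227100ustar00rootroot00000000000000
#!/bin/sh
# Trust hook: on action "add", generate keytabs for a host on the realm
# master and copy them to that host with trust-scp/trust-ssh.
# Arguments: $1 - host, $2 - action
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0

. shell-error
. shell-signal
. alterator-kdc-princ-functions

SSH=$(type -p trust-ssh)
SCP=$(type -p trust-scp)
if [ -z "$SSH" ] || [ -z "$SCP" ]; then
  exit 0
fi

cleanup() {
  [ -z "$temp" ] || rm -fr -- "$temp"
}

# Stop if no private directory could be created: with an empty $temp the
# keytabs below would be written to /krb5.keytab and friends.
temp="$(mktemp -dt "${0##*/}.XXXXXXXX")" || fatal "cannot create temporary directory"
set_cleanup_handler cleanup

# Generate the keytabs for host $1 and install them there.
# NOTE(review): copy failures are not checked; genkeytab has already re-keyed
# the principals by then, so a failed copy presumably leaves the remote host
# with keys the KDC no longer accepts.
addkeytab() {
  local host="$1"
  shift

  # The host name becomes part of kadmin queries and of ssh/scp command lines;
  # refuse values that would be split or read as an option.
  case "$host" in
    '' | -* | *[[:space:]]* | *\"*) fatal "invalid host name: $host" ;;
  esac

  genkeytab "$temp/krb5.keytab" "$host"
  "$SCP" "$temp/krb5.keytab" "$host:/etc/krb5.keytab"

  if "$SSH" "$host" test -d /etc/squid; then
    genkeytab "$temp/squid.keytab" "$host"
    "$SCP" "$temp/squid.keytab" "$host:/etc/squid/squid.keytab"
    "$SSH" "$host" chown squid:squid /etc/squid/squid.keytab
  fi

  if "$SSH" "$host" test -d /etc/dovecot; then
    genkeytab "$temp/dovecot.keytab" "$host"
    "$SCP" "$temp/dovecot.keytab" "$host:/etc/dovecot/dovecot.keytab"
    "$SSH" "$host" chown dovecot:dovecot /etc/dovecot/dovecot.keytab
  fi
}

case "$2" in
  add)
    addkeytab "$1"
    ;;
  *)
    message "unknown action $2, skipped"
    ;;
esac
alterator-kdc-0.5/usr/lib/alterator/hooks/trust.d/smb000075500000000000000000000012571220467057200227330ustar00rootroot00000000000000
#!/bin/sh
. /etc/sysconfig/system
[ "$SERVER_ROLE" = "master" ] || exit 0
[ "$2" = "add" ] || exit 0
target="$1"
shift
shift
. alterator-kdc-functions
SSH=$(type -p trust-ssh)
[ -n "$SSH" ] || exit 0
cat <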