
pax_global_header00006660000000000000000000000064112743456470014527gustar00rootroot0000000000000052 comment=39c5697e367e30d047ba92616797829905dba8cd
alterator-kdc-0.2/000075500000000000000000000000001127434564700141225ustar00rootroot00000000000000alterator-kdc-0.2/.gear/000075500000000000000000000000001127434564700151165ustar00rootroot00000000000000alterator-kdc-0.2/.gear/rules000064400000000000000000000000751127434564700161750ustar00rootroot00000000000000tar: . name=@name@-@version@-@release@ base=@name@-@version@
alterator-kdc-0.2/alterator-kdc.spec000064400000000000000000000032661127434564700175410ustar00rootroot00000000000000Name: alterator-kdc
Version: 0.2
Release: alt7

BuildArch: noarch

Source: %name-%version-%release.tar

Summary: Alterator module for Kerberos KDC
License: GPL
Group: System/Configuration/Other

Requires: krb5-kdc pwgen

%description
Alterator module for Kerberos KDC

%prep
%setup

%install
mkdir %buildroot
find etc usr |cpio -pmd %buildroot

%files
%_sysconfdir/hooks/hostname.d/30-kdc
%_sysconfdir/hooks/hostname.d/40-keytab
%_bindir/alterator-kdc-functions
%_bindir/alterator-kdc-princ-functions
%_bindir/alterator-kdc-dhcp-host-option
%_libexecdir/alterator/hooks/trust.d/*

%changelog
* Wed Nov 4 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt7
- modified to not expose extra reqs

* Fri Aug 21 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt6
- place dovecot own keytab under /etc/dovecot #(21165)

* Fri Jun 26 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt5
- place squid own keytab under /etc/squid

* Tue Jun 16 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt4
- http principal autogeneration added

* Tue Apr 28 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt3
- filter out unwanted messages during dhcpd.conf create (#19811)
- add imap/pop3/smtp to autogen'd princs too

* Wed Apr 22 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt2
- use dedicated option space for alt-specific dhcp options

* Tue Apr 21 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.2-alt1
- hook into dhcp-reset added

* Fri Apr 10 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.1-alt3
- samba hooks added

* Tue Apr 7 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.1-alt2
- keytab hook added

* Fri Mar 20 2009 Sergey Bolshakov <sbolshakov@altlinux.ru> 0.1-alt1
- Initial release
alterator-kdc-0.2/etc/000075500000000000000000000000001127434564700146755ustar00rootroot00000000000000alterator-kdc-0.2/etc/hooks/000075500000000000000000000000001127434564700160205ustar00rootroot00000000000000alterator-kdc-0.2/etc/hooks/hostname.d/000075500000000000000000000000001127434564700200605ustar00rootroot00000000000000alterator-kdc-0.2/etc/hooks/hostname.d/30-kdc000075500000000000000000000005221127434564700207660ustar00rootroot00000000000000#!/bin/sh

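. /etc/sysconfig/system
. alterator-kdc-functions

# Only the domain master runs the KDC; any other role leaves quietly.
[ "$SERVER_ROLE" = "master" ] || exit 0

# The hook receives the old and the new FQDN; only the domain part
# (everything after the first dot) decides whether the realm changes.
old_domain="${1#*.}"
new_domain="${2#*.}"
shift
shift

[ "$old_domain" != "$new_domain" ] || exit 0

printf '%s' "Proceed with full kdc reset... " >&2

# kdcinit (alterator-kdc-functions) wipes the KDC database and rewrites
# krb5.conf/kdc.conf for the new realm; DOMAINNAME is passed as a
# per-command variable so that domain()/realm() see the new value.
DOMAINNAME="$new_domain" kdcinit
# Under a non-bash /bin/sh '&>' is not a redirection: the command is
# backgrounded and '>/dev/null' applies to nothing. Redirect explicitly.
service krb5kdc restart >/dev/null 2>&1
printf '%s\n' "done." >&2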
alterator-kdc-0.2/etc/hooks/hostname.d/40-keytab000075500000000000000000000010031127434564700215000ustar00rootroot00000000000000#!/bin/sh

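. /etc/sysconfig/system

# Only the domain master holds the KDC; other roles have nothing to do.
[ "$SERVER_ROLE" = "master" ] || exit 0

. alterator-kdc-princ-functions

host=$(hostname)

# Regenerate the host keytab. genkeytab() re-keys every principal it
# writes, so any older copy of this keytab is invalidated here.
rm -f -- /etc/krb5.keytab
genkeytab /etc/krb5.keytab "$host"

# Per-service keytabs, only when the service is installed. A keytab
# holds the service's long-term key: set its mode explicitly instead of
# relying on whatever kadmin and the umask produced.
if [ -d /etc/squid ]; then
  rm -f -- /etc/squid/squid.keytab
  genkeytab /etc/squid/squid.keytab "$host"
  chown squid:squid /etc/squid/squid.keytab
  chmod 0600 /etc/squid/squid.keytab
fi

if [ -d /etc/dovecot ]; then
  rm -f -- /etc/dovecot/dovecot.keytab
  genkeytab /etc/dovecot/dovecot.keytab "$host"
  chown dovecot:dovecot /etc/dovecot/dovecot.keytab
  chmod 0600 /etc/dovecot/dovecot.keytab
fi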
alterator-kdc-0.2/usr/000075500000000000000000000000001127434564700147335ustar00rootroot00000000000000alterator-kdc-0.2/usr/bin/000075500000000000000000000000001127434564700155035ustar00rootroot00000000000000alterator-kdc-0.2/usr/bin/alterator-kdc-dhcp-host-option000075500000000000000000000011051127434564700233570ustar00rootroot00000000000000#!/bin/sh -e

. /etc/sysconfig/system
. /etc/sysconfig/network

# Only the domain master (the KDC host) answers; other roles exit quietly.
[ "$SERVER_ROLE" = "master" ] || exit 0

# Exactly one argument (the client host name) is expected; with anything
# else the hook is a silent no-op rather than an error.
[ "$#" -eq 1 ] || exit 0

. shell-error
. shell-signal
. alterator-kdc-princ-functions

cleanup()
{
  # Remove the scratch directory, if one was ever created.
  if [ -n "$temp" ]; then
    rm -fr -- "$temp"
  fi
}

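# Private scratch directory for the freshly extracted keytab; cleanup()
# removes it on any exit path (set_cleanup_handler is from shell-signal).
temp="$(mktemp -dt "${0##*/}.XXXXXXXX")"
set_cleanup_handler cleanup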

princname()
{
  # NFS service principal for a host: $1 with its last '.'-separated
  # component stripped, then the domain. DOMAINNAME is filled in from
  # dnsdomainname (and kept) when it is unset or empty.
  local short dom
  short=${1%.*}
  dom=${DOMAINNAME:=$(dnsdomainname)}
  printf 'nfs/%s.%s\n' "$short" "$dom"
}

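# Make sure the host's nfs/ principal exists, extract its key into the
# private keytab and emit it as a dhcpd option statement on stdout.
princ=$(princname "$1")
hasprinc "$princ" || addprinc "$princ" > /dev/null
ktadd "$temp/keytab" "$princ" > /dev/null
# The keytab (a long-term service key) is emitted base64-encoded as an
# 'option altlinux.keydata' value; whoever consumes this output decides
# which clients can read it — confirm that dhcpd.conf access is limited.
printf -- 'option altlinux.keydata "%s"; ' "$(base64 -w0 < "$temp/keytab")"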
alterator-kdc-0.2/usr/bin/alterator-kdc-functions000075500000000000000000000101341127434564700221720ustar00rootroot00000000000000#!/bin/sh

. shell-error

# 0 → plain file-backed KDC database, anything else → LDAP backend (kldap);
# see createdb() and fill_krb_ldap_conf().
kdc_uses_ldap=${KDC_USE_LDAP:=1}

kdc_root=/var/lib/kerberos/krb5kdc

krb5_conf=/etc/krb5.conf
kdc_conf="$kdc_root/kdc.conf"
acl_file="$kdc_root/kadm5.acl"
admin_keytab="$kdc_root/kadm5.keytab"

# cn of the LDAP bind identities created for the KDC and for kadmind.
ldap_kdc_cn=kdc
ldap_kadmin_cn=kadmin

# NOTE(review): single DES (des-cbc-crc) and RC4 are weak by today's
# standards, and recent MIT Kerberos releases have removed single-DES
# support. ktadd in alterator-kdc-princ-functions extracts
# des-cbc-crc:normal keys only, so change both places together.
master_key_type=des-cbc-crc
supported_enctypes='rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3'

# Hard requirements; fatal() comes from shell-error and exits.
[ -n "$(type -p pwgen)" ] || fatal "pwgen not found"
[ -n "$(type -p kdb5_util)" ] || fatal "kdb5_util not found"
[ -n "$(type -p kdb5_ldap_util)" ] || fatal "kdb5_ldap_util not found"

#---------------------------------------------------------------
domain()
{
  # DNS domain of this host: DOMAINNAME when set, else dnsdomainname
  # (whose result is then stored in DOMAINNAME).
  local d
  d=${DOMAINNAME:=$(dnsdomainname)}
  printf '%s\n' "$d"
}

realm()
{
  # Kerberos realm: the DNS domain, upper-cased.
  domain | tr '[:lower:]' '[:upper:]'
}

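ldapconf()
{
  # Print the path of the per-domain slapd config after checking that it
  # exists and that its 'suffix' matches suffix(); fatal() (shell-error)
  # aborts the whole script otherwise.
  local conf found
  conf="/etc/openldap/slapd-$(domain).conf"
  [ -f "$conf" ] || fatal "no $conf found"
  found=$(sed -n '/^suffix/ s/^suffix[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' "$conf")
  [ "$found" = "$(suffix)" ] || fatal "unexpected suffix in $conf"
  printf '%s\n' "$conf"
}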

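suffix()
{
  # LDAP base DN derived from the domain: example.org → dc=example,dc=org
  local d
  d=$(domain)
  printf 'dc=%s\n' "$(printf '%s\n' "$d" | sed -e 's/\./,dc=/g')"
}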

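rootdn()
{
  # The rootdn value (without its surrounding quotes) from the slapd config.
  sed -n '/^rootdn/ s/^rootdn[[:blank:]]\+\"\([^[:blank:]\"]\+\).\+$/\1/p' "$(ldapconf)"
}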

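rootpw()
{
  # The rootpw value from the slapd config. As in rootdn(), any run of
  # blanks after the keyword is accepted and whatever follows the value
  # is dropped; the previous single-[[:blank:]] pattern printed nothing
  # for "rootpw<tab><tab>x" and kept trailing text otherwise.
  # This is the directory's root credential (slapd may store it as clear
  # text or as a {SCHEME} hash; only the former is usable for a bind), and
  # callers place it on command lines (-w) visible in the process list.
  sed -n '/^rootpw/ s/^rootpw[[:blank:]]\+\([^[:blank:]]\+\).*$/\1/p' "$(ldapconf)"
}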

#---------------------------------------------------------------
fill_krb_conf()
{
  # krb5.conf body on stdout: realm/domain mapping plus the LDAP backend
  # section (empty for a file-backed KDC, see fill_krb_ldap_conf).
  local realm_name domain_name
  realm_name=$(realm)
  domain_name=$(domain)
  cat << E_O_F
[libdefaults]
default_realm = $realm_name
dns_lookup_realm = true
dns_lookup_kdc = true

[domain_realm]
.$domain_name = $realm_name
$domain_name = $realm_name

$(fill_krb_ldap_conf)
E_O_F
}

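fill_acl_file()
{
  # kadm5.acl body: every */admin principal of the realm gets all rights.
  printf '*/admin@%s *\n' "$(realm)"
}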

fill_krb_ldap_conf()
{
  # kldap backend sections of krb5.conf; prints nothing for a file-backed
  # KDC (kdc_uses_ldap = 0). The bind DNs match what createrole() creates
  # and the password file is the one createrole() stashes into.
  local realm_name domain_name base
  [ "$kdc_uses_ldap" != 0 ] || return 0
  realm_name=$(realm)
  domain_name=$(domain)
  base=$(suffix)
  cat << E_O_F
[dbdefaults]
ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,$base"
[dbmodules]
$domain_name = {
db_library = kldap
ldap_kdc_dn = cn=${ldap_kdc_cn},ou=kdcroot,$base
ldap_kadmind_dn = cn=${ldap_kadmin_cn},ou=kdcroot,$base
ldap_service_password_file = $kdc_root/$domain_name.ldapkey
ldap_servers = ldap://localhost/
ldap_conns_per_server = 5
}
[realms]
$realm_name = {
database_module = $domain_name
}
E_O_F
}

fill_kdc_conf()
{
  # kdc.conf body on stdout, built from the module globals (acl_file,
  # admin_keytab, master_key_type, supported_enctypes) and the realm name.
  local realm_name
  realm_name=$(realm)
  cat << E_O_F
[kdcdefaults]
acl_file = $acl_file
admin_keytab = $admin_keytab

[realms]
$realm_name = {
master_key_type = $master_key_type
supported_enctypes = $supported_enctypes
}
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
E_O_F
}

#---------------------------------------------------------------
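dropdb()
{
  # Remove every regular file under $kdc_root (directories stay): the
  # KDC database plus kdc.conf, kadm5.acl and the <domain>.ldapkey file,
  # all of which kdcinit()/createrole() recreate. Destructive and not
  # reversible.
  find "$kdc_root" -type f -delete
}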

createdb()
{
  # Create the KDC database in the configured backend.
  case "$kdc_uses_ldap" in
    0)
      createbaredb
      ;;
    *)
      # LDAP: the bind identities for kdc and kadmind first, then the realm.
      createrole "$ldap_kdc_cn"
      createrole "$ldap_kadmin_cn"
      createldapdb
      ;;
  esac
}

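createbaredb()
{
  # File-backed database for the realm, with a stash file (-s) and a
  # random master password. -P puts that password on the command line,
  # so it is briefly visible to other local users in the process list;
  # the stash makes it unnecessary afterwards.
  kdb5_util create -r "$(realm)" -s -P "$(pwgen -s1)"
}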

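ldapargs()
{
  # Bind options for ldapadd/kdb5_ldap_util as one whitespace-separated
  # string (callers expand it unquoted on purpose). This carries the
  # directory root password as -w, i.e. on the command line of every
  # consumer, where the process list exposes it.
  printf -- '-D %s -w %s -H ldap://localhost/\n' "$(rootdn)" "$(rootpw)"
}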

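createrole()
{
  # Create the LDAP bind identity cn=$1,ou=kdcroot,<suffix> with a random
  # password and stash that password in $kdc_root/<domain>.ldapkey, the
  # ldap_service_password_file named in fill_krb_ldap_conf().
  local cn="$1"; shift
  local base passwd bindargs
  base=$(suffix)
  passwd=$(pwgen -s1)
  bindargs=$(ldapargs)

  # $bindargs is intentionally unquoted: it is a pre-split option string.
  printf 'dn: cn=%s,ou=kdcroot,%s\ncn: %s\nsn: %s\nobjectclass: top\nobjectclass: person\nuserpassword: %s\n' \
    "$cn" "$base" "$cn" "$cn" "$passwd" | ldapadd -x $bindargs
  # stashsrvpw presumably prompts for the password and a confirmation,
  # hence the value is fed twice on stdin.
  printf '%s\n%s' "$passwd" "$passwd" |
    kdb5_ldap_util $bindargs stashsrvpw -f "$kdc_root/$(domain).ldapkey" "cn=$cn,ou=kdcroot,$base"
}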

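createldapdb()
{
  # Realm database in LDAP under ou=kdcroot,<suffix>, with a stash file
  # and a random master password (-P puts it on the command line; see
  # createbaredb). The empty $kdc_root/principal is presumably there for
  # code that probes for a file-backed database — confirm before removing.
  kdb5_ldap_util $(ldapargs) create -subtrees "ou=kdcroot,$(suffix)" -r "$(realm)" -s -P "$(pwgen -s1)"
  touch "$kdc_root/principal"
}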
#---------------------------------------------------------------
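update_samba()
{
  # Point an installed Samba at the new realm, LDAP suffix and admin DN
  # and hand the LDAP admin password to smbpasswd -w. Does nothing when
  # smb.conf or smbpasswd is absent.
  # $1 optionally overrides the smb.conf path (default /etc/samba/smb.conf).
  local smbconf="${1:-/etc/samba/smb.conf}"
  local smbpasswd
  smbpasswd=$(type -p smbpasswd) || smbpasswd=
  # Two separate tests: with an empty, unquoted $smbpasswd the former
  # '-f $smbconf -a -n $smbpasswd' degenerated to '-a -n' and passed.
  [ -f "$smbconf" ] && [ -n "$smbpasswd" ] || return 0
  # realm()/suffix()/rootdn() are spliced into sed replacements; a value
  # containing '/' or '&' would break these expressions.
  sed -i \
    -e "/^[[:blank:]]*realm/ s/=.\+$/= $(realm)/" \
    -e "/^[[:blank:]]*ldap[[:blank:]]\+suffix/ s/=.\+$/= $(suffix)/" \
    -e "/^[[:blank:]]*ldap[[:blank:]]\+admin[[:blank:]]\+dn/ s/=.\+$/= $(rootdn)/" \
    "$smbconf"
  # The password travels on smbpasswd's command line (process list).
  "$smbpasswd" -w "$(rootpw)"
}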

updateservices()
{
  # Fan-out point for per-service reconfiguration after a KDC rebuild;
  # Samba is the only consumer so far.
  update_samba
  return $?
}

#---------------------------------------------------------------
# Rebuild the KDC from scratch for the current domain()/realm(): drop
# every file under $kdc_root, regenerate kadm5.acl, kdc.conf and
# /etc/krb5.conf, create the database (file or LDAP backend) and then
# update dependent services. All existing principals and keys are gone
# afterwards, so keytabs issued before this point stop working.
kdcinit()
{
dropdb
fill_acl_file > "$acl_file"
fill_kdc_conf > "$kdc_conf"
fill_krb_conf > "$krb5_conf"
createdb
updateservices
}
alterator-kdc-0.2/usr/bin/alterator-kdc-princ-functions000075500000000000000000000021021127434564700232770ustar00rootroot00000000000000#!/bin/sh

. shell-error

# Everything below drives kadmin.local, i.e. needs direct access to the
# KDC database; fatal() comes from shell-error and exits.
[ -n "$(type -p kadmin.local)" ] || fatal "kadmin.local not found"

#---------------------------------------------------------------
getprinc()
{
  # Dump principal $1 via kadmin.local. The name is spliced into the
  # query string, so kadmin's own tokenizer sees it (a name with spaces
  # would be split).
  local princ="$1"
  kadmin.local -q "getprinc $princ"
}

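hasprinc()
{
  # True when principal $1 exists: getprinc prints a "Principal: ..."
  # line for a known principal; its error output is silenced.
  getprinc "$1" 2>/dev/null | grep -q '^Principal'
}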

delprinc()
{
  # Remove principal $1 without kadmin's confirmation prompt (-force).
  local princ="$1"
  kadmin.local -q "delprinc -force $princ"
}

addprinc()
{
  # Create principal $1 with a random key (-randkey) instead of a password.
  local princ="$1"
  kadmin.local -q "addprinc -randkey $princ"
}

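changepw()
{
  # Set principal $1's password to $2. kadmin's cpw asks for the password
  # and a confirmation, so the value is fed twice on stdin rather than
  # placed on the command line. Quoted, so a password containing spaces
  # or glob characters survives (it used to be word-split).
  printf '%s\n%s' "$2" "$2" | kadmin.local -q "cpw $1"
}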

ktadd()
{
  # Append principal $2's key to keytab $1. Only a single-DES key
  # (des-cbc-crc:normal) is extracted, pairing with master_key_type and
  # supported_enctypes in alterator-kdc-functions; single DES is weak and
  # recent MIT Kerberos releases no longer support it, so change the two
  # places together.
  local keytab="$1"
  local princ="$2"
  kadmin.local -q "ktadd -e des-cbc-crc:normal -k $keytab $princ"
}

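genkey()
{
  # (Re)create principal $1 with a random key and append that key to
  # keytab $2. An existing principal is deleted first, so every call
  # issues a new key and invalidates any keytab still holding the old one.
  local princ="$1"
  local keytab="$2"
  shift; shift

  if hasprinc "$princ"; then
    delprinc "$princ"
  fi
  addprinc "$princ"
  ktadd "$keytab" "$princ"
}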

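genkeytab()
{
  # Populate keytab $1 for host $2 with the service principals its name
  # implies: *krb5.keytab gets the host/system services, *squid.keytab
  # the HTTP ones (both spellings), *dovecot.keytab the mail ones. Any
  # other name is a no-op. Each principal is re-keyed (see genkey).
  local keytab="$1"
  local hostname="$2"
  local svc
  shift; shift

  case "$keytab" in
    *krb5.keytab)
      for svc in nfs cifs host imap pop3 smtp; do
        genkey "$svc/$hostname" "$keytab"
      done
      ;;
    *squid.keytab)
      for svc in http HTTP; do
        genkey "$svc/$hostname" "$keytab"
      done
      ;;
    *dovecot.keytab)
      for svc in pop imap smtp; do
        genkey "$svc/$hostname" "$keytab"
      done
      ;;
  esac
}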
alterator-kdc-0.2/usr/lib/000075500000000000000000000000001127434564700155015ustar00rootroot00000000000000alterator-kdc-0.2/usr/lib/alterator/000075500000000000000000000000001127434564700174765ustar00rootroot00000000000000alterator-kdc-0.2/usr/lib/alterator/hooks/000075500000000000000000000000001127434564700206215ustar00rootroot00000000000000alterator-kdc-0.2/usr/lib/alterator/hooks/trust.d/000075500000000000000000000000001127434564700222245ustar00rootroot00000000000000alterator-kdc-0.2/usr/lib/alterator/hooks/trust.d/kdc000075500000000000000000000017311127434564700227150ustar00rootroot00000000000000#!/bin/sh

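. /etc/sysconfig/system

# Only the domain master (the KDC) issues keytabs for trusted hosts.
[ "$SERVER_ROLE" = "master" ] || exit 0

. shell-error
. shell-signal
. alterator-kdc-princ-functions

# Transport wrappers for reaching the trusted host; without both there
# is nothing this hook can do.
SSH=$(type -p trust-ssh)
SCP=$(type -p trust-scp)

# Two tests instead of the obsolescent '-a' form.
[ -n "$SSH" ] && [ -n "$SCP" ] || exit 0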

cleanup()
{
  # Remove the scratch directory, if one was ever created.
  if [ -n "$temp" ]; then
    rm -fr -- "$temp"
  fi
}

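# Private scratch directory for the generated keytabs; cleanup() removes
# it on any exit path (set_cleanup_handler is from shell-signal).
temp="$(mktemp -dt "${0##*/}.XXXXXXXX")"
set_cleanup_handler cleanup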

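addkeytab()
{
  # Generate fresh keytabs for trusted host $1 and push them through the
  # trust-scp/trust-ssh wrappers; per-service keytabs only when the
  # matching config directory exists on the remote side. Every call
  # re-keys the host's principals (see genkey), so earlier copies of
  # these keytabs on that host stop working. A keytab holds long-term
  # keys, hence the explicit owner and mode on the remote files.
  local host="$1"
  shift

  genkeytab "$temp/krb5.keytab" "$host"
  "$SCP" "$temp/krb5.keytab" "$host:/etc/krb5.keytab"

  if "$SSH" "$host" test -d /etc/squid; then
    genkeytab "$temp/squid.keytab" "$host"
    "$SCP" "$temp/squid.keytab" "$host:/etc/squid/squid.keytab"
    "$SSH" "$host" chown squid:squid /etc/squid/squid.keytab
    "$SSH" "$host" chmod 0600 /etc/squid/squid.keytab
  fi

  if "$SSH" "$host" test -d /etc/dovecot; then
    genkeytab "$temp/dovecot.keytab" "$host"
    "$SCP" "$temp/dovecot.keytab" "$host:/etc/dovecot/dovecot.keytab"
    "$SSH" "$host" chown dovecot:dovecot /etc/dovecot/dovecot.keytab
    "$SSH" "$host" chmod 0600 /etc/dovecot/dovecot.keytab
  fi
}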

# Hook entry point: $1 = trusted host, $2 = action. Only "add" is handled;
# anything else is reported via message() (shell-error) and skipped.
if [ "$2" = "add" ]; then
  addkeytab "$1"
else
  message "unknown action $2, skipped"
fi
alterator-kdc-0.2/usr/lib/alterator/hooks/trust.d/smb000075500000000000000000000012571127434564700227400ustar00rootroot00000000000000#!/bin/sh

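. /etc/sysconfig/system

# Only the domain master configures trusted hosts, and only on "add".
[ "$SERVER_ROLE" = "master" ] || exit 0
[ "$2" = "add" ] || exit 0
target="$1"
shift
shift

. alterator-kdc-functions

SSH=$(type -p trust-ssh)
[ -n "$SSH" ] || exit 0

# The script below runs on $target. Unescaped $(...) are expanded HERE,
# so the realm, suffix, admin DN and the LDAP root password are embedded
# literally in what goes over trust-ssh; the password then sits on
# smbpasswd's command line on the remote host. The two tests are kept
# separate because '-f X -a -n ' with an empty \$smbpasswd passes.
cat <<E_O_F | "$SSH" "$target"
smbconf='/etc/samba/smb.conf'
smbpasswd=\$(type -p smbpasswd)
[ -f "\$smbconf" ] && [ -n "\$smbpasswd" ] || exit 0
sed -i \
-e "/^[[:blank:]]*realm/ s/=.\+$/= $(realm)/" \
-e "/^[[:blank:]]*passdb[[:blank:]]\+backend/ s,=.\+$,= ldapsam:ldaps://$(hostname)/," \
-e "/^[[:blank:]]*ldap[[:blank:]]\+suffix/ s/=.\+$/= $(suffix)/" \
-e "/^[[:blank:]]*ldap[[:blank:]]\+admin[[:blank:]]\+dn/ s/=.\+$/= $(rootdn)/" "\$smbconf"
"\$smbpasswd" -w "$(rootpw)"
E_O_F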
 