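#! /usr/bin/ksh
#
# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
#
# SMF method script for system/kerberos/install.  It handles the parts of
# Kerberos client configuration that SMF stencils cannot generate on their
# own: the domain-to-realm mapping, the opt-in to the stencil-generated
# krb5.conf, and a one-shot auto-registration of this host with a KDC.
#
# Secret material this script touches:
#   autoreg/key  - base64-encoded keytab of the admin principal named in
#                  autoreg/princ.  It is consumed once; the whole 'autoreg'
#                  property group is deleted after the join attempt so the
#                  credential does not linger in the SMF repository.
#   keytab/key   - base64 copy of /etc/krb5/krb5.keytab kept in SMF so the
#                  keytab can be restored if the file is lost.
# Whether unprivileged svcprop(1) can read these properties depends on the
# read_authorization settings in the service manifest, which is outside
# this script; verify it there.  Temporary plaintext copies are created
# with mktemp under $SMF_SYSVOL_FS (tmpfs) and removed on every exit path.
#

. /lib/svc/share/smf_include.sh

KADMIN=/usr/sbin/kadmin
KCLIENT=/usr/sbin/kclient
KLOOKUP=/usr/lib/krb5/klookup
KT2PROF=/usr/lib/krb5/kt2prof
MKTEMP=/usr/bin/mktemp
SVCADM=/usr/sbin/svcadm
SVCCFG=/usr/sbin/svccfg
SVCPROP=/usr/bin/svcprop

KRB5_CONF=/etc/krb5/krb5.conf
KRB5_KEYTAB=/etc/krb5/krb5.keytab

# Print an error message on stderr.
function err_msg {
	print -u2 -- "ERROR: $*"
}

#
# Debug tracing is enabled by setting 'install/debug' to 'true' in the
# configuration profile:
#
# ...
# <service version="1" type="service" name="system/kerberos/install">
#   <instance enabled="true" name="default">
#     <property_group type="application" name="install">
#       <propval type="boolean" name="debug" value="true"/>
# ...
#
# Always returns 0, so a trailing 'debug ...; return' in a caller does not
# report failure merely because tracing is switched off.
#
function debug {
	if [[ "$debug_on" == 'true' ]]; then
		print -u2 -- "DEBUG: $*"
	fi
	return 0
}

#
# get_prop <pg/prop>
# Print the value(s) of a property of this service instance on stdout.
# Returns svcprop's exit status, so a missing property is a non-zero,
# output-less failure rather than an empty "success".
#
function get_prop {
	typeset value

	value=$($SVCPROP -p "$1" "$SMF_FMRI" 2>/dev/null) || return $?
	# Deliberately unquoted: multi-valued properties come back space
	# separated and callers iterate over the individual words.
	print -- $value
}

#
# add_prop_value <pg/prop> <value>
# Append <value> to an astring property unless it is already present.
#
function add_prop_value {
	typeset pg_prop=$1 value=$2
	typeset existing word

	existing=$(get_prop "$pg_prop")
	for word in $existing; do
		if [[ "$word" == "$value" ]]; then
			debug "Ignoring duplicate $value for $pg_prop = $existing"
			return 0
		fi
	done

	debug "Adding $pg_prop <- $value"
	if ! $SVCCFG -s "$SMF_FMRI" addpropvalue "$pg_prop" astring: "$value"; then
		err_msg "$0: Adding value $value to property $pg_prop failed."
	fi
}

#
# get_fqhn
# Print this host's fully qualified name as resolved by klookup.
#
# Retries after a time-out to work around a dns/client ordering problem:
# although this service depends on dns/client, SMF sometimes runs the
# start method before DNS is fully functional.
# Returns 1 (after an error message) when every attempt fails.
#
function get_fqhn {
	typeset fqhn delay

	for delay in 1 5 give_up; do
		if fqhn=$($KLOOKUP); then
			print -- "$fqhn"
			return 0
		fi
		if [[ "$delay" == 'give_up' ]]; then
			err_msg "$0: no DNS record for current host"
			return 1
		fi
		print -u2 -- "$0: WARNING: DNS lookup failed, retry in $delay s"
		sleep "$delay"
	done
}

#
# host_and_domain
# Print "<short hostname> <domain>" for the name this host registers under.
# A configured cluster logical hostname (autoreg/lhn) takes precedence:
# if it is fully qualified it is split as is, otherwise its domain is taken
# from the DNS canonical name.  Without autoreg/lhn the DNS canonical name
# is split.  Prints nothing (returns 1) when DNS lookup fails.
#
function host_and_domain {
	typeset lhn fqhn

	lhn=$(get_prop autoreg/lhn)
	if [[ -n "$lhn" && "$lhn" == *.* ]]; then
		print -- "${lhn%%.*} ${lhn#*.}"
		return 0
	fi

	fqhn=$(get_fqhn) || return 1
	if [[ -n "$lhn" ]]; then
		print -- "$lhn ${fqhn#*.}"
	else
		print -- "${fqhn%%.*} ${fqhn#*.}"
	fi
}

#
# update_domain_realm_mapping
# Add this host's FQDN and its domain to default_realm/domains so that the
# stencil writes an explicit [domain_realm] mapping.  Skipped once
# install/domain_realm_map_complete is set, and when there is no default
# realm or DNS-based realm lookup is enabled.
# Returns 0 on success or skip, 1 if the hostname cannot be determined.
#
function update_domain_realm_mapping {
	typeset done default_realm dns_lookup_realm dns_fallback
	typeset client hostname domain parent

	done=$(get_prop install/domain_realm_map_complete)
	if [[ $? -eq 0 && "$done" == 'true' ]]; then
		debug "Domain-realm mapping already processed."
		return 0
	fi

	# Nothing to do when unconfigured or when DNS supplies the mapping.
	default_realm=$(get_prop default_realm)
	dns_lookup_realm=$(get_prop libdefaults/dns_lookup_realm)
	dns_fallback=$(get_prop libdefaults/dns_fallback)
	if [[ -z "$default_realm" || "$dns_lookup_realm" == 'true' \
	    || "$dns_fallback" == 'true' ]]; then
		debug "Not updating domain-realm mapping."
		$SVCCFG -s "$SMF_FMRI" setprop \
		    install/domain_realm_map_complete= boolean: true
		return 0
	fi

	client=$(host_and_domain)
	hostname=${client%% *}
	domain=${client#* }
	if [[ -z "$hostname" || -z "$domain" ]]; then
		return 1
	fi

	add_prop_value default_realm/domains "$hostname.$domain"

	# Map the parent domain when the host sits in a subdomain
	# (sub.example.com -> .example.com), but never collapse to a TLD.
	parent=${domain#*.}
	if [[ "$parent" == *.* ]]; then
		domain=$parent
	fi
	add_prop_value default_realm/domains ".$domain"

	$SVCCFG -s "$SMF_FMRI" setprop \
	    install/domain_realm_map_complete= boolean: true
	$SVCCFG -s "$SMF_FMRI" refresh
	return 0
}

#
# initial_config
# One-time configuration of the service.  Returns 0 to let the caller
# continue, or exits the method itself ($SMF_EXIT_OK or an error code)
# when the work it did requires a refresh before anything else can run.
#
function initial_config {
	typeset completed key admin kdctype realm rtrn

	completed=$(get_prop install/config_complete)
	if [[ $? -ne 0 ]]; then
		print -u2 -- "Service $SMF_FMRI not configured, exiting."
		exit $SMF_EXIT_OK
	fi
	if [[ "$completed" == 'true' ]]; then
		debug "Skipping initial config steps"
		return 0
	fi

	#
	# Auto-registration to a Microsoft AD domain.
	# The undocumented '-S' switch tells kclient not to prompt for the
	# admin password but to obtain credentials from the temporary keytab
	# stored in autoreg/key.  In this mode kclient never re-creates
	# pre-existing computer accounts, it only sets a new password.
	#
	key=$(get_prop autoreg/key)
	admin=$(get_prop autoreg/princ)
	kdctype=$(get_prop autoreg/kdctype)
	realm=$(get_prop libdefaults/default_realm)
	if [[ -n "$key" && -n "$admin" && "$kdctype" == 'ms_ad' ]]; then
		# Absolute path like every other tool here; the method must
		# not depend on PATH to find the binary that gets the secret.
		if $KCLIENT -S -T ms_ad -R "$realm" -a "$admin"; then
			rtrn=$SMF_EXIT_OK
		else
			err_msg "Auto-registering to AD domain failed in an"\
			    " unrecoverable manner. You can retry AD join"\
			    " manually by running:"\
			    " 'kclient -T ms_ad -R $realm -a $admin'"
			rtrn=$SMF_EXIT_ERR_FATAL
		fi
		# The admin keytab is single-use: drop the whole property
		# group whether or not the join succeeded.
		debug "Destroying auxiliary admin keytab."
		$SVCCFG -s "$SMF_FMRI" delpg autoreg
		$SVCCFG -s "$SMF_FMRI" delprop install/config_complete
		$SVCCFG -s "$SMF_FMRI" refresh
		exit $rtrn
	fi

	# Opt in to the stencil-generated configuration file.
	if ! $SVCCFG -s "$SMF_FMRI" setprop krb5_conf/disabled= boolean: false; then
		err_msg "$0: setprop failed"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Do not re-run initial setup.
	if ! $SVCCFG -s "$SMF_FMRI" setprop install/config_complete= boolean: true; then
		err_msg "$0: setprop failed"
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Refresh and exit so that svcio can create krb5.conf; the remaining
	# steps run from the refresh method.
	$SVCADM refresh "$SMF_FMRI"
	exit $SMF_EXIT_OK
}

#
# join_kdc <admin_princ> <base64_keytab>
# Register this host's service principals with a Solaris KDC, using the
# admin keytab stored in autoreg/key, and populate $KRB5_KEYTAB.
# <base64_keytab> is accepted for interface compatibility but not used:
# kt2prof decodes the key straight from the SMF property.
# Returns 0 when at least the host/ principal's keys were written.
#
function join_kdc {
	typeset admin_princ=$1
	typeset services fqdns CONSEQ
	typeset tmp_keytab client hostname domain princs out
	typeset svc fqdn princ

	services=$(get_prop autoreg/services)
	fqdns=$(get_prop autoreg/fqdns)
	CONSEQ="Auto-registering to KDC failed in an unrecoverable manner."
	CONSEQ="$CONSEQ You can obtain keys for service principals for this host"
	CONSEQ="$CONSEQ manually by running kclient(8) or kadmin(8)."

	# Reconstruct the admin keytab in a private mktemp file on tmpfs.
	# ksh93 runs an EXIT trap set inside a 'function' body when the
	# function returns, so the plaintext copy is removed even if kadmin
	# is interrupted; the explicit rm -f calls below remain as well.
	tmp_keytab=$($MKTEMP "$SMF_SYSVOL_FS/tmpXXXX.keytab")
	if [[ -z "$tmp_keytab" ]]; then
		err_msg "$0: Cannot create temporary file for keytab. $CONSEQ"
		return 1
	fi
	trap 'rm -f "$tmp_keytab"' EXIT

	if ! $KT2PROF -d -p 'autoreg/key' -k "$tmp_keytab"; then
		err_msg "$0: Cannot reconstruct admin keytab. $CONSEQ"
		rm -f "$tmp_keytab"
		return 1
	fi
	debug "Temporary keytab $tmp_keytab"

	# Principal names: <svc>/<fqdn> for each requested service, plus one
	# per additional FQDN listed in autoreg/fqdns.
	client=$(host_and_domain)
	hostname=${client%% *}
	domain=${client#* }
	if [[ -z "$hostname" || -z "$domain" ]]; then
		err_msg "$0: Hostname canonicalization failed. $CONSEQ"
		rm -f "$tmp_keytab"
		return 1
	fi

	princs=""
	for svc in $services; do
		princs="$princs $svc/$hostname.$domain"
		for fqdn in $fqdns; do
			princs="$princs $svc/$hostname.${fqdn#.}"
		done
	done
	debug "Hostname: $hostname, domain: $domain, princs: $princs"

	for princ in $princs; do
		# Extract keys for an existing principal first; create it
		# (with a random key) only when the KDC says it is missing.
		out=$($KADMIN -p "$admin_princ" -kt "$tmp_keytab" \
		    -q "ktadd $princ" 2>&1)
		if [[ "$out" == *'does not exist'* ]]; then
			debug "Principal $princ does not exist, creating."
			# addprinc's status is not checked on its own: the
			# repeated ktadd below shows whether it worked.
			$KADMIN -p "$admin_princ" -kt "$tmp_keytab" \
			    -q "addprinc -randkey $princ"
			out=$($KADMIN -p "$admin_princ" -kt "$tmp_keytab" \
			    -q "ktadd $princ" 2>&1)
		fi
		if [[ "$out" == *'added to keytab'* ]]; then
			debug "Principal $princ added to keytab"
		else
			err_msg "Failed to add keys for $princ: $out"
		fi
	done
	rm -f "$tmp_keytab"

	# Success means keys for the host/ principal are in the keytab.
	if /usr/bin/klist -k "$KRB5_KEYTAB" | fgrep "host/$hostname" \
	    >/dev/null 2>&1; then
		# Drop settings that were presumably only needed while no
		# keytab existed; their stencil defaults apply afterwards.
		$SVCCFG -s "$SMF_FMRI" delprop libdefaults/verify_ap_req_nofail
		$SVCCFG -s "$SMF_FMRI" delprop appdefaults-kinit/no_addresses
		return 0
	fi
	err_msg "$0: Keytab provisioning failed. $CONSEQ"
	return 1
}

#
# backup_keytab
# Store a base64 copy of $KRB5_KEYTAB in SMF (keytab/key) by generating a
# temporary profile with kt2prof and applying it with svccfg.
# Returns svccfg's status, or 1 when the profile cannot be produced.
#
function backup_keytab {
	typeset tmp_profile rtrn

	tmp_profile=$($MKTEMP "$SMF_SYSVOL_FS/scXXXX.xml")
	if [[ -z "$tmp_profile" ]]; then
		err_msg "$0: Cannot create temporary file for keytab backup."
		return 1
	fi
	# The profile carries the whole keytab (base64); make sure it goes
	# away even if svccfg is interrupted.
	trap 'rm -f "$tmp_profile"' EXIT

	if ! $KT2PROF -k "$KRB5_KEYTAB" -p keytab/key -x "$tmp_profile"; then
		err_msg "Creating keytab backup in SMF failed."
		rm -f "$tmp_profile"
		return 1
	fi

	$SVCCFG apply "$tmp_profile"
	rtrn=$?
	rm -f "$tmp_profile"
	return $rtrn
}

#
# setup_keytab
# Provision $KRB5_KEYTAB: leave an existing file alone, otherwise restore
# the copy kept in keytab/key, otherwise auto-register with a Solaris KDC
# using autoreg/*.  The autoreg property group (admin credential) is
# deleted after a join attempt regardless of its outcome.
#
function setup_keytab {
	typeset key admin kdctype

	if [[ -f "$KRB5_KEYTAB" ]]; then
		debug "$0: $KRB5_KEYTAB already present, skipping."
		return 0
	fi

	if get_prop keytab/key >/dev/null 2>&1; then
		if $KT2PROF -d -k "$KRB5_KEYTAB" -p keytab/key; then
			debug "Keytab restored from SMF property."
			$SVCCFG -s "$SMF_FMRI" delprop libdefaults/verify_ap_req_nofail
			$SVCCFG -s "$SMF_FMRI" delprop appdefaults-kinit/no_addresses
			return 0
		fi
		err_msg "Failed to restore pre-generated keytab."
	fi

	key=$(get_prop autoreg/key)
	admin=$(get_prop autoreg/princ)
	kdctype=$(get_prop autoreg/kdctype)
	if [[ -n "$key" && -n "$admin" && "$kdctype" == 'solaris' ]]; then
		if join_kdc "$admin" "$key"; then
			backup_keytab
		fi
		debug "Destroying auxiliary admin keytab."
		$SVCCFG -s "$SMF_FMRI" delpg autoreg
		$SVCCFG -s "$SMF_FMRI" refresh
	fi
}

# main
debug_on=$(get_prop 'install/debug')

case "$1" in
'start')
	# The start method updates properties and refreshes itself so that
	# svcio can re-create the complete krb5.conf.  Auto-registration
	# with a Solaris KDC only takes place in the refresh method.
	debug "kerberos-install: start method"
	initial_config
	update_domain_realm_mapping
	exit $SMF_EXIT_OK
	;;
'stop')
	debug "kerberos-install: stop method"
	exit $SMF_EXIT_OK
	;;
'refresh')
	debug "kerberos-install: refresh method"
	initial_config
	update_domain_realm_mapping
	setup_keytab
	exit $SMF_EXIT_OK
	;;
*)
	# Lists exactly the methods implemented above.
	print -- "Usage: $0 {start | stop | refresh}"
	exit $SMF_EXIT_ERR_OTHER
	;;
esac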