diff --git a/xCAT-server/lib/xcat/plugins/credentials.pm b/xCAT-server/lib/xcat/plugins/credentials.pm
index 207525fdd..e0dd51e03 100644
--- a/xCAT-server/lib/xcat/plugins/credentials.pm
+++ b/xCAT-server/lib/xcat/plugins/credentials.pm
@@ -150,6 +150,30 @@ sub process_request
 }
 $tfilename = "/etc/xcat/cfgloc";
+ } elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
+ my $princsuffix=$request->{'_xcat_clientfqdn'}->[0];
+ $ENV{KRB5CCNAME}="/tmp/xcat/krb5cc_xcat_$$";
+ system('kinit -S kadmin/admin -k -t /etc/xcat/krb5_pass xcat/admin');
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'delprinc -force host/$princsuffix'");
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'delprinc -force nfs/$princsuffix'");
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'addprinc -randkey host/$princsuffix'");
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'addprinc -randkey nfs/$princsuffix'");
+ unlink "/tmp/xcat/keytab.$$";
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'ktadd -k /tmp/xcat/keytab.$$ nfs/$princsuffix'");
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'ktadd -k /tmp/xcat/keytab.$$ host/$princsuffix'");
+ system("kdestroy -c /tmp/xcat/krb5cc_xcat_$$");
+ unlink("/tmp/xcat/krb5cc_xcat_$$");
+ my $keytab;
+ open($keytab, "/tmp/xcat/keytab.$$");
+ my $tabdata="\n";
+ my $buf;
+ require MIME::Base64;
+ while (read($keytab,$buf,1140)) {
+ $tabdata.=MIME::Base64::encode_base64($buf);
+ }
+ push @{$rsp->{'data'}},{content=>[$tabdata],desc=>[$_]};
+ unlink "/tmp/xcat/keytab.$$";
+ next;
 } else {
 next;
 }
diff --git a/xCAT-server/sbin/xcatd b/xCAT-server/sbin/xcatd
index 93899a229..77ae7cb43 100755
--- a/xCAT-server/sbin/xcatd
+++ b/xCAT-server/sbin/xcatd
@@ -562,6 +562,7 @@ until ($quit) {
 }
 $clientselect->add($connection);
 my $peerhost=undef;
+ my $peerfqdn=undef;
 my $peer=$connection->peer_certificate("owner");
 if ($peer) {
 $peer =~ m/CN=([^\/]*)/;
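Review bot: `$princsuffix` comes from `$request->{'_xcat_clientfqdn'}->[0]`, a name xcatd derives from the client certificate CN or a reverse `gethostbyaddr` lookup, and is interpolated unescaped into the string-form `system("kadmin ... -q 'delprinc -force host/$princsuffix'")` calls, so a name containing a quote or shell metacharacter is handed to `/bin/sh` and to kadmin's query parser instead of being treated as a hostname. The name should be checked against an anchored hostname pattern before use and the `kinit`/`kadmin`/`kdestroy` invocations passed in list form so no shell is involved; the rewrite below does that and hoists the ccache and keytab paths into variables. None of the `system` return values are checked, so a failed `kinit` leaves every later kadmin call failing silently while the response is still built from whatever `/tmp/xcat/keytab.$$` contains, and `open($keytab, "/tmp/xcat/keytab.$$")` is a two-argument, unchecked open. The `#TODO: MUST RELAY TO MASTER` marker and the predictable `/tmp/xcat` paths used for the credential cache and keytab would benefit from a comment stating what ownership and mode `/tmp/xcat` is assumed to have. The enclosing `process_request` loop begins before this hunk.
```perl
} elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
    my $princsuffix = $request->{'_xcat_clientfqdn'}->[0];
    # Refuse anything that is not a plain DNS name before it reaches kadmin.
    unless (defined $princsuffix and $princsuffix =~ m/\A[A-Za-z0-9][A-Za-z0-9.-]*\z/) {
        next;
    }
    my $ccache     = "/tmp/xcat/krb5cc_xcat_$$";
    my $keytabfile = "/tmp/xcat/keytab.$$";
    $ENV{KRB5CCNAME} = $ccache;
    # kinit must succeed or every kadmin call below fails; list form bypasses the shell.
    if (system('kinit', '-S', 'kadmin/admin', '-k', '-t', '/etc/xcat/krb5_pass', 'xcat/admin') != 0) {
        next;
    }
    my @kadmin = ('kadmin', '-p', 'xcat/admin', '-c', $ccache, '-q');
    system(@kadmin, "delprinc -force host/$princsuffix");
    system(@kadmin, "delprinc -force nfs/$princsuffix");
    system(@kadmin, "addprinc -randkey host/$princsuffix");
    system(@kadmin, "addprinc -randkey nfs/$princsuffix");
    unlink $keytabfile;
    system(@kadmin, "ktadd -k $keytabfile nfs/$princsuffix");
    system(@kadmin, "ktadd -k $keytabfile host/$princsuffix");
    system('kdestroy', '-c', $ccache);
    unlink($ccache);
    open(my $keytab, '<', $keytabfile) or next;
    # … unchanged: base64-encode the keytab into $tabdata, push onto $rsp->{'data'}, unlink, next …
```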
@@ -584,13 +585,14 @@ if ($inet6support) {
 unless ($peerhost) {
 $peerhost = gethostbyaddr($connection->peeraddr,AF_INET);
 }
+ $peerfqdn=$peerhost;
 $peerhost =~ s/\.$domain\.*$//;
 $peerhost =~ s/-eth\d*$//;
 $peerhost =~ s/-myri\d*$//;
 $peerhost =~ s/-ib\d*$//;
 #printf('info'.": xcatd: connection from ".($peername ? $peername . "@" . $peerhost : $peerhost)."\n");
 $$progname="xCATd SSL: Instance for ".($peername ? $peername ."@".$peerhost : $peerhost);
- service_connection($connection,$peername,$peerhost);
+ service_connection($connection,$peername,$peerhost,$peerfqdn);
 xexit(0);
 }
 $sslclients++; #THROTTLE
@@ -1166,6 +1168,7 @@ sub service_connection {
 my $sock = shift;
 my $peername = shift;
 my $peerhost = shift;
+ my $peerfqdn = shift;
 my $peerport = $sock->peerport;
 my %tables=();
 #some paranoid measures could reduce a third party abusing stage3 image to attempting to get USER/PASS for BMCs:
@@ -1205,6 +1208,7 @@ sub service_connection {
 if (validate($peername,$peerhost,$req)) {
 $req->{'_xcat_authname'} = [$peername];
 $req->{'_xcat_clienthost'} = [$peerhost];
+ $req->{'_xcat_clientfqdn'} = [$peerfqdn];
 $req->{'_xcat_clientport'}= [$peerport];
 $$progname="xCATd SSL: ".$req->{command}->[0]." for ".($peername ? $peername ."@".$peerhost : $peerhost);
 if ($req->{command}->[0] eq "authcheck") { #provide a method for UI to verify a user without actually requesting action
diff --git a/xCAT/postscripts/getcredentials.awk b/xCAT/postscripts/getcredentials.awk
index 94d868a88..9343897a6 100755
--- a/xCAT/postscripts/getcredentials.awk
+++ b/xCAT/postscripts/getcredentials.awk
@@ -7,7 +7,8 @@ BEGIN {
 print "" |& server
 print " getcredentials" |& server
 print " 300" |& server
- print " "ARGV[1]"" |& server
+ for (i=1; i"ARGV[i]"" |& server
 print "" |& server
 while (server |& getline) {
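Review bot: `$peerfqdn=$peerhost;` captures the name before the domain and interface-suffix stripping, but at that point `$peerhost` is either the certificate CN matched above this hunk or the result of `gethostbyaddr`, and it is undef when neither produced a name, so `$peerfqdn` — and the `_xcat_clientfqdn` request field set in the later hunk at line 1208 — can be undef or a reverse-DNS name that, unlike the CN, nothing in the TLS handshake vouches for. Plugins that build identifiers from this field need to know both facts; a comment at the assignment would make them explicit, e.g. `# unstripped CN or reverse-DNS name; undef if unresolved, and only as trusted as validate() makes it`. The `if ($inet6support)` block holding this code starts before the hunk.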
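Review bot: The added line reads `for (i=1; i"ARGV[i]"" |& server` in this rendering, which is not valid awk; the loop bound and the opening of the print string (presumably `i<ARGC; i++) print "   <arg>"`) appear to have been lost with the markup, so the reviewed text cannot confirm the upper bound or whether the body is a separate line. Whatever the bound is, every `ARGV[i]` is written into the XML request verbatim, exactly as the removed `ARGV[1]` line did, so an operand containing `<` or `&` yields a malformed request; if the credential names passed here are always simple tokens, a one-line comment saying so would close the question. The `BEGIN` block opens before the hunk.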