2010-08-24 15:37:18 +00:00

39 lines
1.8 KiB
Plaintext

#step 1, determine the realm and such
DNSDOMAIN=`dnsdomainname`
UPDNSDOMAIN=`echo $DNSDOMAIN|tr a-z A-Z`
LDAPBASEDN=dc=`echo $DNSDOMAIN|sed -e 's/\./,dc=/'`
HOSTPRINC=`hostname`
#generate a random 32 character password
MYPASS=$(tr -dc A-Za-z0-9 </dev/urandom|head -c 32)
if [ "$OSVER" = "rhels6" ]; then
#enable kerberos
authconfig --update --krb5realm=$UPDNSDOMAIN --enablekrb5kdcdns --enablekrb5
#change password
(echo $TEMPHOSTPASS;echo $MYPASS;echo $MYPASS)|kpasswd $HOSTPRINC
(echo $MYPASS)|kinit $HOSTPRINC
#KVNO=`kvno $HOSTPRINC|awk '{print $NF}'`
#(echo add_entry -password -p $HOSTPRINC -k $KVNO -e des;echo $MYPASS;echo wkt /etc/host.keytab)|ktutil
OLDUMASK=`umask`
umask 0077
echo $MYPASS > /etc/krb5.hostpass
umask $OLDUMASK
#ok, time for ldap
LDAPSRV=`host -t SRV _ldap._tcp.$DNSDOMAIN|awk '{print $NF}'`
#sed -ie 's/#uri ldap:\/\/127.0.0.1/uri ldap:\/\/$LDAPSRV\//' /etc/nslcd.conf
#sed -ie 's/# base dc.*/base $LDAPBASEDN/' /etc/nslcd.conf
echo use_sasl on >> /etc/nslcd.conf
echo sasl_mech GSSAPI >> /etc/nslcd.conf
echo sasl_secprops maxssf=0 >> /etc/nslcd.conf
echo krb5_ccname /var/run/ldap_krb5cc >> /etc/nslcd.conf
sed -i '/# Mappings for Active Directory/,/^[^#]/ s/^#\([^ ]\)/\1/' /etc/nslcd.conf
authconfig --update --enableldap --ldapserver=$LDAPSRV --ldapbasedn=$LDAPBASEDN
echo 'kinit '$HOSTPRINC'-c /var/run/ldap_krb5cc < /etc/krb5.hostpass >& /dev/null;chown nslcd /var/run/ldap_krb5cc' >> /etc/rc.local
echo 'kinit '$HOSTPRINC'-c /var/run/ldap_krb5cc < /etc/krb5.hostpass >& /dev/null;chown nslcd /var/run/ldap_krb5cc' >> /etc/cron.hourly/nslcdkrb.cron
chmod +x /etc/cron.hourly/nslcdkrb.cron
fi
#TODO: SLES/maybe RHEL5. Uncomfortable with libnss_ldap without root_krb5_ccname, ldap needs diff credentials per user
# or else the host private key must be wide open...