author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2022-01-04 09:14:07 +0100 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2022-02-08 10:03:59 +0100 |
commit | 01de0e5645039065c9f29b62c2973452ca59e565 (patch) | |
tree | b6484cf132676e77c2452f05282f8fde5f33d6b6 | |
parent | 75672c80d3b1f2bc8a45d960d61d9496c5bfae20 (diff) | |
download | itzks-systems-01de0e5645039065c9f29b62c2973452ca59e565.tar.gz itzks-systems-01de0e5645039065c9f29b62c2973452ca59e565.tar.bz2 itzks-systems-01de0e5645039065c9f29b62c2973452ca59e565.zip |
mainserver: Provide gosa-*-host hook script extension that collects Krb5 host keytabs of diskless workstation hosts in a separate folder and makes those (theoretically, if used) available to diskless workstations via SSH as unprivileged user.
4 files changed, 125 insertions, 0 deletions
diff --git a/debian/itzks-systems-mainserver.install b/debian/itzks-systems-mainserver.install
index 013baf6..d578f45 100644
--- a/debian/itzks-systems-mainserver.install
+++ b/debian/itzks-systems-mainserver.install
@@ -8,3 +8,4 @@ sbin/itzks-reset-userprofile usr/sbin/
 usr-lib-nagios-plugins/check_puppetmaster* usr/lib/nagios/plugins/
 usr-lib-nagios-plugins/check_squid usr/lib/nagios/plugins/
 share/debian-edu-config/tools/gosa-*-itzks usr/share/debian-edu-config/tools/
+share/debian-edu-config/tools/update-dlw-krb5-keytabs-itzks usr/share/debian-edu-config/tools/
diff --git a/share/debian-edu-config/tools/gosa-create-host-itzks b/share/debian-edu-config/tools/gosa-create-host-itzks
index ae484b0..0ad0d51 100755
--- a/share/debian-edu-config/tools/gosa-create-host-itzks
+++ b/share/debian-edu-config/tools/gosa-create-host-itzks
@@ -7,6 +7,16 @@ HOST="${1}"
 # call Debian Edu's gosa-create-host
 /usr/share/debian-edu-config/tools/gosa-create-host ${@}
+# During creation of a host, we should ideally call update-dlw-krb5-keytabs-itzks
+# here already. However, it is not possible to add a NIS netgroup tab to a
+# GOsa² system before the system object (and the additional DNS bits) has/have
+# been created. So, calling the update-dlw-krb5-keytabs-itzks script
+# makes no sense here...
+
+# FIXME: And: it would be really helpful to have POST-action hooks available for
+# NIS netgroups... In case people don't edit hosts individually, but prefer
+# mass-adding hosts to the diskless-workstation-hosts NIS netgroup.
+
 # ITZkS: assure that host keytabs are readable by puppet
 chown :puppet /etc/debian-edu/host-keytabs/*.keytab
 chmod 0640 /etc/debian-edu/host-keytabs/*.keytab
diff --git a/share/debian-edu-config/tools/gosa-modify-host-itzks b/share/debian-edu-config/tools/gosa-modify-host-itzks
index 9d053e6..a79000b 100755
--- a/share/debian-edu-config/tools/gosa-modify-host-itzks
+++ b/share/debian-edu-config/tools/gosa-modify-host-itzks
@@ -14,6 +14,11 @@ if ! LANG=C kadmin.local -q "get_principal host/$HOST.intern" 2>/dev/null | gre
 fi
+# call DLW keytabs' update script (delay execution for 10s because GOsa² needs
+# to write the NIS netgroup information first (this hook gets called between
+# saving the host object to LDAP, but before updating the NIS netgroup settings).
+( sleep 10; /usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs-itzks ${@} ) &
+
 # ITZkS: assure that host keytabs are readable by puppet
 chown :puppet /etc/debian-edu/host-keytabs/*.keytab
 chmod 0640 /etc/debian-edu/host-keytabs/*.keytab
diff --git a/share/debian-edu-config/tools/update-dlw-krb5-keytabs-itzks b/share/debian-edu-config/tools/update-dlw-krb5-keytabs-itzks
new file mode 100755
index 0000000..f13e99f
--- /dev/null
+++ b/share/debian-edu-config/tools/update-dlw-krb5-keytabs-itzks
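Review bot: `${@}` in the backgrounded call is unquoted, so a host name argument containing whitespace or glob characters is split or expanded before it reaches the update script; `( sleep 10; /usr/share/debian-edu-config/tools/update-dlw-krb5-keytabs-itzks "$@" ) &` passes the hook's arguments through unchanged. The fixed 10s delay encodes an assumption about GOsa²'s write ordering that the hook cannot verify, and because the subshell is detached its exit status is never observed by the hook, so a failed or late keytab update surfaces only in the update script's own logger output — worth stating in the comment above the call. The `fi` at the top of the hunk closes an `if` that starts outside it.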
@@ -0,0 +1,109 @@
+#!/bin/bash
+
+set -e
+
+# clear caching daemon's NIS netgroup cache
+nscd -i netgroup
+
+DOMAIN="intern"
+DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"
+DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+
+DLW_HOSTS=""
+
+SPECIAL_USER="debian-edu"
+
+# obtain DLW_HOSTS from NIS Netgroup or from the command line
+if [ -z "$1" ]; then
+ DLW_HOSTS="${DLW_HOSTS_NETGROUP}"
+else
+ while [ -n "${1}" ]; do
+ if echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}"; then
+ DLW_HOSTS="${DLW_HOSTS} ${1}"
+ shift
+ else
+ echo "WARNING: Host ${1} not a diskless workstation"
+ logger -t update-dlw-krb5-keytabs -p warning "Host '${1}' is not a diskless workstation."
+ fi
+ shift
+ done
+fi
+
+mkdir -p "${DLW_KRB5_KEYTABS_DIR}"
+chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTABS_DIR}"
+chmod 0710 "${DLW_KRB5_KEYTABS_DIR}"
+
+for dlw_host in ${DLW_HOSTS}; do
+
+ DLW_KRB5_KEYTAB="${DLW_KRB5_KEYTABS_DIR}/${dlw_host}.keytab"
+
+ host_found="false"
+ ldap_cn=$(echo ${dlw_host} | cut -d"." -f1)
+
+ ldap_host=""
+
+ while read KEY VALUE; do
+ case "$KEY" in
+ dn:)
+ ldap_host=""
+ ;;
+ cn:)
+ ldap_host="$VALUE"
+ if [ "${ldap_host}.${DOMAIN}" = "${dlw_host}" ]; then
+ host_found="true"
+ else
+ continue
+ fi
+
+ if LANG=C kadmin.local -q "get_principal host/${dlw_host}" 2>/dev/null | grep -q "^Principal: host/${dlw_host}@.*" &&
+ LANG=C kadmin.local -q "get_principal nfs/${dlw_host}" 2>/dev/null | grep -q "^Principal: nfs/${dlw_host}@.*" ; then
+
+
+ kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new host/${dlw_host}"
+ kadmin.local -q "ktadd -k ${DLW_KRB5_KEYTAB}.new nfs/${dlw_host}"
+
+ chown "root:${SPECIAL_USER}" "${DLW_KRB5_KEYTAB}.new"
+ chmod 0640 "${DLW_KRB5_KEYTAB}.new"
+ mv -v "${DLW_KRB5_KEYTAB}.new" "${DLW_KRB5_KEYTAB}"
+ cp -av "${DLW_KRB5_KEYTAB}" "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ else
+ echo "WARNING: Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+ logger -t update-dlw-krb5-keytabs -p warning "Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
+ fi
+ break
+ ;;
+ *)
+ ;;
+ esac
+ done <<< `ldapsearch -xLLL "(&(cn=$ldap_cn)(|(objectClass=GOHard)(objectClass=ipHost)))" cn 2>/dev/null | perl -p00e 's/\r?\n //g'`
+
+ if [ "$host_found" != "true" ]; then
+
+ # if we land here,three things might have happened:
+ #
+ # 1. this script is called from gosa-remove-host (and we need to clean up the keytab file)
+ # 2. this script has been called with a wrong hostname (one that does not exist in LDAP)
+ # 3. this script has found a DLW entry in NIS netgroup 'diskless-workstation-hosts' that
+ # does not exist in LDAP (any more). Manual tidying up required in that case.
+
+ if [ -f "${DLW_KRB5_KEYTAB}" ]; then
+ logger -t update-dlw-krb5-keytabs -p info "Cleaning up DLW keytab file of host '${dlw_host}'."
+ rm -v "${DLW_KRB5_KEYTAB}"
+ rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ elif [ -f "${DLW_KRB5_KEYTAB/.${DOMAIN}/}" ]; then
+ logger -t update-dlw-krb5-keytabs -p info "Cleaning up leftover DLW keytab file of host '${dlw_host}' (without domain part)."
+ rm -v "${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
+ else
+
+ echo "WARNING: Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+ logger -t update-dlw-krb5-keytabs -p warning "Hostname '${dlw_host}' listed in NIS netgorup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
+
+ fi
+
+ fi
+
+done
+
+logger -t update-dlw-krb5-keytabs -p notice "Diskless workstation Krb5 keytab files updated."
+
+exit 0 |
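Review bot: The argument loop shifts twice for a matching host — once inside the `if` branch and again after `fi` — so with two host arguments the second is skipped, and with a single argument the second `shift` runs on an empty parameter list, fails, and `set -e` aborts the script before `mkdir` is reached; dropping the `shift` inside the `if` branch fixes both. The membership test `echo ${DLW_HOSTS_NETGROUP} | grep -q "${1}"` is an unanchored regex substring match, so `ws1.intern` is accepted when only `ws10.intern` is in the netgroup, and it is the argument as given, not the matching netgroup entry, that is appended to DLW_HOSTS and later interpolated unquoted into the ldapsearch filter and the kadmin.local command strings; `if grep -qxF -- "${1}" <<<"${DLW_HOSTS_NETGROUP}"; then` makes the check an exact whole-line match. The `ktadd` calls randomize the host/ and nfs/ keys on every run, and gosa-modify-host-itzks on this page triggers the script on every host modification, so each run presumably also invalidates the keytab under /etc/debian-edu/host-keytabs that the hooks manage — if rotation on every run is not intended, `ktadd -norandkey` (supported by kadmin.local) keeps both keytabs consistent. Under `set -e` the assignment `DLW_HOSTS_NETGROUP=$(netgroup … | grep -E …)` also aborts the script whenever the netgroup has no `.intern` members, which a comment should state if that is the intended behaviour.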