#!/bin/bash

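set -e

# Flush the caching daemon's netgroup cache so the membership read below is
# current rather than a cached copy. Under set -e a missing or stopped nscd
# aborts the whole run at this point (unchanged from before); keep that in
# mind when diagnosing a run that produced no output at all.
nscd -i netgroup

DOMAIN="intern"
DLW_KRB5_KEYTABS_DIR="/var/lib/debian-edu/dlw-keytabs"

# Read the NIS netgroup of diskless workstations. A *failed* lookup (netgroup
# tool error, NIS/LDAP unreachable) is reported and fatal, as it was before,
# but an *empty* netgroup is a legitimate state: it must yield an empty host
# list instead of killing the script through grep's non-zero status under
# set -e, which is what the previous one-liner did silently.
if ! dlw_netgroup_raw=$(netgroup diskless-workstation-hosts); then
	echo "ERROR: Cannot read NIS netgroup 'diskless-workstation-hosts'." >&2
	logger -t update-dlw-krb5-keytabs -p err "Cannot read NIS netgroup 'diskless-workstation-hosts'."
	exit 1
fi
# Keep only fully-qualified members of our domain (one per line).
DLW_HOSTS_NETGROUP=$(grep -E "\.${DOMAIN}\$" <<< "${dlw_netgroup_raw}" || true)

DLW_HOSTS=""

# Group that is allowed to traverse the keytab directory and read keytabs.
SPECIAL_USER="debian-edu"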

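# Select the hosts to process. With no arguments every member of the NIS
# netgroup is used; otherwise each argument (a short hostname, e.g. as passed
# by gosa-remove-host) is accepted only if "<name>.${DOMAIN}" is a netgroup
# member. The membership test is an exact whole-entry comparison: the name
# later lands inside an LDAP filter and a kadmin command line, and the former
# unanchored regex match let "ws1" pass for "ws10.intern" and "." for any
# entry at all.
#
# Arguments: short hostnames (optional)
# Globals:   DOMAIN, DLW_HOSTS_NETGROUP (read); DLW_HOSTS (written)
# Outputs:   a warning on stderr and to syslog for every rejected name
select_dlw_hosts() {
	local selected="" host

	if [ -z "${1-}" ]; then
		selected="${DLW_HOSTS_NETGROUP}"
	else
		while [ -n "${1-}" ]; do
			host="$1"
			# Normalise to one entry per line, then fixed-string whole-line match.
			if tr -s '[:space:]' '\n' <<< "${DLW_HOSTS_NETGROUP}" | grep -qxF -- "${host}.${DOMAIN}"; then
				selected="${selected} ${host}.${DOMAIN}"
			else
				echo "WARNING: Host ${host} not a diskless workstation" >&2
				logger -t update-dlw-krb5-keytabs -p warning "Host '${host}' is not a diskless workstation."
			fi
			shift
		done
	fi

	DLW_HOSTS="${selected}"
}

select_dlw_hosts "$@"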

# Keytab drop directory: owned by root, traversable (0710) by the
# "${SPECIAL_USER}" group so it can open individual keytab files without
# being able to list the directory.
keytab_dir="${DLW_KRB5_KEYTABS_DIR}"
[ -d "${keytab_dir}" ] || mkdir -p -- "${keytab_dir}"
chown -- "root:${SPECIAL_USER}" "${keytab_dir}"
chmod -- 0710 "${keytab_dir}"

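# Per-host work: refresh the keytab of every selected diskless workstation
# that still exists in LDAP and has both Kerberos principals, and remove the
# keytab of hosts that are gone. Safety rules applied below:
#  - an LDAP lookup *failure* (as opposed to "no entry") skips the host, so
#    an LDAP outage can no longer look like a host removal and delete keytabs;
#  - keys are written to a fresh "<keytab>.new" (a stale one from an aborted
#    run is discarded first, ktadd would otherwise append to it) and are only
#    moved into place once that file is non-empty;
#  - cleanup uses rm -f so a missing short-name copy does not abort the run
#    under set -e half way through the host list.
warn() {
	printf 'WARNING: %s\n' "$*" >&2
	logger -t update-dlw-krb5-keytabs -p warning "$*"
}

for dlw_host in ${DLW_HOSTS}; do

	DLW_KRB5_KEYTAB="${DLW_KRB5_KEYTABS_DIR}/${dlw_host}.keytab"
	# Second copy kept under the short hostname (domain part stripped).
	short_keytab="${DLW_KRB5_KEYTAB/.${DOMAIN}/}"
	# The LDAP cn is the unqualified hostname.
	ldap_cn="${dlw_host%%.*}"
	# RFC 4515 escaping of the filter value; a no-op for ordinary hostnames,
	# but keeps '*', '(', ')' and '\' from changing the meaning of the filter.
	ldap_cn_esc=$(printf '%s' "${ldap_cn}" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
	host_found="false"

	# Fetch the cn of the matching host object. Base64-encoded values ("cn::")
	# are not handled (same as before); such a host counts as not found.
	if ! ldif=$(ldapsearch -xLLL "(&(cn=${ldap_cn_esc})(|(objectClass=GOHard)(objectClass=ipHost)))" cn 2>/dev/null); then
		warn "LDAP lookup for '${dlw_host}' failed, leaving its keytab untouched."
		continue
	fi
	# Unfold LDIF continuation lines (leading space) into single lines.
	ldif=$(printf '%s\n' "${ldif}" | perl -p00e 's/\r?\n //g')

	while read -r key value; do
		[ "${key}" = "cn:" ] || continue
		[ "${value}.${DOMAIN}" = "${dlw_host}" ] || continue
		host_found="true"

		if LANG=C kadmin.local -q "get_principal host/${dlw_host}" 2>/dev/null | grep -q "^Principal: host/${dlw_host}@.*" &&
		   LANG=C kadmin.local -q "get_principal nfs/${dlw_host}" 2>/dev/null | grep -q "^Principal: nfs/${dlw_host}@.*"; then

			new_keytab="${DLW_KRB5_KEYTAB}.new"
			# Never append to leftovers of an aborted run.
			rm -f -- "${new_keytab}"
			# ktadd re-keys each principal and appends the new key to the file.
			kadmin.local -q "ktadd -k ${new_keytab} host/${dlw_host}"
			kadmin.local -q "ktadd -k ${new_keytab} nfs/${dlw_host}"

			# NOTE(review): kadmin.local -q is not relied on to report a failed
			# ktadd through its exit status, so check the result before the
			# working keytab is replaced.
			if [ ! -s "${new_keytab}" ]; then
				warn "ktadd produced no keytab for '${dlw_host}', keeping the existing one."
				rm -f -- "${new_keytab}"
				break
			fi

			chown -- "root:${SPECIAL_USER}" "${new_keytab}"
			chmod -- 0640 "${new_keytab}"
			mv -v -- "${new_keytab}" "${DLW_KRB5_KEYTAB}"
			cp -av -- "${DLW_KRB5_KEYTAB}" "${short_keytab}"
		else
			warn "Diskless workstation '${dlw_host}' is missing a host (host/${dlw_host}) or service (nfs/${dlw_host}) principal in the Kerberos database."
		fi
		break
	done <<< "${ldif}"

	if [ "${host_found}" != "true" ]; then

		# No matching LDAP host object. One of three things happened:
		#   1. gosa-remove-host invoked us for a just-deleted host: clean up its keytab;
		#   2. we were called with a hostname that does not exist in LDAP;
		#   3. the NIS netgroup 'diskless-workstation-hosts' still lists a host that
		#      is gone from LDAP: manual tidying of the netgroup is required.

		if [ -f "${DLW_KRB5_KEYTAB}" ]; then
			logger -t update-dlw-krb5-keytabs -p info "Cleaning up DLW keytab file of host '${dlw_host}'."
			rm -fv -- "${DLW_KRB5_KEYTAB}"
			rm -fv -- "${short_keytab}"
		elif [ -f "${short_keytab}" ]; then
			logger -t update-dlw-krb5-keytabs -p info "Cleaning up leftover DLW keytab file of host '${dlw_host}' (without domain part)."
			rm -fv -- "${short_keytab}"
		else
			warn "Hostname '${dlw_host}' listed in NIS netgroup 'diskless-workstation-hosts', but not found as a host entry in Debian Edu LDAP."
		fi

	fi

done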

# Record completion in syslog. The explicit status makes the script's exit
# code independent of logger's; note the message is emitted even when no
# host needed work.
logger -p notice -t update-dlw-krb5-keytabs "Diskless workstation Krb5 keytab files updated."

exit 0