added kerberos

kerberos/krb_addclient.sh

@@ -0,0 +1,138 @@
+#!/bin/bash
+#
+# Bind a linux host to kerberos
+#
+# $Id: $
+#
+#
+
+# Location of the kerberos commands
+kadmin=${KADMIN:-/usr/sbin/kadmin}
+kinit=${KINIT:-/usr/bin/kinit}
+kdestroy=${KDESTROY:-/usr/bin/kdestroy}
+if [[ ! -x $kadmin ]]; then
+    echo "$kadmin is not executable. Check the path or set the KADMIN variable"
+fi
+if [[ ! -x $kinit ]]; then
+    echo "$kinit is not executable. Check the path or set the KINIT variable"
+fi
+if [[ ! -x $kdestroy ]]; then
+    echo "$kdestroy is not executable. Check the path or set the KDESTROY variable"
+fi
+
+# Export the credentials cache location for all the krb5 commands
+krb5ccname="/tmp/kerberos_bind_cc_$$" 
+
+# Print usage information
+usage () 
+{
+    scriptname=`basename $0`
+    cat << EOF
+Usage: $scriptname -u <admin username> [-h <hostname>] [-k <keytab>]
+
+OPTIONS:
+ -u username of the kerberos administrator
+ -h hostname to generate a keytab for
+ -k location of the keytab file
+
+If -h is specified, then -k *must* be specified as well.
+EOF
+}
+
+# Error condition convenience function
+die () 
+{
+	echo "$@ failed: error code $?"
+	exit 1
+}
+
+# kadmin convenience function
+kadmin_command () 
+{
+    $kadmin -c $krb5ccname -q "$@" > /dev/null || die $@
+}
+
+# Read command line options
+while getopts "h:k:u:" option
+do
+    case $option in
+        h)
+        hostname=$OPTARG
+        ;;
+        k)
+        keytab=$OPTARG
+        ;;
+        u)
+        username=$OPTARG
+        ;;
+        ?)
+        usage
+        exit
+        ;;
+    esac
+done
+
+# Check to make sure the username was specified
+if [[ -z $username ]]; then
+    echo "Error: no username specified"
+    usage
+    exit 1
+fi
+
+# Set the hostname and keytab variables if they were not specified on the command line.
+# If a hostname was specified, then ensure the keytab was as well.
+# If only a keytab was specified, we don't really care.
+if [[ -z $hostname ]]; then
+    hostname=`hostname -f`
+    keytab=/etc/krb5.keytab
+elif [[ -z $keytab ]]; then
+    echo "Error: You must specify -k if you specify -h"
+    usage
+    exit 1
+fi
+
+# Destroy our credentials no matter what happens
+trap "echo 'Destroying temporary kerberos credentials in $krb5ccname...'; $kdestroy; echo 'done'; exit 1" 1 2 3 5 15
+
+# Create the credentials cache
+echo ">> Creating temporary kerberos credentials cache, $krb5ccname..."
+$kinit -S kadmin/admin -c $krb5ccname $username
+
+# Create principals
+echo ">> Creating principals..."
+echo ">> Creating host/ principal..."
+kadmin_command "addprinc -randkey host/$hostname"
+echo ">> Creating nfs/ principal..."
+kadmin_command "addprinc -randkey nfs/$hostname"
+echo ">> Creating root/ principal..."
+kadmin_command "addprinc -randkey root/$hostname"
+
+# Add them to our keytab
+echo ">> Updating keytab..."
+echo ">> Getting host/ principal..."
+kadmin_command "ktadd -k $keytab  host/$hostname"
+echo ">> Getting nfs/ principal..."
+kadmin_command "ktadd -k $keytab  root/$hostname"
+echo ">> Getting root/ principal..."
+kadmin_command "ktadd -k $keytab  -e des-cbc-crc:normal nfs/$hostname"
+
+# Clean up
+echo ">> Destroying temporary kerberos credentials in $krb5ccname..."
+$kdestroy -c $krb5ccname
+
+echo ">> Script completed successfully"
+exit 0
+
+# POD documentation
+
+=head1 NAME
+
+B<kerberos_bind> - binds a linux host to the Kerberos KDC
+
+=head1 SYNOPSIS
+
+B<kerberos_bind> admin_user_name
+
+=head1 DESCRIPTION
+
+B<kerberos_bind> creates the necessary principals to bind a Linux host to the KDC. It requires Kerberos to be configured in /etc/krb5.conf.