1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
#!/bin/sh
# Copyright 2018 Canonical Ltd.
# This code is licensed under the same terms as MIT Kerberos.
set -ex
adjust_hostname() {
local myhostname="$1"
echo "${myhostname}" > /etc/hostname
hostname "${myhostname}"
if ! grep -qE "${myhostname}" /etc/hosts; then
# just so it's resolvable
echo "127.0.1.10 ${myhostname}" >> /etc/hosts
fi
}
create_realm() {
local realm_name="$1"
local kerberos_server="$2"
# start fresh
rm -rf /var/lib/krb5kdc/*
rm -rf /etc/krb5kdc/*
rm -f /etc/krb5.keytab
# setup some defaults
cat > /etc/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
kdc_ports = 750,88
[realms]
${realm_name} = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}
EOF
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = ${realm_name}
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
${realm_name} = {
kdc = ${kerberos_server}
admin_server = ${kerberos_server}
}
EOF
echo "# */admin *" > /etc/krb5kdc/kadm5.acl
# create the realm
kdb5_util create -s -P secretpassword
# restart services
systemctl restart krb5-kdc.service krb5-admin-server.service
}
|
