xref: /illumos-gate/usr/src/cmd/krb5/kadmin/kclient/kclient.sh (revision 03270635d68df6a0392fb8f4b7c04acad764648b)
1#!/bin/ksh93 -p
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23# Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
24# Copyright 2016 Toomas Soome <tsoome@me.com>
25#
26# This script is used to setup the Kerberos client by
27# supplying information about the Kerberos realm and kdc.
28#
29# The kerberos configuration file (/etc/krb5/krb5.conf) would
30# be generated and local host's keytab file setup. The script
31# can also optionally setup the system to do kerberized nfs and
32# bringover a master krb5.conf copy from a specified location.
33#
34
35function cleanup {
36
37	kdestroy -q > $TMP_FILE 2>&1
38	rm -r $TMPDIR > /dev/null 2>&1
39
40	exit $1
41}
42function exiting {
43
44        printf "\n$(gettext "Exiting setup, nothing changed").\n\n"
45
46	cleanup $1
47}
48
49function error_message {
50
51        printf -- "---------------------------------------------------\n" >&2
52        printf "$(gettext "Setup FAILED").\n\n" >&2
53
54        cleanup 1
55}
56
57function check_bin {
58
59	typeset bin=$1
60
61	if [[ ! -x $bin ]]; then
62		printf "$(gettext "Could not access/execute %s").\n" $bin >&2
63		error_message
64	fi
65}
66
67function cannot_create {
68	typeset filename="$1"
69	typeset stat="$2"
70
71	if [[ $stat -ne 0 ]]; then
72		printf "\n$(gettext "Can not create/edit %s, exiting").\n" $filename >&2
73		error_message
74	fi
75}
76
77function update_pam_conf {
78	typeset PAM TPAM service
79
80	PAM=/etc/pam.conf
81
82	TPAM=$(mktemp -q -t kclient-pamconf.XXXXXX)
83	if [[ -z $TPAM ]]; then
84		printf "\n$(gettext "Can not create temporary file, exiting").\n" >&2
85		error_message
86	fi
87
88	cp $PAM $TPAM >/dev/null 2>&1
89
90	printf "$(gettext "Configuring %s").\n\n" $PAM
91
92	for service in $SVCs; do
93		svc=${service%:*}
94		auth_type=${service#*:}
95		if egrep -s "^$svc[ 	][ 	]*auth.*pam_krb5*" $TPAM; then
96			printf "$(gettext "The %s service is already configured for pam_krb5, please merge this service in %s").\n\n" $svc $PAM >&2
97			continue
98		else
99			exec 3>>$TPAM
100			printf "\n$svc\tauth include\t\tpam_krb5_$auth_type\n" 1>&3
101		fi
102	done
103
104	cp $TPAM $PAM > /dev/null 2>&1
105
106	rm $TPAM > /dev/null 2>&1
107}
108
109function modify_nfssec_conf {
110	typeset NFSSEC_FILE="/etc/nfssec.conf"
111
112	if [[ -r $NFSSEC_FILE ]]; then
113		cat $NFSSEC_FILE > $NFSSEC_FILE.sav
114		cannot_create $NFSSEC_FILE.sav $?
115	fi
116
117	cat $NFSSEC_FILE > $TMP_FILE
118	cannot_create $TMP_FILE $?
119
120	if grep -s "#krb5" $NFSSEC_FILE > /dev/null 2>&1; then
121		sed "s%^#krb5%krb5%" $TMP_FILE >$NFSSEC_FILE
122		cannot_create $NFSSEC_FILE $?
123	fi
124}
125
126function call_kadmin {
127	typeset svc="$1"
128	typeset bool1 bool2 bool3 bool4
129	typeset service_princ getprincsubcommand anksubcommand ktaddsubcommand
130	typeset ktremsubcommand
131
132	for listentry in $fqdnlist; do
133
134	# Reset conditional vars to 1
135	bool1=1; bool2=1; bool3=1; bool4=1
136
137	service_princ=$(echo "${svc}/${listentry}")
138	getprincsubcommand="getprinc $service_princ"
139	anksubcommand="addprinc -randkey $service_princ"
140	ktaddsubcommand="ktadd $service_princ"
141	ktremsubcommand="ktrem $service_princ all"
142
143	kadmin -c $KRB5CCNAME -q "$getprincsubcommand" 1>$TMP_FILE 2>&1
144
145	egrep -s "$(gettext "get_principal: Principal does not exist")" $TMP_FILE
146	bool1=$?
147	egrep -s "$(gettext "get_principal: Operation requires ``get")" $TMP_FILE
148	bool2=$?
149
150	if [[ $bool1 -eq 0 || $bool2 -eq 0 ]]; then
151		kadmin -c $KRB5CCNAME -q "$anksubcommand" 1>$TMP_FILE 2>&1
152
153		egrep -s "$(gettext "add_principal: Principal or policy already exists while creating \"$service_princ@$realm\".")" $TMP_FILE
154		bool3=$?
155
156		egrep -s "$(gettext "Principal \"$service_princ@$realm\" created.")" $TMP_FILE
157		bool4=$?
158
159		if [[ $bool3 -eq 0 || $bool4 -eq 0 ]]; then
160			printf "$(gettext "%s entry ADDED to KDC database").\n" $service_princ
161		else
162			cat $TMP_FILE;
163			printf "\n$(gettext "kadmin: add_principal of %s failed, exiting").\n" $service_princ >&2
164			error_message
165		fi
166	else
167		printf "$(gettext "%s entry already exists in KDC database").\n" $service_princ >&2
168	fi
169
170	klist -k 1>$TMP_FILE 2>&1
171	egrep -s "$service_princ@$realm" $TMP_FILE
172	if [[ $? -eq 0 ]]; then
173		printf "$(gettext "%s entry already present in keytab").\n" $service_princ >&2
174		# Don't care is this succeeds or not, just need to replace old
175		# entries as it is assummed that the client is reinitialized
176		kadmin -c $KRB5CCNAME -q "$ktremsubcommand" 1>$TMP_FILE 2>&1
177	fi
178
179	kadmin -c $KRB5CCNAME -q "$ktaddsubcommand" 1>$TMP_FILE 2>&1
180	egrep -s "$(gettext "added to keytab WRFILE:$KRB5_KEYTAB_FILE.")" $TMP_FILE
181	if [[ $? -ne 0 ]]; then
182		cat $TMP_FILE;
183		printf "\n$(gettext "kadmin: ktadd of %s failed, exiting").\n" $service_princ >&2
184		error_message
185	else
186		printf "$(gettext "%s entry ADDED to keytab").\n" $service_princ
187	fi
188
189	done
190}
191
192function writeup_krb5_conf {
193	typeset dh
194
195	printf "\n$(gettext "Setting up %s").\n\n" $KRB5_CONFIG_FILE
196
197	exec 3>$KRB5_CONFIG
198	if [[ $? -ne 0 ]]; then
199		printf "\n$(gettext "Can not write to %s, exiting").\n" $KRB5_CONFIG >&2
200		error_message
201	fi
202
203	printf "[libdefaults]\n" 1>&3
204	if [[ $no_keytab == yes ]]; then
205		printf "\tverify_ap_req_nofail = false\n" 1>&3
206	fi
207	if [[ $dns_lookup == yes ]]; then
208	    printf "\t$dnsarg = on\n" 1>&3
209	    if [[ $dnsarg == dns_lookup_kdc ]]; then
210		printf "\tdefault_realm = $realm\n" 1>&3
211		printf "\n[domain_realm]\n" 1>&3
212		if [[ -n $fkdc_list ]]; then
213			for kdc in $fkdc_list; do
214				printf "\t$kdc = $realm\n" 1>&3
215			done
216		fi
217		printf "\t$FKDC = $realm\n" 1>&3
218		printf "\t$client_machine = $realm\n" 1>&3
219		if [[ -z $short_fqdn ]]; then
220			printf "\t.$domain = $realm\n\n" 1>&3
221		else
222			printf "\t.$short_fqdn = $realm\n\n" 1>&3
223		fi
224		if [[ -n $domain_list ]]; then
225			for dh in $domain_list; do
226				printf "\t$dh = $realm\n" 1>&3
227			done
228		fi
229	    else
230		if [[ $dnsarg = dns_lookup_realm ]]; then
231		    printf "\tdefault_realm = $realm\n" 1>&3
232		    printf "\n[realms]\n" 1>&3
233		    printf "\t$realm = {\n" 1>&3
234		    if [[ -n $kdc_list ]]; then
235			for kdc in $kdc_list; do
236				printf "\t\tkdc = $kdc\n" 1>&3
237			done
238		    else
239		    	printf "\t\tkdc = $KDC\n" 1>&3
240		    fi
241		    printf "\t\tadmin_server = $KDC\n" 1>&3
242		    if [[ $non_solaris == yes ]]; then
243			printf "\n\t\tkpasswd_protocol = SET_CHANGE\n" 1>&3
244		    fi
245		    printf "\t}\n\n" 1>&3
246		else
247		    printf "\tdefault_realm = $realm\n\n" 1>&3
248		fi
249	    fi
250	else
251	    printf "\tdefault_realm = $realm\n\n" 1>&3
252
253	    printf "[realms]\n" 1>&3
254	    printf "\t$realm = {\n" 1>&3
255	    if [[ -n $kdc_list ]]; then
256		for kdc in $kdc_list; do
257			printf "\t\tkdc = $kdc\n" 1>&3
258		done
259	    else
260	    	printf "\t\tkdc = $KDC\n" 1>&3
261	    fi
262	    printf "\t\tadmin_server = $KDC\n" 1>&3
263	    if [[ $non_solaris == yes ]]; then
264	    	printf "\n\t\tkpasswd_protocol = SET_CHANGE\n" 1>&3
265	    fi
266	    printf "\t}\n\n" 1>&3
267
268	    printf "[domain_realm]\n" 1>&3
269	    if [[ -n $fkdc_list ]]; then
270		for kdc in $fkdc_list; do
271			printf "\t$kdc = $realm\n" 1>&3
272		done
273	    fi
274	    printf "\t$FKDC = $realm\n" 1>&3
275	    printf "\t$client_machine = $realm\n" 1>&3
276	    if [[ -z $short_fqdn ]]; then
277		printf "\t.$domain = $realm\n\n" 1>&3
278	    else
279		printf "\t.$short_fqdn = $realm\n\n" 1>&3
280	    fi
281	    if [[ -n $domain_list ]]; then
282		for dh in $domain_list; do
283			printf "\t$dh = $realm\n" 1>&3
284		done
285	    fi
286	fi
287
288	printf "[logging]\n" 1>&3
289	printf "\tdefault = FILE:/var/krb5/kdc.log\n" 1>&3
290	printf "\tkdc = FILE:/var/krb5/kdc.log\n" 1>&3
291	printf "\tkdc_rotate = {\n\t\tperiod = 1d\n\t\tversions = 10\n\t}\n\n" 1>&3
292
293	printf "[appdefaults]\n" 1>&3
294	printf "\tkinit = {\n\t\trenewable = true\n\t\tforwardable = true\n" 1>&3
295	if [[ $no_keytab == yes ]]; then
296		printf "\t\tno_addresses = true\n" 1>&3
297	fi
298	printf "\t}\n" 1>&3
299}
300
301function ask {
302	typeset question=$1
303	typeset default_answer=$2
304
305	if [[ -z $default_answer ]]; then
306		printf "$question :"
307	else
308		printf "$question [$default_answer]: "
309	fi
310	read answer
311	test -z "$answer" && answer="$default_answer"
312}
313
314function yesno {
315	typeset question="$1"
316
317	answer=
318	yn=`printf "$(gettext "y/n")"`
319	y=`printf "$(gettext "y")"`
320	n=`printf "$(gettext "n")"`
321	yes=`printf "$(gettext "yes")"`
322	no=`printf "$(gettext "no")"`
323
324	while [[ -z $answer ]]; do
325		ask "$question" $yn
326		case $answer in
327			$y|$yes)	answer=yes;;
328			$n|$no)		answer=no;;
329			*)		answer=;;
330		esac
331	done
332}
333
334function query {
335	yesno "$*"
336
337	if [[ $answer == no ]]; then
338		printf "\t$(gettext "No action performed").\n"
339	fi
340}
341
342
343function read_profile {
344	typeset param value
345	typeset file="$1"
346
347	if [[ ! -d $file && -r $file ]]; then
348		while read param value
349		do
350			case $param in
351			REALM)  if [[ -z $realm ]]; then
352					realm="$value"
353					checkval="REALM"; check_value $realm
354				fi
355				;;
356			KDC)    if [[ -z $KDC ]]; then
357					KDC="$value"
358					checkval="KDC"; check_value $KDC
359				fi
360				;;
361			ADMIN)  if [[ -z $ADMIN_PRINC ]]; then
362					ADMIN_PRINC="$value"
363					checkval="ADMIN_PRINC"
364    					check_value $ADMIN_PRINC
365				fi
366				;;
367			FILEPATH)  if [[ -z $filepath ]]; then
368					filepath="$value"
369				   fi
370				   ;;
371			NFS)    if [[ -z $add_nfs ]]; then
372				    if [[ $value == 1 ]]; then
373					    add_nfs=yes
374				    else
375					    add_nfs=no
376				    fi
377				fi
378				;;
379			NOKEY)    if [[ -z $no_keytab ]]; then
380				    if [[ $value == 1 ]]; then
381					    no_keytab=yes
382				    else
383					    no_keytab=no
384				    fi
385				fi
386				;;
387			NOSOL)  if [[ -z $non_solaris ]]; then
388				    if [[ $value == 1 ]]; then
389					    non_solaris=yes
390					    no_keytab=yes
391				    else
392					    non_solaris=no
393				    fi
394				fi
395				;;
396			LHN)    if [[ -z $logical_hn ]]; then
397					logical_hn="$value"
398					checkval="LOGICAL_HOSTNAME"
399    					check_value $logical_hn
400				fi
401				;;
402			DNSLOOKUP) if [[ -z $dnsarg ]]; then
403					dnsarg="$value"
404					checkval="DNS_OPTIONS"
405					check_value $dnsarg
406				   fi
407				   ;;
408			FQDN) if [[ -z $fqdnlist ]]; then
409					fqdnlist="$value"
410					checkval="FQDN"
411					check_value $fqdnlist
412					verify_fqdnlist "$fqdnlist"
413			      fi
414			      ;;
415			MSAD) if [[ -z $msad ]]; then
416				if [[ $value == 1 ]]; then
417					msad=yes
418					non_solaris=yes
419				else
420					msad=no
421				fi
422			      fi
423			      ;;
424			esac
425		done <$file
426	else
427		printf "\n$(gettext "The kclient profile \`%s' is not valid, exiting").\n" $file >&2
428		error_message
429	fi
430}
431
432function ping_check {
433	typeset machine="$1"
434	typeset string="$2"
435
436	if ping $machine 2 > /dev/null 2>&1; then
437		:
438	else
439		printf "\n$(gettext "%s %s is unreachable, exiting").\n" $string $machine >&2
440		error_message
441	fi
442
443	# Output timesync warning if not using a profile, i.e. in
444	# interactive mode.
445	if [[ -z $profile && $string == KDC ]]; then
446		# It's difficult to sync up time with KDC esp. if in a
447		# zone so just print a warning about KDC time sync.
448		printf "\n$(gettext "Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function").\n" >&2
449		printf "$(gettext "Both systems should run some form of time synchronization system like Network Time Protocol (NTP)").\n" >&2
450break
451	fi
452}
453
454function check_value {
455	typeset arg="$1"
456
457	if [[ -z $arg ]]; then
458		printf "\n$(gettext "No input obtained for %s, exiting").\n" $checkval >&2
459		error_message
460	else
461		echo "$arg" > $TMP_FILE
462		if egrep -s '[*$^#!]+' $TMP_FILE; then
463			printf "\n$(gettext "Invalid input obtained for %s, exiting").\n" $checkval >&2
464			error_message
465		fi
466	fi
467}
468
469function set_dns_value {
470	typeset -l arg="$1"
471
472	if [[ $arg == dns_lookup_kdc  ||  $arg == dns_lookup_realm  || $arg == dns_fallback ]]; then
473		dns_lookup=yes
474	else
475		if [[ $arg == none ]]; then
476			dns_lookup=no
477		else
478			printf "\n$(gettext "Invalid DNS lookup option, exiting").\n" >&2
479			error_message
480		fi
481	fi
482}
483
484function verify_kdcs {
485	typeset k_list="$1"
486	typeset -l kdc
487	typeset list fqhn f_list
488
489	kdc_list=$(echo "$k_list" | sed 's/,/ /g')
490
491	if [[ -z $k_list ]]; then
492		printf "\n$(gettext "At least one KDC should be listed").\n\n" >&2
493		usage
494	fi
495
496	for kdc in $k_list; do
497		if [[ $kdc != $KDC ]]; then
498			list="$list $kdc"
499			fkdc=`$KLOOKUP $kdc`
500			if ping $fkdc 2 > /dev/null; then
501				:
502			else
503				printf "\n$(gettext "%s %s is unreachable, no action performed").\n" "KDC" $fkdc >&2
504			fi
505			f_list="$f_list $fkdc"
506		fi
507	done
508
509	fkdc_list="$f_list"
510	kdc_list="$list"
511}
512
513function parse_service {
514	typeset service_list=$1
515
516	service_list=${service_list//,/ }
517	for service in $service_list; do
518		svc=${service%:}
519		auth_type=${service#:}
520		[[ -z $svc || -z $auth_type ]] && return
521		print -- $svc $auth_type
522	done
523}
524
525function verify_fqdnlist {
526	typeset list="$1"
527	typeset -l hostname
528	typeset -i count=1
529	typeset fqdnlist eachfqdn tmpvar fullhost
530
531	list=$(echo "$list" | tr -d " " | tr -d "\t")
532	hostname=$(uname -n | cut -d"." -f1)
533	fqdnlist=$client_machine
534
535	eachfqdn=$(echo "$list" | cut -d"," -f$count)
536	if [[ -z $eachfqdn ]]; then
537		printf "\n$(gettext "If the -f option is used, at least one FQDN should be listed").\n\n" >&2
538		usage
539	else
540		while [[ ! -z $eachfqdn ]]; do
541			tmpvar=$(echo "$eachfqdn" | cut -d"." -f1)
542			if [[ -z $tmpvar ]]; then
543				fullhost="$hostname$eachfqdn"
544			else
545				fullhost="$hostname.$eachfqdn"
546			fi
547
548			ping_check $fullhost $(gettext "System")
549			if [[ $fullhost == $client_machine ]]; then
550				:
551			else
552				fqdnlist="$fqdnlist $fullhost"
553			fi
554
555			if [[ $list == *,* ]]; then
556				((count = count + 1))
557				eachfqdn=$(echo "$list" | cut -d"," -f$count)
558			else
559				break
560			fi
561		done
562	fi
563}
564
565function setup_keytab {
566	typeset cname ask_fqdns current_release
567
568	#
569	# 1. kinit with ADMIN_PRINC
570	#
571
572	if [[ -z $ADMIN_PRINC ]]; then
573		printf "\n$(gettext "Enter the krb5 administrative principal to be used"): "
574		read ADMIN_PRINC
575		checkval="ADMIN_PRINC"; check_value $ADMIN_PRINC
576	fi
577
578	echo "$ADMIN_PRINC">$TMP_FILE
579
580	[[ -n $msad ]] && return
581	if egrep -s '\/admin' $TMP_FILE; then
582		# Already in "/admin" format, do nothing
583		:
584	else
585		if egrep -s '\/' $TMP_FILE; then
586			printf "\n$(gettext "Improper entry for krb5 admin principal, exiting").\n" >&2
587			error_message
588		else
589			ADMIN_PRINC=$(echo "$ADMIN_PRINC/admin")
590		fi
591	fi
592
593	printf "$(gettext "Obtaining TGT for %s") ...\n" $ADMIN_PRINC
594
595	cname=$(canon_resolve $KDC)
596	if [[ -n $cname ]]; then
597		kinit -S kadmin/$cname $ADMIN_PRINC
598	else
599		kinit -S kadmin/$FKDC $ADMIN_PRINC
600	fi
601	klist 1>$TMP_FILE 2>&1
602	if egrep -s "$(gettext "Valid starting")" $TMP_FILE && egrep -s "kadmin/$FKDC@$realm" $TMP_FILE; then
603    		:
604	else
605		printf "\n$(gettext "kinit of %s failed, exiting").\n" $ADMIN_PRINC >&2
606		error_message
607	fi
608
609	#
610	# 2. Do we want to create and/or add service principal(s) for fqdn's
611	#    other than the one listed in resolv.conf(4) ?
612	#
613	if [[ -z $options ]]; then
614		query "$(gettext "Do you have multiple DNS domains spanning the Kerberos realm") $realm ?"
615		ask_fqdns=$answer
616		if [[ $ask_fqdns == yes ]]; then
617			printf "$(gettext "Enter a comma-separated list of DNS domain names"): "
618			read fqdnlist
619			verify_fqdnlist "$fqdnlist"
620		else
621			fqdnlist=$client_machine
622		fi
623	else
624		if [[ -z $fqdnlist ]]; then
625			fqdnlist=$client_machine
626		fi
627	fi
628
629	if [[ $add_nfs == yes ]]; then
630		echo; call_kadmin nfs
631	fi
632
633	# Add the host entry to the keytab
634	echo; call_kadmin host
635
636}
637
638function setup_lhn {
639	typeset -l logical_hn
640
641	echo "$logical_hn" > $TMP_FILE
642	if egrep -s '[^.]\.[^.]+$' $TMP_FILE; then
643		# do nothing, logical_hn is in fqdn format
644		:
645	else
646		if egrep -s '\.+' $TMP_FILE; then
647			printf "\n$(gettext "Improper format of logical hostname, exiting").\n" >&2
648			error_message
649		else
650			# Attach fqdn to logical_hn, to get the Fully Qualified
651			# Host Name of the client requested
652			logical_hn=$(echo "$logical_hn.$fqdn")
653		fi
654	fi
655
656	client_machine=$logical_hn
657
658	ping_check $client_machine $(gettext "System")
659}
660
661function usage {
662	printf "\n$(gettext "Usage: kclient [ options ]")\n" >&2
663	printf "\t$(gettext "where options are any of the following")\n\n" >&2
664	printf "\t$(gettext "[ -D domain_list ]  configure a client that has mul
665tiple mappings of doamin and/or hosts to the default realm")\n" >&2
666	printf "\t$(gettext "[ -K ]  configure a client that does not have host/service keys")\n" >&2
667	printf "\t$(gettext "[ -R realm ]  specifies the realm to use")\n" >&2
668	printf "\t$(gettext "[ -T kdc_vendor ]  specifies which KDC vendor is the server")\n" >&2
669	printf "\t$(gettext "[ -a adminuser ]  specifies the Kerberos administrator")\n" >&2
670	printf "\t$(gettext "[ -c filepath ]  specifies the krb5.conf path used to configure this client")\n" >&2
671	printf "\t$(gettext "[ -d dnsarg ]  specifies which information should be looked up in DNS (dns_lookup_kdc, dns_lookup_realm, and dns_fallback)")\n" >&2
672	printf "\t$(gettext "[ -f fqdn_list ]  specifies which domains to configure host keys for this client")\n" >&2
673	printf "\t$(gettext "[ -h logicalhostname ]  configure the logical host name for a client that is in a cluster")\n" >&2
674	printf "\t$(gettext "[ -k kdc_list ]  specify multiple KDCs, if -m is not used the first KDC in the list is assumed to be the master.  KDC host names are used verbatim.")\n" >&2
675	printf "\t$(gettext "[ -m master ]  master KDC server host name")\n" >&2
676	printf "\t$(gettext "[ -n ]  configure client to be an NFS client")\n" >&2
677	printf "\t$(gettext "[ -p profile ]  specifies which profile file to use to configure this client")\n" >&2
678	printf "\t$(gettext "[ -s pam_list ]  update the service for Kerberos authentication")\n" >&2
679	error_message
680}
681
682function discover_domain {
683	typeset dom DOMs
684
685	if [[ -z $realm ]]; then
686		set -A DOMs -- `$KLOOKUP _ldap._tcp.dc._msdcs S`
687	else
688		set -A DOMs -- `$KLOOKUP _ldap._tcp.dc._msdcs.$realm S`
689	fi
690
691	[[ -z ${DOMs[0]} ]] && return 1
692
693	dom=${DOMs[0]}
694
695	dom=${dom#*.}
696	dom=${dom% *}
697
698	domain=$dom
699
700	return 0
701}
702
703function check_nss_hosts_or_ipnodes_config {
704	typeset backend
705
706	for backend in $1
707	do
708		[[ $backend == dns ]] && return 0
709	done
710	return 1
711}
712
713function check_nss_conf {
714	typeset i j hosts_config
715
716	for i in hosts ipnodes
717	do
718		grep "^${i}:" /etc/nsswitch.conf|read j hosts_config
719		check_nss_hosts_or_ipnodes_config "$hosts_config" || return 1
720	done
721
722	return 0
723}
724
725function canon_resolve {
726	typeset name ip
727
728	name=`$KLOOKUP $1 C`
729	[[ -z $name ]] && name=`$KLOOKUP $1 A`
730	[[ -z $name ]] && return
731
732	ip=`$KLOOKUP $name I`
733	[[ -z $ip ]] && return
734	for i in $ip
735	do
736		if ping $i 2 > /dev/null 2>&1; then
737			break
738		else
739			i=
740		fi
741	done
742
743	cname=`$KLOOKUP $ip P`
744	[[ -z $cname ]] && return
745
746	print -- "$cname"
747}
748
749function rev_resolve {
750	typeset name ip
751
752	ip=`$KLOOKUP $1 I`
753
754	[[ -z $ip ]] && return
755	name=`$KLOOKUP $ip P`
756	[[ -z $name ]] && return
757
758	print -- $name
759}
760
761# Convert an AD-style domain DN to a DNS domainname
762function dn2dns {
763	typeset OIFS dname dn comp components
764
765	dn=$1
766	dname=
767
768	OIFS="$IFS"
769	IFS=,
770	set -A components -- $1
771	IFS="$OIFS"
772
773	for comp in "${components[@]}"
774	do
775		[[ "$comp" == [dD][cC]=* ]] || continue
776		dname="$dname.${comp#??=}"
777	done
778
779	print ${dname#.}
780}
781
782# Form a base DN from a DNS domainname and container
783function getBaseDN {
784	if [[ -n "$2" ]]
785	then
786		baseDN="CN=$1,$(dns2dn $2)"
787	else
788		baseDN="$(dns2dn $2)"
789	fi
790}
791
792# Convert a DNS domainname to an AD-style DN for that domain
793function dns2dn {
794	typeset OIFS dn labels
795
796	OIFS="$IFS"
797	IFS=.
798	set -A labels -- $1
799	IFS="$OIFS"
800
801	dn=
802	for label in "${labels[@]}"
803	do
804		dn="${dn},DC=$label"
805	done
806
807	print -- "${dn#,}"
808}
809
810function getSRVs {
811	typeset srv port
812
813	$KLOOKUP $1 S | while read srv port
814	do
815		if ping $srv 2 > /dev/null 2>&1; then
816			print -- $srv $port
817		fi
818	done
819}
820
821function getKDC {
822	typeset j
823
824	set -A KPWs -- $(getSRVs _kpasswd._tcp.$dom.)
825	kpasswd=${KPWs[0]}
826
827	if [[ -n $siteName ]]
828	then
829		set -A KDCs -- $(getSRVs _kerberos._tcp.$siteName._sites.$dom.)
830		kdc=${KDCs[0]}
831		[[ -n $kdc ]] && return
832	fi
833
834	# No site name
835	set -A KDCs -- $(getSRVs _kerberos._tcp.$dom.)
836	kdc=${KDCs[0]}
837	[[ -n $kdc ]] && return
838
839	# Default
840	set -A KDCs -- $DomainDnsZones 88
841	kdc=$ForestDnsZones
842}
843
844function getDC {
845	typeset j
846
847	if [[ -n $siteName ]]
848	then
849		set -A DCs -- $(getSRVs _ldap._tcp.$siteName._sites.dc._msdcs.$dom.)
850		dc=${DCs[0]}
851		[[ -n $dc ]] && return
852	fi
853
854	# No site name
855	set -A DCs -- $(getSRVs _ldap._tcp.dc._msdcs.$dom.)
856	dc=${DCs[0]}
857	[[ -n $dc ]] && return
858
859	# Default
860	set -A DCs -- $DomainDnsZones 389
861	dc=$DomainDnsZones
862}
863
864function write_ads_krb5conf {
865	typeset kdcs
866
867	printf "\n$(gettext "Setting up %s").\n\n" $KRB5_CONFIG_FILE
868
869	for i in ${KDCs[@]}
870	do
871		[[ $i == +([0-9]) ]] && continue
872		if [[ -n $kdcs ]]
873		then
874			kdcs="$kdcs,$i"
875		else
876			kdcs=$i
877		fi
878	done
879
880	$KCONF -f $KRB5_CONFIG -r $realm -k $kdcs -m $KDC -p SET_CHANGE -d .$dom
881
882	if [[ $? -ne 0 ]]; then
883		printf "\n$(gettext "Can not update %s, exiting").\n" $KRB5_CONFIG >&2
884		error_message
885	fi
886}
887
888function getForestName {
889	ldapsearch -R -T -h $dc $ldap_args \
890	    -b "" -s base "" schemaNamingContext| \
891		grep ^schemaNamingContext|read j schemaNamingContext
892
893	if [[ $? -ne 0 ]]; then
894		printf "$(gettext "Can't find forest").\n" >&2
895		error_message
896	fi
897	schemaNamingContext=${schemaNamingContext#CN=Schema,CN=Configuration,}
898
899	[[ -z $schemaNamingContext ]] && return 1
900
901	forest=
902	while [[ -n $schemaNamingContext ]]
903	do
904		schemaNamingContext=${schemaNamingContext#DC=}
905		forest=${forest}.${schemaNamingContext%%,*}
906		[[ "$schemaNamingContext" = *,* ]] || break
907		schemaNamingContext=${schemaNamingContext#*,}
908	done
909	forest=${forest#.}
910}
911
912function getGC {
913	typeset j
914
915	[[ -n $gc ]] && return 0
916
917	if [[ -n $siteName ]]
918	then
919		set -A GCs -- $(getSRVs _ldap._tcp.$siteName._sites.gc._msdcs.$forest.)
920		gc=${GCs[0]}
921		[[ -n $gc ]] && return
922	fi
923
924	# No site name
925	set -A GCs -- $(getSRVs _ldap._tcp.gc._msdcs.$forest.)
926	gc=${GCs[0]}
927	[[ -n $gc ]] && return
928
929	# Default
930	set -A GCs -- $ForestDnsZones 3268
931	gc=$ForestDnsZones
932}
933
934#
935# The local variables used to calculate the IP address are of type unsigned
936# integer (-ui), as this is required to restrict the integer to 32b.
937# Starting in ksh88, Solaris has incorrectly assummed that -i represents 64b.
938#
939function ipAddr2num {
940	typeset OIFS
941	typeset -ui16 num
942
943	if [[ "$1" != +([0-9]).+([0-9]).+([0-9]).+([0-9]) ]]
944	then
945		print 0
946		return 0
947	fi
948
949	OIFS="$IFS"
950	IFS=.
951	set -- $1
952	IFS="$OIFS"
953
954	num=$((${1}<<24 | ${2}<<16 | ${3}<<8 | ${4}))
955
956	print -- $num
957}
958
959#
960# The local variables used to calculate the IP address are of type unsigned
961# integer (-ui), as this is required to restrict the integer to 32b.
962# Starting in ksh88, Solaris has incorrectly assummed that -i represents 64b.
963#
964function num2ipAddr {
965	typeset -ui16 num
966	typeset -ui10 a b c d
967
968	num=$1
969	a=$((num>>24        ))
970	b=$((num>>16 & 16#ff))
971	c=$((num>>8  & 16#ff))
972	d=$((num     & 16#ff))
973	print -- $a.$b.$c.$d
974}
975
976#
977# The local variables used to calculate the IP address are of type unsigned
978# integer (-ui), as this is required to restrict the integer to 32b.
979# Starting in ksh88, Solaris has incorrectly assummed that -i represents 64b.
980#
981function netmask2length {
982	typeset -ui16 netmask
983	typeset -i len
984
985	netmask=$1
986	len=32
987	while [[ $((netmask % 2)) -eq 0 ]]
988	do
989		netmask=$((netmask>>1))
990		len=$((len - 1))
991	done
992	print $len
993}
994
995#
996# The local variables used to calculate the IP address are of type unsigned
997# integer (-ui), as this is required to restrict the integer to 32b.
998# Starting in ksh88, Solaris has incorrectly assummed that -i represents 64b.
999#
1000function getSubnets {
1001	typeset -ui16 addr netmask
1002	typeset -ui16 classa=16\#ff000000
1003	typeset -ui16 classb=16\#ffff0000
1004	typeset -ui16 classc=16\#ffffff00
1005
1006	ifconfig -a|while read line
1007	do
1008		addr=0
1009		netmask=0
1010		set -- $line
1011		[[ $1 == inet ]] || continue
1012		while [[ $# -gt 0 ]]
1013		do
1014			case "$1" in
1015				inet) addr=$(ipAddr2num $2); shift;;
1016				netmask) eval netmask=16\#$2; shift;;
1017				*) :;
1018			esac
1019			shift
1020		done
1021
1022		[[ $addr -eq 0 || $netmask -eq 0 ]] && continue
1023		[[ $((addr & classa)) -eq 16\#7f000000 ]] && continue
1024
1025		print $(num2ipAddr $((addr & netmask)))/$(netmask2length $netmask)
1026		if [ $netmask -gt $classc ]
1027		then
1028			print $(num2ipAddr $((addr & classc)))/$(netmask2length $classc)
1029		fi
1030		if [ $netmask -gt $classb ]
1031		then
1032			print $(num2ipAddr $((addr & classb)))/$(netmask2length $classb)
1033		fi
1034		if [ $netmask -gt $classa ]
1035		then
1036			print $(num2ipAddr $((addr & classa)))/$(netmask2length $classa)
1037		fi
1038	done
1039}
1040
1041function getSite {
1042	typeset subnet siteDN j ldapsrv subnet_dom
1043
1044	eval "[[ -n \"\$siteName\" ]]" && return
1045	for subnet in $(getSubnets)
1046	do
1047		ldapsearch -R -T -h $dc $ldap_args \
1048		    -p 3268 -b "" -s sub cn=$subnet dn |grep ^dn|read j subnetDN
1049
1050		[[ -z $subnetDN ]] && continue
1051		subnet_dom=$(dn2dns $subnetDN)
1052		ldapsrv=$(canon_resolve DomainDnsZones.$subnet_dom)
1053		[[ -z $ldapsrv ]] && continue
1054		ldapsearch -R -T -h $ldapsrv $ldap_args \
1055		    -b "$subnetDN" -s base "" siteObject \
1056		    |grep ^siteObject|read j siteDN
1057
1058		[[ -z $siteDN ]] && continue
1059
1060		eval siteName=${siteDN%%,*}
1061		eval siteName=\${siteName#CN=}
1062		return
1063	done
1064}
1065
1066function doKRB5config {
1067	[[ -f $KRB5_CONFIG_FILE ]] && \
1068		cp $KRB5_CONFIG_FILE ${KRB5_CONFIG_FILE}-pre-kclient
1069
1070	[[ -f $KRB5_KEYTAB_FILE ]] && \
1071		cp $KRB5_KEYTAB_FILE ${KRB5_KEYTAB_FILE}-pre-kclient
1072
1073	[[ -s $KRB5_CONFIG ]] && cp $KRB5_CONFIG $KRB5_CONFIG_FILE
1074	[[ -s $KRB5_CONFIG_FILE ]] && chmod 0644 $KRB5_CONFIG_FILE
1075	[[ -s $new_keytab ]] && cp $new_keytab $KRB5_KEYTAB_FILE
1076	[[ -s $KRB5_KEYTAB_FILE ]] && chmod 0600 $KRB5_KEYTAB_FILE
1077}
1078
1079function addDNSRR {
1080	smbFMRI=svc:/network/smb/server:default
1081	ddnsProp=smbd/ddns_enable
1082	enProp=general/enabled
1083
1084	enabled=`svcprop -p $enProp $smbFMRI`
1085	ddns_enable=`svcprop -p $ddnsProp $smbFMRI`
1086
1087	if [[ $enabled == true && $ddns_enable != true ]]; then
1088		printf "$(gettext "Warning: won't create DNS records for client").\n"
1089		printf "$(gettext "%s property not set to 'true' for the %s FMRI").\n" $ddnsProp $smbFMRI
1090		return
1091	fi
1092
1093	# Destroy any existing ccache as GSS_C_NO_CREDENTIAL will pick up any
1094	# residual default credential in the cache.
1095	kdestroy > /dev/null 2>&1
1096
1097	$KDYNDNS -d $1 > /dev/null 2>&1
1098	if [[ $? -ne 0 ]]; then
1099		#
1100		# Non-fatal, we should carry-on as clients may resolve to
1101		# different servers and the client could already exist there.
1102		#
1103		printf "$(gettext "Warning: unable to create DNS records for client").\n"
1104		printf "$(gettext "This could mean that '%s' is not included as a 'nameserver' in the /etc/resolv.conf file or some other type of error").\n" $dc
1105	fi
1106}
1107
1108function setSMB {
1109	typeset domain=$1
1110	typeset server=$2
1111	smbFMRI=svc:/network/smb/server
1112
1113	printf "%s" "$newpw" | $KSMB -d $domain -s $server
1114	if [[ $? -ne 0 ]]; then
1115		printf "$(gettext "Warning: unable to set %s domain, server and password information").\n" $smbFMRI
1116		return
1117	fi
1118
1119	svcadm restart $smbFMRI > /dev/null 2>&1
1120	if [[ $? -ne 0 ]]; then
1121		printf "$(gettext "Warning: unable to restart %s").\n" $smbFMRI
1122	fi
1123}
1124
1125function compareDomains {
1126	typeset oldDom hspn newDom=$1
1127
1128	# If the client has been previously configured in a different
1129	# realm/domain then we need to prompt the user to see if they wish to
1130	# switch domains.
1131	klist -k 2>&1 | grep @ | read j hspn
1132	[[ -z $hspn ]] && return
1133
1134	oldDom=${hspn#*@}
1135	if [[ $oldDom != $newDom ]]; then
1136		printf "$(gettext "The client is currently configured in a different domain").\n"
1137		printf "$(gettext "Currently in the '%s' domain, trying to join the '%s' domain").\n" $oldDom $newDom
1138		query "$(gettext "Do you want the client to join a new domain") ?"
1139		printf "\n"
1140		if [[ $answer != yes ]]; then
1141			printf "$(gettext "Client will not be joined to the new domain").\n" >&2
1142			error_message
1143		fi
1144	fi
1145}
1146
1147function getKDCDC {
1148
1149	getKDC
1150	if [[ -n $kdc ]]; then
1151		KDC=$kdc
1152		dc=$kdc
1153	else
1154		getDC
1155		if [[ -n $dc ]]; then
1156			KDC=$dc
1157		else
1158			printf "$(gettext "Could not find domain controller server for '%s'.  Exiting").\n" $realm >&2
1159			error_message
1160		fi
1161	fi
1162}
1163
1164function gen_rand {
1165	typeset -u hex
1166
1167	dd if=/dev/random bs=1 count=1 2>/dev/null | od -A n -tx1 | read hex
1168
1169	printf %s $((16#$hex))
1170}
1171
1172function join_domain {
1173	typeset -u upcase_nodename
1174	typeset -l locase_nodename
1175	typeset -L15 string15
1176	typeset netbios_nodename fqdn
1177
1178	container=Computers
1179	ldap_args="-o authzid= -o mech=gssapi"
1180	userAccountControlBASE=4096
1181
1182	if [[ -z $ADMIN_PRINC ]]; then
1183		cprinc=Administrator
1184	else
1185		cprinc=$ADMIN_PRINC
1186	fi
1187
1188	if ! discover_domain; then
1189		printf "$(gettext "Can not find realm") '%s'.\n" $realm >&2
1190		error_message
1191	fi
1192
1193	dom=$domain
1194	realm=$domain
1195
1196	if [[ ${#hostname} -gt 15 ]]; then
1197		string15=$hostname
1198		upcase_nodename=$string15
1199		locase_nodename=$string15
1200	else
1201		upcase_nodename=$hostname
1202		locase_nodename=$hostname
1203	fi
1204
1205	netbios_nodename="${upcase_nodename}\$"
1206	fqdn=$hostname.$domain
1207	upn=host/${fqdn}@${realm}
1208
1209	object=$(mktemp -q -t kclient-computer-object.XXXXXX)
1210	if [[ -z $object ]]; then
1211		printf "\n$(gettext "Can not create temporary file, exiting").\n
1212" >&2
1213		error_message
1214        fi
1215
1216	modify_existing=false
1217	recreate=false
1218
1219	DomainDnsZones=$(rev_resolve DomainDnsZones.$dom.)
1220	ForestDnsZones=$(rev_resolve ForestDnsZones.$dom.)
1221
1222	getBaseDN "$container" "$dom"
1223
1224	if [[ -n $KDC ]]; then
1225		dc=$KDC
1226	else
1227		getKDCDC
1228	fi
1229
1230	write_ads_krb5conf
1231
1232	printf "$(gettext "Attempting to join '%s' to the '%s' domain").\n\n" $upcase_nodename $realm
1233
1234	kinit $cprinc@$realm
1235	if [[ $? -ne 0 ]]; then
1236		printf "$(gettext "Could not authenticate %s.  Exiting").\n" $cprinc@$realm >&2
1237		error_message
1238	fi
1239
1240	if getForestName
1241	then
1242		printf "\n$(gettext "Forest name found: %s")\n\n" $forest
1243	else
1244		printf "\n$(gettext "Forest name not found, assuming forest is the domain name").\n"
1245	fi
1246
1247	getGC
1248	getSite
1249
1250	if [[ -z $siteName ]]
1251	then
1252    		printf "$(gettext "Site name not found.  Local DCs/GCs will not be discovered").\n\n"
1253	else
1254    		printf "$(gettext "Looking for _local_ KDCs, DCs and global catalog servers (SRV RRs)").\n"
1255		getKDCDC
1256		getGC
1257
1258		write_ads_krb5conf
1259	fi
1260
1261	if [[ ${#GCs} -eq 0 ]]; then
1262		printf "$(gettext "Could not find global catalogs.  Exiting").\n" >&2
1263		error_message
1264	fi
1265
1266	# Check to see if the client is transitioning between domains.
1267	compareDomains $realm
1268
1269	# Here we check domainFunctionality to see which release:
1270	# 0, 1, 2: Windows 2000, 2003 Interim, 2003 respecitively
1271	# 3: Windows 2008
1272	level=0
1273	ldapsearch -R -T -h "$dc" $ldap_args -b "" -s base "" \
1274	 domainControllerFunctionality| grep ^domainControllerFunctionality| \
1275	 read j level
1276	if [[ $? -ne 0 ]]; then
1277		printf "$(gettext "Search for domain functionality failed, exiting").\n" >&2
1278		error_message
1279	fi
1280
1281	if ldapsearch -R -T -h "$dc" $ldap_args -b "$baseDN" \
1282	    -s sub sAMAccountName="$netbios_nodename" dn > /dev/null 2>&1
1283	then
1284		:
1285	else
1286		printf "$(gettext "Search for node failed, exiting").\n" >&2
1287		error_message
1288	fi
1289	ldapsearch -R -T -h "$dc" $ldap_args -b "$baseDN" -s sub \
1290	    sAMAccountName="$netbios_nodename" dn|grep "^dn:"|read j dn
1291
1292	if [[ -z $dn ]]; then
1293		: # modify_existing is already false, which is what we want.
1294	else
1295		printf "$(gettext "Computer account '%s' already exists in the '%s' domain").\n" $upcase_nodename $realm
1296		query "$(gettext "Do you wish to recreate this computer account") ?"
1297		printf "\n"
1298		if [[ $answer == yes ]]; then
1299			recreate=true
1300		else
1301			modify_existing=true
1302		fi
1303	fi
1304
1305	if [[ $modify_existing == false && -n $dn ]]; then
1306		query "$(gettext "Would you like to delete any sub-object found for this computer account") ?"
1307		if [[ $answer == yes ]]; then
1308			printf "$(gettext "Looking to see if the machine account contains other objects")...\n"
1309			ldapsearch -R -T -h "$dc" $ldap_args -b "$dn" -s sub "" dn | while read j sub_dn
1310			do
1311				[[ $j != dn: || -z $sub_dn || $dn == $sub_dn ]] && continue
1312				if $recreate; then
1313					printf "$(gettext "Deleting the following object: %s")\n" ${sub_dn#$dn}
1314					ldapdelete -h "$dc" $ldap_args "$sub_dn" > /dev/null 2>&1
1315					if [[ $? -ne 0 ]]; then
1316						printf "$(gettext "Error in deleting object: %s").\n" ${sub_dn#$dn}
1317					fi
1318				else
1319					printf "$(gettext "The following object will not be deleted"): %s\n" ${sub_dn#$dn}
1320				fi
1321			done
1322		fi
1323
1324		if $recreate; then
1325			ldapdelete -h "$dc" $ldap_args "$dn" > /dev/null 2>&1
1326			if [[ $? -ne 0 ]]; then
1327				printf "$(gettext "Error in deleting object: %s").\n" ${sub_dn#$dn} >&2
1328				error_message
1329			fi
1330		elif $modify_existing; then
1331			: # Nothing to delete
1332		else
1333			printf "$(gettext "A machine account already exists").\n" >&2
1334			error_message
1335		fi
1336	fi
1337
1338	[[ -z $dn ]] && dn="CN=${upcase_nodename},${baseDN}"
1339	if $modify_existing; then
1340		cat > "$object" <<EOF
1341dn: $dn
1342changetype: modify
1343replace: userPrincipalName
1344userPrincipalName: $upn
1345-
1346replace: servicePrincipalName
1347servicePrincipalName: host/${fqdn}
1348-
1349replace: userAccountControl
1350userAccountControl: $((userAccountControlBASE + 32 + 2))
1351-
1352replace: dNSHostname
1353dNSHostname: ${fqdn}
1354EOF
1355
1356		printf "$(gettext "A machine account already exists; updating it").\n"
1357		ldapadd -h "$dc" $ldap_args -f "$object" > /dev/null 2>&1
1358		if [[ $? -ne 0 ]]; then
1359			printf "$(gettext "Failed to modify the AD object via LDAP").\n" >&2
1360			error_message
1361		fi
1362	else
1363		dn="CN=${upcase_nodename},${baseDN}"
1364		cat > "$object" <<EOF
1365dn: $dn
1366objectClass: computer
1367cn: $upcase_nodename
1368sAMAccountName: ${netbios_nodename}
1369userPrincipalName: $upn
1370servicePrincipalName: host/${fqdn}
1371userAccountControl: $((userAccountControlBASE + 32 + 2))
1372dNSHostname: ${fqdn}
1373EOF
1374
1375		printf "$(gettext "Creating the machine account in AD via LDAP").\n\n"
1376
1377		ldapadd -h "$dc" $ldap_args -f "$object" > /dev/null 2>&1
1378		if [[ $? -ne 0 ]]; then
1379			printf "$(gettext "Failed to create the AD object via LDAP").\n" >&2
1380			error_message
1381		fi
1382	fi
1383
1384	# Generate a new password for the new account
1385	MAX_PASS=120
1386        i=0
1387
1388	# first check to see if /dev/random exists to generate a new password
1389	if [[ ! -e /dev/random ]]; then
1390		printf "$(gettext "/dev/random does not exist").\n" >&2
1391		error_message
1392	fi
1393
1394	while ((MAX_PASS > i))
1395	do
1396		# [MS-DISO] A machine password is an ASCII string of randomly
1397		# chosen characters. Each character's ASCII code is between 32
1398		# and 122 inclusive.
1399		c=$(printf "\\$(printf %o $(($(gen_rand) % 91 + 32)))\n")
1400		p="$p$c"
1401		((i+=1))
1402	done
1403
1404	newpw=$p
1405	if [[ ${#newpw} -ne MAX_PASS ]]; then
1406		printf "$(gettext "Password created was of incorrect length").\n" >&2
1407		error_message
1408	fi
1409
1410	# Set the new password
1411	printf "%s" "$newpw" | $KSETPW ${netbios_nodename}@${realm} > /dev/null 2>&1
1412	if [[ $? -ne 0 ]]
1413	then
1414		printf "$(gettext "Failed to set account password").\n" >&2
1415		error_message
1416	fi
1417
1418	# Lookup the new principal's kvno:
1419	ldapsearch -R -T -h "$dc" $ldap_args -b "$baseDN" \
1420		 -s sub cn=$upcase_nodename msDS-KeyVersionNumber| \
1421		grep "^msDS-KeyVersionNumber"|read j kvno
1422	[[ -z $kvno ]] && kvno=1
1423
1424	# Set supported enctypes.  This only works for Longhorn/Vista, so we
1425	# ignore errors here.
1426	userAccountControl=$((userAccountControlBASE + 524288 + 65536))
1427	set -A enctypes --
1428
1429	# Do we have local support for AES?
1430	encrypt -l|grep ^aes|read j minkeysize maxkeysize
1431	val=
1432	if [[ $maxkeysize -eq 256 ]]; then
1433		val=16
1434		enctypes[${#enctypes[@]}]=aes256-cts-hmac-sha1-96
1435	fi
1436	if [[ $minkeysize -eq 128 ]]; then
1437		((val=val+8))
1438		enctypes[${#enctypes[@]}]=aes128-cts-hmac-sha1-96
1439	fi
1440
1441	# RC4 comes next (whether it's better than 1DES or not -- AD prefers it)
1442	if encrypt -l|grep -q ^arcfour
1443	then
1444		((val=val+4))
1445		enctypes[${#enctypes[@]}]=arcfour-hmac-md5
1446	else
1447		# Use 1DES ONLY if we don't have arcfour
1448		userAccountControl=$((userAccountControl + 2097152))
1449	fi
1450	if encrypt -l | grep -q ^des
1451	then
1452		((val=val+2))
1453		enctypes[${#enctypes[@]}]=des-cbc-md5
1454	fi
1455
1456	if [[ ${#enctypes[@]} -eq 0 ]]
1457	then
1458		printf "$(gettext "No enctypes are supported").\n"
1459		printf "$(gettext "Please enable arcfour or 1DES, then re-join; see cryptoadm(1M)").\n" >&2
1460		error_message
1461	fi
1462
1463	# If domain crontroller is Longhorn or above then set new supported
1464	# encryption type attributes.
1465	if [[ $level -gt 2 ]]; then
1466		cat > "$object" <<EOF
1467dn: $dn
1468changetype: modify
1469replace: msDS-SupportedEncryptionTypes
1470msDS-SupportedEncryptionTypes: $val
1471EOF
1472		ldapmodify -h "$dc" $ldap_args -f "$object" >/dev/null 2>&1
1473		if [[ $? -ne 0 ]]; then
1474			printf "$(gettext "Warning: Could not set the supported encryption type for computer account").\n"
1475		fi
1476	fi
1477
1478	# We should probably check whether arcfour is available, and if not,
1479	# then set the 1DES only flag, but whatever, it's not likely NOT to be
1480	# available on S10/Nevada!
1481
1482	# Reset userAccountControl
1483	#
1484	#  NORMAL_ACCOUNT (512) | DONT_EXPIRE_PASSWORD (65536) |
1485	#  TRUSTED_FOR_DELEGATION (524288)
1486	#
1487	# and possibly UseDesOnly (2097152) (see above)
1488	#
1489	cat > "$object" <<EOF
1490dn: $dn
1491changetype: modify
1492replace: userAccountControl
1493userAccountControl: $userAccountControl
1494EOF
1495	ldapmodify -h "$dc" $ldap_args -f "$object" >/dev/null 2>&1
1496	if [[ $? -ne 0 ]]; then
1497		printf "$(gettext "ldapmodify failed to modify account attribute").\n" >&2
1498		error_message
1499	fi
1500
1501	# Setup a keytab file
1502	set -A args --
1503	for enctype in "${enctypes[@]}"
1504	do
1505		args[${#args[@]}]=-e
1506		args[${#args[@]}]=$enctype
1507	done
1508
1509	rm $new_keytab > /dev/null 2>&1
1510
1511	cat > "$object" <<EOF
1512dn: $dn
1513changetype: modify
1514add: servicePrincipalName
1515servicePrincipalName: nfs/${fqdn}
1516servicePrincipalName: HTTP/${fqdn}
1517servicePrincipalName: root/${fqdn}
1518servicePrincipalName: cifs/${fqdn}
1519servicePrincipalName: host/${upcase_nodename}
1520EOF
1521	ldapmodify -h "$dc" $ldap_args -f "$object" >/dev/null 2>&1
1522	if [[ $? -ne 0 ]]; then
1523		printf "$(gettext "ldapmodify failed to modify account attribute").\n" >&2
1524		error_message
1525	fi
1526
1527	#
1528	# In Windows, unlike MIT based implementations we salt the keys with
1529	# the UPN, which is based on the host/string15@realm elements, not
1530	# with the individual SPN strings.
1531	#
1532	salt=host/${locase_nodename}.${domain}@${realm}
1533
1534	skeys=(host/${fqdn}@${realm} nfs/${fqdn}@${realm} HTTP/${fqdn}@${realm})
1535	skeys+=(root/${fqdn}@${realm} cifs/${fqdn}@${realm})
1536	skeys+=(${netbios_nodename}@${realm} host/${upcase_nodename}@${realm})
1537	skeys+=(cifs/${upcase_nodename}@${realm})
1538
1539	ks_args="-n -s $salt -v $kvno -k $new_keytab ${args[@]}"
1540
1541	for skey in ${skeys[@]}
1542	do
1543		printf "%s" "$newpw" | $KSETPW $ks_args $skey > /dev/null 2>&1
1544		if [[ $? -ne 0 ]]
1545		then
1546			printf "$(gettext "Failed to set password").\n" >&2
1547			error_message
1548		fi
1549	done
1550
1551	doKRB5config
1552
1553	addDNSRR $dom
1554
1555	setSMB $dom $dc
1556
1557	printf -- "---------------------------------------------------\n"
1558	printf "$(gettext "Setup COMPLETE").\n\n"
1559
1560	kdestroy -q 1>$TMP_FILE 2>&1
1561	rm -f $TMP_FILE
1562	rm -rf $TMPDIR > /dev/null 2>&1
1563
1564	exit 0
1565}
1566
1567###########################
1568#	Main section	  #
1569###########################
1570#
1571# Set the Kerberos config file and some default strings/files
1572#
1573KRB5_CONFIG_FILE=/etc/krb5/krb5.conf
1574KRB5_KEYTAB_FILE=/etc/krb5/krb5.keytab
1575RESOLV_CONF_FILE=/etc/resolv.conf
1576
1577KLOOKUP=/usr/lib/krb5/klookup;	check_bin $KLOOKUP
1578KSETPW=/usr/lib/krb5/ksetpw;	check_bin $KSETPW
1579KSMB=/usr/lib/krb5/ksmb;	check_bin $KSMB
1580KDYNDNS=/usr/lib/krb5/kdyndns;	check_bin $KDYNDNS
1581KCONF=/usr/lib/krb5/kconf;	check_bin $KCONF
1582
1583dns_lookup=no
1584ask_fqdns=no
1585adddns=no
1586no_keytab=no
1587checkval=""
1588profile=""
1589typeset -u realm
1590typeset -l hostname KDC
1591
1592export TMPDIR="/var/run/kclient"
1593
1594mkdir $TMPDIR > /dev/null 2>&1
1595if [[ $? -ne 0 ]]; then
1596	printf "\n$(gettext "Can not create directory: %s")\n\n" $TMPDIR >&2
1597	exit 1
1598fi
1599
1600TMP_FILE=$(mktemp -q -t kclient-tmpfile.XXXXXX)
1601export KRB5_CONFIG=$(mktemp -q -t kclient-krb5conf.XXXXXX)
1602export KRB5CCNAME=$(mktemp -q -t kclient-krb5ccache.XXXXXX)
1603new_keytab=$(mktemp -q -t kclient-krb5keytab.XXXXXX)
1604if [[ -z $TMP_FILE || -z $KRB5_CONFIG || -z $KRB5CCNAME || -z $new_keytab ]]
1605then
1606	printf "\n$(gettext "Can not create temporary files, exiting").\n\n" >&2
1607	exit 1
1608fi
1609
1610#
1611# If we are interrupted, cleanup after ourselves
1612#
1613trap "exiting 1" HUP INT QUIT TERM
1614
1615if [[ -d /usr/bin ]]; then
1616	if [[ -d /usr/sbin ]]; then
1617		PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH
1618		export PATH
1619	else
1620		printf "\n$(gettext "Directory /usr/sbin not found, exiting").\n" >&2
1621		exit 1
1622	fi
1623else
1624	printf "\n$(gettext "Directory /usr/bin not found, exiting").\n" >&2
1625	exit 1
1626fi
1627
1628printf "\n$(gettext "Starting client setup")\n\n"
1629printf -- "---------------------------------------------------\n"
1630
1631#
1632# Check for uid 0, disallow otherwise
1633#
1634id 1>$TMP_FILE 2>&1
1635if [[ $? -eq 0 ]]; then
1636	if egrep -s "uid=0\(root\)" $TMP_FILE; then
1637		# uid is 0, go ahead ...
1638		:
1639	else
1640		printf "\n$(gettext "Administrative privileges are required to run this script, exiting").\n" >&2
1641		error_message
1642	fi
1643else
1644	cat $TMP_FILE;
1645	printf "\n$(gettext "uid check failed, exiting").\n" >&2
1646	error_message
1647fi
1648
1649uname=$(uname -n)
1650hostname=${uname%%.*}
1651
1652#
1653# Process the command-line arguments (if any)
1654#
1655OPTIND=1
1656while getopts nD:Kp:R:k:a:c:d:f:h:m:s:T: OPTIONS
1657do
1658	case $OPTIONS in
1659	    D) options="$options -D"
1660	       domain_list="$OPTARG"
1661	       ;;
1662	    K) options="$options -K"
1663	       no_keytab=yes
1664	       ;;
1665	    R) options="$options -R"
1666	       realm="$OPTARG"
1667	       checkval="REALM"; check_value $realm
1668	       ;;
1669	    T) options="$options -T"
1670	       type="$OPTARG"
1671	       if [[ $type == ms_ad ]]; then
1672		msad=yes
1673		adddns=yes
1674	       else
1675		non_solaris=yes
1676		no_keytab=yes
1677	       fi
1678	       ;;
1679	    a) options="$options -a"
1680	       ADMIN_PRINC="$OPTARG"
1681	       checkval="ADMIN_PRINC"; check_value $ADMIN_PRINC
1682	       ;;
1683	    c) options="$options -c"
1684	       filepath="$OPTARG"
1685	       ;;
1686	    d) options="$options -d"
1687	       dnsarg="$OPTARG"
1688	       checkval="DNS_OPTIONS"; check_value $dnsarg
1689	       ;;
1690	    f) options="$options -f"
1691	       fqdnlist="$OPTARG"
1692 	       ;;
1693	    h) options="$options -h"
1694	       logical_hn="$OPTARG"
1695	       checkval="LOGICAL_HOSTNAME"; check_value $logical_hn
1696	       ;;
1697	    k) options="$options -k"
1698	       kdc_list="$OPTARG"
1699	       ;;
1700	    m) options="$options -m"
1701	       KDC="$OPTARG"
1702	       checkval="KDC"; check_value $KDC
1703	       ;;
1704	    n) options="$options -n"
1705	       add_nfs=yes
1706	       ;;
1707	    p) options="$options -p"
1708	       profile="$OPTARG"
1709	       read_profile $profile
1710	       ;;
1711	    s) options="$options -s"
1712	       svc_list="$OPTARG"
1713	       SVCs=${svc_list//,/ }
1714 	       ;;
1715	    \?) usage
1716	       ;;
1717	    *) usage
1718	       ;;
1719	esac
1720done
1721
1722#correct argument count after options
1723shift `expr $OPTIND - 1`
1724
1725if [[ -z $options ]]; then
1726	:
1727else
1728	if [[ $# -ne 0 ]]; then
1729		usage
1730	fi
1731fi
1732
1733#
1734# Check to see if we will be a client of a MIT, Heimdal, Shishi, etc.
1735#
1736if [[ -z $options ]]; then
1737	query "$(gettext "Is this a client of a non-Solaris KDC") ?"
1738	non_solaris=$answer
1739	if [[ $non_solaris == yes ]]; then
1740		printf "$(gettext "Which type of KDC is the server"):\n"
1741		printf "\t$(gettext "ms_ad: Microsoft Active Directory")\n"
1742		printf "\t$(gettext "mit: MIT KDC server")\n"
1743		printf "\t$(gettext "heimdal: Heimdal KDC server")\n"
1744		printf "\t$(gettext "shishi: Shishi KDC server")\n"
1745		printf "$(gettext "Enter required KDC type"): "
1746		read kdctype
1747		if [[ $kdctype == ms_ad ]]; then
1748			msad=yes
1749		elif [[ $kdctype == mit || $kdctype == heimdal || \
1750		    $kdctype == shishi ]]; then
1751			no_keytab=yes
1752		else
1753			printf "\n$(gettext "Invalid KDC type option, valid types are ms_ad, mit, heimdal, or shishi, exiting").\n" >&2
1754			error_message
1755		fi
1756	fi
1757fi
1758
1759[[ $msad == yes ]] && join_domain
1760
1761#
1762# Check for /etc/resolv.conf
1763#
1764if [[ -r $RESOLV_CONF_FILE ]]; then
1765	client_machine=`$KLOOKUP`
1766
1767	if [[ $? -ne 0 ]]; then
1768		if [[ $adddns == no ]]; then
1769			printf "\n$(gettext "%s does not have a DNS record and is required for Kerberos setup")\n" $hostname >&2
1770			error_message
1771		fi
1772
1773	else
1774		#
1775		# If client entry already exists then do not recreate it
1776		#
1777		adddns=no
1778
1779		hostname=${client_machine%%.*}
1780		domain=${client_machine#*.}
1781	fi
1782
1783	short_fqdn=${domain#*.*}
1784	short_fqdn=$(echo $short_fqdn | grep "\.")
1785else
1786	#
1787	# /etc/resolv.conf not present, exit ...
1788	#
1789	printf "\n$(gettext "%s does not exist and is required for Kerberos setup")\n" $RESOLV_CONF_FILE >&2
1790	printf "$(gettext "Refer to resolv.conf(4), exiting").\n" >&2
1791	error_message
1792fi
1793
1794check_nss_conf || printf "$(gettext "/etc/nsswitch.conf does not make use of DNS for hosts and/or ipnodes").\n"
1795
1796[[ -n $fqdnlist ]] && verify_fqdnlist "$fqdnlist"
1797
1798if [[ -z $dnsarg && (-z $options || -z $filepath) ]]; then
1799	query "$(gettext "Do you want to use DNS for kerberos lookups") ?"
1800	if [[ $answer == yes ]]; then
1801		printf "\n$(gettext "Valid DNS lookup options are dns_lookup_kdc, dns_lookup_realm,\nand dns_fallback. Refer krb5.conf(4) for further details").\n"
1802		printf "\n$(gettext "Enter required DNS option"): "
1803		read dnsarg
1804		checkval="DNS_OPTIONS"; check_value $dnsarg
1805		set_dns_value $dnsarg
1806	fi
1807else
1808	[[ -z $dnsarg ]] && dnsarg=none
1809	set_dns_value $dnsarg
1810fi
1811
1812if [[ -n $kdc_list ]]; then
1813	if [[ -z $KDC ]]; then
1814		for kdc in $kdc_list; do
1815			break
1816		done
1817		KDC="$kdc"
1818	fi
1819fi
1820
1821if [[ -z $realm ]]; then
1822	printf "$(gettext "Enter the Kerberos realm"): "
1823	read realm
1824	checkval="REALM"; check_value $realm
1825fi
1826if [[ -z $KDC ]]; then
1827	printf "$(gettext "Specify the master KDC hostname for the above realm"): "
1828	read KDC
1829	checkval="KDC"; check_value $KDC
1830fi
1831
1832FKDC=`$KLOOKUP $KDC`
1833
1834#
1835# Ping to see if the kdc is alive !
1836#
1837ping_check $FKDC "KDC"
1838
1839if [[ -z $kdc_list && (-z $options || -z $filepath) ]]; then
1840	query "$(gettext "Do you have any slave KDC(s)") ?"
1841	if [[ $answer == yes ]]; then
1842		printf "$(gettext "Enter a comma-separated list of slave KDC host names"): "
1843		read kdc_list
1844	fi
1845fi
1846
1847[[ -n $kdc_list ]] && verify_kdcs "$kdc_list"
1848
1849#
1850# Check to see if we will have a dynamic presence in the realm
1851#
1852if [[ -z $options ]]; then
1853	query "$(gettext "Will this client need service keys") ?"
1854	if [[ $answer == no ]]; then
1855		no_keytab=yes
1856	fi
1857fi
1858
1859#
1860# Check to see if we are configuring the client to use a logical host name
1861# of a cluster environment
1862#
1863if [[ -z $options ]]; then
1864	query "$(gettext "Is this client a member of a cluster that uses a logical host name") ?"
1865	if [[ $answer == yes ]]; then
1866		printf "$(gettext "Specify the logical hostname of the cluster"): "
1867		read logical_hn
1868		checkval="LOGICAL_HOSTNAME"; check_value $logical_hn
1869		setup_lhn
1870	fi
1871fi
1872
1873if [[ -n $domain_list && (-z $options || -z $filepath) ]]; then
1874	query "$(gettext "Do you have multiple domains/hosts to map to realm %s"
1875) ?" $realm
1876	if [[ $answer == yes ]]; then
1877		printf "$(gettext "Enter a comma-separated list of domain/hosts
1878to map to the default realm"): "
1879		read domain_list
1880	fi
1881fi
1882[[ -n domain_list ]] && domain_list=${domain_list//,/ }
1883
1884#
1885# Start writing up the krb5.conf file, save the existing one
1886# if already present
1887#
1888writeup_krb5_conf
1889
1890#
1891# Is this client going to use krb-nfs?  If so then we need to at least
1892# uncomment the krb5* sec flavors in nfssec.conf.
1893#
1894if [[ -z $options ]]; then
1895	query "$(gettext "Do you plan on doing Kerberized nfs") ?"
1896	add_nfs=$answer
1897fi
1898
1899if [[ $add_nfs == yes ]]; then
1900	modify_nfssec_conf
1901
1902	#
1903	# We also want to enable gss as we now live in a SBD world
1904	#
1905	svcadm enable svc:/network/rpc/gss:default
1906	[[ $? -ne 0 ]] && printf "$(gettext "Warning: could not enable gss service").\n"
1907fi
1908
1909if [[ -z $options ]]; then
1910	query "$(gettext "Do you want to update /etc/pam.conf") ?"
1911	if [[ $answer == yes ]]; then
1912		printf "$(gettext "Enter a list of PAM service names in the following format: service:{first|only|optional}[,..]"): "
1913		read svc_list
1914		SVCs=${svc_list//,/ }
1915	fi
1916fi
1917[[ -n $svc_list ]] && update_pam_conf
1918
1919#
1920# Copy over krb5.conf master copy from filepath
1921#
1922if [[ -z $options || -z $filepath ]]; then
1923	query "$(gettext "Do you want to copy over the master krb5.conf file") ?"
1924	if [[ $answer == yes ]]; then
1925		printf "$(gettext "Enter the pathname of the file to be copied"): "
1926		read filepath
1927	fi
1928fi
1929
1930if [[ -n $filepath && -r $filepath ]]; then
1931	cp $filepath $KRB5_CONFIG
1932	if [[ $? -eq 0 ]]; then
1933		printf "$(gettext "Copied %s to %s").\n" $filepath $KRB5_CONFIG
1934	else
1935		printf "$(gettext "Copy of %s failed, exiting").\n" $filepath >&2
1936		error_message
1937	fi
1938elif [[ -n $filepath ]]; then
1939	printf "\n$(gettext "%s not found, exiting").\n" $filepath >&2
1940	error_message
1941fi
1942
1943doKRB5config
1944
1945#
1946# Populate any service keys needed for the client in the keytab file
1947#
1948if [[ $no_keytab != yes ]]; then
1949	setup_keytab
1950else
1951	printf "\n$(gettext "Note: %s file not created, please refer to verify_ap_req_nofail in krb5.conf(4) for the implications").\n" $KRB5_KEYTAB_FILE
1952	printf "$(gettext "Client will also not be able to host services that use Kerberos").\n"
1953fi
1954
1955printf -- "\n---------------------------------------------------\n"
1956printf "$(gettext "Setup COMPLETE").\n\n"
1957
1958#
1959# If we have configured the client in a cluster we need to remind the user
1960# to propagate the keytab and configuration files to the other members.
1961#
1962if [[ -n $logical_hn ]]; then
1963	printf "\n$(gettext "Note, you will need to securely transfer the /etc/krb5/krb5.keytab and /etc/krb5/krb5.conf files to all the other members of your cluster").\n"
1964fi
1965
1966#
1967# Cleanup.
1968#
1969kdestroy -q 1>$TMP_FILE 2>&1
1970rm -f $TMP_FILE
1971rm -rf $TMPDIR > /dev/null 2>&1
1972exit 0
1973