xref: /illumos-gate/usr/src/cmd/krb5/kadmin/kdcmgr/kdcmgr.sh (revision 2707a226168717ec0ca29abd7fef59989493d3d4)
1#!/usr/bin/ksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23# Use is subject to license terms.
24#
25# ident	"%Z%%M%	%I%	%E% SMI"
26
27#
# This command provides a simple interface to configure, destroy, and to obtain
29# the status of a master or slave Kerberos KDC server.
30#
31
function usage {

	# Print the synopsis and option summary, then leave through cleanup
	# (which removes the scratch files and exits with status 1 -- so even
	# "-h" ends with a non-zero exit).
	typeset app
	app=$(basename "$0")

	printf "\n$(gettext "Usage: %s [ -a admprincipal ] [ -e enctype ] [ -h ]")\n" "$app"
	printf "\t$(gettext "[ -p pwfile ] [ -r realm ] subcommand")\n\n"

	printf "\t$(gettext "-a: Create non-default admin principal.")\n"
	printf "\t$(gettext "-e: Encryption type used to encrypt the master key")\n"
	printf "\t$(gettext "-h: This help message.")\n"
	printf "\t$(gettext "-p: File that contains the admin principal and master key password.")\n"
	printf "\t$(gettext "-r: Set the default realm for this server.")\n\n"

	printf "\t$(gettext "where 'subcommand' is one of the following:")\n\n"

	printf "\t$(gettext "create [ master ]")\n"
	printf "\t$(gettext "create [ -m masterkdc ] slave")\n"
	printf "\t$(gettext "destroy")\n"
	printf "\t$(gettext "status")\n\n"

	cleanup
}
54
function ask {

	# Prompt with $1 (plus "[$2]: " when a default is given) and read one
	# line into the global "answer"; an empty reply yields the default.
	# ksh print interprets backslash escapes anywhere in its arguments, so
	# the trailing "\c" suppresses the newline -- and a "\c" that a caller
	# embeds in the question text itself (see query's callers in the main
	# script) ends the prompt at that point, before "[y/n]" is shown.
	typeset question=$1 default_answer=$2
	if [[ -z $default_answer ]]; then
		print "$question \c"
	else
		print "$question [$default_answer]: \c"
	fi
	# No -r: backslashes in the reply are interpreted by read.
	read answer
	[ -z "$answer" ] && answer="$default_answer"
}
67
function yesno {

	# Keep asking $1 until the reply is one of the (localised) forms of
	# yes or no; leaves "yes" or "no" in the global "answer".
	typeset question="$1"
	typeset yn y n yes no

	answer=
	yn=$(printf "$(gettext "y/n")")
	y=$(printf "$(gettext "y")")
	n=$(printf "$(gettext "n")")
	yes=$(printf "$(gettext "yes")")
	no=$(printf "$(gettext "no")")

	until [[ -n $answer ]]; do
		ask "$question" $yn
		case $answer in
			$y|$yes)	answer=yes;;
			$n|$no)		answer=no;;
			*)		answer=;;	# anything else: ask again
		esac
	done
}
88
function query {

	# Ask a yes/no question (all arguments joined); on "no" just report
	# that nothing was done.  The reply stays in the global "answer".
	yesno "$*"
	[[ $answer = no ]] && printf "\t$(gettext "No action performed").\n"
	return 0
}
96
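function cleanup {

	# Failure exit used by every error path: destroy the scratch
	# credential cache (it may hold admin credentials on a slave), remove
	# both scratch files and exit 1.  The signal trap in the main script
	# removes the same two files; this path used to remove only TMP_FILE,
	# leaving the ccache file behind whenever kdestroy could not clean it
	# up (e.g. it was never populated).
	kdestroy -q -c "$TMP_CCACHE" 1>"$TMP_FILE" 2>&1
	rm -f "$TMP_FILE" "$TMP_CCACHE"
	exit 1
}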
103
function error_message {

	# Common fatal path: print the failure banner and leave via cleanup
	# (scratch files removed, exit status 1).  Never returns.
	printf "---------------------------------------------------\n$(gettext "Setup FAILED").\n\n"
	cleanup
}
111
function check_bin {

	# Abort setup (error_message) unless $1 names an executable.
	typeset bin="$1"

	[[ -x $bin ]] && return 0

	printf "$(gettext "Could not access/execute %s").\n" "$bin"
	error_message
}
121
function check_ret {

	# $1 is a command's exit status, $2 the program name for the message.
	# Anything but 0 is fatal (error_message exits).
	typeset -i ret=$1
	typeset prog="$2"

	(( ret == 0 )) && return 0

	printf "\n$(gettext "%s failed with return value %d, exiting").\n\n" "$prog" "$ret"
	error_message
}
132
133
function ok_to_proceed {

	# Ask a yes/no question; "no" prints a notice and exits via cleanup,
	# "yes" simply returns.
	yesno "$@"

	[[ $answer = no ]] || return 0

	printf "\n$(gettext "Exiting, no action performed")\n\n"
	cleanup
}
143
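function check_value {

	# Validate one user-supplied value (realm, admin principal, master
	# host name) before it is spliced into configuration files via printf
	# format strings (setup_kdc_conf, setup_krb_conf, setup_kadm5acl) and
	# into kadmin "-q" command lines (setup_mkeytab).  The caller names the
	# value in the global "checkval" for the messages.  An empty value, or
	# one containing characters the shell, printf or kadmin's query parser
	# would interpret, is fatal (error_message exits).  The original only
	# rejected "*$^#!"; '%', '\', quotes, ';', backquote and whitespace are
	# now rejected too, and the check is done in-shell instead of
	# round-tripping the value through the scratch file.
	typeset arg="$1"
	typeset ws=" 	"	# space and tab

	if [[ -z $arg ]]; then
		printf "\n$(gettext "No input obtained for %s, exiting").\n" "$checkval"
		error_message
		return
	fi

	case $arg in
	*[\*\$^#!%\\\;\"\'\`]*|*[$ws]*)
		printf "\n$(gettext "Invalid input obtained for %s, exiting").\n" "$checkval"
		error_message
		;;
	esac
}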
159
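function setup_kdc_conf {

	# Write $KRB5_KDC_CONF for this realm from the script's globals
	# (REALM, ENCTYPE, PRINCDB, KADM5KT, KADM5ACL, KRB5_KRB_CONF and the
	# master/slave flags).  An existing file is copied to "$file.sav"
	# first.  REALM and ENCTYPE come from the user (-r/-e or prompts), so
	# they are handed to printf as %s arguments instead of being spliced
	# into the format string, where a stray '%' or '\' would be
	# interpreted.  Output is identical to the original for clean input.
	typeset conf="$KRB5_KDC_CONF"

	printf "\n$(gettext "Setting up %s").\n" "$conf"

	if [[ -r $conf ]]; then
		cat "$conf" > "$conf.sav"
		cannot_create "$conf.sav" $?
	fi

	# NOTE: ksh may exit the script outright when an exec redirection
	# fails, so the explicit check below only helps in shells that
	# continue past the failure.
	exec 3>"$conf"
	if [[ $? -ne 0 ]]; then
		printf "\n$(gettext "Cannot write to %s, exiting").\n" "$conf"
		error_message
	fi

	{
		printf "\n[kdcdefaults]\n\tkdc_ports = 88,750\n\n"
		printf "[realms]\n\t%s = {\n" "$REALM"
		printf "\t\tprofile = %s\n" "$KRB5_KRB_CONF"
		printf "\t\tdatabase_name = %s\n" "$PRINCDB"
		printf "\t\tmaster_key_type = %s\n" "$ENCTYPE"
		printf "\t\tadmin_keytab = %s\n" "$KADM5KT"
		printf "\t\tacl_file = %s\n" "$KADM5ACL"
		printf "\t\tkadmind_port = 749\n"
		printf "\t\tmax_life = 8h 0m 0s\n"
		printf "\t\tmax_renewable_life = 7d 0h 0m 0s\n"
		# Every new principal requires pre-authentication by default.
		printf "\t\tdefault_principal_flags = +preauth\n"

		# Solaris incremental database propagation settings: the
		# master keeps an update log, a slave polls the master.
		printf "\t\tsunw_dbprop_enable = true\n"
		[[ $master = yes ]] && printf "\t\tsunw_dbprop_master_ulogsize = 1000\n"
		[[ $slave = yes ]] && printf "\t\tsunw_dbprop_slave_poll = 2m\n"

		printf "\t}\n"
	} 1>&3
	exec 3>&-
}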
197
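function setup_krb_conf {

	# Write $KRB5_KRB_CONF (the client-side krb5.conf) for this realm from
	# the globals REALM, fqhn, master_hn, domain and the master/slave
	# flags.  An existing file is copied to "$file.sav" first.  User
	# supplied values go to printf as %s arguments rather than into the
	# format string; output is identical to the original for clean input.
	typeset conf="$KRB5_KRB_CONF"

	printf "\n$(gettext "Setting up %s").\n" "$conf"

	if [[ -r $conf ]]; then
		cat "$conf" > "$conf.sav"
		cannot_create "$conf.sav" $?
	fi

	# NOTE: ksh may exit the script outright when an exec redirection
	# fails; the explicit check only helps in shells that continue.
	exec 3>"$conf"
	if [[ $? -ne 0 ]]; then
		printf "\n$(gettext "Cannot write to %s, exiting").\n" "$conf"
		error_message
	fi

	{
		printf "[libdefaults]\n"
		printf "\tdefault_realm = %s\n\n" "$REALM"

		printf "[realms]\n"
		printf "\t%s = {\n" "$REALM"
		# A slave lists the master KDC ahead of itself; the admin
		# server is this host on a master, the master otherwise.
		[[ $slave = yes ]] && printf "\t\tkdc = %s\n" "$master_hn"
		printf "\t\tkdc = %s\n" "$fqhn"
		if [[ $master = yes ]]; then
			printf "\t\tadmin_server = %s\n" "$fqhn"
		else
			printf "\t\tadmin_server = %s\n" "$master_hn"
		fi
		printf "\t}\n\n"

		printf "[domain_realm]\n"
		printf "\t.%s = %s\n\n" "$domain" "$REALM"

		printf "[logging]\n"
		printf "\tdefault = FILE:/var/krb5/kdc.log\n"
		printf "\tkdc = FILE:/var/krb5/kdc.log\n"
		printf "\tkdc_rotate = {\n\t\tperiod = 1d\n\t\tversions = 10\n\t}\n\n"

		# kinit on this host defaults to renewable AND forwardable
		# tickets for everyone; sites that do not want forwardable
		# TGTs handed out by default should revisit this.
		printf "[appdefaults]\n"
		printf "\tkinit = {\n\t\trenewable = true\n\t\tforwardable = true\n"
		printf "\t}\n"
	} 1>&3
	exec 3>&-
}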
241
function cannot_create {

	# $1 is a file name, $2 the exit status of the command that tried to
	# create it; a non-zero status is fatal (error_message exits).
	typeset filename="$1"
	typeset stat="$2"

	[[ $stat -eq 0 ]] && return 0

	printf "\n$(gettext "Cannot create/edit %s, exiting").\n" "$filename"
	error_message
}
251
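function check_admin {

	# Ensure the global ADMIN_PRINC holds an admin principal of the form
	# "name/admin".  If it is empty (no -a option) prompt with $1 -- a
	# printf format, so callers' "\n"/"\c" are honoured -- and read it.
	# The value is then validated by check_value whether it was prompted
	# for or came from -a (the original checked only the prompted value).
	# A bare "name" gets "/admin" appended; a name with any other instance
	# component is rejected (error_message exits).  As before, "/admin"
	# is accepted anywhere in the string, not only as a suffix.
	typeset message="$1"

	if [[ -z $ADMIN_PRINC ]]; then
		printf "$message"
		read ADMIN_PRINC
	fi
	checkval="ADMIN_PRINC"; check_value "$ADMIN_PRINC"

	case $ADMIN_PRINC in
	*/admin*)
		# Already carries the /admin instance.
		;;
	*/*)
		printf "\n$(gettext "Improper entry for krb5 admin principal, exiting").\n"
		error_message
		;;
	*)
		ADMIN_PRINC="$ADMIN_PRINC/admin"
		;;
	esac
}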
277
function ping_check {

	# Abort (error_message) unless $PING can reach host $1.  This is a
	# liveness probe only; it does not authenticate the host in any way.
	# NOTE(review): the message takes two %s but "$string" is never
	# assigned anywhere in this script, so the host name lands in the
	# first slot and the second is left blank.
	typeset machine="$1"

	$PING $machine > /dev/null 2>&1 && return 0

	printf "\n$(gettext "%s %s is unreachable, exiting").\n" $string $machine
	error_message
}
289
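function check_host {

	# Normalise the global "host" (lower-cased) into a fully qualified
	# host name and make sure it answers a ping.  "somehost.example.com"
	# style names are kept; a bare "somehost" gets ".$domain" appended;
	# anything else containing a dot (leading, trailing or doubled dots)
	# is rejected via error_message.  Globals: host (read/written),
	# domain (read).
	typeset head tail

	host=$(echo "$host" | tr '[A-Z]' '[a-z]')

	head=${host%.*}		# everything before the last dot
	tail=${host##*.}	# everything after the last dot

	# Same test as the old egrep '[^.]\.[^.]+$': the last dot must be
	# preceded by a non-dot and followed by at least one non-dot.
	if [[ $host = *.* && -n $head && $head != *. && -n $tail ]]; then
		:	# already an FQHN
	elif [[ $host = *.* ]]; then
		# The original left out the %s argument here and printed ''.
		printf "\n$(gettext "Improper format of host name: '%s'").\n" "$host"
		printf "$(gettext "Expecting the following format: 'somehost.example.com' or 'somehost', exiting").\n"
		error_message
	else
		# Attach the local domain to get the fully qualified name.
		host="$host.$domain"
	fi

	# Ping to see if the host is alive (reachability only).
	ping_check "$host"
}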
315
function kill_daemons {

	# Stop the KDC services through SMF first (synchronously, -s) so a
	# following configuration change does not send them into maintenance,
	# then make sure no instance started outside SMF is left running.
	# pkill exits 1 when nothing matched, which is fine here; anything
	# above 1 is a real error.  All failures are fatal (error_message).
	$SVCADM disable -s krb5kdc || {
		printf "\n$(gettext "Error in disabling krb5kdc, exiting").\n"
		error_message
	}
	$SVCADM disable -s kadmin || {
		printf "\n$(gettext "Error in disabling kadmind, exiting").\n"
		error_message
	}
	$SVCADM disable -s krb5_prop || {
		printf "\n$(gettext "Error in disabling kpropd, exiting").\n"
		error_message
	}

	pkill kadmind
	(( $? > 1 )) && {
		printf "\n$(gettext "Error in killing kadmind, exiting").\n"
		error_message
	}
	pkill krb5kdc
	(( $? > 1 )) && {
		printf "\n$(gettext "Error in killing krb5kdc, exiting").\n"
		error_message
	}
	pkill kpropd
	(( $? > 1 )) && {
		printf "\n$(gettext "Error in killing kpropd, exiting").\n"
		error_message
	}
	return 0
}
352
function setup_mkeytab {

	# Master side: create the admin principal, then the service keys
	# kadmind and incremental propagation need, plus this host's own
	# principal.  Every kadmin.local step goes through check_ret, which
	# exits on failure.
	typeset q

	check_admin "\n$(gettext "Enter the krb5 administrative principal to be created"): \c"

	# kadmin.local "ank" prompts for the new password and its
	# confirmation; in unattended mode the password file is fed to it
	# twice on stdin for that reason.  Nothing secret is passed on argv.
	if [[ -z $PWFILE ]]; then
		echo
		$KADMINL -q "ank $ADMIN_PRINC"
		check_ret $? $KADMINL
	else
		cat $PWFILE $PWFILE | $KADMINL -q "ank $ADMIN_PRINC" > /dev/null 2>&1
		check_ret $? $KADMINL
	fi

	# Keys for kadmin/<host>, changepw/<host>, kadmin/changepw (Horowitz
	# change-password protocol) and kiprop/<host> go into the kadmind
	# keytab $KADM5KT; host/<host> is created with a random key and added
	# to kadmin's default keytab (no -k).  Order matters: the host
	# principal must exist before its key can be extracted.
	for q in \
	    "ktadd -k $KADM5KT kadmin/$fqhn" \
	    "ktadd -k $KADM5KT changepw/$fqhn" \
	    "ktadd -k $KADM5KT kadmin/changepw" \
	    "ktadd -k $KADM5KT kiprop/$fqhn" \
	    "ank -randkey host/$fqhn" \
	    "ktadd host/$fqhn"
	do
		$KADMINL -q "$q" 1>$TMP_FILE 2>&1
		check_ret $? $KADMINL
	done
}
383
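function setup_skeytab {

	# Slave side: use the admin principal (prompted for unless -a given)
	# to obtain a kadmin service ticket from the master, create this
	# host's kiprop/ and host/ principals with random keys and store them
	# in the local keytab, then discard the credentials.  Every kadmin
	# step goes through check_ret, which exits on failure.
	check_admin "\n$(gettext "Enter the krb5 administrative principal to be used"): \c"

	printf "$(gettext "Obtaining TGT for %s") ...\n" "$ADMIN_PRINC"

	# Credentials go into the scratch cache TMP_CCACHE, not the default
	# cache.  Unattended, the password is read from the password file on
	# stdin -- never passed on argv.
	if [[ -z $PWFILE ]]; then
		kinit -c "$TMP_CCACHE" -S kadmin/$master_hn "$ADMIN_PRINC"
		check_ret $? kinit
	else
		cat "$PWFILE" | kinit -c "$TMP_CCACHE" -S kadmin/$master_hn \
			"$ADMIN_PRINC" > /dev/null 2>&1
	fi

	# kinit's status is not checked in the unattended branch; instead the
	# cache is inspected for a kadmin/<master> ticket.  NOTE: matching
	# klist's "Valid starting" header assumes klist prints the same
	# translation gettext returns here.
	klist -c "$TMP_CCACHE" 1>"$TMP_FILE" 2>&1
	if egrep -s "$(gettext "Valid starting")" "$TMP_FILE" && \
	   egrep -s "kadmin/$master_hn@$REALM" "$TMP_FILE"; then
		:
	else
		printf "\n$(gettext "kinit of %s failed, exiting").\n" "$ADMIN_PRINC"
		error_message
	fi

	$KADMIN -c "$TMP_CCACHE" -q "ank -randkey kiprop/$fqhn" 1>"$TMP_FILE" 2>&1
	check_ret $? $KADMIN
	$KADMIN -c "$TMP_CCACHE" -q "ktadd kiprop/$fqhn" 1>"$TMP_FILE" 2>&1
	check_ret $? $KADMIN

	$KADMIN -c "$TMP_CCACHE" -q "ank -randkey host/$fqhn" 1>"$TMP_FILE" 2>&1
	check_ret $? $KADMIN
	$KADMIN -c "$TMP_CCACHE" -q "ktadd host/$fqhn" 1>"$TMP_FILE" 2>&1
	check_ret $? $KADMIN

	# Drop the admin credentials now that the keys are in place.  (The
	# original passed the unset variable "$kdestroy" as the program name,
	# leaving it blank in check_ret's failure message.)
	kdestroy -q -c "$TMP_CCACHE" 1>"$TMP_FILE" 2>&1
	check_ret $? kdestroy
}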
419
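function setup_kadm5acl {

	# Write $KADM5ACL.  On a master the admin principal gets the "acmil"
	# permission set (not the full "*") and kiprop/* gets "p"; on a slave
	# a placeholder line is written whose "___default_realm___" token is
	# what kadm5_acl_configed (and, per setup_slave, the SMF start
	# methods) use to tell a slave from a configured master.  An existing
	# file is copied to "$file.sav" first.  ADMIN_PRINC and REALM are user
	# supplied, so they are passed to printf as %s arguments.
	typeset acl="$KADM5ACL"

	printf "\n$(gettext "Setting up %s").\n" "$acl"

	if [[ -r $acl ]]; then
		cat "$acl" > "$acl.sav"
		cannot_create "$acl.sav" $?
	fi

	# NOTE: ksh may exit the script outright when an exec redirection
	# fails; the explicit check only helps in shells that continue.
	exec 3>"$acl"
	if [[ $? -ne 0 ]]; then
		printf "\n$(gettext "Cannot write to %s, exiting").\n" "$acl"
		error_message
	fi

	{
		if [[ $master = yes ]]; then
			printf "\n%s@%s\t\tacmil\n" "$ADMIN_PRINC" "$REALM"
			printf "\nkiprop/*@%s\t\tp\n" "$REALM"
		else
			printf "\n*/admin@___default_realm___\t\t*\n"
		fi
	} 1>&3
	exec 3>&-
}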
442
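function setup_kpropdacl {

	# Write $KPROPACL (slave only) with a single entry: the master KDC's
	# host principal, i.e. the one peer kpropd should accept database
	# propagation from.  An existing file is copied to "$file.sav" first.
	# master_hn and REALM are user supplied, so they go to printf as %s
	# arguments rather than into the format string.
	typeset acl="$KPROPACL"

	printf "\n$(gettext "Setting up %s").\n\n" "$acl"

	if [[ -r $acl ]]; then
		cat "$acl" > "$acl.sav"
		cannot_create "$acl.sav" $?
	fi

	# NOTE: ksh may exit the script outright when an exec redirection
	# fails; the explicit check only helps in shells that continue.
	exec 3>"$acl"
	if [[ $? -ne 0 ]]; then
		printf "\n$(gettext "Cannot write to %s, exiting").\n" "$acl"
		error_message
	fi

	printf "\nhost/%s@%s\n" "$master_hn" "$REALM" 1>&3
	exec 3>&-
}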
459
function setup_master {

	# Master side: create the principal database, then the admin
	# principal and keytabs (setup_mkeytab) and kadm5.acl, and enable the
	# KDC and kadmind services (-r: with dependencies, -s: wait).
	#
	# kdb5_util create prompts for the master password and a
	# confirmation; unattended, the password file is fed to it twice on
	# stdin.  Nothing secret is passed on argv.  NOTE(review): no "-s" is
	# given, so whether a stash file is written depends on kdb5_util's
	# default here; status_kdc later reports a missing stash.
	if [[ -n $PWFILE ]]; then
		cat $PWFILE $PWFILE | kdb5_util create > /dev/null
	else
		echo
		kdb5_util create
	fi
	check_ret $? kdb5_util

	setup_mkeytab
	setup_kadm5acl

	$SVCADM enable -r -s krb5kdc
	$SVCADM enable -r -s kadmin
}
478
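function setup_slave {

	# Slave side: fetch service keys from the master (setup_skeytab),
	# write the slave placeholder kadm5.acl and the kpropd.acl, start the
	# propagation service, wait for the master to push the database,
	# create the stash file and finally start the KDC.
	typeset -i count=1

	setup_skeytab

	# Clear the kadm5acl, since the start methods look at this file
	# to see if the server has been configured as a master server
	setup_kadm5acl

	setup_kpropdacl

	$SVCADM enable -r -s krb5_prop

	# Wait for full propagation of the database; in some environments
	# this takes a few seconds.  Poll up to LOOPCNT times, SLEEPTIME
	# seconds apart, then give up.  (The original incremented the counter
	# only after error_message -- which never returns -- so a master that
	# never propagated left this loop running forever.)  PRINCDB is the
	# same path the original spelled out literally.
	while [[ ! -f $PRINCDB ]]; do
		if (( count > LOOPCNT )); then
			printf "\n$(gettext "Could not receive updates from the master").\n"
			error_message
		fi
		(( count = count + 1 ))
		printf "$(gettext "Waiting for database from master")...\n"
		sleep $SLEEPTIME
	done

	# The database is here; write the stash file (master key on disk so
	# the KDC can start unattended).  Unattended, the master password is
	# read from the password file on stdin.
	if [[ -z $PWFILE ]]; then
		kdb5_util stash
	else
		cat $PWFILE | kdb5_util stash > /dev/null 2>&1
	fi
	check_ret $? kdb5_util

	$SVCADM enable -r -s krb5kdc
}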
516
function destroy_kdc {

	# Remove an existing KDC: the principal database (kdb5_util destroy)
	# and both keytabs.  Called for "destroy" (d_option set) and before
	# every "create".  Interactively the user is shown the files and, for
	# "destroy", asked to confirm; a plain "create" on an existing KDC is
	# refused.  NOTE: with a password file (-p, unattended) none of that
	# happens -- an existing database is destroyed without confirmation,
	# for "create" as well.
	if [[ ! ( -f $KRB5KT || -f $KADM5KT || -f $PRINCDB || -f $OLDPRINCDB ) ]]; then
		if [[ -n $d_option ]]; then
			printf "\n$(gettext "No KDC related files exist, exiting").\n\n"
			exit 0
		fi
		return
	fi

	if [[ -z $PWFILE ]]; then
		printf "\n$(gettext "Some of the following files are present on this system"):\n"
		# ksh echo interprets the \t and \n escapes in this string.
		echo "\t$KRB5KT\n\t$KADM5KT\n\t$PRINCDB\n\t$OLDPRINCDB\n\t$STASH\n"
		if [[ -z $d_option ]]; then
			printf "$(gettext "You must first run 'kdcmgr destroy' to remove all of these files before creating a KDC server").\n\n"
			exit 1
		fi
		ok_to_proceed "$(gettext "All of these files will be removed, okay to proceed?")"
	fi

	# kdb5_util destroy asks for confirmation on stdin; the (possibly
	# translated) "yes" is piped in and its output discarded, so a
	# refused or failed destroy is not noticed here.  NOTE(review): if
	# kdb5_util expects the literal "yes", a translated answer would make
	# this a silent no-op in other locales -- confirm.  The *.sav config
	# backups are left in place.
	printf "$(gettext "yes")\n" | kdb5_util destroy > /dev/null 2>&1
	rm -f $KRB5KT $KADM5KT
}
543
function kadm5_acl_configed {

	# Return 0 ("configured as a master") when $KADM5ACL is non-empty and
	# none of its non-comment lines carries the "_default_realm_"
	# placeholder that setup_kadm5acl writes for a slave; 1 otherwise.
	# Note that a file holding only comments also counts as "master".
	[[ -s $KADM5ACL ]] || return 1

	if grep -v '^[    ]*#' $KADM5ACL | egrep '_default_realm_' > /dev/null 2>&1; then
		return 1
	fi
	return 0
}
556
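function status_kdc {

	# Report the SMF status of the KDC services (kadmind for a master,
	# the propagation service for a slave -- decided by
	# kadm5_acl_configed), the update log summary, and which of the
	# expected files are missing.  Always exits 0.
	typeset -i is_master=0
	typeset file found=0

	printf "\n$(gettext "KDC Status Information")\n"
	echo "--------------------------------------------"
	svcs -xv svc:/network/security/krb5kdc:default

	if kadm5_acl_configed; then
		is_master=1
		printf "\n$(gettext "KDC Master Status Information")\n"
		echo "--------------------------------------------"
		svcs -xv svc:/network/security/kadmin:default
	else
		printf "\n$(gettext "KDC Slave Status Information")\n"
		echo "--------------------------------------------"
		svcs -xv svc:/network/security/krb5_prop:default
	fi

	printf "\n$(gettext "Transaction Log Information")\n"
	echo "--------------------------------------------"
	/usr/sbin/kproplog -h

	printf "$(gettext "Kerberos Related File Information")\n"
	echo "--------------------------------------------"
	printf "$(gettext "(will display any missing files below)")\n"
	for file in $KRB5_KDC_CONF $KRB5_KRB_CONF $KADM5ACL $KRB5KT $PRINCDB; do
		[[ -s $file ]] || printf "$(gettext "%s not found").\n" "$file"
	done
	if [[ $is_master -eq 0 && ! -s $KPROPACL ]]; then
		printf "$(gettext "%s not found").\n" "$KPROPACL"
	fi
	if [[ $is_master -eq 1 && ! -s $KADM5KT ]]; then
		printf "$(gettext "%s not found").\n" "$KADM5KT"
	fi
	# STASH is a glob: check each match instead of handing the whole
	# expansion to a single "test", which breaks on more than one match.
	# An unmatched pattern expands to itself and is (correctly) missing.
	for file in $STASH; do
		[[ -s $file ]] && found=1
	done
	[[ $found -eq 1 ]] || printf "$(gettext "Stash file not found") (/var/krb5/.k5.*).\n"
	echo

	exit 0
}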
601
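# Start of Main script

# Defaults
KRB5_KDC_CONF=/etc/krb5/kdc.conf
KRB5_KRB_CONF=/etc/krb5/krb5.conf
KADM5ACL=/etc/krb5/kadm5.acl
KPROPACL=/etc/krb5/kpropd.acl

KRB5KT=/etc/krb5/krb5.keytab
KADM5KT=/etc/krb5/kadm5.keytab
PRINCDB=/var/krb5/principal
OLDPRINCDB=/var/krb5/principal.old
STASH=/var/krb5/.k5.*		# a glob; matched by status_kdc

# Scratch files: TMP_FILE collects command output, TMP_CCACHE holds the
# admin credentials on a slave.  Both live in /etc/krb5 rather than /tmp.
# They are set up before the binary checks so that a failing check_bin
# reaches cleanup with valid paths (the original ran check_bin first, so
# cleanup then redirected to an empty name).  A failed mktemp used to go
# unnoticed and surface later as a redirection error.  Without mktemp
# the names fall back to $$-based ones, which are predictable; that is
# only acceptable because the directory is presumably not writable by
# unprivileged users.
if [[ -x /usr/bin/mktemp ]]; then
	TMP_FILE=$(/usr/bin/mktemp /etc/krb5/krb5tmpfile.XXXXXX)
	TMP_CCACHE=$(/usr/bin/mktemp /etc/krb5/krb5tmpccache.XXXXXX)
	if [[ -z $TMP_FILE || -z $TMP_CCACHE ]]; then
		printf "$(gettext "Error: cannot create temporary files in /etc/krb5").\n"
		rm -f $TMP_FILE $TMP_CCACHE
		exit 1
	fi
else
	TMP_FILE="/etc/krb5/krb5tmpfile.$$"
	TMP_CCACHE="/etc/krb5/krb5tmpccache.$$"
fi

KADMINL=/usr/sbin/kadmin.local;	check_bin $KADMINL
KADMIN=/usr/sbin/kadmin;	check_bin $KADMIN
KDCRES=/usr/lib/krb5/klookup;	check_bin $KDCRES
SVCADM=/usr/sbin/svcadm;	check_bin $SVCADM
PING=/usr/sbin/ping;		check_bin $PING

# Master key enctype (overridable with -e) and the slave's database
# propagation wait: LOOPCNT polls of SLEEPTIME seconds.
ENCTYPE=aes128-cts-hmac-sha1-96
LOOPCNT=10
SLEEPTIME=5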
633
# The KDC's own principals (host/, kadmin/, kiprop/ ...) are named after
# the fully qualified host name determined here, so it has to resolve
# before anything else happens.  Prefer the resolver-based lookup
# ($KDCRES); fall back to hostname + domainname.
[[ -f /etc/resolv.conf ]] || {
	printf "$(gettext "Error: need to configure /etc/resolv.conf").\n"
	exit 1
}

# check_bin already verified $KDCRES above; this is a second look.
[[ -x $KDCRES ]] || {
	printf "$(gettext "Error: %s does not exist or not executable").\n" $KDCRES
	exit 1
}

fqhn=$($KDCRES)
if [[ -z $fqhn ]]; then
	if [[ -n $(hostname) && -n $(domainname) ]]; then
		fqhn=$(hostname|cut -f1 -d'.').$(domainname|cut -f2- -d'.'|/usr/ucb/tr 'A-Z' 'a-z')
	else
		printf "$(gettext "Error: can not determine full hostname (FQHN).  Aborting")\n"
		printf "$(gettext "Note, trying to use hostname and domainname to get FQHN").\n"
		exit 1
	fi
fi

# Liveness probe only; the name itself comes from DNS/NIS, not the KDC.
ping_check $fqhn

domain=${fqhn#*.} # remove host part (a dot-less fqhn is left unchanged)
658
exitmsg=$(printf "$(gettext "Exiting...")")

# On interrupt/termination: say so, drop both scratch files (the ccache
# may hold admin credentials) and fail.  exitmsg and the TMP_* names are
# never reassigned, so expanding them at signal time is equivalent.
trap 'echo $exitmsg; rm -f $TMP_FILE $TMP_CCACHE; exit 1' HUP INT QUIT TERM
662
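# Option parsing.  "-s" is in the optstring but has no case, so it falls
# into "*)" and prints the usage like any unknown option.  Values that
# end up in the generated config files are run through check_value here
# where the original accepted them unchecked (-e; -r is checked later in
# the main flow, -a in check_admin).
while getopts :a:e:hp:r:s flag
do
	case "$flag" in
		a)	ADMIN_PRINC=$OPTARG;;
		e)	ENCTYPE=$OPTARG
			checkval="ENCTYPE"; check_value "$ENCTYPE"
			;;
		h)	usage;;
		p)	PWFILE=$OPTARG
			if [[ ! -r $PWFILE ]]; then
				printf "\n$(gettext "Password file %s does not exist, exiting").\n\n" "$PWFILE"
				exit 1
			fi
			# The file holds the admin and master-key passwords
			# (see usage): warn when anyone but its owner can read
			# it.  Group/other permission bits are columns 5-10 of
			# "ls -l"; an empty result (ls failed) is left alone.
			case $(ls -ldL "$PWFILE" 2>/dev/null | cut -c5-10) in
				""|------)	;;
				*)	printf "\n$(gettext "Warning: %s is readable by users other than its owner").\n\n" "$PWFILE";;
			esac
			;;
		r)	REALM=$OPTARG;;
		*)	usage;;
	esac
done
shift $(($OPTIND - 1))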
680
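# Dispatch on the subcommand (the remaining arguments, joined).
# "create -m <masterkdc> slave" validates and resolves the master host
# here, then falls through (;&) into the "create slave" arm.  The host
# is now passed to check_value quoted; unquoted, a value with whitespace
# was word-split and only its first word got checked.
case "$*" in
	create)			master=yes;;
	"create master")	master=yes;;
	"create -m "*)		host=$3
				checkval="MASTER"; check_value "$host"
				check_host
				master_hn=$host
				if [[ $4 != slave ]]; then
					usage
				fi;&
	"create slave")		slave=yes;;
	destroy)		d_option=yes
				kill_daemons
				destroy_kdc
				exit 0;;
	status)			status_kdc;;
	*)			usage;;
esac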
699
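kill_daemons

printf "\n$(gettext "Starting server setup")\n"
printf "---------------------------------------------------\n"

# Checks for an existing KDB and, interactively, refuses (create) or
# asks (destroy) before removing it.  NOTE: with -p (unattended)
# destroy_kdc asks nothing, so "create" on a host that already holds a
# KDC wipes the existing database.
destroy_kdc

# Realm: prompt unless -r was given.  The value is validated either way
# -- the original only checked the prompted value, so -r bypassed
# check_value although the realm is spliced into the config files and
# kadm5.acl -- and then upper-cased.
if [[ -z $REALM ]]; then
	printf "$(gettext "Enter the Kerberos realm"): \c"
	read REALM
fi
checkval="REALM"; check_value "$REALM"
REALM=$(echo "$REALM"|tr '[a-z]' '[A-Z]')

# Role: when neither master nor slave was given on the command line,
# ask; "no" to both is fatal.
if [[ -z $master && -z $slave ]]; then
	query "$(gettext "Is this machine to be configured as a master?"): \c"
	master=$answer

	if [[ $answer = no ]]; then
		query "$(gettext "Is this machine to be configured as a slave?"): \c"
		slave=$answer
		if [[ $answer = no ]]; then
			printf "\n$(gettext "Machine must either be a master or a slave KDC server").\n"
			error_message
		fi
	fi
fi

# A slave needs the master's host name unless "create -m" supplied it.
if [[ $slave = yes && -z $master_hn ]]; then
	printf "$(gettext "What is the master KDC's host name?"): \c"
	read host
	checkval="MASTER"; check_value "$host"
	check_host
	master_hn=$host
fi

setup_kdc_conf

setup_krb_conf

if [[ $master = yes ]]; then
	setup_master
else
	setup_slave
fi

printf "\n---------------------------------------------------\n"
printf "$(gettext "Setup COMPLETE").\n\n"

# Remove both scratch files.  On a slave kdestroy already took the
# ccache; on a master it was created by mktemp and never used, and the
# original left that empty file behind in /etc/krb5.
rm -f $TMP_FILE $TMP_CCACHE

exit 0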
753