xref: /titanic_41/usr/src/cmd/krb5/kadmin/kdcmgr/kdcmgr.sh (revision 721df37ded2cce623b0249cc35a872c3ce291b9b) 
1#!/usr/bin/ksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23# Use is subject to license terms.
24#
25
26#
27# This command provides an simple interface to configure, destroy, and to obtain
28# the status of a master or slave Kerberos KDC server.
29#
30
31function usage {
32
33	app=`basename $0`
34
35	printf "\n$(gettext "Usage: %s [ -a admprincipal ] [ -e enctype ] [ -h ]")\n" $app
36	printf "\t$(gettext "[ -p pwfile ] [ -r realm ] subcommand")\n\n"
37
38	printf "\t$(gettext "-a: Create non-default admin principal.")\n"
39	printf "\t$(gettext "-e: Encryption type used to encrypt the master key")\n"
40	printf "\t$(gettext "-h: This help message.")\n"
41	printf "\t$(gettext "-p: File that contains the admin principal and master key password.")\n"
42	printf "\t$(gettext "-r: Set the default realm for this server.")\n\n"
43
44	printf "\t$(gettext "where 'subcommand' is one of the following:")\n\n"
45
46	printf "\t$(gettext "create [ master ]")\n"
47	printf "\t$(gettext "create [ -m masterkdc ] slave")\n"
48	printf "\t$(gettext "destroy")\n"
49	printf "\t$(gettext "status")\n\n"
50
51	cleanup 1
52}
53
54function ask {
55
56	# ask question, set global answer
57	typeset question=$1 default_answer=$2
58	if [[ -z $default_answer ]]; then
59		print "$question \c"
60	else
61		print "$question [$default_answer]: \c"
62	fi
63	read answer
64	[ -z "$answer" ] && answer="$default_answer"
65}
66
67function yesno {
68
69	typeset question="$1"
70	# answer is a global set by ask
71	answer=
72	yn=`printf "$(gettext "y/n")"`
73	y=`printf "$(gettext "y")"`
74	n=`printf "$(gettext "n")"`
75	yes=`printf "$(gettext "yes")"`
76	no=`printf "$(gettext "no")"`
77
78	while [[ -z $answer ]]; do
79		ask "$question" $yn
80		case $answer in
81			$y|$yes)	answer=yes;;
82			$n|$no)		answer=no;;
83			*)		answer=;;
84		esac
85	done
86}
87
88function query {
89
90	yesno "$*"
91	if [[ $answer = no ]]; then
92		printf "\t$(gettext "No action performed").\n"
93	fi
94}
95
96function cleanup {
97
98	integer ret=$1
99
100	kdestroy -q -c $TMP_CCACHE 1>$TMP_FILE 2>&1
101        rm -f $TMP_FILE
102
103        exit $ret
104}
105
106function error_message {
107
108        printf "---------------------------------------------------\n"
109        printf "$(gettext "Setup FAILED").\n\n"
110
111	cleanup 1
112}
113
114function check_bin {
115
116	bin=$1
117
118	if [[ ! -x $bin ]]; then
119		printf "$(gettext "Could not access/execute %s").\n" $bin
120		error_message
121	fi
122}
123
124function check_ret {
125
126	integer ret=$1
127	prog=$2
128
129	if [[ $ret -ne 0 ]]; then
130		printf "\n$(gettext "%s failed with return value %d, exiting").\n\n" $prog $ret
131		error_message
132	fi
133}
134
135
136function ok_to_proceed {
137
138	yesno "$@"
139
140	if [[ $answer = no ]]; then
141		printf "\n$(gettext "Exiting, no action performed")\n\n"
142		cleanup 0
143	fi
144}
145
146function check_value {
147
148	typeset arg="$1"
149
150	if [[ -z $arg ]]; then
151		printf "\n$(gettext "No input obtained for %s, exiting").\n" $checkval
152		error_message
153	else
154		echo "$arg">$TMP_FILE
155		if egrep -s '[*$^#!]+' $TMP_FILE; then
156			printf "\n$(gettext "Invalid input obtained for %s, exiting").\n" $checkval
157			error_message
158		fi
159	fi
160}
161
162function setup_kdc_conf {
163
164	printf "\n$(gettext "Setting up %s").\n" $KRB5_KDC_CONF
165
166	if [[ -r $KRB5_KDC_CONF ]]; then
167		cat $KRB5_KDC_CONF > $KRB5_KDC_CONF.sav
168		cannot_create $KRB5_KDC_CONF.sav $?
169	fi
170
171	exec 3>$KRB5_KDC_CONF
172	if [[ $? -ne 0 ]]; then
173		printf "\n$(gettext "Cannot write to %s, exiting").\n" $KRB5_KDC_CONF
174		error_message
175	fi
176
177	printf "\n[kdcdefaults]\n\tkdc_ports = 88,750\n\n" 1>&3
178	printf "[realms]\n\t$REALM = {\n" 1>&3
179	printf "\t\tprofile = $KRB5_KRB_CONF\n" 1>&3
180	printf "\t\tdatabase_name = $PRINCDB\n" 1>&3
181	printf "\t\tmaster_key_type = $ENCTYPE\n" 1>&3
182	printf "\t\tacl_file = $KADM5ACL\n" 1>&3
183	printf "\t\tkadmind_port = 749\n" 1>&3
184	printf "\t\tmax_life = 8h 0m 0s\n" 1>&3
185	printf "\t\tmax_renewable_life = 7d 0h 0m 0s\n" 1>&3
186	printf "\t\tdefault_principal_flags = +preauth\n" 1>&3
187
188	printf "\t\tsunw_dbprop_enable = true\n" 1>&3
189	if [[ $master = yes ]]; then
190		printf "\t\tsunw_dbprop_master_ulogsize = 1000\n" 1>&3
191	fi
192	if [[ $slave = yes ]]; then
193		printf "\t\tsunw_dbprop_slave_poll = 2m\n" 1>&3
194	fi
195
196	printf "\t}\n" 1>&3
197}
198
199function setup_krb_conf {
200
201	printf "\n$(gettext "Setting up %s").\n" $KRB5_KRB_CONF
202
203	if [[ -r $KRB5_KRB_CONF ]]; then
204		cat $KRB5_KRB_CONF > $KRB5_KRB_CONF.sav
205		cannot_create $KRB5_KRB_CONF.sav $?
206	fi
207
208	exec 3>$KRB5_KRB_CONF
209	if [[ $? -ne 0 ]]; then
210		printf "\n$(gettext "Cannot write to %s, exiting").\n" $KRB5_KRB_CONF
211		error_message
212	fi
213
214	printf "[libdefaults]\n" 1>&3
215	printf "\tdefault_realm = $REALM\n\n" 1>&3
216
217	printf "[realms]\n" 1>&3
218	printf "\t$REALM = {\n" 1>&3
219	if [[ $slave = yes ]]; then
220		printf "\t\tkdc = $master_hn\n" 1>&3
221	fi
222	printf "\t\tkdc = $fqhn\n" 1>&3
223	if [[ $master = yes ]]; then
224		printf "\t\tadmin_server = $fqhn\n" 1>&3
225	else
226		printf "\t\tadmin_server = $master_hn\n" 1>&3
227	fi
228	printf "\t}\n\n" 1>&3
229
230	printf "[domain_realm]\n" 1>&3
231	printf "\t.$domain = $REALM\n\n" 1>&3
232
233	printf "[logging]\n" 1>&3
234	printf "\tdefault = FILE:/var/krb5/kdc.log\n" 1>&3
235	printf "\tkdc = FILE:/var/krb5/kdc.log\n" 1>&3
236	printf "\tkdc_rotate = {\n\t\tperiod = 1d\n\t\tversions = 10\n\t}\n\n" 1>&3
237
238	printf "[appdefaults]\n" 1>&3
239	printf "\tkinit = {\n\t\trenewable = true\n\t\tforwardable = true\n" 1>&3
240	printf "\t}\n" 1>&3
241}
242
243function cannot_create {
244
245	typeset filename="$1"
246	typeset stat="$2"
247	if [[ $stat -ne 0 ]]; then
248		printf "\n$(gettext "Cannot create/edit %s, exiting").\n" $filename
249		error_message
250	fi
251}
252
253function check_admin {
254
255	message=$1
256
257	if [[ -z $ADMIN_PRINC ]]; then
258		printf "$message"
259		read ADMIN_PRINC
260		checkval="ADMIN_PRINC"; check_value $ADMIN_PRINC
261	fi
262
263	echo "$ADMIN_PRINC">$TMP_FILE
264
265	if egrep -s '\/admin' $TMP_FILE; then
266		# Already in "/admin" format, do nothing
267		:
268	else
269		if egrep -s '\/' $TMP_FILE; then
270			printf "\n$(gettext "Improper entry for krb5 admin principal, exiting").\n"
271			error_message
272		else
273			ADMIN_PRINC=$(echo "$ADMIN_PRINC/admin")
274		fi
275	fi
276
277}
278
279function ping_check {
280
281	typeset machine="$1"
282
283	if $PING $machine > /dev/null 2>&1; then
284		:
285	else
286		printf "\n$(gettext "%s %s is unreachable, exiting").\n" $string $machine
287		error_message
288	fi
289}
290
291function check_host {
292
293	echo "$host">$TMP_FILE
294	if egrep -s '[^.]\.[^.]+$' $TMP_FILE; then
295		# do nothing, host is in fqhn format
296		:
297	else
298		if egrep -s '\.+' $TMP_FILE; then
299			printf "\n$(gettext "Improper format of host name: '%s'").\n"
300			printf "$(gettext "Expecting the following format: 'somehost.example.com' or 'somehost', exiting").\n"
301			error_message
302		else
303			# Attach fqdn to host, to get the Fully Qualified Domain
304			# Name of the host requested
305			host=$(echo "$host.$domain")
306		fi
307	fi
308
309	#
310	# Ping to see if the host is alive!
311	#
312	ping_check $host
313}
314
315function kill_daemons {
316
317	# Kill daemons so they won't go into maintenance mode
318	$SVCADM disable -s krb5kdc
319	if [[ $? -ne 0 ]]; then
320		printf "\n$(gettext "Error in disabling krb5kdc, exiting").\n"
321		error_message
322	fi
323	$SVCADM disable -s kadmin
324	if [[ $? -ne 0 ]]; then
325		printf "\n$(gettext "Error in disabling kadmind, exiting").\n"
326		error_message
327	fi
328	$SVCADM disable -s krb5_prop
329	if [[ $? -ne 0 ]]; then
330		printf "\n$(gettext "Error in disabling kpropd, exiting").\n"
331		error_message
332	fi
333
334	# Make sure that none of the daemons outside of SMF are running either
335	pkill kadmind
336	if [[ $? -gt 1 ]]; then
337		printf "\n$(gettext "Error in killing kadmind, exiting").\n"
338		error_message
339	fi
340	pkill krb5kdc
341	if [[ $? -gt 1 ]]; then
342		printf "\n$(gettext "Error in killing krb5kdc, exiting").\n"
343		error_message
344	fi
345	pkill kpropd
346	if [[ $? -gt 1 ]]; then
347		printf "\n$(gettext "Error in killing kpropd, exiting").\n"
348		error_message
349	fi
350}
351
352function setup_mkeytab {
353
354	check_admin "\n$(gettext "Enter the krb5 administrative principal to be created"): \c"
355
356	if [[ -z $PWFILE ]]; then
357		echo
358		$KADMINL -q "ank $ADMIN_PRINC"
359		check_ret $? $KADMINL
360	else
361		cat $PWFILE $PWFILE | $KADMINL -q "ank $ADMIN_PRINC" > /dev/null 2>&1
362		check_ret $? $KADMINL
363	fi
364
365	$KADMINL -q "ank -randkey host/$fqhn" 1>$TMP_FILE 2>&1
366	check_ret $? $KADMINL
367	$KADMINL -q "ktadd host/$fqhn" 1>$TMP_FILE 2>&1
368	check_ret $? $KADMINL
369}
370
371function setup_skeytab {
372
373	check_admin "\n$(gettext "Enter the krb5 administrative principal to be used"): \c"
374
375	printf "$(gettext "Obtaining TGT for %s") ...\n" $ADMIN_PRINC
376
377	if [[ -z $PWFILE ]]; then
378		kinit -c $TMP_CCACHE -S kadmin/$master_hn $ADMIN_PRINC
379		check_ret $? kinit
380	else
381		cat $PWFILE | kinit -c $TMP_CCACHE -S kadmin/$master_hn \
382			$ADMIN_PRINC > /dev/null 2>&1
383	fi
384	klist -c $TMP_CCACHE 1>$TMP_FILE 2>&1
385	if egrep -s "$(gettext "Valid starting")" $TMP_FILE && \
386	   egrep -s "kadmin/$master_hn@$REALM" $TMP_FILE; then
387		:
388	else
389		printf "\n$(gettext "kinit of %s failed, exiting").\n" $ADMIN_PRINC
390		error_message
391	fi
392
393	$KADMIN -c $TMP_CCACHE -q "ank -randkey kiprop/$fqhn" 1>$TMP_FILE 2>&1
394	check_ret $? $KADMIN
395	$KADMIN -c $TMP_CCACHE -q "ktadd kiprop/$fqhn" 1>$TMP_FILE 2>&1
396	check_ret $? $KADMIN
397
398	$KADMIN -c $TMP_CCACHE -q "ank -randkey host/$fqhn" 1>$TMP_FILE 2>&1
399	check_ret $? $KADMIN
400	$KADMIN -c $TMP_CCACHE -q "ktadd host/$fqhn" 1>$TMP_FILE 2>&1
401	check_ret $? $KADMIN
402
403	kdestroy -q -c $TMP_CCACHE 1>$TMP_FILE 2>&1
404	check_ret $? $kdestroy
405}
406
407function setup_kadm5acl {
408
409	printf "\n$(gettext "Setting up %s").\n" $KADM5ACL
410
411	if [[ -r $KADM5ACL ]]; then
412		cat $KADM5ACL > $KADM5ACL.sav
413		cannot_create $KADM5ACL.sav $?
414	fi
415
416	exec 3>$KADM5ACL
417	if [[ $? -ne 0 ]]; then
418		printf "\n$(gettext "Cannot write to %s, exiting").\n" $KADM5ACL
419		error_message
420	fi
421
422	if [[ $master = yes ]]; then
423		printf "\n$ADMIN_PRINC@$REALM\t\tacmil\n" 1>&3
424		printf "\nkiprop/*@$REALM\t\tp\n" 1>&3
425	else
426		printf "\n*/admin@___default_realm___\t\t*\n" 1>&3
427	fi
428}
429
430function setup_kpropdacl {
431
432	printf "\n$(gettext "Setting up %s").\n\n" $KPROPACL
433
434	if [[ -r $KPROPACL ]]; then
435		cat $KPROPACL > $KPROPACL.sav
436		cannot_create $KPROPACL.sav $?
437	fi
438
439	exec 3>$KPROPACL
440	if [[ $? -ne 0 ]]; then
441		printf "\n$(gettext "Cannot write to %s, exiting").\n" $KPROPACL
442		error_message
443	fi
444	printf "\nhost/$master_hn@$REALM\n" 1>&3
445}
446
447function setup_master {
448
449	# create principal DB (KDB)
450	if [[ -z $PWFILE ]]; then
451		echo
452		kdb5_util create
453		check_ret $? kdb5_util
454	else
455		cat $PWFILE $PWFILE | kdb5_util create > /dev/null
456		check_ret $? kdb5_util
457	fi
458
459	setup_mkeytab
460	setup_kadm5acl
461
462	$SVCADM enable -r -s krb5kdc
463	$SVCADM enable -r -s kadmin
464}
465
466function setup_slave {
467
468	integer count=1
469
470	setup_skeytab
471
472	# Clear the kadm5acl, since the start methods look at this file
473	# to see if the server has been configured as a master server
474	setup_kadm5acl
475
476	setup_kpropdacl
477
478	$SVCADM enable -r -s krb5_prop
479
480	# Wait for full propagation of the database, in some environments
481	# this could take a few seconds
482	while [[ ! -f /var/krb5/principal ]]; do
483		if [[ count -gt $LOOPCNT ]]; then
484			printf "\n$(gettext "Could not receive updates from the master").\n"
485                        error_message
486			((count = count + 1))
487		fi
488		printf "$(gettext "Waiting for database from master")...\n"
489		sleep $SLEEPTIME
490	done
491
492	# The database is propagated now we need to create the stash file
493	if [[ -z $PWFILE ]]; then
494		kdb5_util stash
495		check_ret $? kdb5_util
496	else
497		cat $PWFILE | kdb5_util stash > /dev/null 2>&1
498		check_ret $? kdb5_util
499	fi
500
501	$SVCADM enable -r -s krb5kdc
502}
503
504function kdb5_destroy {
505	typeset status=0
506	typeset arg=
507
508	[[ -n $REALM ]] && arg="-r $REALM"
509	printf "$(gettext "yes")\n" | kdb5_util $arg destroy > /dev/null 2>&1
510
511	status=$?
512	[[ $status -eq 0 ]] && return $status
513
514	# Could mean that the admin could have already removed part of the
515	# configuration.  Better to check to see if anything else should be
516	# destroyed.  We check by looking at any other stash files in /var/krb5
517	stashfiles=`ls $STASH`
518	for stash in $stashfiles
519	do
520		realm=${stash#*.k5.}
521		[[ -z $realm ]] && continue
522
523		printf "$(gettext "Found non-default realm: %s")\n" $realm
524		query "$(gettext "Do you wish to destroy realm"): $realm ?"
525		if [[ $answer == yes ]]; then
526			printf "$(gettext "yes")\n" | kdb5_util -r $realm destroy > /dev/null 2>&1
527			status=$?
528			if [[ $status -ne 0 ]]; then
529				printf "$(gettext "Could not destroy realm: %s")\n" $realm
530				return $status
531			fi
532		else
533			printf "$(gettext "%s will not be destroyed").\n" $realm
534			status=0
535		fi
536	done
537
538	return $status
539}
540
541function destroy_kdc {
542	typeset status
543
544	# Check first to see if this is an existing KDC or server
545	if [[ -f $KRB5KT || -f $PRINCDB || -f $OLDPRINCDB ]]
546	then
547		if [[ -z $PWFILE ]]; then
548			printf "\n$(gettext "Some of the following files are present on this system"):\n"
549			echo "\t$KRB5KT\n\t$PRINCDB\n\t$OLDPRINCDB\n\t$STASH\n"
550			if [[ -z $d_option ]]; then
551				printf "$(gettext "You must first run 'kdcmgr destroy' to remove all of these files before creating a KDC server").\n\n"
552				cleanup 1
553			else
554				ok_to_proceed "$(gettext "All of these files will be removed, okay to proceed?")"
555			fi
556		fi
557	else
558		if [[ -n $d_option ]]; then
559			printf "\n$(gettext "No KDC related files exist, exiting").\n\n"
560			cleanup 0
561		fi
562		return
563	fi
564
565	kdb5_destroy
566	status=$?
567
568	rm -f $KRB5KT
569
570	[[ $status -ne 0 ]] && cleanup 1
571}
572
573function kadm5_acl_configed {
574
575	if [[ -s $KADM5ACL ]]; then
576		grep -v '^[    ]*#' $KADM5ACL | \
577			egrep '_default_realm_' > /dev/null 2>&1
578		if [[ $? -gt 0 ]]; then
579			return 0
580		fi
581	fi
582
583	return 1
584}
585
586function status_kdc {
587
588	integer is_master=0
589
590	printf "\n$(gettext "KDC Status Information")\n"
591	echo "--------------------------------------------"
592	svcs -xv svc:/network/security/krb5kdc:default
593
594	if kadm5_acl_configed; then
595		is_master=1
596		printf "\n$(gettext "KDC Master Status Information")\n"
597		echo "--------------------------------------------"
598		svcs -xv svc:/network/security/kadmin:default
599	else
600		printf "\n$(gettext "KDC Slave Status Information")\n"
601		echo "--------------------------------------------"
602		svcs -xv svc:/network/security/krb5_prop:default
603	fi
604
605	printf "\n$(gettext "Transaction Log Information")\n"
606	echo "--------------------------------------------"
607	/usr/sbin/kproplog -h
608
609	printf "$(gettext "Kerberos Related File Information")\n"
610	echo "--------------------------------------------"
611	printf "$(gettext "(will display any missing files below)")\n"
612	FILELIST="$KRB5_KDC_CONF $KRB5_KRB_CONF $KADM5ACL $KRB5KT $PRINCDB "
613	for file in $FILELIST; do
614		if [[ ! -s $file ]]; then
615			printf "$(gettext "%s not found").\n" $file
616		fi
617	done
618	if [[ $is_master -eq 0 && ! -s $KPROPACL ]]; then
619		printf "$(gettext "%s not found").\n" $KPROPACL
620	fi
621
622	test ! -s $STASH &&
623	    printf "$(gettext "Stash file not found") (/var/krb5/.k5.*).\n"
624	echo
625
626	cleanup 0
627}
628
629# Start of Main script
630
631typeset -u REALM
632typeset -l host
633typeset -l fqhn
634
635# Defaults
636KRB5_KDC_CONF=/etc/krb5/kdc.conf
637KRB5_KRB_CONF=/etc/krb5/krb5.conf
638KADM5ACL=/etc/krb5/kadm5.acl
639KPROPACL=/etc/krb5/kpropd.acl
640
641KRB5KT=/etc/krb5/krb5.keytab
642PRINCDB=/var/krb5/principal
643OLDPRINCDB=/var/krb5/principal.old
644STASH=/var/krb5/.k5.*
645
646KADMINL=/usr/sbin/kadmin.local;	check_bin $KADMINL
647KADMIN=/usr/sbin/kadmin;	check_bin $KADMIN
648KDCRES=/usr/lib/krb5/klookup;	check_bin $KDCRES
649SVCADM=/usr/sbin/svcadm;	check_bin $SVCADM
650PING=/usr/sbin/ping;		check_bin $PING
651
652ENCTYPE=aes128-cts-hmac-sha1-96
653LOOPCNT=10
654SLEEPTIME=5
655
656if [[ -x /usr/bin/mktemp ]]; then
657	TMP_FILE=$(/usr/bin/mktemp /etc/krb5/krb5tmpfile.XXXXXX)
658	TMP_CCACHE=$(/usr/bin/mktemp /etc/krb5/krb5tmpccache.XXXXXX)
659else
660	TMP_FILE="/etc/krb5/krb5tmpfile.$$"
661	TMP_CCACHE="/etc/krb5/krb5tmpccache.$$"
662fi
663
664if [[ ! -f /etc/resolv.conf ]]; then
665	printf "$(gettext "Error: need to configure /etc/resolv.conf").\n"
666
667	cleanup 1
668fi
669
670fqhn=`$KDCRES`
671if [[ -n "$fqhn" ]]; then
672	:
673elif [[ -n $(hostname) && -n $(domainname) ]]; then
674	fqhn=$(hostname|cut -f1 -d'.').$(domainname|cut -f2- -d'.')
675else
676	printf "$(gettext "Error: can not determine full hostname (FQHN).  Aborting")\n"
677	printf "$(gettext "Note, trying to use hostname and domainname to get FQHN").\n"
678
679	cleanup 1
680fi
681
682ping_check $fqhn
683
684domain=${fqhn#*.} # remove host part
685
686exitmsg=`printf "$(gettext "Exiting...")"`
687
688trap "echo $exitmsg; rm -f $TMP_FILE $TMP_CCACHE; exit 1" HUP INT QUIT TERM
689
690while getopts :a:e:hp:r:s flag
691do
692	case "$flag" in
693		a)	ADMIN_PRINC=$OPTARG;;
694		e)	ENCTYPE=$OPTARG;;
695		h)	usage;;
696		p)	PWFILE=$OPTARG
697			if [[ ! -r $PWFILE ]]; then
698				printf "\n$(gettext "Password file %s does not exist, exiting").\n\n" $PWFILE
699				cleanup 1
700			fi
701			;;
702		r)	REALM=$OPTARG;;
703		*)	usage;;
704	esac
705done
706shift $(($OPTIND - 1))
707
708case "$*" in
709	create)			master=yes;;
710	"create master")	master=yes;;
711	"create -m "*)		host=$3
712				checkval="MASTER"; check_value $host
713				check_host
714				master_hn=$host
715				if [[ $4 != slave ]]; then
716					usage
717				fi;&
718	"create slave")		slave=yes;;
719	destroy)		d_option=yes
720				kill_daemons
721				destroy_kdc
722				cleanup 0;;
723	status)			status_kdc;;
724	*)			usage;;
725esac
726
727kill_daemons
728
729printf "\n$(gettext "Starting server setup")\n"
730printf "---------------------------------------------------\n"
731
732# Checks for existing kdb and destroys if desired
733destroy_kdc
734
735if [[ -z $REALM ]]; then
736	printf "$(gettext "Enter the Kerberos realm"): \c"
737	read REALM
738	checkval="REALM"; check_value $REALM
739fi
740
741if [[ -z $master && -z $slave ]]; then
742	query "$(gettext "Is this machine to be configured as a master?"): \c"
743	master=$answer
744
745	if [[ $answer = no ]]; then
746		query "$(gettext "Is this machine to be configured as a slave?"): \c"
747		slave=$answer
748		if [[ $answer = no ]]; then
749			printf "\n$(gettext "Machine must either be a master or a slave KDC server").\n"
750			error_message
751		fi
752	fi
753fi
754
755if [[ $slave = yes && -z $master_hn ]]; then
756	printf "$(gettext "What is the master KDC's host name?"): \c"
757	read host
758	checkval="MASTER"; check_value $host
759	check_host
760	master_hn=$host
761fi
762
763setup_kdc_conf
764
765setup_krb_conf
766
767if [[ $master = yes ]]; then
768	setup_master
769else
770	setup_slave
771fi
772
773printf "\n---------------------------------------------------\n"
774printf "$(gettext "Setup COMPLETE").\n\n"
775
776cleanup 0
777