authorTom Barrett <tom@tombarrett.xyz>2020-02-14 07:50:37 -0600
committerTom Barrett <tom@tombarrett.xyz>2020-02-14 07:50:37 -0600
commitf76e2522464f2ddeb16aa01c9487b36e6aa70a94 (patch)
tree9b82f261d49743faf721363a7ec72ad572709a99
parent8ca998d9c27188e491761c3b99a222e842d6e44e (diff)
adding admin users
-rw-r--r--configs/kerberos/kadm5.acl6
-rw-r--r--configs/kerberos/krb5.conf10
-rwxr-xr-xscripts/kerberos6
3 files changed, 13 insertions, 9 deletions
diff --git a/configs/kerberos/kadm5.acl b/configs/kerberos/kadm5.acl
new file mode 100644
index 0000000..76df603
--- /dev/null
+++ b/configs/kerberos/kadm5.acl
@@ -0,0 +1,6 @@
+# This file Is the access control list for krb5 administration.
+# When this file is edited run service krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal
+# ending in /admin is given full administrative rights.
+# To enable this, uncomment the following line:
+*/admin *
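Review bot: The comment immediately above the last line says "To enable this, uncomment the following line", yet `*/admin *` is already active, so the header contradicts the file it describes. As written, every principal with an `/admin` instance in the realm receives the full permission set; if `root/admin` is the only administrator this commit creates, a narrower entry such as `root/admin@HADES.HR *` states the intent and keeps any `/admin` principal added later from inheriting full rights by default. The header text also has a stray capital in "This file Is" and the sentence "to allow any principal ending in /admin is given full administrative rights" does not parse; I would replace the last three comment lines with `# Any principal with an /admin instance gets full administrative rights.`.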
diff --git a/configs/kerberos/krb5.conf b/configs/kerberos/krb5.conf
index 61f51c1..c78717b 100644
--- a/configs/kerberos/krb5.conf
+++ b/configs/kerberos/krb5.conf
@@ -1,19 +1,11 @@
[libdefaults]
default_realm = HADES.HR
- # The following krb5.conf variables are only for MIT Kerberos.
- kdc_timesync = 1
- ccache_type = 4
- forwardable = true
- proxiable = true
-
- # The following libdefaults parameters are only for Heimdal Kerberos.
- fcc-mit-ticketflags = true
-
[realms]
HADES.HR = {
kdc = krb.hades.hr
admin_server = krb.hades.hr
+ default_domain = hades.hr
}
[domain_realm]
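Review bot: `default_domain = hades.hr` in the realm block does not by itself map host names to the realm; in MIT krb5 it is documented as the domain appended when translating Kerberos 4 style service principals, while host-to-realm mapping comes from the `[domain_realm]` section, whose entries lie outside this hunk. If the goal is for hosts under hades.hr to resolve to HADES.HR, confirm that `[domain_realm]` carries `.hades.hr = HADES.HR` and `hades.hr = HADES.HR`. A one-line comment above the new key would save the next reader the same lookup, e.g. `# domain used when expanding V4-style principal names; host-to-realm mapping is in [domain_realm]`.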
diff --git a/scripts/kerberos b/scripts/kerberos
index 8ecfde4..8948b22 100755
--- a/scripts/kerberos
+++ b/scripts/kerberos
@@ -3,6 +3,7 @@ set -e
ROOT_PASS=root
KRB5_PASS=krb5
+KRB5_ADMIN_PASS=pass
scripts/debian_roll kerberos
lxc-attach -n kerberos -v DEBIAN_FRONTEND=noninteractive -- apt-get -y install krb5-admin-server
@@ -12,8 +13,13 @@ IP="$(lxc-info -n kerberos | grep IP | tr -s ' ' | cut -d ' ' -f 2)"
sshpass -p $ROOT_PASS ssh-copy-id -o "StrictHostKeyChecking=no" root@$IP
scp configs/kerberos/krb5.conf root@$IP:/etc/
scp configs/kerberos/kdc.conf root@$IP:/etc/krb5kdc/
+scp configs/kerberos/kadm5.acl root@$IP:/etc/krb5kdc/
lxc-attach -n kerberos -- bash -c 'echo -e "'$KRB5_PASS'\n'$KRB5_PASS'" | krb5_newrealm'
lxc-attach -n kerberos -- systemctl restart krb5-admin-server
lxc-attach -n kerberos -- systemctl restart krb5-kdc
+
+lxc-attach -n kerberos -- bash -c 'echo -e "'$KRB5_ADMIN_PASS'\n'$KRB5_ADMIN_PASS'" | kadmin.local addprinc root/admin'
+
+# should be able to now use kadmin, but cannot ?
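Review bot: The new `kadmin.local addprinc` line splices `$KRB5_ADMIN_PASS` unquoted into a single-quoted `bash -c` string, so the password becomes part of the remote command's argv and is readable from the container's process list while the command runs, and a value containing a quote, space or backslash would break the command or be altered by `echo -e`. Feeding it over stdin avoids both problems, `printf '%s\n%s\n' "$KRB5_ADMIN_PASS" "$KRB5_ADMIN_PASS" | lxc-attach -n kerberos -- kadmin.local addprinc root/admin`; the existing `krb5_newrealm` line above has the same shape and would benefit from the same treatment. `KRB5_ADMIN_PASS=pass` in the first hunk hard-codes an administrative credential in a tracked script; taking it from the environment with a required-variable check, `: "${KRB5_ADMIN_PASS:?set KRB5_ADMIN_PASS}"`, keeps the secret out of the repository. The closing comment `# should be able to now use kadmin, but cannot ?` records an open problem without the observed error; the error text or the exact command that failed belongs in the comment so the next reader can pick it up.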