diff options
author | Tom Barrett <tom@tombarrett.xyz> | 2020-02-14 07:50:37 -0600 |
---|---|---|
committer | Tom Barrett <tom@tombarrett.xyz> | 2020-02-14 07:50:37 -0600 |
commit | f76e2522464f2ddeb16aa01c9487b36e6aa70a94 (patch) | |
tree | 9b82f261d49743faf721363a7ec72ad572709a99 | |
parent | 8ca998d9c27188e491761c3b99a222e842d6e44e (diff) |
adding admin users
-rw-r--r-- | configs/kerberos/kadm5.acl | 6 | ||||
-rw-r--r-- | configs/kerberos/krb5.conf | 10 | ||||
-rwxr-xr-x | scripts/kerberos | 6 |
3 files changed, 13 insertions, 9 deletions
diff --git a/configs/kerberos/kadm5.acl b/configs/kerberos/kadm5.acl new file mode 100644 index 0000000..76df603 --- /dev/null +++ b/configs/kerberos/kadm5.acl @@ -0,0 +1,6 @@ +# This file Is the access control list for krb5 administration. +# When this file is edited run service krb5-admin-server restart to activate +# One common way to set up Kerberos administration is to allow any principal +# ending in /admin is given full administrative rights. +# To enable this, uncomment the following line: +*/admin * diff --git a/configs/kerberos/krb5.conf b/configs/kerberos/krb5.conf index 61f51c1..c78717b 100644 --- a/configs/kerberos/krb5.conf +++ b/configs/kerberos/krb5.conf @@ -1,19 +1,11 @@ [libdefaults] default_realm = HADES.HR - # The following krb5.conf variables are only for MIT Kerberos. - kdc_timesync = 1 - ccache_type = 4 - forwardable = true - proxiable = true - - # The following libdefaults parameters are only for Heimdal Kerberos. - fcc-mit-ticketflags = true - [realms] HADES.HR = { kdc = krb.hades.hr admin_server = krb.hades.hr + default_domain = hades.hr } [domain_realm] diff --git a/scripts/kerberos b/scripts/kerberos index 8ecfde4..8948b22 100755 --- a/scripts/kerberos +++ b/scripts/kerberos @@ -3,6 +3,7 @@ set -e ROOT_PASS=root KRB5_PASS=krb5 +KRB5_ADMIN_PASS=pass scripts/debian_roll kerberos lxc-attach -n kerberos -v DEBIAN_FRONTEND=noninteractive -- apt-get -y install krb5-admin-server @@ -12,8 +13,13 @@ IP="$(lxc-info -n kerberos | grep IP | tr -s ' ' | cut -d ' ' -f 2)" sshpass -p $ROOT_PASS ssh-copy-id -o "StrictHostKeyChecking=no" root@$IP scp configs/kerberos/krb5.conf root@$IP:/etc/ scp configs/kerberos/kdc.conf root@$IP:/etc/krb5kdc/ +scp configs/kerberos/kadm5.acl root@$IP:/etc/krb5kdc/ lxc-attach -n kerberos -- bash -c 'echo -e "'$KRB5_PASS'\n'$KRB5_PASS'" | krb5_newrealm' lxc-attach -n kerberos -- systemctl restart krb5-admin-server lxc-attach -n kerberos -- systemctl restart krb5-kdc + +lxc-attach -n kerberos -- bash -c 'echo -e "'$KRB5_ADMIN_PASS'\n'$KRB5_ADMIN_PASS'" | kadmin.local addprinc root/admin' + +# should be able to now use kadmin, but cannot ? |