author | Cullum Smith <cullum@sacredheartsc.com> | 2024-09-26 09:02:34 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-09-26 09:02:34 -0400 |
commit | ee583b5929925b2e9658385430da4f73b4883287 (patch) | |
tree | 30e272e6b30b6fefd93a73e16624a5fdc0287735 | |
parent | 6c2b83ba262c18109612ad98deb4adf535eab724 (diff) | |
download | infrastructure-ee583b5929925b2e9658385430da4f73b4883287.tar.gz |
update default keytab locations
-rw-r--r-- | files/etc/krb5.conf.common | 3 | ||||
-rw-r--r-- | scripts/os/freebsd/50-idm | 21 |
2 files changed, 18 insertions, 6 deletions
diff --git a/files/etc/krb5.conf.common b/files/etc/krb5.conf.common
index 3274deb..7eed6d2 100644
--- a/files/etc/krb5.conf.common
+++ b/files/etc/krb5.conf.common
@@ -4,7 +4,8 @@
 dns_lookup_realm = false
 allow_weak_crypto = false
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
- default_client_keytab_name = /var/db/keytabs/%{euid}.keytab
+ default_keytab_name = FILE:/var/krb5/user/%{euid}/keytab
+ default_client_keytab_name = FILE:/var/krb5/user/%{euid}/client.keytab
 [appdefaults]
 pam = {
diff --git a/scripts/os/freebsd/50-idm b/scripts/os/freebsd/50-idm
index ea94082..d9c2541 100644
--- a/scripts/os/freebsd/50-idm
+++ b/scripts/os/freebsd/50-idm
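Review bot: The new `default_keytab_name` line changes the acceptor keytab for every process on the host, not only for the UIDs a provisioning script populates, so a service running under any other UID that relied on the /etc/krb5.keytab location (which the FreeBSD script still symlinks) will stop finding its keytab unless /var/krb5/user/<uid>/keytab exists or KRB5_KTNAME is exported. The removed line only redirected `default_client_keytab_name`, which is a narrower change. A comment above the two new keys would make the contract explicit, e.g. `# Both keytabs are resolved per effective UID: /var/krb5/user/<euid>/ must exist (mode 0700, owned by that UID) or the process must set KRB5_KTNAME / KRB5_CLIENT_KTNAME.` The layout also depends on /var/krb5/user itself staying root-owned and not writable by unprivileged users, since otherwise a local account could create another UID's directory before it is provisioned; the script in this commit appears to create it with mode 0755, but the requirement belongs next to the config lines that define the path.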
@@ -86,17 +86,28 @@ add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn
 ktadd -k "${keytab_dir}/host.keytab" "host/${fqdn}"
 ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab
-# Create symlinks so host keytab can be used to aquire a TGT on-the-fly.
-ln -snfv host.keytab "${keytab_dir}/$(id -u "$nslcd_user").keytab"
-ln -snfv host.keytab "${keytab_dir}/${ssh_authzkeys_uid}.keytab"
-ln -snfv host.keytab "${keytab_dir}/0.keytab"
-
 # Create local group for host keytab access.
 add_group -g "$host_keytab_gid" "$host_keytab_groupname"
 chgrp "$host_keytab_groupname" "${keytab_dir}/host.keytab"
 chmod 640 "${keytab_dir}/host.keytab"
 pw usermod -n "$nslcd_user" -G "$host_keytab_groupname"
+# Create symlinks so host keytab can be used to aquire a TGT on-the-fly.
+nslcd_uid=$(id -u "$nslcd_user")
+install_directory -m 0755 \
+ /var/krb5 \
+ /var/krb5/user
+
+install_directory -o "$nslcd_user" -m 0700 "/var/krb5/user/${nslcd_uid}"
+ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${nslcd_uid}/client.keytab"
+
+install_directory -o "$ssh_authzkeys_uid" -m 0700 "/var/krb5/user/${ssh_authzkeys_uid}"
+ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${ssh_authzkeys_uid}/client.keytab"
+
+install_directory -o root -m 0700 /var/krb5/user/0
+ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/keytab
+ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/client.keytab
+
 # Copy IDM helper scripts for SSH.
 install_file -m 0555 \
 /usr/local/libexec/idm-ssh-known-hosts \ |