#!/bin/sh
# Provision an MIT Kerberos KDC (krb5kdc + kadmind) whose realm database is
# kept in LDAP, then make sure the local master key stash exists.
#
# Inputs come from the environment; install_template, is_primary_server and
# ldap_dn_exists are not defined here and presumably come from the
# provisioning framework that runs this script:
#   kdc_master_key               master database password
#   kdc_basedn                   realm DN (only consulted on the primary)
#   accounts_basedn              subtree searched for principals at realm creation
#   boxconf_username/_password   administrative principal created on the primary
#   robots_basedn                container DN for that principal
#   kdc_max_life, kdc_max_renewable_life   ticket lifetimes, defaulted below
#
# NOTE(review): kdc_master_key and boxconf_password travel on the command
# line (-P / -pw), so they are readable by other local users via ps(1) while
# those commands run, and would be echoed by set -x.

kdc_conf_dir=/usr/local/var/krb5kdc
kdc_master_key_path="${kdc_conf_dir}/master_key"

# Defaults apply only when the variable is unset or empty.
: "${kdc_max_life:=24h}"
: "${kdc_max_renewable_life:=7d}"

# MIT Kerberos packages.
pkg install -y krb5

# Client configuration, also linked under /usr/local/etc.
install_template -m 0644 /etc/krb5.conf
ln -snfv /etc/krb5.conf /usr/local/etc/krb5.conf

# KDC and kadmind configuration files.
install_template -m 0644 \
  "${kdc_conf_dir}/kdc.conf" \
  "${kdc_conf_dir}/kadm5.acl"

# First run on the primary creates the realm in LDAP (-s also writes the
# stash file); any other host, or a later run, only needs the stash present.
if is_primary_server && ! ldap_dn_exists "$kdc_basedn"; then
  kdb5_ldap_util -P "$kdc_master_key" create \
    -subtrees "$accounts_basedn" -sscope SUB -s
elif [ ! -f "$kdc_master_key_path" ]; then
  kdb5_util -P "$kdc_master_key" stash
fi

# Enable both daemons in rc.conf and (re)start them.
sysrc -v \
  kdc_program=/usr/local/sbin/krb5kdc \
  kadmind_program=/usr/local/sbin/kadmind \
  kdc_flags="" \
  kdc_enable=YES \
  kadmind_enable=YES
service kdc restart
service kadmind restart

# Administrative principal for the provisioning tool, created on the primary
# unless it already exists.
if is_primary_server; then
  if ! kadmin.local get_principal -terse "$boxconf_username"; then
    kadmin.local add_principal -pw "$boxconf_password" \
      -x "containerdn=${robots_basedn}" "$boxconf_username"
  fi
fi