Ubuntu
sssd package

Merge ~ahasenack/ubuntu/+source/sssd:bionic-sssd-max-id-1807246 into ubuntu/+source/sssd:ubuntu/bionic-devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/sssd
  3. bionic-sssd-max-id-1807246
  4. Merge into ubuntu/bionic-devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: Robie Basak
Approved revision: df51bf9daad357cdecf99d43de3eecc329285095
Merged at revision: df51bf9daad357cdecf99d43de3eecc329285095
Proposed branch: ~ahasenack/ubuntu/+source/sssd:bionic-sssd-max-id-1807246
Merge into: ubuntu/+source/sssd:ubuntu/bionic-devel
Diff against target: 617 lines (+561/-0)
9 files modified
debian/changelog (+11/-0)
debian/patches/fix-id-out-of-range-lookup.patch (+117/-0)
debian/patches/series (+1/-0)
debian/tests/common-tests (+28/-0)
debian/tests/control (+7/-0)
debian/tests/ldap-user-group-krb5-auth (+35/-0)
debian/tests/ldap-user-group-ldap-auth (+29/-0)
debian/tests/login.exp (+74/-0)
debian/tests/util (+259/-0)
Reviewer Review Type Date Requested Status
Robie Basak Approve
Canonical Server Pending
Review via email: mp+361848@code.launchpad.net

Description of the change

Bileto ticket and ppa, with green dep8 tests: https://bileto.ubuntu.com/#/ticket/3594

Upstream fix for bug #1807246. Since sssd always requires a somewhat complicated setup to test, I decided to also include the DEP8 tests we have added to the package in cosmic and later. To that end, I added a bionic task to #1793882 and included them here. I believe this gives more confidence in this particular update for an LTS, and also future updates of sssd.

I debated if I should pick just the one-liner that is the real fix, or the whole upstream commit. I chose the latter, since it applied cleanly, but one could argue that the SRU spirit means I should have picked the one-liner. I can see it getting in the way of future patches because of unecessary noise, but at the same time it is closer to upstream, which is where future patches are developed.

The bug has the SRU template filled out, and the testing instructions can be followed there.

To post a comment you must log in.
Revision history for this message
Robie Basak (racb) wrote :

dep8 tests are now identical to those on the development release

The new fix-id-out-of-range-lookup.patch is identical to the upstream commit (except for added dep3 headers)

Version string in changelog correct, no collisions

Changelog message looks good with correct bug references.

No other changes.

SRU information prepared and complete

Whitespace changes are great but I agree they're trivial enough that it's cleaner to do this than diverge from the upstream patch. Thank you for explaining your reasoning on this.

The patch itself looks fine.

Upload and SRU +1

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded, thanks.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index d8193ce..9557805 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
1sssd (1.16.1-1ubuntu1.1) bionic; urgency=medium
2
3 * d/p/fix-id-out-of-range-lookup.patch: CACHE_REQ: Do not fail the domain
4 locator plugin if ID outside the domain range is looked up. Thanks to
5 Jakub Hrozek <jhrozek@redhat.com>. (LP: #1807246)
6 * d/t/common-tests, d/t/control, d/t/ldap-user-group-krb5-auth,
7 d/t/ldap-user-group-ldap-auth, d/t/login.exp, d/t/util: add DEP8
8 tests for kerberos and LDAP (LP: #1793882)
9
10 -- Andreas Hasenack <andreas@canonical.com> Wed, 16 Jan 2019 13:58:03 -0200
11
1sssd (1.16.1-1ubuntu1) bionic; urgency=medium12sssd (1.16.1-1ubuntu1) bionic; urgency=medium
213
3 * Merge from Debian. (LP: #1754746)14 * Merge from Debian. (LP: #1754746)
diff --git a/debian/patches/fix-id-out-of-range-lookup.patch b/debian/patches/fix-id-out-of-range-lookup.patch
4new file mode 10064415new file mode 100644
index 0000000..404479f
--- /dev/null
+++ b/debian/patches/fix-id-out-of-range-lookup.patch
@@ -0,0 +1,117 @@
1From 2952de740f2ec1da9cbd682fb1d9219e5370e6a1 Mon Sep 17 00:00:00 2001
2From: Jakub Hrozek <jhrozek@redhat.com>
3Date: May 03 2018 20:02:44 +0000
4Subject: CACHE_REQ: Do not fail the domain locator plugin if ID outside the domain range is looked up
5
6
7A fix for upstream bug #3569 and the domain-locator feature were both
8developed in the context of the same upstream version and therefore
9touched the same code, but the domain locator did not account for the
10ERR_ID_OUTSIDE_RANGE error code.
11
12Therefore lookups for IDs that are outside the range for the domain
13caused the whole lookup to fail instead of carrying on to the next
14domain.
15
16This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID
17was not found at all. Also some whitespace errors are fixed.
18
19Resolves:
20https://pagure.io/SSSD/sssd/issue/3728
21
22Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
23Origin: upstream, https://pagure.io/SSSD/sssd/c/2952de7
24Bug: https://pagure.io/SSSD/sssd/issue/3728
25Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1807246
26Last-Update: 2019-01-15
27---
28
29diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
30index 134688b..28b5633 100644
31--- a/src/responder/common/cache_req/cache_req.c
32+++ b/src/responder/common/cache_req/cache_req.c
33@@ -523,6 +523,7 @@ static void cache_req_locate_dom_cache_done(struct tevent_req *subreq)
34 DEBUG(SSSDBG_TRACE_INTERNAL, "Result found in the cache\n");
35 tevent_req_done(req);
36 return;
37+ case ERR_ID_OUTSIDE_RANGE:
38 case ENOENT:
39 /* Not cached and locator was requested, run the locator
40 * DP request plugin
41diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
42index 2404168..d19ca89 100644
43--- a/src/responder/common/cache_req/plugins/cache_req_common.c
44+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
45@@ -27,7 +27,7 @@
46 #include "responder/common/cache_req/cache_req_plugin.h"
47
48 errno_t cache_req_idminmax_check(struct cache_req_data *data,
49- struct sss_domain_info *domain)
50+ struct sss_domain_info *domain)
51 {
52 if (((domain->id_min != 0) && (data->id < domain->id_min)) ||
53 ((domain->id_max != 0) && (data->id > domain->id_max))) {
54diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
55index 3fb8103..e0c6b65 100644
56--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
57+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
58@@ -85,7 +85,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
59
60 ret = cache_req_idminmax_check(data, domain);
61 if (ret != EOK) {
62- return ret;
63+ return ret;
64 }
65 return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result);
66 }
67diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
68index 252d89d..45d71b8 100644
69--- a/src/tests/cmocka/test_responder_cache_req.c
70+++ b/src/tests/cmocka/test_responder_cache_req.c
71@@ -1827,6 +1827,37 @@ void test_group_by_id_multiple_domains_notfound(void **state)
72 assert_true(test_ctx->dp_called);
73 }
74
75+void test_group_by_id_multiple_domains_outside_id_range(void **state)
76+{
77+ struct cache_req_test_ctx *test_ctx = NULL;
78+ struct sss_domain_info *domain = NULL;
79+ struct sss_domain_info *domain_a = NULL;
80+
81+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
82+
83+ domain_a = find_domain_by_name(test_ctx->tctx->dom,
84+ "responder_cache_req_test_a", true);
85+ assert_non_null(domain_a);
86+ domain_a->id_min = 1;
87+ domain_a->id_max = 100;
88+
89+ /* Setup group. */
90+ domain = find_domain_by_name(test_ctx->tctx->dom,
91+ "responder_cache_req_test_d", true);
92+ assert_non_null(domain);
93+ prepare_group(domain, &groups[0], 1000, time(NULL));
94+
95+ /* Mock values. */
96+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
97+ will_return_always(sss_dp_req_recv, 0);
98+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
99+
100+ /* Test. */
101+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
102+ assert_true(test_ctx->dp_called);
103+ check_group(test_ctx, &groups[0], domain);
104+}
105+
106 void test_group_by_id_multiple_domains_locator_cache_valid(void **state)
107 {
108 struct cache_req_test_ctx *test_ctx = NULL;
109@@ -3970,6 +4001,7 @@ int main(int argc, const char *argv[])
110 new_single_domain_test(group_by_id_missing_notfound),
111 new_multi_domain_test(group_by_id_multiple_domains_found),
112 new_multi_domain_test(group_by_id_multiple_domains_notfound),
113+ new_multi_domain_test(group_by_id_multiple_domains_outside_id_range),
114
115 new_multi_domain_test(group_by_id_multiple_domains_locator_cache_valid),
116 new_multi_domain_test(group_by_id_multiple_domains_locator_cache_expired),
117
diff --git a/debian/patches/series b/debian/patches/series
index a82d1b4..ca3afd4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
1#placeholder1#placeholder
2fix-id-out-of-range-lookup.patch
diff --git a/debian/tests/common-tests b/debian/tests/common-tests
2new file mode 1006443new file mode 100644
index 0000000..1bb8e1a
--- /dev/null
+++ b/debian/tests/common-tests
@@ -0,0 +1,28 @@
1#!/bin/sh
2
3run_common_tests() {
4 echo "Assert local user databases do not have our LDAP test data"
5 check_local_user "${ldap_user}"
6 check_local_group "${ldap_user}"
7 check_local_group "${ldap_group}"
8
9 echo "The LDAP user is known to the system via getent"
10 check_getent_user "${ldap_user}"
11
12 echo "The LDAP user's private group is known to the system via getent"
13 check_getent_group "${ldap_user}"
14
15 echo "The LDAP group ${ldap_group} is known to the system via getent"
16 check_getent_group "${ldap_group}"
17
18 echo "The id(1) command can resolve the group membership of the LDAP user"
19 #$ id -Gn testuser1
20 #testuser1 ldapusers
21 output=$(id -Gn ${ldap_user})
22 # XXX couldn't find a better way to make this comparison using just /bin/sh
23 if [ "${output}" != "${ldap_user} ${ldap_group}" ]; then
24 if [ "${output}" != "${ldap_group} ${ldap_user}" ]; then
25 die "Output doesn't match expected group membership: ${output}"
26 fi
27 fi
28}
diff --git a/debian/tests/control b/debian/tests/control
0new file mode 10064429new file mode 100644
index 0000000..93ed50a
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,7 @@
1Tests: ldap-user-group-ldap-auth
2Depends: @, slapd, ldap-utils, openssl, expect, lsb-release
3Restrictions: isolation-container, needs-root, allow-stderr
4
5Tests: ldap-user-group-krb5-auth
6Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc
7Restrictions: isolation-container, needs-root, allow-stderr
diff --git a/debian/tests/ldap-user-group-krb5-auth b/debian/tests/ldap-user-group-krb5-auth
0new file mode 1006448new file mode 100644
index 0000000..e50382e
--- /dev/null
+++ b/debian/tests/ldap-user-group-krb5-auth
@@ -0,0 +1,35 @@
1#!/bin/sh
2
3set -ex
4
5. debian/tests/util
6. debian/tests/common-tests
7
8mydomain="example.com"
9myhostname="ldap.${mydomain}"
10mysuffix="dc=example,dc=com"
11myrealm="EXAMPLE.COM"
12admin_dn="cn=admin,${mysuffix}"
13admin_pw="secret"
14ldap_user="testuser1"
15ldap_user_pw="testuser1secret"
16kerberos_principal_pw="testuser1kerberos"
17ldap_group="ldapusers"
18
19adjust_hostname "${myhostname}"
20reconfigure_slapd
21generate_certs "${myhostname}"
22enable_ldap_ssl
23populate_ldap_rfc2307
24create_realm "${myrealm}" "${myhostname}"
25create_krb_principal "${ldap_user}" "${kerberos_principal_pw}"
26configure_sssd_ldap_rfc2307_krb5_auth
27enable_pam_mkhomedir
28
29# tests begin here
30run_common_tests
31
32# login works with the kerneros password
33echo "The Kerberos principal can login on a terminal"
34kdestroy > /dev/null 2>&1 || /bin/true
35/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${kerberos_principal_pw}" "${ldap_user}"@"${myrealm}"
diff --git a/debian/tests/ldap-user-group-ldap-auth b/debian/tests/ldap-user-group-ldap-auth
0new file mode 10064436new file mode 100644
index 0000000..c25cff0
--- /dev/null
+++ b/debian/tests/ldap-user-group-ldap-auth
@@ -0,0 +1,29 @@
1#!/bin/sh
2
3set -ex
4
5. debian/tests/util
6. debian/tests/common-tests
7
8mydomain="example.com"
9myhostname="ldap.${mydomain}"
10mysuffix="dc=example,dc=com"
11admin_dn="cn=admin,${mysuffix}"
12admin_pw="secret"
13ldap_user="testuser1"
14ldap_user_pw="testuser1secret"
15ldap_group="ldapusers"
16
17adjust_hostname "${myhostname}"
18reconfigure_slapd
19generate_certs "${myhostname}"
20enable_ldap_ssl
21populate_ldap_rfc2307
22configure_sssd_ldap_rfc2307
23enable_pam_mkhomedir
24
25# tests begin here
26run_common_tests
27
28echo "The LDAP user can login on a terminal"
29/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${ldap_user_pw}"
diff --git a/debian/tests/login.exp b/debian/tests/login.exp
0new file mode 10064430new file mode 100644
index 0000000..63c25ab
--- /dev/null
+++ b/debian/tests/login.exp
@@ -0,0 +1,74 @@
1#!/usr/bin/expect
2
3set timeout 10
4set user [lindex $argv 0]
5set password [lindex $argv 1]
6set principal [lindex $argv 2]
7
8set distribution [exec "lsb_release" "-is"]
9
10if { $distribution == "Ubuntu" } {
11 set welcome "Welcome to"
12} elseif { $distribution == "Debian" } {
13 set welcome "Debian GNU/Linux comes"
14} else {
15 puts "Unsupported linux distribution $distribution"
16 exit 1
17}
18
19spawn login
20expect "login:"
21send "$user\r"
22expect "Password:"
23send "$password\r"
24expect {
25 timeout
26 {
27 puts "Expect error: timeout after password\r\r"
28 exit 1
29 }
30 "Login incorrect"
31 {
32 puts "Expect error: incorrect credentials\r\r"
33 exit 1
34 }
35 "$welcome"
36}
37expect {
38 timeout
39 {
40 puts "Expect error: timeout waiting for prompt\r\r"
41 exit 1
42 }
43 "$ "
44}
45send "id -un\r"
46expect {
47 timeout
48 {
49 puts "Expect error: timeout waiting for 'id' result\r\r"
50 exit 1
51 }
52 "$user"
53}
54expect {
55 timeout
56 {
57 puts "Expect error: timeout waiting for prompt\r\r"
58 exit 1
59 }
60 "$ "
61}
62if { $principal != "" } {
63 send "klist\r"
64 expect {
65 timeout
66 {
67 puts "Expect error: timeout waiting for klist output\r\r"
68 exit 1
69 }
70 "Default principal: $principal"
71 }
72}
73send "logout\r"
74exit 0
diff --git a/debian/tests/util b/debian/tests/util
0new file mode 10064475new file mode 100644
index 0000000..80f0bea
--- /dev/null
+++ b/debian/tests/util
@@ -0,0 +1,259 @@
1#!/bin/sh
2
3reconfigure_slapd() {
4 debconf-set-selections << EOF
5slapd slapd/domain string ${mydomain}
6slapd shared/organization string ${mydomain}
7slapd slapd/password1 password ${admin_pw}
8slapd slapd/password2 password ${admin_pw}
9EOF
10 rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
11 dpkg-reconfigure -fnoninteractive -pcritical slapd
12}
13
14die() {
15 echo "ERROR"
16 echo "$@"
17 exit 1
18}
19
20enable_pam_mkhomedir() {
21 if ! grep -qE "^session.*pam_mkhomedir\.so" /etc/pam.d/common-session; then
22 echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session
23 fi
24}
25
26adjust_hostname() {
27 local myhostname="$1"
28
29 echo "${myhostname}" > /etc/hostname
30 hostname "${myhostname}"
31 if ! grep -qE "${myhostname}" /etc/hosts; then
32 # just so it's resolvable
33 echo "127.0.1.10 ${myhostname}" >> /etc/hosts
34 fi
35}
36
37generate_certs() {
38 local cn="$1"
39 local cert="/etc/ldap/server.pem"
40 local key="/etc/ldap/server.key"
41 local cnf="/etc/ldap/openssl.cnf"
42
43 cat > "$cnf" <<EOF
44RANDFILE = /dev/urandom
45[ req ]
46default_bits = 1024
47default_keyfile = privkey.pem
48distinguished_name = req_distinguished_name
49prompt = no
50policy = policy_anything
51
52[ req_distinguished_name ]
53commonName = ${cn}
54EOF
55 openssl req -new -x509 -nodes -out "$cert" -keyout "$key" -config "$cnf"
56 chmod 0640 "$key"
57 chgrp openldap "$key"
58 if [ ! -f "$cert" ]; then
59 echo "ERROR, failed to generate certificate for ldap test"
60 exit 1
61 fi
62 if [ ! -f "$key" ]; then
63 echo "ERROR, failed to generate key for ldap test"
64 exit 1
65 fi
66}
67
68enable_ldap_ssl() {
69 cat > /etc/ldap/ldap.conf <<EOF
70BASE ${mysuffix}
71URI ldap://${myhostname}
72TLS_CACERT /etc/ldap/server.pem
73EOF
74 {
75 cat <<EOF
76dn: cn=config
77add: olcTLSCACertificateFile
78olcTLSCACertificateFile: /etc/ldap/server.pem
79-
80add: olcTLSCertificateFile
81olcTLSCertificateFile: /etc/ldap/server.pem
82-
83add: olcTLSCertificateKeyFile
84olcTLSCertificateKeyFile: /etc/ldap/server.key
85EOF
86 } | ldapmodify -H ldapi:/// -Y EXTERNAL -Q
87}
88
89populate_ldap_rfc2307() {
90 {
91 cat <<EOF
92dn: ou=People,${mysuffix}
93ou: People
94objectClass: organizationalUnit
95
96dn: ou=Group,${mysuffix}
97ou: Group
98objectClass: organizationalUnit
99
100dn: uid=${ldap_user},ou=People,${mysuffix}
101uid: ${ldap_user}
102objectClass: inetOrgPerson
103objectClass: posixAccount
104cn: ${ldap_user}
105sn: ${ldap_user}
106givenName: ${ldap_user}
107mail: ${ldap_user}@${mydomain}
108userPassword: ${ldap_user_pw}
109uidNumber: 10001
110gidNumber: 10001
111loginShell: /bin/bash
112homeDirectory: /home/${ldap_user}
113
114dn: cn=${ldap_user},ou=Group,${mysuffix}
115cn: ${ldap_user}
116objectClass: posixGroup
117gidNumber: 10001
118memberUid: ${ldap_user}
119
120dn: cn=${ldap_group},ou=Group,${mysuffix}
121cn: ${ldap_group}
122objectClass: posixGroup
123gidNumber: 10100
124memberUid: ${ldap_user}
125EOF
126 } | ldapadd -x -D "${admin_dn}" -w "${admin_pw}"
127}
128
129configure_sssd_ldap_rfc2307_krb5_auth() {
130 cat > /etc/sssd/sssd.conf <<EOF
131[sssd]
132config_file_version = 2
133services = nss, pam
134domains = LDAP
135
136[domain/LDAP]
137id_provider = ldap
138ldap_uri = ldap://${myhostname}
139auth_provider = krb5
140krb5_server = ${myhostname}
141krb5_realm = ${myrealm}
142cache_credentials = True
143ldap_search_base = ${mysuffix}
144EOF
145 chmod 0600 /etc/sssd/sssd.conf
146 systemctl restart sssd
147}
148
149configure_sssd_ldap_rfc2307() {
150 cat > /etc/sssd/sssd.conf <<EOF
151[sssd]
152config_file_version = 2
153services = nss, pam
154domains = LDAP
155
156[domain/LDAP]
157id_provider = ldap
158ldap_uri = ldap://${myhostname}
159cache_credentials = True
160ldap_search_base = ${mysuffix}
161EOF
162 chmod 0600 /etc/sssd/sssd.conf
163 systemctl restart sssd
164}
165
166check_local_user() {
167 local local_user="$1"
168
169 if grep -q "^${local_user}" /etc/passwd; then
170 die "Found ${local_user} in /etc/passwd"
171 fi
172}
173
174check_local_group() {
175 local local_group="$1"
176
177 if grep -q "^${local_group}" /etc/group; then
178 die "Found ${local_group} in /etc/group"
179 fi
180}
181
182check_getent_user() {
183 local getent_user="$1"
184 local output
185
186 output=$(getent passwd ${getent_user})
187 if [ -z "${output}" ]; then
188 die "${getent_user} not found via getent passwd"
189 fi
190}
191
192check_getent_group() {
193 local getent_group="$1"
194 local output
195
196 output=$(getent group ${getent_group})
197 if [ -z "${output}" ]; then
198 die "${getent_group} not found via getent group"
199 fi
200}
201
202create_realm() {
203 local realm_name="$1"
204 local kerberos_server="$2"
205
206 # start fresh
207 rm -rf /var/lib/krb5kdc/*
208 rm -rf /etc/krb5kdc/*
209 rm -f /etc/krb5.keytab
210
211 # setup some defaults
212 cat > /etc/krb5kdc/kdc.conf <<EOF
213[kdcdefaults]
214 kdc_ports = 750,88
215[realms]
216 ${realm_name} = {
217 database_name = /var/lib/krb5kdc/principal
218 admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
219 acl_file = /etc/krb5kdc/kadm5.acl
220 key_stash_file = /etc/krb5kdc/stash
221 kdc_ports = 750,88
222 max_life = 10h 0m 0s
223 max_renewable_life = 7d 0h 0m 0s
224 master_key_type = des3-hmac-sha1
225 #supported_enctypes = aes256-cts:normal aes128-cts:normal
226 default_principal_flags = +preauth
227 }
228EOF
229
230 cat > /etc/krb5.conf <<EOF
231[libdefaults]
232 default_realm = ${realm_name}
233 kdc_timesync = 1
234 ccache_type = 4
235 forwardable = true
236 proxiable = true
237 fcc-mit-ticketflags = true
238[realms]
239 ${realm_name} = {
240 kdc = ${kerberos_server}
241 admin_server = ${kerberos_server}
242 }
243EOF
244 echo "# */admin *" > /etc/krb5kdc/kadm5.acl
245
246 # create the realm
247 kdb5_util create -s -P secretpassword
248
249 # restart services
250 systemctl restart krb5-kdc.service krb5-admin-server.service
251}
252
253create_krb_principal() {
254 local principal="$1"
255 local password="$2"
256
257 kadmin.local -q "addprinc -pw ${password} ${principal}"
258}
259

Subscribers

People subscribed via source and target branches