Merge ~ahasenack/ubuntu/+source/sssd:bionic-sssd-max-id-1807246 into ubuntu/+source/sssd:ubuntu/bionic-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Robie Basak
Approved revision: df51bf9daad357cdecf99d43de3eecc329285095
Merged at revision: df51bf9daad357cdecf99d43de3eecc329285095
Proposed branch: ~ahasenack/ubuntu/+source/sssd:bionic-sssd-max-id-1807246
Merge into: ubuntu/+source/sssd:ubuntu/bionic-devel
Diff against target: 617 lines (+561/-0)
9 files modified
debian/changelog (+11/-0)
debian/patches/fix-id-out-of-range-lookup.patch (+117/-0)
debian/patches/series (+1/-0)
debian/tests/common-tests (+28/-0)
debian/tests/control (+7/-0)
debian/tests/ldap-user-group-krb5-auth (+35/-0)
debian/tests/ldap-user-group-ldap-auth (+29/-0)
debian/tests/login.exp (+74/-0)
debian/tests/util (+259/-0)
Reviewers:
  Robie Basak: Approve
  Canonical Server: Pending
Review via email: mp+361848@code.launchpad.net

Description of the change

Bileto ticket and ppa, with green dep8 tests: https://bileto.ubuntu.com/#/ticket/3594

Upstream fix for bug #1807246. Since sssd always requires a somewhat complicated setup to test, I decided to also include the DEP8 tests we have added to the package in cosmic and later. To that end, I added a bionic task to #1793882 and included them here. I believe this gives more confidence in this particular update for an LTS, and also future updates of sssd.

I debated if I should pick just the one-liner that is the real fix, or the whole upstream commit. I chose the latter, since it applied cleanly, but one could argue that the SRU spirit means I should have picked the one-liner. I can see it getting in the way of future patches because of unnecessary noise, but at the same time it is closer to upstream, which is where future patches are developed.

The bug has the SRU template filled out, and the testing instructions can be followed there.

Revision history for this message
Robie Basak (racb) wrote :

dep8 tests are now identical to those on the development release

The new fix-id-out-of-range-lookup.patch is identical to the upstream commit (except for added dep3 headers)

Version string in changelog correct, no collisions

Changelog message looks good with correct bug references.

No other changes.

SRU information prepared and complete

Whitespace changes are great but I agree they're trivial enough that it's cleaner to do this than diverge from the upstream patch. Thank you for explaining your reasoning on this.

The patch itself looks fine.

Upload and SRU +1

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded, thanks.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index d8193ce..9557805 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,14 @@
6+sssd (1.16.1-1ubuntu1.1) bionic; urgency=medium
7+
8+ * d/p/fix-id-out-of-range-lookup.patch: CACHE_REQ: Do not fail the domain
9+ locator plugin if ID outside the domain range is looked up. Thanks to
10+ Jakub Hrozek <jhrozek@redhat.com>. (LP: #1807246)
11+ * d/t/common-tests, d/t/control, d/t/ldap-user-group-krb5-auth,
12+ d/t/ldap-user-group-ldap-auth, d/t/login.exp, d/t/util: add DEP8
13+ tests for kerberos and LDAP (LP: #1793882)
14+
15+ -- Andreas Hasenack <andreas@canonical.com> Wed, 16 Jan 2019 13:58:03 -0200
16+
17 sssd (1.16.1-1ubuntu1) bionic; urgency=medium
18
19 * Merge from Debian. (LP: #1754746)
20diff --git a/debian/patches/fix-id-out-of-range-lookup.patch b/debian/patches/fix-id-out-of-range-lookup.patch
21new file mode 100644
22index 0000000..404479f
23--- /dev/null
24+++ b/debian/patches/fix-id-out-of-range-lookup.patch
25@@ -0,0 +1,117 @@
26+From 2952de740f2ec1da9cbd682fb1d9219e5370e6a1 Mon Sep 17 00:00:00 2001
27+From: Jakub Hrozek <jhrozek@redhat.com>
28+Date: May 03 2018 20:02:44 +0000
29+Subject: CACHE_REQ: Do not fail the domain locator plugin if ID outside the domain range is looked up
30+
31+
32+A fix for upstream bug #3569 and the domain-locator feature were both
33+developed in the context of the same upstream version and therefore
34+touched the same code, but the domain locator did not account for the
35+ERR_ID_OUTSIDE_RANGE error code.
36+
37+Therefore lookups for IDs that are outside the range for the domain
38+caused the whole lookup to fail instead of carrying on to the next
39+domain.
40+
41+This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID
42+was not found at all. Also some whitespace errors are fixed.
43+
44+Resolves:
45+https://pagure.io/SSSD/sssd/issue/3728
46+
47+Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
48+Origin: upstream, https://pagure.io/SSSD/sssd/c/2952de7
49+Bug: https://pagure.io/SSSD/sssd/issue/3728
50+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1807246
51+Last-Update: 2019-01-15
52+---
53+
54+diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
55+index 134688b..28b5633 100644
56+--- a/src/responder/common/cache_req/cache_req.c
57++++ b/src/responder/common/cache_req/cache_req.c
58+@@ -523,6 +523,7 @@ static void cache_req_locate_dom_cache_done(struct tevent_req *subreq)
59+ DEBUG(SSSDBG_TRACE_INTERNAL, "Result found in the cache\n");
60+ tevent_req_done(req);
61+ return;
62++ case ERR_ID_OUTSIDE_RANGE:
63+ case ENOENT:
64+ /* Not cached and locator was requested, run the locator
65+ * DP request plugin
66+diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
67+index 2404168..d19ca89 100644
68+--- a/src/responder/common/cache_req/plugins/cache_req_common.c
69++++ b/src/responder/common/cache_req/plugins/cache_req_common.c
70+@@ -27,7 +27,7 @@
71+ #include "responder/common/cache_req/cache_req_plugin.h"
72+
73+ errno_t cache_req_idminmax_check(struct cache_req_data *data,
74+- struct sss_domain_info *domain)
75++ struct sss_domain_info *domain)
76+ {
77+ if (((domain->id_min != 0) && (data->id < domain->id_min)) ||
78+ ((domain->id_max != 0) && (data->id > domain->id_max))) {
79+diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
80+index 3fb8103..e0c6b65 100644
81+--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
82++++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
83+@@ -85,7 +85,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
84+
85+ ret = cache_req_idminmax_check(data, domain);
86+ if (ret != EOK) {
87+- return ret;
88++ return ret;
89+ }
90+ return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result);
91+ }
92+diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
93+index 252d89d..45d71b8 100644
94+--- a/src/tests/cmocka/test_responder_cache_req.c
95++++ b/src/tests/cmocka/test_responder_cache_req.c
96+@@ -1827,6 +1827,37 @@ void test_group_by_id_multiple_domains_notfound(void **state)
97+ assert_true(test_ctx->dp_called);
98+ }
99+
100++void test_group_by_id_multiple_domains_outside_id_range(void **state)
101++{
102++ struct cache_req_test_ctx *test_ctx = NULL;
103++ struct sss_domain_info *domain = NULL;
104++ struct sss_domain_info *domain_a = NULL;
105++
106++ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
107++
108++ domain_a = find_domain_by_name(test_ctx->tctx->dom,
109++ "responder_cache_req_test_a", true);
110++ assert_non_null(domain_a);
111++ domain_a->id_min = 1;
112++ domain_a->id_max = 100;
113++
114++ /* Setup group. */
115++ domain = find_domain_by_name(test_ctx->tctx->dom,
116++ "responder_cache_req_test_d", true);
117++ assert_non_null(domain);
118++ prepare_group(domain, &groups[0], 1000, time(NULL));
119++
120++ /* Mock values. */
121++ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
122++ will_return_always(sss_dp_req_recv, 0);
123++ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
124++
125++ /* Test. */
126++ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
127++ assert_true(test_ctx->dp_called);
128++ check_group(test_ctx, &groups[0], domain);
129++}
130++
131+ void test_group_by_id_multiple_domains_locator_cache_valid(void **state)
132+ {
133+ struct cache_req_test_ctx *test_ctx = NULL;
134+@@ -3970,6 +4001,7 @@ int main(int argc, const char *argv[])
135+ new_single_domain_test(group_by_id_missing_notfound),
136+ new_multi_domain_test(group_by_id_multiple_domains_found),
137+ new_multi_domain_test(group_by_id_multiple_domains_notfound),
138++ new_multi_domain_test(group_by_id_multiple_domains_outside_id_range),
139+
140+ new_multi_domain_test(group_by_id_multiple_domains_locator_cache_valid),
141+ new_multi_domain_test(group_by_id_multiple_domains_locator_cache_expired),
142+
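Review bot: the cache_req_common.c and cache_req_group_by_id.c hunks inside this patch are indentation-only and change no behaviour; the one functional change is the added `case ERR_ID_OUTSIDE_RANGE:` in cache_req_locate_dom_cache_done (cache_req.c hunk), which lets an ID outside the domain's id_min/id_max fall through to the ENOENT path and run the locator plugin instead of failing the whole request. Saying so in the DEP-3 description or the changelog would stop a later SRU reviewer from hunting for a second fix in the whitespace hunks. The added cmocka test exercises only the group-by-id path (domain_a limited to id_min=1/id_max=100, group at gid 1000 placed in domain_d, `run_group_by_id(test_ctx, NULL, 0, ERR_OK)`); cache_req_idminmax_check is shared code, so if the user-by-id plugin calls it as well (not visible in this diff) a symmetric test_user_by_id_multiple_domains_outside_id_range would guard that path. The header block is fine: `Origin: upstream, https://pagure.io/SSSD/sssd/c/2952de7` plus Bug/Bug-Ubuntu/Last-Update is the right DEP-3 marker for an unmodified cherry-pick.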
143diff --git a/debian/patches/series b/debian/patches/series
144index a82d1b4..ca3afd4 100644
145--- a/debian/patches/series
146+++ b/debian/patches/series
147@@ -1 +1,2 @@
148 #placeholder
149+fix-id-out-of-range-lookup.patch
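Review bot: the `#placeholder` line above the new entry can be dropped now that series carries a real patch; quilt ignores comment lines so it is harmless, but it is one more thing to resolve on the next merge from Debian.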
150diff --git a/debian/tests/common-tests b/debian/tests/common-tests
151new file mode 100644
152index 0000000..1bb8e1a
153--- /dev/null
154+++ b/debian/tests/common-tests
155@@ -0,0 +1,28 @@
156+#!/bin/sh
157+
158+run_common_tests() {
159+ echo "Assert local user databases do not have our LDAP test data"
160+ check_local_user "${ldap_user}"
161+ check_local_group "${ldap_user}"
162+ check_local_group "${ldap_group}"
163+
164+ echo "The LDAP user is known to the system via getent"
165+ check_getent_user "${ldap_user}"
166+
167+ echo "The LDAP user's private group is known to the system via getent"
168+ check_getent_group "${ldap_user}"
169+
170+ echo "The LDAP group ${ldap_group} is known to the system via getent"
171+ check_getent_group "${ldap_group}"
172+
173+ echo "The id(1) command can resolve the group membership of the LDAP user"
174+ #$ id -Gn testuser1
175+ #testuser1 ldapusers
176+ output=$(id -Gn ${ldap_user})
177+ # XXX couldn't find a better way to make this comparison using just /bin/sh
178+ if [ "${output}" != "${ldap_user} ${ldap_group}" ]; then
179+ if [ "${output}" != "${ldap_group} ${ldap_user}" ]; then
180+ die "Output doesn't match expected group membership: ${output}"
181+ fi
182+ fi
183+}
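Review bot: the group-membership check at the end of run_common_tests hard-codes the two possible orderings of `id -Gn` output, so it breaks the moment a third group is added to the test data; compare sorted, newline-separated lists instead, which stays within POSIX sh, e.g. `id -Gn "${ldap_user}" | tr ' ' '\n' | sort` against `printf '%s\n' "${ldap_user}" "${ldap_group}" | sort`. While there, quote `${ldap_user}` in the `id -Gn` call as the other helpers in debian/tests/util do.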
184diff --git a/debian/tests/control b/debian/tests/control
185new file mode 100644
186index 0000000..93ed50a
187--- /dev/null
188+++ b/debian/tests/control
189@@ -0,0 +1,7 @@
190+Tests: ldap-user-group-ldap-auth
191+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release
192+Restrictions: isolation-container, needs-root, allow-stderr
193+
194+Tests: ldap-user-group-krb5-auth
195+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc
196+Restrictions: isolation-container, needs-root, allow-stderr
197diff --git a/debian/tests/ldap-user-group-krb5-auth b/debian/tests/ldap-user-group-krb5-auth
198new file mode 100644
199index 0000000..e50382e
200--- /dev/null
201+++ b/debian/tests/ldap-user-group-krb5-auth
202@@ -0,0 +1,35 @@
203+#!/bin/sh
204+
205+set -ex
206+
207+. debian/tests/util
208+. debian/tests/common-tests
209+
210+mydomain="example.com"
211+myhostname="ldap.${mydomain}"
212+mysuffix="dc=example,dc=com"
213+myrealm="EXAMPLE.COM"
214+admin_dn="cn=admin,${mysuffix}"
215+admin_pw="secret"
216+ldap_user="testuser1"
217+ldap_user_pw="testuser1secret"
218+kerberos_principal_pw="testuser1kerberos"
219+ldap_group="ldapusers"
220+
221+adjust_hostname "${myhostname}"
222+reconfigure_slapd
223+generate_certs "${myhostname}"
224+enable_ldap_ssl
225+populate_ldap_rfc2307
226+create_realm "${myrealm}" "${myhostname}"
227+create_krb_principal "${ldap_user}" "${kerberos_principal_pw}"
228+configure_sssd_ldap_rfc2307_krb5_auth
229+enable_pam_mkhomedir
230+
231+# tests begin here
232+run_common_tests
233+
234+# login works with the kerneros password
235+echo "The Kerberos principal can login on a terminal"
236+kdestroy > /dev/null 2>&1 || /bin/true
237+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${kerberos_principal_pw}" "${ldap_user}"@"${myrealm}"
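Review bot: typo in the comment `# login works with the kerneros password` (kerberos). Two smaller points: `ldap_user_pw` is assigned but never used for authentication here, yet populate_ldap_rfc2307 still writes it as userPassword, so the LDAP entry carries a second, different credential for the same user that this test never validates; and because the script runs under `set -x`, the `create_krb_principal` call echoes `addprinc -pw ${password}` into the test log. That is fine for the constructed test secrets used here, but a comment saying so would keep the helper from being reused with real ones.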
238diff --git a/debian/tests/ldap-user-group-ldap-auth b/debian/tests/ldap-user-group-ldap-auth
239new file mode 100644
240index 0000000..c25cff0
241--- /dev/null
242+++ b/debian/tests/ldap-user-group-ldap-auth
243@@ -0,0 +1,29 @@
244+#!/bin/sh
245+
246+set -ex
247+
248+. debian/tests/util
249+. debian/tests/common-tests
250+
251+mydomain="example.com"
252+myhostname="ldap.${mydomain}"
253+mysuffix="dc=example,dc=com"
254+admin_dn="cn=admin,${mysuffix}"
255+admin_pw="secret"
256+ldap_user="testuser1"
257+ldap_user_pw="testuser1secret"
258+ldap_group="ldapusers"
259+
260+adjust_hostname "${myhostname}"
261+reconfigure_slapd
262+generate_certs "${myhostname}"
263+enable_ldap_ssl
264+populate_ldap_rfc2307
265+configure_sssd_ldap_rfc2307
266+enable_pam_mkhomedir
267+
268+# tests begin here
269+run_common_tests
270+
271+echo "The LDAP user can login on a terminal"
272+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${ldap_user_pw}"
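Review bot: the variable block (mydomain through ldap_group) is duplicated verbatim from ldap-user-group-krb5-auth; moving the shared values into debian/tests/common-tests, which both scripts already source, keeps the two tests from drifting apart. Otherwise the sequence is the Kerberos test minus the realm steps, which is the right shape.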
273diff --git a/debian/tests/login.exp b/debian/tests/login.exp
274new file mode 100644
275index 0000000..63c25ab
276--- /dev/null
277+++ b/debian/tests/login.exp
278@@ -0,0 +1,74 @@
279+#!/usr/bin/expect
280+
281+set timeout 10
282+set user [lindex $argv 0]
283+set password [lindex $argv 1]
284+set principal [lindex $argv 2]
285+
286+set distribution [exec "lsb_release" "-is"]
287+
288+if { $distribution == "Ubuntu" } {
289+ set welcome "Welcome to"
290+} elseif { $distribution == "Debian" } {
291+ set welcome "Debian GNU/Linux comes"
292+} else {
293+ puts "Unsupported linux distribution $distribution"
294+ exit 1
295+}
296+
297+spawn login
298+expect "login:"
299+send "$user\r"
300+expect "Password:"
301+send "$password\r"
302+expect {
303+ timeout
304+ {
305+ puts "Expect error: timeout after password\r\r"
306+ exit 1
307+ }
308+ "Login incorrect"
309+ {
310+ puts "Expect error: incorrect credentials\r\r"
311+ exit 1
312+ }
313+ "$welcome"
314+}
315+expect {
316+ timeout
317+ {
318+ puts "Expect error: timeout waiting for prompt\r\r"
319+ exit 1
320+ }
321+ "$ "
322+}
323+send "id -un\r"
324+expect {
325+ timeout
326+ {
327+ puts "Expect error: timeout waiting for 'id' result\r\r"
328+ exit 1
329+ }
330+ "$user"
331+}
332+expect {
333+ timeout
334+ {
335+ puts "Expect error: timeout waiting for prompt\r\r"
336+ exit 1
337+ }
338+ "$ "
339+}
340+if { $principal != "" } {
341+ send "klist\r"
342+ expect {
343+ timeout
344+ {
345+ puts "Expect error: timeout waiting for klist output\r\r"
346+ exit 1
347+ }
348+ "Default principal: $principal"
349+ }
350+}
351+send "logout\r"
352+exit 0
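Review bot: the first two `expect "login:"` and `expect "Password:"` calls have no timeout branch, so if the login prompt never appears expect simply continues after 10 seconds and sends the username and password into whatever is on the terminal; give them the same `timeout { puts ...; exit 1 }` form the later stages use. Two lesser points: the prompt match `"$ "` assumes the default bash prompt from /etc/skel (true here because pam_mkhomedir populates the home directory, but worth a comment next to `set welcome`), and the script never checks the exit status of the spawned `login` after `send "logout\r"`, so a shell that dies during logout is still reported as success.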
353diff --git a/debian/tests/util b/debian/tests/util
354new file mode 100644
355index 0000000..80f0bea
356--- /dev/null
357+++ b/debian/tests/util
358@@ -0,0 +1,259 @@
359+#!/bin/sh
360+
361+reconfigure_slapd() {
362+ debconf-set-selections << EOF
363+slapd slapd/domain string ${mydomain}
364+slapd shared/organization string ${mydomain}
365+slapd slapd/password1 password ${admin_pw}
366+slapd slapd/password2 password ${admin_pw}
367+EOF
368+ rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb
369+ dpkg-reconfigure -fnoninteractive -pcritical slapd
370+}
371+
372+die() {
373+ echo "ERROR"
374+ echo "$@"
375+ exit 1
376+}
377+
378+enable_pam_mkhomedir() {
379+ if ! grep -qE "^session.*pam_mkhomedir\.so" /etc/pam.d/common-session; then
380+ echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session
381+ fi
382+}
383+
384+adjust_hostname() {
385+ local myhostname="$1"
386+
387+ echo "${myhostname}" > /etc/hostname
388+ hostname "${myhostname}"
389+ if ! grep -qE "${myhostname}" /etc/hosts; then
390+ # just so it's resolvable
391+ echo "127.0.1.10 ${myhostname}" >> /etc/hosts
392+ fi
393+}
394+
395+generate_certs() {
396+ local cn="$1"
397+ local cert="/etc/ldap/server.pem"
398+ local key="/etc/ldap/server.key"
399+ local cnf="/etc/ldap/openssl.cnf"
400+
401+ cat > "$cnf" <<EOF
402+RANDFILE = /dev/urandom
403+[ req ]
404+default_bits = 1024
405+default_keyfile = privkey.pem
406+distinguished_name = req_distinguished_name
407+prompt = no
408+policy = policy_anything
409+
410+[ req_distinguished_name ]
411+commonName = ${cn}
412+EOF
413+ openssl req -new -x509 -nodes -out "$cert" -keyout "$key" -config "$cnf"
414+ chmod 0640 "$key"
415+ chgrp openldap "$key"
416+ if [ ! -f "$cert" ]; then
417+ echo "ERROR, failed to generate certificate for ldap test"
418+ exit 1
419+ fi
420+ if [ ! -f "$key" ]; then
421+ echo "ERROR, failed to generate key for ldap test"
422+ exit 1
423+ fi
424+}
425+
426+enable_ldap_ssl() {
427+ cat > /etc/ldap/ldap.conf <<EOF
428+BASE ${mysuffix}
429+URI ldap://${myhostname}
430+TLS_CACERT /etc/ldap/server.pem
431+EOF
432+ {
433+ cat <<EOF
434+dn: cn=config
435+add: olcTLSCACertificateFile
436+olcTLSCACertificateFile: /etc/ldap/server.pem
437+-
438+add: olcTLSCertificateFile
439+olcTLSCertificateFile: /etc/ldap/server.pem
440+-
441+add: olcTLSCertificateKeyFile
442+olcTLSCertificateKeyFile: /etc/ldap/server.key
443+EOF
444+ } | ldapmodify -H ldapi:/// -Y EXTERNAL -Q
445+}
446+
447+populate_ldap_rfc2307() {
448+ {
449+ cat <<EOF
450+dn: ou=People,${mysuffix}
451+ou: People
452+objectClass: organizationalUnit
453+
454+dn: ou=Group,${mysuffix}
455+ou: Group
456+objectClass: organizationalUnit
457+
458+dn: uid=${ldap_user},ou=People,${mysuffix}
459+uid: ${ldap_user}
460+objectClass: inetOrgPerson
461+objectClass: posixAccount
462+cn: ${ldap_user}
463+sn: ${ldap_user}
464+givenName: ${ldap_user}
465+mail: ${ldap_user}@${mydomain}
466+userPassword: ${ldap_user_pw}
467+uidNumber: 10001
468+gidNumber: 10001
469+loginShell: /bin/bash
470+homeDirectory: /home/${ldap_user}
471+
472+dn: cn=${ldap_user},ou=Group,${mysuffix}
473+cn: ${ldap_user}
474+objectClass: posixGroup
475+gidNumber: 10001
476+memberUid: ${ldap_user}
477+
478+dn: cn=${ldap_group},ou=Group,${mysuffix}
479+cn: ${ldap_group}
480+objectClass: posixGroup
481+gidNumber: 10100
482+memberUid: ${ldap_user}
483+EOF
484+ } | ldapadd -x -D "${admin_dn}" -w "${admin_pw}"
485+}
486+
487+configure_sssd_ldap_rfc2307_krb5_auth() {
488+ cat > /etc/sssd/sssd.conf <<EOF
489+[sssd]
490+config_file_version = 2
491+services = nss, pam
492+domains = LDAP
493+
494+[domain/LDAP]
495+id_provider = ldap
496+ldap_uri = ldap://${myhostname}
497+auth_provider = krb5
498+krb5_server = ${myhostname}
499+krb5_realm = ${myrealm}
500+cache_credentials = True
501+ldap_search_base = ${mysuffix}
502+EOF
503+ chmod 0600 /etc/sssd/sssd.conf
504+ systemctl restart sssd
505+}
506+
507+configure_sssd_ldap_rfc2307() {
508+ cat > /etc/sssd/sssd.conf <<EOF
509+[sssd]
510+config_file_version = 2
511+services = nss, pam
512+domains = LDAP
513+
514+[domain/LDAP]
515+id_provider = ldap
516+ldap_uri = ldap://${myhostname}
517+cache_credentials = True
518+ldap_search_base = ${mysuffix}
519+EOF
520+ chmod 0600 /etc/sssd/sssd.conf
521+ systemctl restart sssd
522+}
523+
524+check_local_user() {
525+ local local_user="$1"
526+
527+ if grep -q "^${local_user}" /etc/passwd; then
528+ die "Found ${local_user} in /etc/passwd"
529+ fi
530+}
531+
532+check_local_group() {
533+ local local_group="$1"
534+
535+ if grep -q "^${local_group}" /etc/group; then
536+ die "Found ${local_group} in /etc/group"
537+ fi
538+}
539+
540+check_getent_user() {
541+ local getent_user="$1"
542+ local output
543+
544+ output=$(getent passwd ${getent_user})
545+ if [ -z "${output}" ]; then
546+ die "${getent_user} not found via getent passwd"
547+ fi
548+}
549+
550+check_getent_group() {
551+ local getent_group="$1"
552+ local output
553+
554+ output=$(getent group ${getent_group})
555+ if [ -z "${output}" ]; then
556+ die "${getent_group} not found via getent group"
557+ fi
558+}
559+
560+create_realm() {
561+ local realm_name="$1"
562+ local kerberos_server="$2"
563+
564+ # start fresh
565+ rm -rf /var/lib/krb5kdc/*
566+ rm -rf /etc/krb5kdc/*
567+ rm -f /etc/krb5.keytab
568+
569+ # setup some defaults
570+ cat > /etc/krb5kdc/kdc.conf <<EOF
571+[kdcdefaults]
572+ kdc_ports = 750,88
573+[realms]
574+ ${realm_name} = {
575+ database_name = /var/lib/krb5kdc/principal
576+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
577+ acl_file = /etc/krb5kdc/kadm5.acl
578+ key_stash_file = /etc/krb5kdc/stash
579+ kdc_ports = 750,88
580+ max_life = 10h 0m 0s
581+ max_renewable_life = 7d 0h 0m 0s
582+ master_key_type = des3-hmac-sha1
583+ #supported_enctypes = aes256-cts:normal aes128-cts:normal
584+ default_principal_flags = +preauth
585+ }
586+EOF
587+
588+ cat > /etc/krb5.conf <<EOF
589+[libdefaults]
590+ default_realm = ${realm_name}
591+ kdc_timesync = 1
592+ ccache_type = 4
593+ forwardable = true
594+ proxiable = true
595+ fcc-mit-ticketflags = true
596+[realms]
597+ ${realm_name} = {
598+ kdc = ${kerberos_server}
599+ admin_server = ${kerberos_server}
600+ }
601+EOF
602+ echo "# */admin *" > /etc/krb5kdc/kadm5.acl
603+
604+ # create the realm
605+ kdb5_util create -s -P secretpassword
606+
607+ # restart services
608+ systemctl restart krb5-kdc.service krb5-admin-server.service
609+}
610+
611+create_krb_principal() {
612+ local principal="$1"
613+ local password="$2"
614+
615+ kadmin.local -q "addprinc -pw ${password} ${principal}"
616+}
617+
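Review bot: check_local_user and check_local_group use `grep -q "^${local_user}"` and `grep -q "^${local_group}"`, a prefix match that would also flag an unrelated local `testuser10` or `ldapusers2`; anchor on the field separator with `"^${local_user}:"`. Second, both configure_sssd_* variants point sssd at `ldap_uri = ldap://${myhostname}` with no `ldap_id_use_start_tls`, so identity lookups run over plain LDAP and the certificate set up by generate_certs/enable_ldap_ssl is only exercised by the password bind in the ldap-auth test, which sssd wraps in START_TLS by default and verifies against the TLS_CACERT written to /etc/ldap/ldap.conf; adding `ldap_id_use_start_tls = true` would cover TLS end to end. Smaller items that are acceptable in a throwaway container but deserve a comment so nobody copies them: `default_bits = 1024` for the server key, `master_key_type = des3-hmac-sha1` for the KDC, and the fixed `kdb5_util create -s -P secretpassword` master password. The `rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb` before dpkg-reconfigure is destructive on whatever host runs the test, which is why the isolation-container restriction in d/t/control must stay.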
