[debian-edu-commits] r81432 - in branches/wheezy/debian-edu-config: debian share/debian-edu-config/tools
pere at alioth.debian.org
pere at alioth.debian.org
Sun Jul 7 07:17:48 UTC 2013
Author: pere
Date: 2013-07-07 07:17:48 +0000 (Sun, 07 Jul 2013)
New Revision: 81432
Modified:
branches/wheezy/debian-edu-config/debian/changelog
branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-roaming
branches/wheezy/debian-edu-config/share/debian-edu-config/tools/sssd-generate-config
Log:
Extend setup-roaming to also generate krb5.conf dynamically, to
make sure Kerberos works properly independent of where the client
is located and what it is named.
Modified: branches/wheezy/debian-edu-config/debian/changelog
===================================================================
--- branches/wheezy/debian-edu-config/debian/changelog 2013-07-07 06:58:36 UTC (rev 81431)
+++ branches/wheezy/debian-edu-config/debian/changelog 2013-07-07 07:17:48 UTC (rev 81432)
@@ -1,3 +1,12 @@
+debian-edu-config (1.709) unstable; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * Extend setup-roaming to also generate krb5.conf dynamically, to
+ make sure kerberos work properly independent of where the client
+ is located and what it is named.
+
+ -- Petter Reinholdtsen <pere at debian.org> Sun, 07 Jul 2013 09:12:49 +0200
+
debian-edu-config (1.708) unstable; urgency=low
[ Petter Reinholdtsen ]
Modified: branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-roaming
===================================================================
--- branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-roaming 2013-07-07 06:58:36 UTC (rev 81431)
+++ branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-roaming 2013-07-07 07:17:48 UTC (rev 81432)
@@ -56,6 +56,13 @@
fi
invoke-rc.d sssd restart || true
+# try to set up kerberos
+if $bindir/sssd-generate-config -k > /etc/krb5.conf.new ; then
+ chmod 644 /etc/krb5.conf.new
+ mv /etc/krb5.conf.new /etc/krb5.conf
+else
+ rm /etc/krb5.conf.new
+fi
# FIXME See if we can drop libnss-ldapd now that sssd support sudoers. (compatible LDAP schema?)
# FIXME See if we can drop libnss-ldapd even if sssd do not support networks
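Review bot: The new block overwrites `/etc/krb5.conf` every time `sssd-generate-config -k` exits 0, and keeps no copy of the previous file. A locally edited or previously working Kerberos configuration is therefore lost as soon as autodetection on the current network returns something different. I would save the old file before the `mv`, for example `[ ! -f /etc/krb5.conf ] || cp -p /etc/krb5.conf /etc/krb5.conf.bak`, and only move the new file into place when it is non-empty, by adding `&& [ -s /etc/krb5.conf.new ]` to the `if` condition. In the else branch, `rm -f /etc/krb5.conf.new` avoids a second error when the redirection itself could not create the file, and `"$bindir"/sssd-generate-config` should be quoted. The script begins and ends outside this hunk, so whether `set -e` is in effect there is not visible.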
Modified: branches/wheezy/debian-edu-config/share/debian-edu-config/tools/sssd-generate-config
===================================================================
--- branches/wheezy/debian-edu-config/share/debian-edu-config/tools/sssd-generate-config 2013-07-07 06:58:36 UTC (rev 81431)
+++ branches/wheezy/debian-edu-config/share/debian-edu-config/tools/sssd-generate-config 2013-07-07 07:17:48 UTC (rev 81432)
@@ -89,7 +89,7 @@
echo $domain
}
-generate_config() {
+generate_sssd_config() {
domain=$(find_dns_domain "$1")
kerberosrealm=$(lookup_kerberos_realm $domain)
ldapuri=$(lookup_ldap_uri "$domain")
@@ -166,4 +166,76 @@
fi
fi
}
-generate_config "$@"
+
+generate_krb5_config() {
+ dnsdomain=$(find_dns_domain "$1")
+ kerberosrealm=$(lookup_kerberos_realm $dnsdomain)
+ kerberosserver=$(lookup_kerberos_server "$dnsdomain")
+ if [ -z "$kerberosserver" ]; then
+ # autodetection failed
+ return 1
+ fi
+ # setup content based on krb5-config version 2.3
+cat <<EOF
+[libdefaults]
+ default_realm = $kerberosrealm
+
+# The following krb5.conf variables are only for MIT Kerberos.
+ krb4_config = /etc/krb.conf
+ krb4_realms = /etc/krb.realms
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented. In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+#
+# Thie only time when you might need to uncomment these lines and change
+# the enctypes is if you have local software that will break on ticket
+# caches containing ticket encryption types it doesn't know about (such as
+# old versions of Sun Java).
+
+# default_tgs_enctypes = des3-hmac-sha1
+# default_tkt_enctypes = des3-hmac-sha1
+# permitted_enctypes = des3-hmac-sha1
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+ v4_instance_resolve = false
+ v4_name_convert = {
+ host = {
+ rcmd = host
+ ftp = ftp
+ }
+ plain = {
+ something = something-else
+ }
+ }
+ fcc-mit-ticketflags = true
+
+[realms]
+ $kerberosrealm = {
+ kdc = $kerberosserver
+ admin_server = $kerberosserver
+ }
+
+[domain_realm]
+ $dnsdomain = $kerberosrealm
+ .$dnsdomain = $kerberosrealm
+
+[login]
+ krb4_convert = true
+ krb4_get_tickets = false
+
+EOF
+
+}
+
+if [ "-k" = "$1" ] ; then
+ shift
+ generate_krb5_config "$@"
+else
+ generate_sssd_config "$@"
+fi
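Review bot: `generate_krb5_config` returns 1 only when `$kerberosserver` is empty. An empty `$kerberosrealm` or `$dnsdomain` still exits 0 and emits `default_realm = ` plus an unnamed `[realms]` entry, which setup-roaming then installs as `/etc/krb5.conf`. The guard should cover all three values: `if [ -z "$kerberosserver" ] || [ -z "$kerberosrealm" ] || [ -z "$dnsdomain" ]; then`. The values are expanded verbatim into the here-document, and the lookup helpers are defined outside this hunk. If they take their answers from DNS on whatever network the client has joined, the function should reject any value containing characters outside hostname and realm syntax (letters, digits, `.`, `-`) before writing it. The call `lookup_kerberos_realm $dnsdomain` should also quote its argument, as the `lookup_kerberos_server "$dnsdomain"` line below it already does.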