[debian-lan-devel] [SCM] Debian-LAN development and packaging branch, master, updated. 0.7-17-gebc44f7

Andreas B. Mundt andi at debian.org
Mon Feb 4 16:22:28 UTC 2013


The following commit has been merged in the master branch:
commit ebc44f7f6e1ffb33bd1b2b3bbbdf39e5c053d35d
Author: Andreas B. Mundt <andi at debian.org>
Date:   Mon Feb 4 17:06:20 2013 +0100

    Cosmetics: Rename the LDAP bind DNs used by the Kerberos services (kdc-service -> kdc, kadmin-service -> kadmin).  Fix permissions.
    
    Make sure admin's home directory is private.

diff --git a/fai/config/files/etc/ldap/krb5.ldif/SERVER_A b/fai/config/files/etc/ldap/krb5.ldif/SERVER_A
index 444d8b6..967018b 100644
--- a/fai/config/files/etc/ldap/krb5.ldif/SERVER_A
+++ b/fai/config/files/etc/ldap/krb5.ldif/SERVER_A
@@ -3,14 +3,14 @@ dn: cn=kerberos,dc=intern
 objectClass: krbContainer
 cn: kerberos
 
-dn: cn=kdc-service,cn=kerberos,dc=intern
+dn: cn=kdc,cn=kerberos,dc=intern
 objectClass: organizationalRole
 objectClass: simpleSecurityObject
-cn: kdc-service
+cn: kdc
 userPassword: @KDC_SERVICE_PW_HASH@
 
-dn: cn=kadmin-service,cn=kerberos,dc=intern
+dn: cn=kadmin,cn=kerberos,dc=intern
 objectClass: organizationalRole
 objectClass: simpleSecurityObject
-cn: kadmin-service
+cn: kadmin
 userPassword: @KDC_SERVICE_PW_HASH@
diff --git a/fai/config/files/etc/ldap/slapd.conf/GOSA b/fai/config/files/etc/ldap/slapd.conf/GOSA
index 8abe654..f823dda 100644
--- a/fai/config/files/etc/ldap/slapd.conf/GOSA
+++ b/fai/config/files/etc/ldap/slapd.conf/GOSA
@@ -124,17 +124,17 @@ access to attrs=userPassword
 
 ################# Kerberos-KDC access ##################
 access to dn.subtree="cn=kerberos,dc=intern"
-       by dn.exact="cn=kdc-service,cn=kerberos,dc=intern"    read
-       by dn.exact="cn=kadmin-service,cn=kerberos,dc=intern" write
+       by dn.exact="cn=kdc,cn=kerberos,dc=intern"    read
+       by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by * none
 
 access to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
-       by dn.exact="cn=kdc-service,cn=kerberos,dc=intern"     read
-       by dn.exact="cn=kadmin-service,cn=kerberos,dc=intern"  write
+       by dn.exact="cn=kdc,cn=kerberos,dc=intern"     read
+       by dn.exact="cn=kadmin,cn=kerberos,dc=intern"  write
        by self read
        by *    auth
 
 ## Default access; kadmin needs full access:
 access to *
-       by dn.exact="cn=kadmin-service,cn=kerberos,dc=intern" write
+       by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by * read
diff --git a/fai/config/files/etc/ldap/slapd.conf/SERVER_A b/fai/config/files/etc/ldap/slapd.conf/SERVER_A
index 0897ef1..eee7806 100644
--- a/fai/config/files/etc/ldap/slapd.conf/SERVER_A
+++ b/fai/config/files/etc/ldap/slapd.conf/SERVER_A
@@ -103,17 +103,17 @@ access to attrs=userPassword
 
 ################# Kerberos-KDC access ##################
 access to dn.subtree="cn=kerberos,dc=intern"
-       by dn.exact="cn=kdc-service,cn=kerberos,dc=intern"    read
-       by dn.exact="cn=kadmin-service,cn=kerberos,dc=intern" write
+       by dn.exact="cn=kdc,cn=kerberos,dc=intern"    read
+       by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by * none
 
 access to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
-       by dn.exact="cn=kdc-service,cn=kerberos,dc=intern"     read
-       by dn.exact="cn=kadmin-service,cn=kerberos,dc=intern"  write
+       by dn.exact="cn=kdc,cn=kerberos,dc=intern"     read
+       by dn.exact="cn=kadmin,cn=kerberos,dc=intern"  write
        by self read
        by *    auth
 
 ## Default access; kadmin needs full access:
 access to *
-       by dn.exact="cn=kadmin-service,cn=kerberos,dc=intern" write
+       by dn.exact="cn=kadmin,cn=kerberos,dc=intern" write
        by * read
diff --git a/fai/config/scripts/KDC_LDAP/10-slapd-KDC b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
index 6c30079..443c872 100755
--- a/fai/config/scripts/KDC_LDAP/10-slapd-KDC
+++ b/fai/config/scripts/KDC_LDAP/10-slapd-KDC
@@ -17,8 +17,8 @@ for file in $LDIFS /etc/ldap/slapd.conf; do
 done
 
 DN_KRB_CONT=`$ROOTCMD awk '/^dn: cn=kerberos,/ {print $2}' /etc/ldap/krb5.ldif`
-DN_KDC="cn=kdc-service,$DN_KRB_CONT"
-DN_KADMIN="cn=kadmin-service,$DN_KRB_CONT"
+DN_KDC="cn=kdc,$DN_KRB_CONT"
+DN_KADMIN="cn=kadmin,$DN_KRB_CONT"
 
 ## We might want to change a configuration after installation,
 ## so distribute the corresponding files in any case:
@@ -86,8 +86,8 @@ init_LDAP () {
     $ROOTCMD touch $KDCCONFDIR$KEYFILE
     $ROOTCMD chmod -v 0600 $KDCCONFDIR$KEYFILE
     cat > $target$KDCCONFDIR$KEYFILE <<EOF
-cn=kdc-service,$KRB_CONT_DN#{HEX}$KDC_SERVICE_PW_HEX
-cn=kadmin-service,$KRB_CONT_DN#{HEX}$KDC_SERVICE_PW_HEX
+cn=kdc,$KRB_CONT_DN#{HEX}$KDC_SERVICE_PW_HEX
+cn=kadmin,$KRB_CONT_DN#{HEX}$KDC_SERVICE_PW_HEX
 EOF
 
     ## Bootstrap ldap with passwords inserted:
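Review bot: Both renamed entries written to the key file still carry the same secret (`$KDC_SERVICE_PW_HEX`), so the cn=kdc bind that slapd.conf restricts to read and the cn=kadmin bind that it grants write are interchangeable: anything that obtains the kdc credential can bind as cn=kadmin and modify principals. The `@KDC_SERVICE_PW_HASH@` placeholder in krb5.ldif is likewise shared by both DNs, so giving cn=kadmin its own generated secret (a separate hex/hash pair substituted into the krb5.ldif and this key file) would make the read/write split in the ACLs meaningful. The key file is chmod 0600 on the lines above, so the exposure is limited to the KDC host itself; this can reasonably be a follow-up rather than part of the rename.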
@@ -190,6 +190,7 @@ init_KDC() {
 	GRID=$(sed -n '/^dn: uid=admin,/,/^dn:/p' $GOSALDIF | grep "^gidNumber:" | cut -d " " -f 2)
 	$ROOTCMD kadmin.local -q "add_principal -pw $LDAP_ADMIN_PW -x $USERDN admin"
 	cp -r $target/etc/skel $target/$HOMEDIR
+	$ROOTCMD chmod -R o-rwx $HOMEDIR
 	$ROOTCMD chown -R $USID:$GRID $HOMEDIR
     fi
     $ROOTCMD kadmin.local -q "modify_policy -minlength 4 -minclasses 2 default"
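Review bot: The added `chmod -R o-rwx $HOMEDIR` removes only the "other" bits, so whatever group GRID resolves to from the GOsa LDIF can still traverse and read the admin's home if skel's group bits allow it; to make the home private as the commit message says, lock the directory itself with `$ROOTCMD chmod 0700 "$HOMEDIR"` (the top-level mode gates access to everything beneath it) or use `chmod -R go-rwx`. Between `cp -r` and the chmod the copy briefly sits with skel's modes; creating the directory with 0700 before copying into it closes that window. `$HOMEDIR` is unquoted on the new line, as on the neighbouring ones. init_KDC starts and ends outside this hunk.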

-- 
Debian-LAN development and packaging


