ft-util/ft_util_kerberos at main · Futur-Tech/ft-util · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#!/bin/bash

# Original script: https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records

# This function will generate a Kerberos ticket for a Domain Username from a keytab file located in the home directory
# If this script is run as root on a Domain Controller, it can automatically also generate a keytab.
# The following variable will be exported
#     ft_util_kerberos_sambatool, its value will contain the Kerberos argument needed for the installed version of samba-tool
#     KRB5CCNAME, its value is used to locate the default ticket cache (see "man klist")

# 1st argument is the Domain Username
function get_kerberos_ticket() {
    if [ -z "${1}" ]; then
        echo "Missing Domain Username Argument"
        exit 10
    fi

    local domain_username="${1,,}" # domain username is changed to lowercase
    local keytab="$HOME/ft_util_kerberos-${domain_username}.keytab"
    local domain=$(hostname -d)

    local realm="${domain^^}"                        # Samba realm
    local setprincipal="${domain_username}@${realm}" # Kerberos Principal

    # Check Samba install
    local bindir=$(samba -b | grep 'BINDIR' | grep -v 'SBINDIR' | awk '{print $NF}')
    [[ -z $bindir ]] && echo "Cannot find the 'samba' binary, is it installed ?"
    local wbinfo="$bindir/wbinfo"

    # Check samba-tool
    local sambatool=$(command -v samba-tool)
    [[ -z $sambatool ]] && echo "Cannot find the 'samba-tool' binary, is it installed?"

    # Check domain
    if [ -z "${domain}" ]; then
        echo "Cannot obtain domain name, is DNS set up correctly?"
        echo "Cannot continue... Exiting."
        exit 1
    fi

    # Check if domain_username exist
    if [ -z "$($wbinfo -u | grep ${domain_username})" ]; then
        echo "No AD ${domain_username} user exists, need to create it first.. exiting."
        # echo "you can do this by typing the following commands"
        # echo "kinit Administrator@${realm}"
        # echo "$sambatool user create ${domain_username} --random-password"
        # echo "$sambatool user setexpiry ${domain_username} --noexpiry"
        # echo "$sambatool group addmembers DnsAdmins ${domain_username}"
        exit 1
    fi

    # Check for Kerberos keytab
    if [ ! -f "${keytab}" ]; then

        # If running as root and server is ADDC, then we can get the keytab
        if [ "$(whoami)" = "root" ] && [ "$(samba-tool testparm --suppress-prompt --parameter-name="server role" 2>/dev/null)" = "active directory domain controller" ]; then

            echo "Keytab missing, but this is a domain controller... we can export keytab"
            if samba-tool domain exportkeytab --principal=${setprincipal} $keytab && chown root:root $keytab && chmod 400 $keytab; then
                echo "Keytab exported to $keytab"
            else
                echo "Failed to export $keytab"
                exit 5
            fi

        else
            echo "Required keytab $keytab not found, it needs to be created.
                Use the following commands from an authorized computer:
                ssh -o StrictHostKeyChecking=no root@${domain} samba-tool domain exportkeytab --principal=${setprincipal} /tmp/exportkeytab
                scp -o StrictHostKeyChecking=no -3 root@${domain}:/tmp/exportkeytab root@$(hostname --short):$keytab
                ssh root@$(hostname --short) chown $(whoami):$(id -gn $(whoami)) $keytab
                ssh root@$(hostname --short) chmod 400 $keytab
                ssh -o StrictHostKeyChecking=no root@${domain} rm /tmp/exportkeytab"
            exit 1
        fi
    fi

    # krbcc ticket cache
    export KRB5CCNAME="/tmp/ft_util_kerberos-${domain_username}.cc"

    klist -c "${KRB5CCNAME}" -s
    err="$?"
    if [ $err -ne 0 ]; then
        echo "Getting new ticket, old one has expired"
        # On FreeBSD change the -F to --no-forwardable
        kinit -F -k -t $keytab "${setprincipal}"
        err="$?"
        if [ $err -ne 0 ]; then
            echo "kinit for ${domain_username} failed"

            exit 1
        else
            echo "${domain_username} ticket has been created"
        fi
    else
        echo "${domain_username} ticket is still valid"
    fi

    if [ "$($sambatool -V | grep -o '[0-9]*' | tr '\n' ' ' | awk '{print $2}')" -gt '14' ]; then
        export ft_util_kerberos_sambatool="--use-kerberos=required"
    else
        export ft_util_kerberos_sambatool="-k yes"
    fi

    return 0
}
export -f get_kerberos_ticket