Enhance Dockerfile and entrypoint script for Kerberos initialization

- Added krb5-admin-server and updated entrypoint to ensure proper initialization of the Kerberos realm.
- Improved error handling for required environment variables in entrypoint script.
- Updated README with additional prerequisites and client configuration instructions.
- Modified env.example to remove default passwords for security.
- Enhanced run-container script to set container hostname based on KDC_HOST.

entrypoint.sh

@@ -2,14 +2,15 @@
 
 set -e
 
-REALM="${KRB5_REALM:-EXAMPLE.ORG}"
-DOMAIN="${KRB5_DOMAIN:-example.org}"
-KDC_HOST="${KRB5_KDC_HOST:-localhost}"
-MASTER_PASSWORD="${KRB5_MASTER_PASSWORD:-changeit}"
-ADMIN_PRINCIPAL="${KRB5_ADMIN_PRINCIPAL:-admin}"
-ADMIN_PASSWORD="${KRB5_ADMIN_PASSWORD:-changeit}"
+if [ ! -f /var/lib/krb5kdc/principal ]; then
+    REALM="${KRB5_REALM:?KRB5_REALM must be set for first-time initialisation}"
+    DOMAIN="${KRB5_DOMAIN:?KRB5_DOMAIN must be set for first-time initialisation}"
+    KDC_HOST="${KRB5_KDC_HOST:?KRB5_KDC_HOST must be set to the FQDN of this KDC}"
+    MASTER_PASSWORD="${KRB5_MASTER_PASSWORD:?KRB5_MASTER_PASSWORD must be set for first-time initialisation}"
+    ADMIN_PRINCIPAL="${KRB5_ADMIN_PRINCIPAL:-admin}"
+    ADMIN_PASSWORD="${KRB5_ADMIN_PASSWORD:?KRB5_ADMIN_PASSWORD must be set for first-time initialisation}"
 
-cat > /etc/krb5.conf <<EOF
+    cat > /var/lib/krb5kdc/krb5.conf <<EOF
 [libdefaults]
     default_realm = ${REALM}
     dns_lookup_realm = false
@@ -26,35 +27,48 @@ cat > /etc/krb5.conf <<EOF
     ${DOMAIN} = ${REALM}
 EOF
 
-cat > /etc/krb5kdc/kdc.conf <<EOF
+    cat > /var/lib/krb5kdc/kdc.conf <<EOF
 [kdcdefaults]
     kdc_ports = 88
 
 [realms]
     ${REALM} = {
         database_name = /var/lib/krb5kdc/principal
-        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
-        acl_file = /etc/krb5kdc/kadm5.acl
-        key_stash_file = /etc/krb5kdc/.k5.${REALM}
+        admin_keytab = FILE:/var/lib/krb5kdc/kadm5.keytab
+        acl_file = /var/lib/krb5kdc/kadm5.acl
+        key_stash_file = /var/lib/krb5kdc/stash
         kdc_ports = 88
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
-        master_key_type = aes256-cts
-        supported_enctypes = aes256-cts:normal aes128-cts:normal
+        master_key_type = aes256-cts-hmac-sha1-96
+        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
+        default_principal_flags = +preauth
     }
 EOF
 
-cat > /etc/krb5kdc/kadm5.acl <<EOF
+    cat > /var/lib/krb5kdc/kadm5.acl <<EOF
 ${ADMIN_PRINCIPAL}/admin@${REALM} *
 EOF
 
-if [ ! -f /var/lib/krb5kdc/principal ]; then
+    cp /var/lib/krb5kdc/krb5.conf /etc/krb5.conf
+
     echo "Initializing Kerberos realm ${REALM}..."
-    kdb5_util create -s -P "${MASTER_PASSWORD}" -r "${REALM}"
-    kadmin.local -q "addprinc -pw ${ADMIN_PASSWORD} ${ADMIN_PRINCIPAL}/admin@${REALM}"
+    KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf kdb5_util create -s -P "${MASTER_PASSWORD}" -r "${REALM}"
+    KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf kadmin.local -q "addprinc -pw ${ADMIN_PASSWORD} ${ADMIN_PRINCIPAL}/admin@${REALM}"
     echo "Realm initialized."
+else
+    echo "Realm already initialized, skipping."
+    cp /var/lib/krb5kdc/krb5.conf /etc/krb5.conf
+
+    CONFIGURED_HOST=$(grep -E '^\s+kdc\s*=' /var/lib/krb5kdc/krb5.conf | head -1 | cut -d= -f2- | tr -d ' ')
+    if [ "$(hostname)" != "${CONFIGURED_HOST}" ]; then
+        echo "Error: container hostname '$(hostname)' does not match configured KDC host '${CONFIGURED_HOST}'" >&2
+        exit 1
+    fi
 fi
 
+export KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf
+
 krb5kdc -n &
 KDC_PID=$!