koszewscy/kerberos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d26cf914224d7c45bb4dd0f27d91691ee52bd5ad
kerberos/entrypoint.sh
T

77 lines
2.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -e
if [ ! -f /var/lib/krb5kdc/principal ]; then
REALM="${KRB5_REALM:?KRB5_REALM must be set for first-time initialisation}"
DOMAIN="${KRB5_DOMAIN:?KRB5_DOMAIN must be set for first-time initialisation}"
KDC_HOST="${KRB5_KDC_HOST:?KRB5_KDC_HOST must be set to the FQDN of this KDC}"
MASTER_PASSWORD="${KRB5_MASTER_PASSWORD:?KRB5_MASTER_PASSWORD must be set for first-time initialisation}"
ADMIN_PRINCIPAL="${KRB5_ADMIN_PRINCIPAL:-admin}"
ADMIN_PASSWORD="${KRB5_ADMIN_PASSWORD:?KRB5_ADMIN_PASSWORD must be set for first-time initialisation}"
cat > /var/lib/krb5kdc/krb5.conf <<EOF
[libdefaults]
default_realm = ${REALM}
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
${REALM} = {
kdc = ${KDC_HOST}
admin_server = ${KDC_HOST}
}
[domain_realm]
.${DOMAIN} = ${REALM}
${DOMAIN} = ${REALM}
EOF
cat > /var/lib/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
kdc_ports = 88
[realms]
${REALM} = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/var/lib/krb5kdc/kadm5.keytab
acl_file = /var/lib/krb5kdc/kadm5.acl
key_stash_file = /var/lib/krb5kdc/stash
kdc_ports = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
default_principal_flags = +preauth
}
EOF
cat > /var/lib/krb5kdc/kadm5.acl <<EOF
${ADMIN_PRINCIPAL}@${REALM} *
EOF
cp /var/lib/krb5kdc/krb5.conf /etc/krb5.conf
echo "Initializing Kerberos realm ${REALM}..."
kdb5_util create -s -P "${MASTER_PASSWORD}" -r "${REALM}"
kadmin.local -q "addprinc -pw ${ADMIN_PASSWORD} ${ADMIN_PRINCIPAL}@${REALM}"
echo "Realm initialized."
else
echo "Realm already initialized, skipping."
cp /var/lib/krb5kdc/krb5.conf /etc/krb5.conf
CONFIGURED_HOST=$(grep -E '^\s+kdc\s*=' /var/lib/krb5kdc/krb5.conf | head -1 | cut -d= -f2- | tr -d ' ')
if [ "$(hostname)" != "${CONFIGURED_HOST}" ]; then
echo "Error: container hostname '$(hostname)' does not match configured KDC host '${CONFIGURED_HOST}'" >&2
exit 1
fi
fi
krb5kdc -n &
KDC_PID=$!
kadmind -nofork &
KADMIND_PID=$!
wait -n $KDC_PID $KADMIND_PID
Reference in New Issue View Git Blame Copy Permalink