Fix Kerberos support in entrypoint.sh and env.example

- Update KRB5_KTNAME path to /etc/krb5.keytab for consistency - Add KRB5_KDC_HOST variable to env.example - Implement error handling for missing keytab file in entrypoint.sh - Write krb5.conf configuration dynamically based on environment variables
2026-05-17 00:32:44 +02:00
parent 56dc172379
commit 551c2ac64b
2 changed files with 27 additions and 2 deletions
@@ -34,8 +34,32 @@ fi
 kerberos_enabled="0"
 if [ "${KERBEROS_ENABLE:-0}" = "1" ]; then
    kerberos_enabled="1"
-    export KRB5_KTNAME="${KRB5_KTNAME:-/etc/ldap/ldap.keytab}"
+    export KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
    echo "Kerberos : enabled (keytab: $KRB5_KTNAME)"
+
+    if [ ! -f "$KRB5_KTNAME" ]; then
+        echo "Error: keytab not found at $KRB5_KTNAME" >&2
+        exit 1
+    fi
+
+    krb5_kdc_host="${KRB5_KDC_HOST:?KRB5_KDC_HOST must be set when KERBEROS_ENABLE=1}"
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${KRB5_REALM:?KRB5_REALM must be set when KERBEROS_ENABLE=1}
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+
+[realms]
+    ${KRB5_REALM} = {
+        kdc = ${krb5_kdc_host}
+        admin_server = ${krb5_kdc_host}
+    }
+
+[domain_realm]
+    .${domain} = ${KRB5_REALM}
+    ${domain} = ${KRB5_REALM}
+EOF
+    echo "Kerberos : krb5.conf written (realm: ${KRB5_REALM}, kdc: ${krb5_kdc_host})"
 else
    echo "Kerberos : disabled"
 fi
@@ -7,5 +7,6 @@ LDAP_ADMIN_PASSWORD=changeit
 # Kerberos SASL/GSSAPI (optional)
 KERBEROS_ENABLE=0
 KRB5_REALM=EXAMPLE.ORG
+KRB5_KDC_HOST=kerberos.example.org
 KRB5_SASL_HOST=ldap.example.org
-KRB5_KTNAME=/etc/ldap/ldap.keytab
+KRB5_KTNAME=/etc/krb5.keytab