From 551c2ac64b71e67d35a381726f83209c95b1ba03 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski <slawek@koszewscy.waw.pl>
Date: Sun, 17 May 2026 00:32:44 +0200
Subject: [PATCH] Fix Kerberos support in entrypoint.sh and env.example

- Update KRB5_KTNAME path to /etc/krb5.keytab for consistency
- Add KRB5_KDC_HOST variable to env.example
- Implement error handling for missing keytab file in entrypoint.sh
- Write krb5.conf configuration dynamically based on environment variables
---
 entrypoint.sh | 26 +++++++++++++++++++++++++-
 env.example   |  3 ++-
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index dcf2a7f..e599bcd 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -34,8 +34,32 @@ fi
 kerberos_enabled="0"
 if [ "${KERBEROS_ENABLE:-0}" = "1" ]; then
     kerberos_enabled="1"
-    export KRB5_KTNAME="${KRB5_KTNAME:-/etc/ldap/ldap.keytab}"
+    export KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
     echo "Kerberos : enabled (keytab: $KRB5_KTNAME)"
+
+    if [ ! -f "$KRB5_KTNAME" ]; then
+        echo "Error: keytab not found at $KRB5_KTNAME" >&2
+        exit 1
+    fi
+
+    krb5_kdc_host="${KRB5_KDC_HOST:?KRB5_KDC_HOST must be set when KERBEROS_ENABLE=1}"
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${KRB5_REALM:?KRB5_REALM must be set when KERBEROS_ENABLE=1}
+    dns_lookup_realm = false
+    dns_lookup_kdc = false
+
+[realms]
+    ${KRB5_REALM} = {
+        kdc = ${krb5_kdc_host}
+        admin_server = ${krb5_kdc_host}
+    }
+
+[domain_realm]
+    .${domain} = ${KRB5_REALM}
+    ${domain} = ${KRB5_REALM}
+EOF
+    echo "Kerberos : krb5.conf written (realm: ${KRB5_REALM}, kdc: ${krb5_kdc_host})"
 else
     echo "Kerberos : disabled"
 fi
diff --git a/env.example b/env.example
index 1909acb..e2865e5 100644
--- a/env.example
+++ b/env.example
@@ -7,5 +7,6 @@ LDAP_ADMIN_PASSWORD=changeit
 # Kerberos SASL/GSSAPI (optional)
 KERBEROS_ENABLE=0
 KRB5_REALM=EXAMPLE.ORG
+KRB5_KDC_HOST=kerberos.example.org
 KRB5_SASL_HOST=ldap.example.org
-KRB5_KTNAME=/etc/ldap/ldap.keytab
+KRB5_KTNAME=/etc/krb5.keytab