|
2 |
|
2 |
|
3 |
[libdefaults] |
3 |
[libdefaults] |
4 |
@!@ |
4 |
@!@ |
5 |
kerberos_realm = configRegistry.get('kerberos/realm') or 'UNIVENTION.UNCONFIGURED' |
5 |
PERMITTED_ENCTYPES = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1' |
|
|
6 |
kerberos_realm = configRegistry.setdefault('kerberos/realm', 'UNIVENTION.UNCONFIGURED') |
7 |
default_enctypes = configRegistry.setdefault('kerberos/defaults/enctypes/permitted', PERMITTED_ENCTYPES) |
8 |
kerberos_kdc = configRegistry.setdefault('kerberos/kdc', '127.0.0.1:88') |
9 |
kerberos_adminserver = configRegistry.setdefault('kerberos/adminserver', '127.0.0.1:88') |
10 |
kerberos_kpasswdserver = configRegistry.setdefault('kerberos/kpasswdserver', '127.0.0.1:464') |
6 |
|
11 |
|
7 |
print '\tdefault_realm = %s' % kerberos_realm |
12 |
print '\tdefault_realm = %(kerberos/realm)s' % configRegistry |
8 |
|
|
|
9 |
permitted_enctypes = 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1' |
10 |
default_enctypes = configRegistry.get('kerberos/defaults/enctypes/permitted', permitted_enctypes) |
11 |
|
13 |
|
12 |
## Set Heimdal options |
14 |
## Set Heimdal options |
13 |
print '\tdefault_etypes = %s' % default_enctypes |
15 |
print '\tdefault_etypes = %s # Heimdal only' % default_enctypes |
14 |
default_tgs_etypes = configRegistry.get('kerberos/defaults/enctypes/tgs') |
16 |
default_tgs_etypes = configRegistry.get('kerberos/defaults/enctypes/tgs') |
15 |
if default_tgs_etypes: |
17 |
if default_tgs_etypes: |
16 |
print '\tdefault_tgs_etypes = %s' % default_tgs_etypes |
18 |
print '\tdefault_tgs_etypes = %s # Heimdal only' % default_tgs_etypes |
17 |
default_as_etypes = configRegistry.get('kerberos/defaults/enctypes/tkt') |
19 |
default_as_etypes = configRegistry.get('kerberos/defaults/enctypes/tkt') |
18 |
if default_as_etypes: |
20 |
if default_as_etypes: |
19 |
print '\tdefault_as_etypes = %s' % default_as_etypes |
21 |
print '\tdefault_as_etypes = %s # Heimdal only' % default_as_etypes |
20 |
|
22 |
|
21 |
if not configRegistry.is_false('kerberos/allow/weak/crypto'): |
23 |
def boolean(key, default=False): return 'true' if configRegistry.is_true(key, default) else 'false' |
22 |
print '\tallow_weak_crypto=true' |
24 |
print '\tallow_weak_crypto = %s' % (boolean('kerberos/allow/weak/crypto', True),) |
23 |
print '\tdns_lookup_kdc = %s' % configRegistry.get('kerberos/defaults/dns_lookup_kdc', 'true') |
25 |
print '\tdns_lookup_kdc = %s' % (boolean('kerberos/defaults/dns_lookup_kdc', True),) |
24 |
print '\tdns_lookup_realm = %s' % configRegistry.get('kerberos/defaults/dns_lookup_realm', 'false') |
26 |
print '\tdns_lookup_realm = %s' % (boolean('kerberos/defaults/dns_lookup_realm', False),) |
25 |
print '\tforwardable = %s' % configRegistry.get('kerberos/defaults/forwardable', 'true') |
27 |
print '\tforwardable = %s' % (boolean('kerberos/defaults/forwardable', True),) |
26 |
print '\tproxiable = %s' % configRegistry.get('kerberos/defaults/proxiable', 'true') |
28 |
print '\tproxiable = %s' % (boolean('kerberos/defaults/proxiable', True),) |
27 |
print '\tkdc_timesync = %s' % configRegistry.get('kerberos/defaults/kdc_timesync', '1') |
29 |
print '\tkdc_timesync = %d' % (1 if configRegistry.is_true('kerberos/defaults/kdc_timesync', True) else 0,) |
28 |
print '\tdebug = %s' % configRegistry.get('kerberos/defaults/debug', 'false') |
|
|
29 |
|
30 |
|
30 |
## Also set the MIT options, for compatibility |
31 |
## Also set the MIT options, for compatibility |
31 |
print '\t# ' |
32 |
print '\t# ' |
32 |
print '\t# The following libdefaults are for clients using the MIT Kerberos library' |
33 |
print '\t# The following libdefaults are for clients using the MIT Kerberos library' |
33 |
print '\t# ' |
34 |
print '\t# ' |
34 |
print '\tpermitted_enctypes = %s' % default_enctypes |
35 |
print '\tpermitted_enctypes = %s # MIT only' % default_enctypes |
35 |
print '\tdefault_tgs_enctypes = %s' % (default_tgs_etypes or permitted_enctypes) |
36 |
print '\tdefault_tgs_enctypes = %s # MIT only' % (default_tgs_etypes or PERMITTED_ENCTYPES) |
36 |
print '\tdefault_tkt_enctypes = %s' % (default_as_etypes or permitted_enctypes) |
37 |
print '\tdefault_tkt_enctypes = %s # MIT only' % (default_as_etypes or PERMITTED_ENCTYPES) |
37 |
if configRegistry.is_true('kerberos/defaults/ignore_acceptor_hostname'): |
38 |
print '\tignore_acceptor_hostname = %s # MIT only' % (boolean('kerberos/defaults/ignore_acceptor_hostname'),) |
38 |
print '\tignore_acceptor_hostname = true' |
39 |
print '\trdns = %s # MIT only' % (boolean('kerberos/defaults/rdns', True),) |
39 |
if configRegistry.is_false('kerberos/defaults/rdns'): |
|
|
40 |
print '\trdns = false' |
41 |
print '' |
42 |
|
40 |
|
43 |
def is_samba4_dc(): |
41 |
def is_samba4_dc(): |
44 |
import os.path |
42 |
import os.path |
45 |
if not configRegistry.get('server/role') in ['domaincontroller_master', 'domaincontroller_backup', 'domaincontroller_slave']: |
43 |
if configRegistry.get('server/role') not in ['domaincontroller_master', 'domaincontroller_backup', 'domaincontroller_slave']: |
46 |
return False |
44 |
return False |
47 |
if not os.path.exists('/usr/sbin/univention-s4search'): |
45 |
if not os.path.exists('/usr/sbin/univention-s4search'): |
48 |
return False |
46 |
return False |
|
50 |
|
48 |
|
51 |
if configRegistry.get('kerberos/domain_realms'): |
49 |
if configRegistry.get('kerberos/domain_realms'): |
52 |
print '[domain_realm]' |
50 |
print '[domain_realm]' |
53 |
domain_realms = configRegistry.get('kerberos/domain_realms').split(',') |
51 |
print configRegistry.get('kerberos/domain_realms').replace(',', '\n') |
54 |
for i in domain_realms: |
|
|
55 |
print i |
56 |
|
52 |
|
57 |
kerberos_kdc = configRegistry.get('kerberos/kdc') |
53 |
print ''' |
58 |
kerberos_adminserver = configRegistry.get('kerberos/adminserver') |
54 |
[realms] |
59 |
kerberos_kpasswdserver = configRegistry.get('kerberos/kpasswdserver') |
55 |
%(kerberos/realms)s = { |
60 |
print '[realms]' |
56 |
kdc = %(kerberos/kdc)s |
61 |
print '%s = { ' % kerberos_realm |
57 |
admin_server = %(kerberos/adminserver)s |
62 |
print '\tacl_file = /var/lib/heimdal-kdc/kadmind.acl' |
58 |
kpasswd_server = %(kerberos/kpasswdserver)s |
63 |
if kerberos_kdc: |
59 |
}''' % configRegistry |
64 |
print '\tkdc = %s' % kerberos_kdc |
|
|
65 |
if kerberos_adminserver: |
66 |
print '\tadmin_server = %s' % kerberos_adminserver |
67 |
if kerberos_kpasswdserver: |
68 |
print '\tkpasswd_server = %s' % kerberos_kpasswdserver |
69 |
print '}' |
70 |
|
60 |
|
71 |
windows_domain = configRegistry.get('windows/domain') |
61 |
windows_domain = configRegistry.get('windows/domain') |
72 |
if windows_domain and windows_domain != kerberos_realm and is_samba4_dc(): |
62 |
if windows_domain and windows_domain != kerberos_realm and is_samba4_dc(): |
73 |
if configRegistry.get('kerberos/realm'): |
63 |
print ''' |
74 |
print '' |
64 |
%(windows/domain)s = { |
75 |
else: |
65 |
kdc = %(kerberos/kdc)s |
76 |
print '[realms]' |
66 |
admin_server = %(kerberos/adminserver)s |
77 |
print '%s = { ' % windows_domain |
67 |
default_domain = %(domainnames)s |
78 |
print '\tkdc = %s' % (kerberos_kdc or "127.0.0.1:88") |
68 |
}''' % configRegistry |
79 |
print '\tadmin_server = %s' % (kerberos_adminserver or "127.0.0.1:88") |
|
|
80 |
print '\tdefault_domain = %s' % configRegistry['domainname'] |
81 |
print '}' |
82 |
|
69 |
|
83 |
print '''[kdc] |
70 |
print ''' |
|
|
71 |
[kdc] |
84 |
hdb-ldap-create-base = cn=kerberos,%(ldap/base)s |
72 |
hdb-ldap-create-base = cn=kerberos,%(ldap/base)s |
85 |
''' % configRegistry |
73 |
database = { |
|
|
74 |
dbname = ldap:%(ldap/base)s |
75 |
realm = %(kerberos/realm)s |
76 |
mkey_file = /var/heimdal/m-key |
77 |
acl_file = /var/lib/heimdal-kdc/kadmind.acl |
78 |
log_file = /var/log/heimdal-database.log |
79 |
}''' % configRegistry |
86 |
|
80 |
|
87 |
print '[kadmin]' |
|
|
88 |
if configRegistry.get('kerberos/kadmin/default/keys'): |
81 |
if configRegistry.get('kerberos/kadmin/default/keys'): |
89 |
print '\tdefault_keys = %s' % configRegistry.get('kerberos/kadmin/default/keys') |
82 |
print ''' |
90 |
|
83 |
[kadmin] |
91 |
print '''database = { |
84 |
default_keys = %(kerberos/kadmin/default/keys)s |
92 |
label = { |
85 |
''' % configRegistry |
93 |
acl_file = /var/lib/heimdal-kdc/kadmind.acl |
|
|
94 |
dbname = ldap:%(ldap_base)s |
95 |
realm = %(kerberos_realm)s''' % {"ldap_base": configRegistry['ldap/base'], |
96 |
"kerberos_realm": kerberos_realm} |
97 |
@!@ |
86 |
@!@ |
98 |
log_file = /var/log/heimdal-database.log |
|
|
99 |
mkey_file = /var/heimdal/m-key |
100 |
} |
101 |
} |