-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsetup-mod_auth_vas4.in
850 lines (758 loc) · 26.5 KB
/
setup-mod_auth_vas4.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
#! /bin/sh
# (c) 2017 Quest Software, Inc. All rights reserved.
#
# This file's licence text is at the bottom of the file.
#
# This helper script is provided to simplify setting up mod_auth_vas4
# on a basic web server. It creates the HTTP service for the computer
# (if not done), and changes ownerships on the resulting keytab.
#
set -e
KEYTAB=/etc/opt/quest/vas/HTTP.keytab
VASTOOL=/opt/quest/bin/vastool
KTUTIL=/opt/quest/bin/ktutil
LOGFILE=/tmp/mod_auth_vas-setup4.log.$$
PACKAGE_VERSION='@PACKAGE_VERSION@'
TRAP_SIGNAL_LIST="TERM INT HUP PIPE ALRM ABRT QUIT"
# Re-execute with a reasonable shell and sensible PATH on Solaris.
if id -un > /dev/null 2>&1; then
echo ok > /dev/null
else
if test -d /usr/xpg4/bin && test "$MAV_SANE_SHELL" != yes; then
MAV_SANE_SHELL=yes
export MAV_SANE_SHELL
if echo $PATH | grep xpg4 > /dev/null 2>&1; then
echo ok > /dev/null
else
PATH=/usr/xpg4/bin:$PATH
export PATH
fi
echo "Re-executing with /usr/xpg4/bin in PATH..."
exec /usr/xpg4/bin/sh "$0" "$@"
fi
echo "WARNING: Could not find a sensible environment, consider re-running this" >&2
echo " script with a POSIX-compatible shell such as bash or ksh." >&2
echo " eg. /bin/bash $0 $@" >&2
fi
echo1() { echo -n "$*"; }
echo2() { echo "$*\\c"; }
echo3() { echo "$* +"; }
if test "x$(echo1 y)z" = "xyz"; then
echon() { echo1 "$*"; }
elif test "x$(echo2 y)z" = "xyz"; then
echon() { echo2 "$*"; }
else
echon() { echo3 "$*"; }
fi
umask 077
#-- prints a label with dots after it, and no newline
label() {
echon " $(echo $* ............................................... | cut -c -40) "
}
#-- prints an error message and dies
die() {
echo " -> Failed: $1" >&2
$logfile_written && echo "(Log written to $LOGFILE)"
exit 1
}
#-- prompt user for information
# usage: query prompt varname [default]
query() {
eval $2=
while eval "test ! -n \"\$$2\""; do
if read xx?yy < $0 2> /dev/null; then
eval "read \"$2?$1${3+ [$3]}: \"" || die "(end of file)"
else
eval "read -p \"$1${3+ [$3]}: \" $2" || die "(end of file)"
fi
eval : "\${$2:=\$3}"
done
}
#-- prompt for a yes/no question
yesorno() {
echo ""
while :; do
query "$1" YESORNO y
case "$YESORNO" in
Y* | y*)
echo
return 0
;;
N* | n*)
echo
return 1
;;
*) echo "Please enter 'y' or 'n'" >&2 ;;
esac
done
}
#-- record and execute a shell command
logfile_written=false
recordcmd() {
if ! $logfile_written; then
rm -f $LOGFILE
set -o noclobber
exec 5> $LOGFILE
set +o noclobber
logfile_written=true
fi
(
echo "# $(date)"
echo "$*"
echo
) >&5
"$@"
}
#-- get a TGT for some operations
kinit() {
if [ -n "$KRB5CCNAME" -o -n "$uflag" ]; then
# If KRB5CCNAME is exported, then assume kinit is done
# If -u is supplied then a password will be prompted
return
fi
if test -r /tmp/krb5cc_$(id -u); then
KRB5CCNAME=/tmp/krb5cc_$(id -u)
export KRB5CCNAME
return
fi
if [ "z$SUDO_UID" != "z" ] && [ -r /tmp/krb5cc_${SUDO_UID} ]; then
KRB5CCNAME=/tmp/krb5cc_${SUDO_UID}
export KRB5CCNAME
return
fi
local USER="$USER"
ccname=/tmp/.mav_setup_$$
if test ! -s $ccname; then
if [ $# -eq 1 ]; then
echo "Credentials required to $1"
fi
USER="${SUDO_USER:-${USER}}"
if [ z"$USER" = z"root" ]; then USER=Administrator; fi
echo
echo "Please login with a sufficiently privileged domain account."
query "Username" USER ${USER}
KRB5CCNAME=FILE:$ccname
export KRB5CCNAME
trap "rm -f $ccname" ${TRAP_SIGNAL_LIST}
$VASTOOL kinit "$USER" || die "Unable to acquire credentials"
fi
}
#-- show usage (does not exit)
usage() {
cat <<-.
Usage: $0 [-a apxs] [-c conf] [-h] [-u user]
-a apxs
Use program 'apxs' to find the web server extension tool.
If not specified, a built-in search path is used.
-c conf
Use file 'conf' as the main Apache configuration file. If
not specified, the apxs extension tool is queried.
-h
Display this help text.
-u user
Specify a user to create the service keytab
.
}
determine_keytab_access() {
# These flags indicate access control for the current user, not for apache
keytab_exists=no
keytab_readable=no
keytab_readwrite=no
label "looking for HTTP/ keytab"
if test -f "$KEYTAB"; then
keytab_exists=yes
echo "$KEYTAB"
if test -r "$KEYTAB"; then
keytab_readable=yes
if test -w "$KEYTAB"; then
keytab_readwrite=yes
fi
fi
else
echo "not found"
fi
}
#-- parse args
opterr=false
while test $# -gt 0; do
case "$1" in
-c) if test $# -lt 2; then
echo "Missing argument to $1"
opterr=true
shift
else
cflag="$2"
shift
shift
fi ;;
-c*)
cflag=$(echo " $1" | sed -e 's/^ -c//')
shift
;;
-a) if test $# -lt 2; then
echo "Missing argument to $1"
opterr=true
shift
else
aflag="$2"
shift
shift
fi ;;
-a*)
aflag=$(echo " $1" | sed -e 's/^ -a//')
shift
;;
-h)
usage
exit 0
;;
-u) if test $# -lt 2; then
echo "Missing argument to $1"
opterr=true
shift
else
uflag="$2"
shift
shift
fi ;;
--)
shift
break
;;
-?*)
echo "Unknown option: $1"
opterr=true
shift
;;
*) break ;;
esac
done
if test $# -gt 0; then
# don't expect any further arguments
opterr=true
fi
if $opterr; then
usage
exit 1
fi
#-- intro
cat <<-.
This script checks your local configuration for properly using mod_auth_vas4.
It will prompt you to create a web service object in Active Directory
if one is needed, and it will correct permissions on certain files.
Commands executed will be recorded in $LOGFILE
.
#-- tests
label "checking privileges"
id -un
if test $(id -u) -ne 0; then
checkroot() {
echo ""
echo "WARNING: This script may need superuser privileges to proceed"
echo ""
}
else
checkroot() { :; }
fi
#
# We must handle the following cases:
# 1) apxs is found (regardless of -a flag)
# 1a) no -c flag given: ask apxs where the cf file is
# 1b) -c flag given: trust -c flag
# 2) apxs is not found
# 2a) no -c flag given: search for config file in likely spots
# 2b) -c flag given: trust -c flag
#
#-- look for apxs
apxs=
label "looking for Apache extension tool"
for x in "$aflag" "@APXS@" apxs2 apxs /usr/sbin/apxs2 /usr/sbin/apxs /usr/IBMIHS/bin/apxs /usr/HTTPServer/bin/apxs; do
test -z "$x" && continue
test -x "$x" || continue
ap_target=$($x -q TARGET 2> /dev/null)
if test -n "$ap_target"; then
apxs="$x"
break
fi
test -n "$aflag" && break
done
if test -n "$apxs"; then
echo "$apxs"
else
echo "not found"
if test -n "$aflag"; then
echo "$aflag: not found or didn't work"
exit 1
fi
fi
label "looking for Apache configuration file"
if test -n "$cflag"; then
AP_CF="$cflag"
else
if test -n "$apxs"; then
sysconfdir=$($apxs -q SYSCONFDIR)
target=$($apxs -q TARGET)
else
sysconfdir=
target=
fi
#-- look for a likely configuration file
AP_CF=
for dir in $sysconfdir \
/etc/apache2 /etc/apache /etc/httpd/conf /etc/apache2/conf \
/etc/apache/conf /etc/www/conf /var/www/conf /opt/IBMIHS/conf; do
for t in $target apache2 httpd; do
if test -f $dir/$t.conf; then
AP_CF="$dir/$t.conf"
break
fi
test -n "$AP_CF" && break
done
done
fi
if test -f "$AP_CF"; then
echo "$AP_CF"
label "looking for Apache envvars file"
# As used by Debian apache2
if [ -f $(dirname "$AP_CF")/envvars ]; then
AP_ENVVARS=$(dirname "$AP_CF")/envvars
echo "$AP_ENVVARS"
. "$AP_ENVVARS"
else
AP_ENVVARS=
echo "(none)"
fi
#-- scan the config file for a group name
label "looking for Apache daemon group"
APACHE_GROUP=$( (sed -ne 's/^Group //p' < "$AP_CF" | sed -e 1q) 2> /dev/null)
if test ! -n "$APACHE_GROUP"; then
#-- try harder
for path in $(sed -ne 's/^Include //p' < "$AP_CF") /dev/null; do
APACHE_GROUP=$( (sed -ne 's/^Group //p' < "$path" | sed -e 1q) 2> /dev/null)
test -n "$APACHE_GROUP" && break
done
fi
if test -n "$APACHE_GROUP"; then
if echo "$APACHE_GROUP" | grep '^\$' > /dev/null 2>&1; then
APACHE_GROUP=$(eval echo "$APACHE_GROUP")
fi
echo "$APACHE_GROUP"
else
echo "not found"
fi
else
APACHE_GROUP=
if test -z "$cflag"; then
echo "not found"
else
echo "$cflag: not found"
exit 1
fi
fi
#-- if the Apache group is still unknown, look at existing groups and guess
if test ! -n "$APACHE_GROUP"; then
APACHE_GROUP_GUESS=nobody
for u in apache httpd www www-data nogroup; do
if test x$(eval echo "~$u") != x"~$u"; then
APACHE_GROUP_GUESS=$u
break
fi
done
fi
determine_keytab_access
if [ $keytab_exists = no ]; then
cat <<-.
This step creates a service object in Active Directory so
that browsers can authenticate with this web server.
You will need to know an account password that has
sufficient privileges to create the new service object.
Contact your systems administration staff if you do not.
.
if yesorno "Create the HTTP/ service account?"; then
echo "Please specify the container DN in which to create the service:"
query "Service container DN" CONTAINER default
test x"$CONTAINER" = x"default" && CONTAINER=
query "Service account name:" HTTP_SPN default
test x"$HTTP_SPN" = x"default" && HTTP_SPN="HTTP/"
checkroot
kinit "create the service account"
recordcmd $VASTOOL \
${uflag+-u "$uflag"} \
service create ${CONTAINER:+-c "$CONTAINER"} "$HTTP_SPN" ||
die "Cannot create $HTTP_SPN service account"
SAMACCOUNTNAME=$($VASTOOL ${uflag+-u "$uflag"} attrs -q -s "$HTTP_SPN" samaccountname || die "Cannot get samAccountName from $HTTP_SPN service account")
REALM=$(echo $HTTP_SPN | cut -d@ -f2 -s)
if [ "x$REALM" != "x" ]; then
SAMACCOUNTNAME="$SAMACCOUNTNAME@$REALM"
else
unset REALM
fi
# The keytab maynot be HTTP.keytab, parse the HTTP_SPN and take the first service class up to the /
# and use it for the keytab name, this is currently how vastool service create does it.
KEYTAB=/etc/opt/quest/vas/$(echo $HTTP_SPN | cut -d/ -f1).keytab
label "checking new service keytab"
if test -f "$KEYTAB"; then
echo "found"
else
echo "still not found"
die "Cannot find $KEYTAB"
fi
echo ""
# Update keytab availability
determine_keytab_access
elif yesorno "Use existing service account?"; then
checkroot
echo "Please specify the samAccountName of the existing service:"
query "samAccountName" SAMACCOUNTNAME
test SAMACCOUNTNAME=
# Prompt for existing service account password
validate=0
tries=0
while [ "$tries" -lt 3 ] && [ "$validate" -eq 0 ]; do
oldmodes=$(stty -g)
stty -echo
query "Password for $SAMACCOUNTNAME" PASSWORD1
echo
query "Validate Password for $SAMACCOUNTNAME" PASSWORD2
stty $oldmodes
if [ "$PASSWORD1" != "$PASSWORD2" ]; then
echo "Passwords for $SAMACCOUNTNAME do not match"
tries=$(expr $tries + 1)
else
validate=1
fi
done
if [ $validate != 1 ]; then
echo "Could not validate password"
exit
fi
# Create service account keytab
ETYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc"
# Get SPN's from the existing service account
echo ""
echo "Adding entries to $KEYTAB for:"
echo ""
REALM=$(echo $SAMACCOUNTNAME | cut -d@ -f2 -s)
if [ "x$REALM" = "x" ]; then
unset REALM
fi
HTTP_SPN="HTTP/${REALM+@"$REALM"}"
http_spn_exist=0
for spn in $($VASTOOL -u host/ attrs $SAMACCOUNTNAME servicePrincipalName |
awk '{print $2}'); do
spn="$spn${REALM+@"$REALM"}"
echo " $spn"
if echo "$spn" | grep -i "HTTP/" > /dev/null; then
HTTP_SPN="$spn"
http_spn_exist=1
fi
for ETYPE in $ETYPES; do
$KTUTIL -k "$KEYTAB" \
add -p $spn -V 0 -e $ETYPE -w $PASSWORD1 ||
die "Cannot add $spn to $SAMACCOUNTNAME service account keytab"
done
done
if [ "$http_spn_exist" -ne "1" ]; then
dnsname=$($VASTOOL -u host/ attrs -q host/ dNSHostName)
default_http="HTTP/$dnsname${REALM+@"$REALM"}"
HTTP_SPN="$default_http"
echo "Adding explicit spn for $default_http to keytab"
echo ""
echo " WARNING: Explicit service names such as HTTP"
echo " may not work in all environments."
echo ""
for ETYPE in $ETYPES; do
$KTUTIL -k "$KEYTAB" \
add -p "$default_http" -V 0 -e $ETYPE -w $PASSWORD1 ||
die "Cannot add HTTP/ to $SAMACCOUNTNAME service account keytab"
done
fi
primary_spn=$($KTUTIL -k "$KEYTAB" list 2> /dev/null | awk 'NR==4 {print $3}')
$VASTOOL ktutil -k "$KEYTAB" alias $primary_spn $SAMACCOUNTNAME || die "Cannot alias $SAMACCOUNTNAME from $primary_spn in the $KEYTAB"
PASSWORD1=
PASSWORD2=
echo ""
label "checking new service keytab"
if test -f "$KEYTAB"; then
echo "found"
else
echo "still not found"
die "Cannot find $KEYTAB"
fi
echo ""
# Update keytab availability
determine_keytab_access
else
echo "(Not creating $HTTP_SPN service account)"
fi
fi
# Keytab only has to exist for permission checks
if test -f "$KEYTAB"; then
if test ! -n "$APACHE_GROUP"; then
echo ""
echo "The Apache server process must be able to access the keytab."
echo "I didn't find a httpd.conf file so I don't know what creds it uses."
echo "Tell me what Unix group it will run as, and I'll check the"
echo "keytab file permissions so that it is readable by Apache."
echo ""
query "Group for Apache httpd process" APACHE_GROUP $APACHE_GROUP_GUESS
echo ""
fi
label "checking keytab is readable by $APACHE_GROUP"
set -- $(/bin/ls -l "$KEYTAB")
case "$1:$4" in
-??????r??:*)
echo "yes"
echo
echo "WARNING: keytab is world-readable. This is a security risk."
echo
;;
-???r?????:$APACHE_GROUP) echo "yes" ;;
*)
echo "no"
if yesorno "Change group of $KEYTAB to $APACHE_GROUP?"; then
label " -> fixing file mode and ownership"
checkroot
recordcmd chgrp "$APACHE_GROUP" "$KEYTAB" ||
die "Could not change file group"
recordcmd chmod 640 "$KEYTAB" ||
die "Could not change file mode"
echo "fixed"
else
echo "(Not changing ownership)"
fi
;;
esac
fi
if test "$keytab_readable" = "no"; then
echo >&2
echo "Skipping keytab validity check (keytab is unreadable)." >&2
echo >&2
else # Keytab is readable
if [ x"$HTTP_SPN" = "x" ]; then
query "Service account name:" HTTP_SPN HTTP/
fi
label "checking keytab can authenticate"
tmpcc=/tmp/.mod_auth_vas4cc$$
old_KRB5CCNAME="${KRB5CCNAME}"
if KRB5CCNAME=FILE:$tmpcc recordcmd $VASTOOL -u "$HTTP_SPN" -k "$KEYTAB" auth -S "$HTTP_SPN" > /dev/null; then
echo "yes"
else
echo "no"
echo ""
echo "The $HTTP_SPN service keytab: $KEYTAB could not be used to"
echo "authenticate to Active Directory. This may mean that the"
echo "service account has expired, that the keytab has become corrupt,"
echo "that the HTTP/ service is explicitly defined in the keytab,"
echo "or that the password has been changed without updating the keytab."
echo ""
echo "The error message was:"
KRB5CCNAME=FILE:$tmpcc $VASTOOL -u "$HTTP_SPN" -k "$KEYTAB" auth -S "$HTTP_SPN" 2>&1 | sed -e 's/^/ /'
echo ""
die "Keytab is not usable. Try deleting $KEYTAB and re-running $0"
fi
KRB5CCNAME="${old_KRB5CCNAME}"
rm -f $tmpcc
fi
# KB899417
cat << .
If you have clients using Internet Explorer, a known issue (KB899417)
can see them suddenly being unable to authenticate after only 30 minutes.
A workaround is to create SPN aliases with all the possible 'short-names'
that the client could use to access this server (i.e. http://short-name/).
SPN aliases can also be useful for servers with multiple DNS identities.
.
if test "$keytab_readable" = "no"; then
echo >&2
echo "Keytab is not readable. Skipping Service Principal Name (SPN) aliasing." >&2
echo "Re-run $0 as root to set up SPN aliasing." >&2
echo >&2
else
kinit "run tests on the service account $HTTP_SPN"
if [ x"$SAMACCOUNTNAME" = "x" ]; then
SAMACCOUNTNAME=$($VASTOOL ${uflag+-u "$uflag"} attrs -q -s "$HTTP_SPN" samaccountname || die "Cannot get samAccountName from $HTTP_SPN service account")
fi
echo "SamAccountName: $SAMACCOUNTNAME"
spns=$($VASTOOL ${uflag+-u "$uflag"} attrs -u "$SAMACCOUNTNAME" servicePrincipalName | wc -l)
primary=$($KTUTIL -k "$KEYTAB" list 2> /dev/null | awk 'NR==4 {print $3}')
#-- change the default to a suggested short spn
default_spn=none
if test 1 -eq "$spns"; then
nbname=$($VASTOOL -u host/ attrs -s host/ sAMAccountName | sed -e 's/^.*: //;s/\$$//')
if test x"HTTP/$nbname" != x"$($VASTOOL -u host/ attrs -u "$SAMACCOUNTNAME" servicePrincipalName | sed -e 's/.*: //')"; then
default_spn="HTTP/$nbname"
fi
fi
while :; do
cat << .
The HTTP/ service is currently known by these SPNs (service principal names):
.
$VASTOOL ${uflag+-u "$uflag"} attrs -u "$SAMACCOUNTNAME" servicePrincipalName |
awk '{print "\t" $2 }'
echo
query "Enter a new SPN alias, or 'none' to finish" SPN "$default_spn"
[ x"$SPN" = x"none" ] && break
case "$SPN" in
-*)
newspns=
found=false
for spn in $($VASTOOL ${uflag+-u "$uflag"} attrs -u "$SAMACCOUNTNAME" servicePrincipalName |
awk '{print $2}'); do
if [ x"-$spn" = x"$SPN" ]; then
found=true
else newspns="$newspns $spn"; fi
done
if $found; then
recordcmd $VASTOOL ${uflag+-u "$uflag"} \
setattrs -m -u "$SAMACCOUNTNAME" servicePrincipalName \
$newspns
recordcmd $VASTOOL ktutil -k "$KEYTAB" \
remove -p ${SPN#-}
else
echo "'${SPN#-}' not found" >&2
fi
;;
*)
oldspns=$($VASTOOL ${uflag+-u "$uflag"} attrs -u "$SAMACCOUNTNAME" servicePrincipalName |
awk '{print $2}')
recordcmd $VASTOOL ${uflag+-u "$uflag"} \
setattrs -m -u "$SAMACCOUNTNAME" servicePrincipalName \
$oldspns $SPN &&
recordcmd $VASTOOL ktutil -k "$KEYTAB" \
alias $primary $SPN${REALM+@"$REALM"}
;;
esac
default_spn=none
done
fi
#-- Bitwise operators (decimal integers only)
binary_or() { awk 'END { c = 0; for (i = 1; a || b; i *= 2) { a0 = a%2; b0 = b%2; if (a0 || b0) c += i; a = (a-a0)/2; b = (b-b0)/2; } print c; }' a="$1" b="$2" < /dev/null; }
binary_and() { awk 'END { c = 0; for (i = 1; a && b; i *= 2) { a0 = a%2; b0 = b%2; if (a0 && b0) c += i; a = (a-a0)/2; b = (b-b0)/2; } print c; }' a="$1" b="$2" < /dev/null; }
# Bug 213: HTTP/ keytab will expire by default
if test -f "$KEYTAB"; then
kinit "check that the service account is usable"
label Testing whether service password expires
# vastool attrs '-q' flag was only added in 3.2, so use sed magic.
uac=$($VASTOOL ${uflag+-u "$uflag"} attrs -u "$SAMACCOUNTNAME" userAccountControl | sed -e 's,userAccountControl: \([0-9]*\),\1,')
if [ "z$uac" = "z" ]; then
die "Unable to retrieve service account attributes, does the service exist?\
Delete $KEYTAB and re-run $0 to re-create the service account."
fi
noexpire_flag=65536 # "Password never expires" (KB305144)
if test $(binary_and $uac $noexpire_flag) -eq 0; then
echo yes
echo >&2
cat <<-. >&2
Unless the group policy is configured otherwise, the HTTP/ service
account password will expire at some point, leading to authentication
failures.
.
if yesorno "Disable password expiry for the service account? (recommended)"; then
recordcmd $VASTOOL ${uflag+-u "$uflag"} \
setattrs -u "$SAMACCOUNTNAME" userAccountControl \
$(binary_or $uac $noexpire_flag)
echo
fi
else
echo "no (good)"
fi
fi
label "checking module loading is enabled"
if test -n "$apxs"; then
sysconfdir=$($apxs -q SYSCONFDIR)
# format of config dir for example debian/ubuntu is using
available_module_path=${sysconfdir}/mods-available/auth_vas4.load
enabled_modules_dir=${sysconfdir}/mods-enabled
if [ -e "$available_module_path" ] && [ -d "${enabled_modules_dir}" ]; then
if [ -e "${enabled_modules_dir}/auth_vas4.load" ]; then
echo "yes"
else
echo "no"
echo
echo "You seem to have '${available_module_path}'. For apache to actually load the module,"
echo "this file needs to be symlinked to ${enabled_modules_dir}."
if yesorno "Do you want to create symlink and enable the module to be loaded?"; then
ln -s "${available_module_path}" "${enabled_modules_dir}"
fi
fi
else
echo "skipping"
fi
fi
#-- check that auth_vas module is loaded when config is parsed
label "checking mod_auth_vas4 is loaded"
if test -n "$apxs"; then
sbindir=$($apxs -q SBINDIR)
target=$($apxs -q TARGET)
if [ -x "$sbindir/${target}ctl" ]; then
apachecmd="$sbindir/${target}ctl"
else
apachecmd="$sbindir/${target}"
fi
if recordcmd "$apachecmd" ${AP_CF+-f "$AP_CF"} -t -e debug 2>&1 |
grep 'loaded module.*auth_vas' > /dev/null; then
echo 'yes'
label "checking loaded mod_auth_vas4 version"
module_version=$("$apachecmd" ${AP_CF+-f "$AP_CF"} \
-t -e debug 2>&1 |
sed -n -e 's/.*mod_auth_vas version \([^,]*\),.*/\1/p')
echo "${module_version-not found}"
if test -z "$module_version"; then
cat <<-.
WARNING: unable to detect the loaded mod_auth_vas4's version!
.
elif test x"$module_version" != x"$PACKAGE_VERSION"; then
cat <<-.
WARNING: A different version of mod_auth_vas4 is being loaded
by Apache as to what is expected by this script. I was
expecting to see version '$PACKAGE_VERSION'.
.
fi
else
echo 'no'
cat <<-.
It doesn't appear that the Apache web server is loading the VAS
authentication module. This could be a problem in the configuration
file (missing LoadModule or a syntax error), a mis-installation of
mod_auth_vas4 or VAS4, or perhaps this script is simply invoking the
web server in the wrong way.
The command I used to detect what modules were loaded was:
$apachecmd ${AP_CF+-f "$AP_CF"} -t -e debug
.
die "Module not loaded."
fi
else
echo 'unknown (re-run setup script with the -a flag, apxs was not found)'
fi
echo ""
$logfile_written && echo "(Log written to $LOGFILE)"
echo "Finished."
exit 0
#
# Licence
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# a. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# b. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# c. Neither the name of Quest Software, Inc. nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#