@wangweij
Created September 1, 2015 07:09
A script to create a local, test-only MIT Kerberos KDC: it writes kdc.conf, krb5.conf, a sourceable "startup" helper script and a README into the current directory.
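#! /bin/bash
#
# Generate the files for a self-contained MIT Kerberos KDC instance in the
# current directory: kdc.conf, krb5.conf, a sourceable "startup" script with
# helper functions, and a README.  This script itself only writes those files;
# the generated startup script is what later sets environment variables and
# runs the KDC.
#
# Arguments (positional): realm-name kdc-host port-number
# Environment:
#   ALLOW_WEAK=true   also enable DES in the generated kdc.conf/krb5.conf
#   KRB5SRC=<dir>     use a private krb5 build tree; "built-in" forces the
#                     system krb5
#
# This is a throw-away test KDC: the generated startup script creates the
# database with a fixed master password, and the README's addprinc examples
# pass principal passwords on the kadmin.local command line.

usage() {
  cat <<EOF
Usage: $(basename "$0") realm-name kdc-host port-number
This command will create necessary files for a new KDC instance
in the current directory. This includes a kdc.conf, a krb5.conf
and a startup script to use KDC each time. The command itself
does not make any environment changes.
Define ALLOW_WEAK=true to support DES on both KDC and client.
Define KRB5SRC if you want to use your own krb5 build.
Otherwise the system installed one (built-in) is used.
Set it to "built-in" to force using built-in.
Note: killall is in the psmisc package in Ubuntu.
EOF
}

if [ -z "$3" ]; then
  usage
  exit
fi

# port-number is compared numerically later on (to decide whether sudo is
# needed for a privileged port) and pasted into kdc.conf/krb5.conf.  Reject
# anything that is not a plain decimal integer now, before any file has been
# written, instead of failing half-way with "integer expression expected".
case $3 in
  *[!0-9]*)
    echo "port-number must be a decimal integer, got: $3" >&2
    exit 1
    ;;
esac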
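# Locate a private krb5 build unless the caller already chose one via KRB5SRC.
# A tree only counts if it contains a built kinit; otherwise fall back to the
# system-installed krb5 ("built-in").
#
# Whatever tree is picked here ends up first on LD_LIBRARY_PATH/PATH in the
# generated startup script, i.e. it is trusted as code.  Only list directories
# you control.
if [ -z "$KRB5SRC" ]; then
  # Places where the author keeps private krb5 source builds.  Quoted so a
  # home directory containing whitespace does not get word-split.
  candidates=("$HOME/work/krb5/src" /space/work/krb5/src /space/repos/external/krb5/src)
  for dir in "${candidates[@]}"; do
    if [ -f "$dir/clients/kinit/kinit" ]; then
      KRB5SRC=$dir
      break
    fi
  done
fi
# Default to the system krb5 when no private build was found or given.
: "${KRB5SRC:=built-in}"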
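# Instance parameters.  ROOT is the absolute directory every generated file
# refers to, so the instance must not be moved after creation.
REALM=$1
KDC=$2
PORT=$3
ROOT=$(pwd)
# Lower-cased realm, used for the [domain_realm] mapping and example host
# names in the README.  Quoted so a realm containing glob characters or
# whitespace is passed through unchanged.
LC_REALM=$(echo "$REALM" | tr '[A-Z]' '[a-z]')

# Never clobber an existing instance: the database, stash file and keytabs
# referenced by these files would otherwise be orphaned.
for existing in kdc.conf krb5.conf; do
  if [ -e "$existing" ]; then
    echo "$existing already exists. Terminated."
    exit 1
  fi
done

# USE_WEAK is spliced in front of the weak-crypto lines of the generated
# configs: empty enables them, "#" leaves them commented out.  DES and
# allow_weak_crypto should only ever be turned on for a throw-away test realm.
if [ "$ALLOW_WEAK" = "true" ]; then
  USE_WEAK=
else
  USE_WEAK=#
fi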
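# kdc.conf for this instance.  All paths are absolute and instance-local.
# key_stash_file is named after the realm actually being created (the
# original hard-coded ".k5.ATHENA.MIT.EDU" regardless of realm, which matches
# neither kdb5_util's ".k5.REALM" convention nor the realm in this file).
# Note that "-s" in initkdc stashes the master key in that file, so anyone
# who can read this directory can decrypt the whole principal database.
# The supported_enctypes line is only active with ALLOW_WEAK=true; it lists
# single DES, RC4 and 3DES, none of which should be enabled outside a test.
cat <<EOF > kdc.conf
[kdcdefaults]
kdc_ports = ${PORT}
[realms]
${REALM} = {
database_name = ${ROOT}/principal
admin_keytab = FILE:${ROOT}/kadm5.keytab
acl_file = ${ROOT}/kadm5.acl
key_stash_file = ${ROOT}/.k5.${REALM}
kdc_ports = ${PORT}
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
#reject_bad_transit = false
#default_principal_flags=+preauth
${USE_WEAK}supported_enctypes = aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal arcfour-hmac:normal des-cbc-crc:normal
}
EOF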
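# krb5.conf for the clients and admin tools of this instance.
#  - dns_lookup_kdc/dns_lookup_realm are off, so the client only talks to the
#    KDC named on the command line and never one discovered via DNS.
#  - forwardable = true marks every TGT forwardable (delegation); handy for
#    tests, not a production default.
#  - allow_weak_crypto is only emitted with ALLOW_WEAK=true.
#  - The KDC log used to be /tmp/krb5kdc_REALM.log.  When startkdc runs the
#    KDC as root (privileged port), a predictable path in world-writable /tmp
#    is one any local user could pre-create or symlink and have root write
#    through, so the log now lives with the rest of the instance in ROOT.
cat <<EOF > krb5.conf
[libdefaults]
default_realm = ${REALM}
default_keytab_name = FILE:${ROOT}/krb5.keytab
forwardable = true
dns_lookup_kdc = no
dns_lookup_realm = no
#default_tkt_enctypes=aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc
#permitted_enctypes=aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc
#default_tgs_enctypes=aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-hmac-sha1 des-cbc-crc
${USE_WEAK}allow_weak_crypto=true
[realms]
${REALM} = {
kdc = ${KDC}:${PORT}
}
[logging]
kdc = FILE:${ROOT}/krb5kdc_${REALM}.log
[domain_realm]
.${LC_REALM} = ${REALM}
EOF
# A private build keeps its KDB plugin in its source tree; point the library
# at it so kadmin.local/kdb5_util load the db2 module matching that build.
if [ "$KRB5SRC" != "built-in" ]; then
cat <<EOF >> krb5.conf
[dbmodules]
db_module_dir = $KRB5SRC/tests/../plugins/kdb/db2
EOF
fi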
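# Generate "startup", a script meant to be sourced (". startup") that points
# the krb5 tools at this instance and defines helper functions.
#
# Generation-time vs. run-time expansion: a bare ${VAR} below is baked into
# the file now (ROOT, REALM, KRB5SRC), while \$VAR survives as a literal $VAR
# for the user's shell to expand when the file is sourced.
if [ "$KRB5SRC" != "built-in" ]; then
  # Private build: put its libraries and binaries first on the search paths.
  # Whatever KRB5SRC names is trusted as code here.
  cat <<EOF > startup
#! /bin/bash
# Use the krb5 build this instance was generated with unless overridden.
if [ "\$KRB5SRC" = "" ]; then
KRB5SRC=$KRB5SRC
fi
export LD_LIBRARY_PATH=\$KRB5SRC/lib
export DYLD_LIBRARY_PATH=\$KRB5SRC/lib
if [ "\$(command -v kinit)" != "\$KRB5SRC/bin/kinit" ]; then
export PATH=\$KRB5SRC/bin:\$PATH
fi
EOF
else
  echo "#! /bin/bash" > startup
fi

cat <<EOF >> startup
# Environment for this KDC instance.  The credential cache lives next to the
# instance files rather than under the shared, world-writable /tmp.
export KRB5CCNAME=${ROOT}/krb5cc_${REALM}
export KRB5_CONFIG=${ROOT}/krb5.conf
export KRB5_KDC_PROFILE=${ROOT}/kdc.conf
export _JAVA_OPTIONS="-Djava.security.krb5.conf=${ROOT}/krb5.conf"

# delprinc NAME...: delete principals without confirmation.
function delprinc {
for a in "\$@"; do
kadmin.local -q "delprinc -force \$a"
done
}

# getprinc [NAME...]: list all principals, or show the given ones.
function getprinc {
if [ "\$1" = "" ]; then
kadmin.local -q "listprincs"
else
for a in "\$@"; do
kadmin.local -q "getprinc \$a"
done
fi
}

# addprinc NAME [PASSWORD]: create a principal (random key unless a password
# is given) and add its current key to the default keytab.  A password given
# here is visible to other local users in the process list while kadmin.local
# runs, and it is no longer echoed to the terminal; use throw-away values.
function addprinc {
PASSWORD=-randkey
if [ "\$2" != "" ]; then
PASSWORD="-pw \$2"
fi
echo addprinc \$1
kadmin.local -q "addprinc \$PASSWORD \$1"
kadmin.local -q "ktadd -norandkey \$1"
}

# initkdc: create the principal database.  The master password defaults to
# the fixed string "master" (override with KDC_MASTER_PASSWORD) and -s
# stashes the derived master key on disk, so this database is only suitable
# for a throw-away test realm.  -W is kept from the original script; check
# kdb5_util's manual for its meaning on your krb5 version.
function initkdc {
kdb5_util create -s -W -P "\${KDC_MASTER_PASSWORD:-master}"
}
EOF

# startkdc/killkdc depend on the port: a privileged port needs root, and the
# environment must be handed through sudo explicitly.  The KDC records its
# PID in an instance-local file so that killkdc stops only this KDC and not
# every krb5kdc on the host, which is what the previous "killall krb5kdc"
# did (including a production KDC, if the script was ever run on one).
PIDFILE="${ROOT}/krb5kdc.pid"
NEED_SUDO=no
if [ -n "$PORT" ] && [ "$PORT" -lt 1024 ]; then
  NEED_SUDO=yes
fi
(
  echo
  echo "# Start this instance's KDC in the background; its PID is written to ${PIDFILE}."
  echo "function startkdc {"
  if [ "$NEED_SUDO" = "yes" ]; then
    if [ "$KRB5SRC" != "built-in" ]; then
      echo " sudo sh -c \"DYLD_LIBRARY_PATH=\$DYLD_LIBRARY_PATH LD_LIBRARY_PATH=\$LD_LIBRARY_PATH KRB5_CONFIG=\$KRB5_CONFIG KRB5_KDC_PROFILE=\$KRB5_KDC_PROFILE \$KRB5SRC/bin/krb5kdc -P ${PIDFILE}\""
    else
      echo " sudo sh -c \"KRB5_CONFIG=\$KRB5_CONFIG KRB5_KDC_PROFILE=\$KRB5_KDC_PROFILE krb5kdc -P ${PIDFILE}\""
    fi
  else
    echo " krb5kdc -P ${PIDFILE}"
  fi
  echo "}"
  echo
  echo "# Stop the KDC started by startkdc (only that process)."
  echo "function killkdc {"
  echo " if [ ! -f ${PIDFILE} ]; then echo \"${PIDFILE} not found; is the KDC running?\" >&2; return 1; fi"
  if [ "$NEED_SUDO" = "yes" ]; then
    echo " sudo kill \"\$(cat ${PIDFILE})\" && sudo rm -f ${PIDFILE}"
  else
    echo " kill \"\$(cat ${PIDFILE})\" && rm -f ${PIDFILE}"
  fi
  echo "}"
) >> startup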
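# README for the instance.  Step 2 uses the killkdc helper from startup rather
# than a bare "killall krb5kdc", which fails for a KDC started via sudo on a
# privileged port.  The ktadd examples are kadmin.local commands, so they are
# written in a form that can be pasted into the shell after ". startup".
# Passwords given to addprinc appear on the kadmin.local command line; use
# only throw-away values.
cat <<EOF > README
0. Initiate the env
. startup
1. Create the KDC:
initkdc
2. Starts the KDC (killkdc first stops a KDC left over from an earlier run):
killkdc
startkdc
3. Add principals
Either run the kadmin.local command, or use functions below
addprinc dummy bogus
addprinc foo bar
addprinc server/host.${LC_REALM}
addprinc backend/host.${LC_REALM}
kadmin.local -q 'ktadd -e "aes128-cts:normal rc4-hmac:normal" server/host.${LC_REALM}'
kadmin.local -q 'ktadd -e "aes128-cts:normal rc4-hmac:normal" backend/host.${LC_REALM}'
(rc4-hmac is a deprecated enctype that newer krb5 releases are phasing out;
drop it unless a client you are testing still needs it.)
4. Try it out
kinit dummy
klist
EOF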