author | B Stack <bgstack15@gmail.com> | 2019-11-20 12:06:28 +0000 |
---|---|---|
committer | B Stack <bgstack15@gmail.com> | 2019-11-20 12:06:28 +0000 |
commit | 946edb8c3a1e117272563fcb56485072ccd9e774 (patch) | |
tree | 5a950a327556966529cf8ea6ea45d55467b7f843 /src | |
parent | Merge branch 'dev' into 'master' (diff) | |
parent | bump version to 0.0.5 (diff) | |
Merge branch 'dev' into 'master'
Version 0.0.5
See merge request bgstack15/laps!6
Diffstat (limited to 'src')
-rw-r--r-- | src/usr/share/doc/laps/changes | 3 | ||||
-rw-r--r-- | src/usr/share/doc/laps/version.txt | 2 | ||||
-rwxr-xr-x | src/usr/share/laps/laps.sh | 285 |
3 files changed, 34 insertions, 256 deletions
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
index 867a14a..c7067e3 100644
--- a/src/usr/share/doc/laps/changes
+++ b/src/usr/share/doc/laps/changes
@@ -10,3 +10,6 @@
 * May 29 2019 B Stack <bgstack15@gmail.com> - 0.0.4-1
 - fix #6 document the -i interactive flag
 - fix #7 add LAPS_KINIT_HOST_SCRIPT_OPTS
+
+* Thu Jul 18 2019 B Stack <bgstack15@gmail.com> - 0.0.5-1
+- move library functions out of laps
diff --git a/src/usr/share/doc/laps/version.txt b/src/usr/share/doc/laps/version.txt
index 81340c7..bbdeab6 100644
--- a/src/usr/share/doc/laps/version.txt
+++ b/src/usr/share/doc/laps/version.txt
@@ -1 +1 @@
-0.0.4
+0.0.5
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index daa0d2f..1023dc4 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -7,12 +7,12 @@
 # Purpose: LAPS Equivalent for GNU/Linux
 # Package: laps
 # History: see upstream project at https://gitlab.com/bgstack15/laps
-# Usage: 
 # Reference: ftemplate.sh 2018-09-12a; framework.sh 2018-09-12a
 # Improve:
 # Dependencies:
 # bundled: dependencies/datetime.py
-# framework.sh, kinit-host (bgscripts-core >= 1.4.3)
+# framework.sh, kinit-host, shldap >= 20190717 (bgscripts-core >= 1.4.4)
 # kinit, klist (krb5-workstation)
 # ldapsearch, ldapmodify (openldap-clients)
 # passwd (passwd)
@@ -23,7 +23,7 @@
 # sed (sed)
 # awk (gawk)
 fiversion="2018-09-12a"
-lapsversion="2019-05-29a"
+lapsversion="2019-07-17a"
 usage() {
 ${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
@@ -82,16 +82,16 @@ debuglevoutput() {
 }
 read_workflow() {
-
+
 # 1. get user kerberos ticket
 get_user_kerberos_ticket "${LAPS_KERBEROS_USER}" "${LAPS_USER_IS_ROOT}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_INTERACTIVE}" "${LAPS_KINIT_BIN}" "${LAPS_KLIST_BIN}"
 # 2. fetch and display host password
- get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}"
+ get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_PW}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"
 # 3. fetch and display expiration if the various debug levels
 # this is called for the debuglev actions inside it, not for the output directly
- wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" 1>/dev/null
+ wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 1>/dev/null
 }
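Review bot: The step-2 call to get_attrib_from_ldap in read_workflow still discards the function's exit status, so a Kerberos or LDAP failure that the function now reports through `${LAPS_LDAPSEARCH_STATUS_TMPFILE}` leaves the workflow continuing into step 3 as if the lookup had succeeded. main_workflow's step 2 checks `LAPS_epoch_response` for the equivalent call, so this one is the odd one out; `get_attrib_from_ldap … "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" || return $?` would make read_workflow propagate the failure. get_attrib_from_ldap now lives in shldap, so whether it returns non-zero or exits on error is not visible in this file and should be confirmed against that library.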
@@ -108,7 +108,7 @@ main_workflow() {
 get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KINIT_HOST_SCRIPT_OPTS}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}" || { ferror "${0}: unable to get host kerberos ticket. Aborted." ; exit 6 ; }
 # 2. fetch timestamp from ldap
- LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" )"
+ LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" )"
 LAPS_epoch_response="$?"
 test ${LAPS_epoch_response} -eq 0 || return "${LAPS_epoch_response}"
@@ -120,7 +120,7 @@ main_workflow() {
 LAPS_timestamp="$( get_current_filetime "${LAPS_DATETIME_PY}" "${LAPS_TIMELIMIT}" )"
 # 5. update ldap
- wrapper_update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_ATTRIB_PW}" "${LAPS_phrase}" "${LAPS_ATTRIB_TIME}" "${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}"
+ update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" ":" "${LAPS_ATTRIB_PW}:${LAPS_ATTRIB_TIME}" "${LAPS_phrase}:${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}"
 # 6. if ^ was successful, change password for configured user
 wrapper_change_password "${LAPS_phrase}" "${LAPS_USER}" "${LAPS_PASSWD_BIN}" "${LAPS_TEST}"
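Review bot: In the second hunk, step 5 now packs the new password and the timestamp into `"${LAPS_phrase}:${LAPS_timestamp}"` with `":"` as the field delimiter, so if the generated phrase can ever contain a colon, update_ldap splits the value at the wrong place and the attribute written to the directory is not the password that wrapper_change_password sets locally in step 6; how LAPS_phrase is generated is outside this hunk, so either exclude `:` from its alphabet or reject such a phrase before this call. Step 6 also runs whatever update_ldap returned, even though its comment says "if ^ was successful": the deleted wrapper_update_ldap exited 7 on an ldapmodify failure, whereas update_ldap is now in shldap and its failure behaviour is not visible here. Guarding the call the way step 1 guards get_host_keytab, `update_ldap … "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" || { ferror "${0}: unable to update ldap. Aborted." ; exit 7 ; }`, keeps the local password from being rotated while the directory still holds the old one.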
@@ -130,105 +130,8 @@ main_workflow() { } -get_host_keytab() { - # call: get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KINIT_HOST_SCRIPT_OPTS}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}" - # returns: nothing. - # action: get host kerberos ticket-granting ticket - debuglev 10 && ferror "get_host_keytab $@" - ___ghk_kinit_host_script="${1}" - ___ghk_kinit_host_script_opts="${2}" - ___ghk_klist_bin="${3}" - ___ghk_krb5cc_tmpfile="${4}" - - test -z "${___ghk_kinit_host_script}" && ___ghk_kinit_host_script="${LAPS_KINIT_HOST_SCRIPT_DEFAULT}" - - if test -e "${___ghk_kinit_host_script}" ; - then - KRB5CCNAME=FILE:"${___ghk_krb5cc_tmpfile}" "${___ghk_kinit_host_script}" ${___ghk_kinit_host_script_opts} - else - debuglev 3 && ferror "debug3: Using built-in logic to fetch host kerberos ticket because unable to find LAPS_KINIT_HOST_SCRIPT=${___ghk_kinit_host_script}" - # do internal logic here - # find kinit - ___ghk_kinit_bin="$( find "${LAPS_KINIT_BIN}" /usr/bin/kinit /bin/kinit /usr/local/bin/kinit -print -quit 2>/dev/null | head -n1 )" - if ! test -e "${___ghk_kinit_bin}" ; - then - ferror "${scriptname}: 4 fatal! Unable to find kinit. Please use variable LAPS_KINIT_BIN. Aborted." - fi - # cannot use requested server name here. root@localhost can only use its own kerberos ticket. - # observe that no domain name is given (after the dollar sign). This will force kerberos to choose, based on the default_realm value in /etc/krb5.conf. 
- "${___ghk_kinit_bin}" -k -c "${___ghk_krb5cc_tmpfile}" "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$" | debuglevoutput 7 - fi - - # return true if klist returns true - "${___ghk_klist_bin}" -c "${___ghk_krb5cc_tmpfile}" | debuglevoutput 7 - -} - -get_attrib_from_ldap() { - # call: get_attrib_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" - debuglev 10 && ferror "get_attrib_from_ldap $@" - ___gtfl_ldapsearch_bin="${1}" - ___gtfl_ldapsearch_flags="${2}" - ___gtfl_ldapsearch_filter="${3}" - ___gtfl_attrib="${4}" - ___gtfl_ldapconf="${5}" - ___gtfl_krb5cc_tmpfile="${6}" - - # execute for the purpose of displaying when debug level is high enough - { - debuglev 8 && set -x - KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 | debuglevoutput 8 - set +x - } 1>&2 - - # execute to check for ldap or kerberos errors - ___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )" - ___gtfl_stderr_response="$?" - if test ${___gtfl_stderr_response} -ne 0 ; - then - if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ; - then - ferror "Fatal: Kerberos ticket expired." - return 1; - elif echo "${___gtfl_stderr}" | grep -qi -e 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)' ; - then - ferror "Fatal: GSSAPI Error: Invalid name (Success). Try using \"SASL_NOCANON on\" in lapsldap.conf." - return 1; - elif echo "${___gtfl_stderr}" | grep -qi -e 'TLS: hostname does not match CN in peer certificate' ; - then - ferror "Fatal: TLS: hostname does not match CN. Try using \"TLS_REQCERT allow\" in lapsldap.conf." 
- return 1; - else - { - echo "Fatal: other ldap error:" - echo "${___gtfl_stderr}" - } | debuglevoutput 9 - return 1; - fi - fi - - # execute for actually fetching the value - ___gtfl_attrib="$( { KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" \ - "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" \ - "${___gtfl_attrib}" 2>/dev/null ; \ - echo "$?" > "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" ; \ - } | sed -r -e 's/^#.*$//;' -e '/^\s*$/d' | grep -iE -e "^${___gtfl_attrib}:" | awk '{print $2}' )" - ___gtfl_ldap_success="$( { cat "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" 2>/dev/null ; echo "1" ; } | head -n1 )" - if test "${___gtfl_ldap_success}" != "0" ; - then - ferror "Fatal: LDAP lookup failed" - return 1 - fi - - # here we can be sure that an empty value means there was no attribute by - # that name defined or it had an actual empty value. - - echo "${___gtfl_attrib}" - -} - wrapper_get_timestamp_from_ldap() { - # call: wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" + # call: wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" debuglev 10 && ferror "wrapper_get_timestamp_from_ldap $@" ___wgtfl_ldapsearch_bin="${1}" ___wgtfl_ldapsearch_flags="${2}" 
@@ -237,8 +140,9 @@ wrapper_get_timestamp_from_ldap() {
 ___wgtfl_ldapconf="${5}"
 ___wgtfl_datetime_py="${6}"
 ___wgtfl_krb5cc_tmpfile="${7}"
+ ___wgtfl_ldapsearch_status_tmpfile="${8}"
- ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" )"
+ ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" "${___wgtfl_ldapsearch_status_tmpfile}" )"
 ts_filetime_response="$?"
 test ${ts_filetime_response} -eq 0 || return "${ts_filetime_response}"
@@ -324,7 +228,7 @@ get_current_filetime() {
 ___gcf_timelimit="${2}"
 ___gcf_timestamp="$( "${___gcf_datetime_py}" -f "$( date -u -d "now+${___gcf_timelimit}" "+%s" )" )"
-
+
 if ! fisnum "${___gcf_timestamp}" ;
 then
 ferror "${scriptfile}: 4 fatal! Could not generate valid timestamp. Aborted."
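Review bot: The new `___wgtfl_ldapsearch_status_tmpfile="${8}"` has no fallback, so any caller that still passes seven arguments hands get_attrib_from_ldap an empty status-file path, and the success check inside that library then has nothing to read. Both call sites in this file are updated by the commit, but `test -z "${___wgtfl_ldapsearch_status_tmpfile}" && ___wgtfl_ldapsearch_status_tmpfile="${LAPS_LDAPSEARCH_STATUS_TMPFILE}"` would keep the global that the removed get_attrib_from_ldap read directly as the default. The opening and closing lines of wrapper_get_timestamp_from_ldap are outside this hunk.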
@@ -336,62 +240,6 @@ get_current_filetime() { echo "${___gcf_timestamp}" } -wrapper_update_ldap() { - # call: wrapper_update_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_LDAPSEARCH_UNIQUE_ID}" "${LAPS_LDAPCONF}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_ATTRIB_PW}" "${LAPS_phrase}" "${LAPS_ATTRIB_TIME}" "${LAPS_timestamp}" "${LAPS_LDIF_TMPFILE}" "${LAPS_LDAPMODIFY_BIN}" "${LAPS_LDAPMODIFY_FLAGS}" "${LAPS_TEST}" - debuglev 10 && ferror "wrapper_update_ldap $@" - ___wul_ldapsearch_bin="${1}" - ___wul_ldapsearch_flags="${2}" - ___wul_ldapsearch_filter="${3}" - ___wul_ldapsearch_unique_id="${4}" - ___wul_ldapconf="${5}" - ___wul_krb5cc_tmpfile="${6}" - ___wul_attrib_pw="${7}" - ___wul_phrase="${8}" - ___wul_attrib_time="${9}" - ___wul_timestamp="${10}" - ___wul_ldif_tmpfile="${11}" - ___wul_ldapmodify_bin="${12}" - ___wul_ldapmodify_flags="${13}" - ___wul_test="${14}" - - # learn dn - ___wul_dn="$( get_attrib_from_ldap "${___wul_ldapsearch_bin}" "${___wul_ldapsearch_flags}" "${___wul_ldapsearch_filter}" "${___wul_ldapsearch_unique_id}" "${___wul_ldapconf}" "${___wul_krb5cc_tmpfile}" )" - - # generate ldif - { - echo "${___wul_ldapsearch_unique_id}: ${___wul_dn}" - echo "changetype: modify" - echo "replace: ${___wul_attrib_pw}" - echo "${___wul_attrib_pw}: ${___wul_phrase}" - printf "%s\n" "-" - echo "replace: ${___wul_attrib_time}" - echo "${___wul_attrib_time}: ${___wul_timestamp}" - } > "${___wul_ldif_tmpfile}" - unset ___wul_ldapmodify_flag_verbose ; debuglev 9 && ___wul_ldapmodify_flag_verbose="-v" - - # add -n to this command if flag --test is used. - unset ___wul_ldapmodify_flag_test ; fistruthy "${___wul_test}" && ___wul_ldapmodify_flag_test="-n" - { - KRB5CCNAME="${___wul_krb5cc_tmpfile}" LDAPCONF="${___wul_ldapconf}" "${___wul_ldapmodify_bin}" ${___wul_ldapmodify_flags} "${___wul_ldif_tmpfile}" ${___wul_ldapmodify_flag_verbose} ${___wul_ldapmodify_flag_test} 2>&1 - echo "$?" 
> "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" - }| sed -r -e '/^\s*$/d;' | debuglevoutput 1 silent - ___wul_ldap_success="$( cat "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" )" - - case "${___wul_ldap_success}" in - 0) - # continue on - : - ;; - *) - ferror "${scriptfile}: 7 fatal! ldapmodify returned ${___wul_ldap_success}. Unhandled exception. Aborted." - exit 7 - ;; - esac - - return ${___wul_ldap_success} - -} - wrapper_change_password() { # call: wrapper_change_password "${LAPS_phrase}" "${LAPS_USER}" "${LAPS_PASSWD_BIN}" "${LAPS_TEST}" debuglev 10 && ferror "wrapper_change_password $@" @@ -404,7 +252,7 @@ wrapper_change_password() { then echo "0" > "${LAPS_PASSWORD_STATUS_TMPFILE}" else - ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )" + ___wcp_stdout="$( printf "%s\n%s\n" "${___wcp_phrase}" "${___wcp_phrase}" | "${___wcp_passwd_bin}" "${___wcp_user}" 2>&1 ; echo "$?" > "${LAPS_PASSWORD_STATUS_TMPFILE}" )" fi ___wcp_passwd_result="$( cat "${LAPS_PASSWORD_STATUS_TMPFILE}" )" 
@@ -436,96 +284,6 @@ wrapper_log() { } -get_user_kerberos_ticket() { - # call: get_user_kerberos_ticket "${LAPS_KERBEROS_USER}" "${LAPS_USER_IS_ROOT}" "${LAPS_KRB5CC_TMPFILE}" "${LAPS_INTERACTIVE}" "${LAPS_KINIT_BIN}" "${LAPS_KLIST_BIN}" - debuglev 10 && ferror "get_user_kerberos_ticket $@" - ___gukt_kerberos_user="${1}" - ___gukt_user_is_root="${2}" - ___gukt_krb5cc_tmpfile="${3}" - ___gukt_interactive="${4}" - ___gukt_kinit_bin="${5}" - ___gukt_klist_bin="${6}" - - # LAPS on the domain side does not permit a host keytab to read the password attribute, so if user=machine, fail out - # options: - # if root, using machine ticket. ACT: fail - # if root, using user ticket. ACT: check user tgt, then prompt. - # if user, using machine ticket. ACT: check user tgt, then prompt - # if user, using user ticket ACT: check user tgt, then prompt - - if test "${___gukt_kerberos_user}" = "machine" ; - then - if test "${___gukt_user_is_root}" = "1" ; - then - ferror "${scriptfile}: 2 fatal! To read the password stored in the domain, you need LDAP_KERBEROS_USER=<username> or -u <username> or run this script as a domain admin user. Aborted." - exit 2 - else - ___gukt_kerberos_user="${USER}" - ferror "Trying with logged in user ${___gukt_kerberos_user}." 
- fi - fi - - # Try current user kerberos ticket to see if has a tgt for LAPS_KERBEROS_USER - ___gukt_klist_stdout="$( "${___gukt_klist_bin}" 2>/dev/null )" - echo "${___gukt_klist_stdout}" | debuglevoutput 8 - ___gukt_klist_krb5cc="$( echo "${___gukt_klist_stdout}" | grep -iE 'ticket cache:' | awk -F':' '{print $NF}' | xargs )" - ___gukt_klist_user=$( echo "${___gukt_klist_stdout}" | grep -iE 'default principal:' | awk -F':' '{print $2}' | awk -F'@' '{print $1}' | xargs ) - ___gukt_klist_krbtgt="$( echo "${___gukt_klist_stdout}" | grep -E "krbtgt\/" )" - { - echo "klist_krb5cc=${___guktk_list_krb5cc}" - echo "klist_user=${___gukt_klist_user}" - echo "klist_krbtgt=${___gukt_klist_krbtgt}" - } | debuglevoutput 7 - - # if we already have a tgt - if test -n "${___gukt_klist_krbtgt}" ; - then - case "${___gukt_klist_user}" in - # and it is for the requested user - ${___gukt_kerberos_user}) - # copy it to our temporary location - debuglev 7 && ferror "Using existing krbtgt for requested user ${___gukt_kerberos_user}" - /bin/cp -p "${___gukt_klist_krb5cc}" "${___gukt_krb5cc_tmpfile}" - ;; - *) - ferror "Using existing krb5tgt for ${___gukt_klist_user} instead of requested ${___gukt_kerberos_user}" - ___gukt_kerberos_user="${___gukt_klist_user}" - ;; - esac - else - # need to get a ticket - # are we allowed to ormpt? - if fistruthy "${___gukt_interactive}" ; - then - # prompt and save to temp kerberos location - debuglev 1 && ferror "No krbtgt found. Prompting now..." - KRB5CCNAME="${___gukt_krb5cc_tmpfile}" "${___gukt_kinit_bin}" "${___gukt_kerberos_user}" - else - ferror "${scriptfile}: 2. Need LAPS_INTERACTIVE=1 or -i flag, to allow interactive kinit prompt. Aborted." 
- exit 2
- fi
- fi
- # verify that the tgt exists now
- ___gukt_klist_stdout="$( KRB5CCNAME="${___gukt_krb5cc_tmpfile}" "${___gukt_klist_bin}" 2>/dev/null )"
- echo "${___gukt_klist_stdout}" | debuglevoutput 4
- ___gukt_klist_krb5cc="$( echo "${___gukt_klist_stdout}" | grep -iE 'ticket cache:' | awk -F':' '{print $NF}' | xargs )"
- ___gukt_klist_user=$( echo "${___gukt_klist_stdout}" | grep -iE 'default principal:' | awk -F':' '{print $2}' | awk -F'@' '{print $1}' | xargs )
- ___gukt_klist_krbtgt="$( echo "${___gukt_klist_stdout}" | grep -E "krbtgt\/" )"
- {
- echo "klist_krb5cc=${___gukt_klist_krb5cc}"
- echo "klist_user=${___gukt_klist_user}"
- echo "klist_krbtgt=${___gukt_klist_krbtgt}"
- } | debuglevoutput 5
-
- if test -z "${___gukt_klist_krbtgt}" ;
- then
- # no krbtgt so fail out
- ferror "${scriptfile}: 6 fatal! Failed to get tgt for user ${___gkt_kerberos_user}. Check password or account. Aborted."
- exit 6
- fi
-
-}
-
 # DEFINE TRAPS
 clean_laps() {
@@ -620,6 +378,22 @@ case ${is_root} in
 ;;
 esac
+# LOAD SHLDAP
+setval 1 LAPS_SHLDAP_discovered <<EOFSENDSH # if $1="1" then setvalout="critical-fail" on failure
+${LAPS_SHLDAP}
+${SHLDAP}
+/usr/share/bgscripts/shldap.sh
+/usr/lib/bgscripts/shldap.sh
+EOFSENDSH
+test "${setvalout}" = "critical-fail" && ferror "${scriptfile}: 4. LAPS_SHLDAP not found. Aborted." && exit 4
+LAPS_SHLDAP_MINIMUM=20190717
+. "${LAPS_SHLDAP_discovered}"
+if ! test $( echo "${SHLDAP_VERSION}" | tr -dc '[[:digit:]]' ) -ge ${LAPS_SHLDAP_MINIMUM} ;
+then
+ ferror "${scriptfile}: 4. Insufficient version of shldap found: ${LAPS_SHLDAP_discovered} ${SHLDAP_VERSION}. Need >= ${LAPS_SHLDAP_MINIMUM}. Aborted."
+ exit 4
+fi
+
 # SET CUSTOM SCRIPT AND VALUES
 #setval 1 sendsh sendopts<<EOFSENDSH # if $1="1" then setvalout="critical-fail" on failure
 #/usr/local/share/bgscripts/send.sh -hs # setvalout maybe be "fail" otherwise
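Review bot: The second hunk sources whichever candidate setval finds first, and the first two candidates `${LAPS_SHLDAP}` and `${SHLDAP}` come straight from the environment, so a run as root (this script rotates the local password and obtains a host ticket, and the `case ${is_root}` just above shows root runs are expected) executes any file an environment variable points to before anything else is checked; a root run should at least refuse a candidate it does not own before the `. "${LAPS_SHLDAP_discovered}"` line. The `test … && ferror … && exit 4` chain after the heredoc only reaches `exit 4` if ferror returns zero — ferror comes from framework.sh and is not visible here — so it is safer as an if block. The version check also runs only after the library has already been sourced, and its unquoted `$( … tr -dc … )` collapses to a missing operand when SHLDAP_VERSION is unset; quoting it gives a clear failure instead. `test -O` is a common extension (bash, dash) rather than POSIX, so confirm it against the interpreter the shebang names.
```shell
# LOAD SHLDAP
# … unchanged: setval heredoc that fills LAPS_SHLDAP_discovered …
if test "${setvalout}" = "critical-fail" ;
then
   ferror "${scriptfile}: 4. LAPS_SHLDAP not found. Aborted."
   exit 4
fi
# a root run must not execute a library chosen through the environment unless root owns it
if test "$( id -u )" = "0" && ! test -O "${LAPS_SHLDAP_discovered}" ;
then
   ferror "${scriptfile}: 4. Refusing to load ${LAPS_SHLDAP_discovered}: not owned by root. Aborted."
   exit 4
fi
LAPS_SHLDAP_MINIMUM=20190717
. "${LAPS_SHLDAP_discovered}"
if ! test "$( echo "${SHLDAP_VERSION}" | tr -dc '[[:digit:]]' )" -ge "${LAPS_SHLDAP_MINIMUM}" ;
# … unchanged: then / ferror / exit 4 / fi …
```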
@@ -667,6 +441,7 @@ test -z "${LAPS_LDIF_TMPFILE}" && LAPS_LDIF_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}"
 test -z "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" && LAPS_LDAPMODIFY_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" && LAPS_LDAPSEARCH_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 test -z "${LAPS_PASSWORD_STATUS_TMPFILE}" && LAPS_PASSWORD_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
+#test -z "${LAPS_TMPFILE1}" && LAPS_TMPFILE1="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
 define_if_new LAPS_KINIT_HOST_SCRIPT "/usr/share/bgscripts/work/kinit-host.sh"
 define_if_new LAPS_KINIT_HOST_SCRIPT_OPTS ""
 define_if_new LAPS_KINIT_HOST_SCRIPT_DEFAULT "/usr/share/bgscripts/work/kinit-host.sh"
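Review bot: The only addition in this hunk is a commented-out `#test -z "${LAPS_TMPFILE1}" …` line with no explanation, which reads as dead code next to the live mktemp assignments. Either drop it or state what it is held for, e.g. `# LAPS_TMPFILE1 is not used yet; reserved for <purpose>` with the placeholder replaced by the real purpose, so the next reader does not have to guess whether uncommenting it is safe.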