#!/bin/bash -e
#
# freeipa-service-ntlm.sh - grant host service access to NTLM Password Hash
#
# Version 1.0, latest version, documentation and bugtracker available at:
#		https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program.  If not, visit <http://www.gnu.org/licenses/> to download it.

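# Print all arguments as one message on stderr and exit with status 1.
# printf with "$*" keeps the message intact (no globbing or word-splitting of
# the text, and a message starting with "-n"/"-e" is not eaten as an echo flag).
die() { printf '%s\n' "$*" >&2; exit 1; }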

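# A hostname and at least one service name are required; otherwise print usage
# and exit (die writes to stderr and exits 1).
if [ $# -lt 2 ]; then
    die "Usage: $(basename -- "$0") <hostname> <service> [<service> ...]"
fi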

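# Sanity checks: a valid Kerberos ticket is required (klist -s is silent and
# only reports via its exit status), and the script must run on an IPA server.
# HOSTNAME may be preset in the environment; otherwise it is set here to this
# machine's FQDN as a side effect of the ":=" expansion.
if ! klist -s; then
    die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
elif ! ipa server-show "${HOSTNAME:=$(hostname --fqdn)}" > /dev/null; then
    die "this script should be run on an active IPA server"
fi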

# Parameters.  Each value can be overridden from the environment; the defaults
# below only apply when the variable is unset or empty.
HOST=${HOST:-$1}
shift
ROLE_NAME=${ROLE_NAME:-Samba/NTLM Authenticator}
ROLE_DESCRIPTION=${ROLE_DESCRIPTION:-Perform Samba (NTLM) Authentication using the RC4 Password hash}
PRIV_NAME=${PRIV_NAME:-Samba (NTLM) RC4 Password Hash Access}
PRIV_DESCRIPTION=${PRIV_DESCRIPTION:-Perform Samba NTLM authentication using the RC4 password Hash}
PERM_NAME=${PERM_NAME:-Read Samba NTLM RC4 Password Hash attribute}
: ${PERM_NAME:=Read Samba NTLM RC4 Password Hash attribute}


# Refuse to continue when the target host is not enrolled in IPA.
ipa host-show "$HOST" > /dev/null 2>&1 || die "host $HOST does not exist, aborting!"


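# Create the role -> privilege -> permission chain on first use.  A failing
# "ipa *-add" is interpreted as "object already exists" (its output is
# discarded), so any other failure -- e.g. insufficient rights or a server
# error -- is treated the same way.  When the role already exists this whole
# step is skipped, on the assumption that an earlier run completed it.
if ipa role-add "$ROLE_NAME" --desc="$ROLE_DESCRIPTION" > /dev/null 2>&1; then
    printf '%s\n' "created role $ROLE_NAME"
    if ipa privilege-add "$PRIV_NAME" --desc="$PRIV_DESCRIPTION" > /dev/null 2>&1; then
        printf '%s\n' "created privilege $PRIV_NAME"
        # This permission grants read/compare on the NT (RC4) password hash and
        # related Samba attributes of user entries; membership of the role
        # should therefore be limited to the hosts that genuinely need it.
        if ipa permission-add "$PERM_NAME" \
                --attrs=ipaNTHash --attrs=sambaNTPassword --attrs=sambaPwdLastSet \
                --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName \
                --type=user --right=read --right=compare > /dev/null 2>&1; then
            printf '%s\n' "created permission $PERM_NAME"
        else
            printf '%s\n' "permission $PERM_NAME exists"
        fi
        if ! ipa privilege-add-permission "$PRIV_NAME" --permissions="$PERM_NAME" > /dev/null 2>&1; then
            die "adding permission to privileges failed, aborting!"
        fi
    else
        printf '%s\n' "privilege $PRIV_NAME exists"
    fi
    if ! ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME" > /dev/null 2>&1; then
        die "adding privilege to role failed, aborting!"
    fi
fi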


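# Grant the role to each requested service principal of the host.  "$@" keeps
# every argument intact (the original $* word-split and globbed them).  Services
# unknown to IPA are reported and skipped; a failing role-add-member is taken to
# mean the service already holds the role (ipa output is discarded).
for service in "$@"; do
    principal="$service/$HOST"
    if ! ipa service-show "$principal" > /dev/null 2>&1; then
        printf '%s\n' "service $principal does not exist, skipping"
        continue
    fi
    if ipa role-add-member "$ROLE_NAME" --services="$principal" > /dev/null 2>&1; then
        printf '%s\n' "granted service $principal the role $ROLE_NAME"
    else
        printf '%s\n' "service $principal already had role $ROLE_NAME"
    fi
done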