#!/bin/bash -e
#
# freeipa-service-ntlm.sh - grant host service access to NTLM Password Hash
#
# Version 1.0, latest version, documentation and bugtracker available at:
# https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, visit <http://www.gnu.org/licenses/> to download it.
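# Print all arguments (joined by single spaces) as one line on stderr and
# abort the script with exit status 1. printf is used instead of echo so a
# message that happens to start with "-n"/"-e" is printed verbatim.
die() { printf '%s\n' "$*" >&2; exit 1; }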
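# Shell options are set here rather than relied on from the shebang: the "-e"
# in "#!/bin/bash -e" is lost when the script is started as "bash script.sh".
set -eu

# Exit unless a hostname and at least one service name are provided
if [ $# -lt 2 ]; then
  die "Usage: $(basename -- "$0") <hostname> <service> [<service> ...]"
fi

# Sanity checks, ensure we have a valid Kerberos ticket and run on FreeIPA server.
# NOTE(review): bash pre-sets HOSTNAME itself, so the "hostname --fqdn" default
# only kicks in when HOSTNAME is empty; an exported HOSTNAME overrides it, as in
# the original. server-show's stderr is left visible on purpose.
if ! klist -s; then
  die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
elif ! ipa server-show "${HOSTNAME:=$(hostname --fqdn)}" > /dev/null; then
  die "this script should be run on an active IPA server"
fi

# Set parameters; every one of them may be pre-set from the environment
: "${HOST:=$1}"
shift
: "${ROLE_NAME:=Samba/NTLM Authenticator}"
: "${ROLE_DESCRIPTION:=Perform Samba (NTLM) Authentication using the RC4 Password hash}"
: "${PRIV_NAME:=Samba (NTLM) RC4 Password Hash Access}"
: "${PRIV_DESCRIPTION:=Perform Samba NTLM authentication using the RC4 password Hash}"
: "${PERM_NAME:=Read Samba NTLM RC4 Password Hash attribute}"

if ! ipa host-show "$HOST" > /dev/null 2>&1; then
  die "host $HOST does not exist, aborting!"
fi

# Role / privilege / permission setup. Each object is looked up with *-show
# before *-add so that a failing add (e.g. insufficient rights, LDAP error) is
# reported instead of being mistaken for "already exists". As before, the
# privilege and permission are only linked when their container was just
# created; an existing role is assumed to be fully set up.
if ! ipa role-show "$ROLE_NAME" > /dev/null 2>&1; then
  ipa role-add "$ROLE_NAME" --desc="$ROLE_DESCRIPTION" > /dev/null 2>&1 \
    || die "creating role $ROLE_NAME failed, aborting!"
  echo "created role $ROLE_NAME"

  if ipa privilege-show "$PRIV_NAME" > /dev/null 2>&1; then
    echo "privilege $PRIV_NAME exists"
  else
    ipa privilege-add "$PRIV_NAME" --desc="$PRIV_DESCRIPTION" > /dev/null 2>&1 \
      || die "creating privilege $PRIV_NAME failed, aborting!"
    echo "created privilege $PRIV_NAME"

    if ipa permission-show "$PERM_NAME" > /dev/null 2>&1; then
      echo "permission $PERM_NAME exists"
    else
      # The attributes below carry the NT (RC4) password hash and the Samba
      # account data of every user entry (--type=user). A service principal
      # placed in this role can therefore read the NT hashes of the whole
      # domain, which is equivalent to a credential dump: keep the set of
      # hosts granted this role minimal and treat their keytabs as secrets.
      ipa permission-add "$PERM_NAME" \
        --attrs=ipaNTHash --attrs=sambaNTPassword --attrs=sambaPwdLastSet \
        --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName \
        --type=user --right=read --right=compare > /dev/null 2>&1 \
        || die "creating permission $PERM_NAME failed, aborting!"
      echo "created permission $PERM_NAME"
    fi

    if ! ipa privilege-add-permission "$PRIV_NAME" --permissions="$PERM_NAME" > /dev/null 2>&1; then
      die "adding permission to privileges failed, aborting!"
    fi
  fi

  if ! ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME" > /dev/null 2>&1; then
    die "adding privilege to role failed, aborting!"
  fi
fi

# Grant the role to each requested service principal on HOST. "$@" keeps every
# service name intact (the original's $* re-split them on whitespace).
# NOTE(review): a role-add-member failure for any reason other than existing
# membership is still reported as "already had role", as in the original.
for service in "$@"; do
  principal="$service/$HOST"
  if ! ipa service-show "$principal" > /dev/null 2>&1; then
    echo "service $principal does not exist, skipping"
  elif ipa role-add-member "$ROLE_NAME" --services="$principal" > /dev/null 2>&1; then
    echo "granted service $principal the role $ROLE_NAME"
  else
    echo "service $principal already had role $ROLE_NAME"
  fi
done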