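#!/bin/bash
#
# freeipa-service-ntlm.sh - grant host service access to NTLM Password Hash
#
# Usage: freeipa-service-ntlm.sh <hostname> <service> [<service> ...]
#
# Creates, the first time it runs, a FreeIPA role -> privilege -> permission
# chain that allows reading the Samba NT password hash attributes, then adds
# the service principals <service>/<hostname> to that role. Must be run on an
# active IPA server with a valid Kerberos ticket.
#
# Environment overrides (all optional): HOST, ROLE_NAME, ROLE_DESCRIPTION,
# PRIV_NAME, PRIV_DESCRIPTION, PERM_NAME, HOSTNAME.
#
# Version 1.0, latest version, documentation and bugtracker available at:
# https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, visit <http://www.gnu.org/licenses/> to download it.

# Options set here rather than in the shebang: `bash script.sh` ignores
# shebang flags.
set -euo pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Ensure a valid Kerberos ticket and that this host is an active IPA server.
# Globals:   HOSTNAME (read; assigned when empty)
# Returns:   0, or exits via die
#######################################
check_environment() {
  klist -s || die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
  # NOTE(review): bash initialises HOSTNAME itself, so the `hostname --fqdn`
  # fallback only fires when HOSTNAME is empty; if the value bash provides is
  # not the IPA server name, export HOSTNAME as the FQDN - confirm on target.
  ipa server-show "${HOSTNAME:=$(hostname --fqdn)}" > /dev/null \
    || die "this script should be run on an active IPA server"
}

#######################################
# Test whether an IPA object exists, so that "already exists" is not confused
# with any other failure of the corresponding *-add command.
# Arguments: $1 - object type (role, privilege, permission), $2 - object name
# Returns:   0 if `ipa <type>-show <name>` succeeds, non-zero otherwise
#######################################
ipa_exists() {
  ipa "$1-show" "$2" > /dev/null 2>&1
}

#######################################
# Create the permission granting read/compare on the Samba NT hash attributes
# of user entries, unless it already exists.
# Globals:   PERM_NAME (read)
# Outputs:   progress line on stdout
# Returns:   0, or exits via die when creation fails
#######################################
ensure_permission() {
  if ipa_exists permission "$PERM_NAME"; then
    printf 'permission %s exists\n' "$PERM_NAME"
    return 0
  fi
  # sambaNTPassword is the NT hash, which is credential-equivalent for NTLM;
  # anything that ends up in the role below can read it for every user, so
  # keep role membership to the services that actually need it.
  ipa permission-add "$PERM_NAME" \
    --attrs=sambaNTPassword --attrs=sambaPwdLastSet --attrs=sambaSID \
    --attrs=sambaAcctFlags --attrs=sambaDomainName \
    --type=user --right=read --right=compare > /dev/null 2>&1 \
    || die "creating permission $PERM_NAME failed, aborting!"
  printf 'created permission %s\n' "$PERM_NAME"
}

#######################################
# Create the privilege (and its permission) unless it already exists.
# A pre-existing privilege is assumed to be fully configured, as before.
# Globals:   PRIV_NAME, PRIV_DESCRIPTION, PERM_NAME (read)
# Outputs:   progress lines on stdout
# Returns:   0, or exits via die when creation or linking fails
#######################################
ensure_privilege() {
  if ipa_exists privilege "$PRIV_NAME"; then
    printf 'privilege %s exists\n' "$PRIV_NAME"
    return 0
  fi
  ipa privilege-add "$PRIV_NAME" --desc="$PRIV_DESCRIPTION" > /dev/null 2>&1 \
    || die "creating privilege $PRIV_NAME failed, aborting!"
  printf 'created privilege %s\n' "$PRIV_NAME"
  ensure_permission
  ipa privilege-add-permission "$PRIV_NAME" --permissions="$PERM_NAME" > /dev/null 2>&1 \
    || die "adding permission to privileges failed, aborting!"
}

#######################################
# Create the role (and its privilege chain) unless it already exists.
# A pre-existing role is assumed to be fully configured, as before.
# Globals:   ROLE_NAME, ROLE_DESCRIPTION, PRIV_NAME (read)
# Outputs:   progress lines on stdout
# Returns:   0, or exits via die when creation or linking fails
#######################################
ensure_role() {
  if ipa_exists role "$ROLE_NAME"; then
    printf 'role %s exists\n' "$ROLE_NAME"
    return 0
  fi
  ipa role-add "$ROLE_NAME" --desc="$ROLE_DESCRIPTION" > /dev/null 2>&1 \
    || die "creating role $ROLE_NAME failed, aborting!"
  printf 'created role %s\n' "$ROLE_NAME"
  ensure_privilege
  ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME" > /dev/null 2>&1 \
    || die "adding privilege to role failed, aborting!"
}

#######################################
# Add one service principal of HOST to the role, skipping unknown services.
# Globals:   HOST, ROLE_NAME (read)
# Arguments: $1 - service name (the part before "/" in the principal)
# Outputs:   one status line on stdout
#######################################
grant_service() {
  local principal="$1/$HOST"
  if ! ipa service-show "$principal" > /dev/null 2>&1; then
    printf 'service %s does not exist, skipping\n' "$principal"
    return 0
  fi
  # NOTE(review): a failing role-add-member is reported as "already a member";
  # other failures (e.g. missing rights) are not distinguished here.
  if ipa role-add-member "$ROLE_NAME" --services="$principal" > /dev/null 2>&1; then
    printf 'granted service %s the role %s\n' "$principal" "$ROLE_NAME"
  else
    printf 'service %s already had role %s\n' "$principal" "$ROLE_NAME"
  fi
}

#######################################
# Entry point: validate arguments and environment, then grant each service.
# Arguments: $1 - hostname, $2.. - service names
#######################################
main() {
  (( $# >= 2 )) || die "Usage: ${0##*/} <hostname> <service> [<service> ...]"
  check_environment

  # Parameters; environment values take precedence over the defaults.
  : "${HOST:=$1}"
  shift
  : "${ROLE_NAME:=Samba/NTLM Authenticator}"
  : "${ROLE_DESCRIPTION:=Perform Samba (NTLM) Authentication using the RC4 Password hash}"
  : "${PRIV_NAME:=Samba (NTLM) RC4 Password Hash Access}"
  : "${PRIV_DESCRIPTION:=Perform Samba NTLM authentication using the RC4 password Hash}"
  : "${PERM_NAME:=Read Samba NTLM RC4 Password Hash attribute}"

  ipa host-show "$HOST" > /dev/null 2>&1 || die "host $HOST does not exist, aborting!"

  ensure_role

  # "$@" keeps each service name intact; the original $* word-split them.
  local service
  for service in "$@"; do
    grant_service "$service"
  done
}

main "$@"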