#!/bin/bash -e
#
# freeipa-service-ntlm.sh - grant host service access to NTLM Password Hash
#
# Version 1.0, latest version, documentation and bugtracker available at:
#		https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program.  If not, visit <http://www.gnu.org/licenses/> to download it.

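# Print all arguments as one line on stderr and exit with status 1.
# printf is used instead of echo so that a message starting with "-n"/"-e" or
# containing backslashes is printed verbatim; "$*" keeps the original spacing.
die() { printf '%s\n' "$*" >&2; exit 1; }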

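# Exit with a usage message unless a hostname and at least one service are given.
# ${0##*/} is the script's basename without forking an external command and
# without leaving $0 unquoted.
if (( $# < 2 )); then
    die "Usage: ${0##*/} <hostname> <service> [<service> ...]"
fi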

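# Sanity checks: a valid Kerberos ticket is required (klist -s is silent and
# only returns a status) and the script must run on an active IPA server.
# HOSTNAME may be overridden from the environment. NOTE(review): bash itself
# presets HOSTNAME on most systems, so the `hostname --fqdn` fallback only
# applies when it is unset or empty — confirm the value is the server's FQDN,
# which is what server-show expects.
if ! klist -s; then
    die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
elif ! ipa server-show "${HOSTNAME:=$(hostname --fqdn)}" > /dev/null; then
    die "this script should be run on an active IPA server"
fi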

# Set parameters
: ${HOST:=$1}
shift
: ${ROLE_NAME:=Samba/NTLM Authenticator}
: ${ROLE_DESCRIPTION:=Perform Samba (NTLM) Authentication using the RC4 Password hash}
: ${PRIV_NAME:=Samba (NTLM) RC4 Password Hash Access}
: ${PRIV_DESCRIPTION:=Perform Samba NTLM authentication using the RC4 password Hash}
: ${PERM_NAME:=Read Samba NTLM RC4 Password Hash attribute}


# The target host must already be enrolled in IPA; its service principals are
# looked up against it below.
ipa host-show "$HOST" > /dev/null 2>&1 || die "host $HOST does not exist, aborting!"


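# Ensure the role -> privilege -> permission chain exists, creating whatever is
# missing. Existence is checked with the *-show commands so that a failing
# *-add (ACL denied, connectivity, ...) is reported as an error instead of
# being mistaken for "already exists", and so that a run interrupted part-way
# can be completed by re-running the script. The add-permission/add-privilege
# links are only created next to a freshly created object, because linking an
# already linked entry makes the ipa CLI exit non-zero.
created_role=0
created_priv=0
created_perm=0

if ipa role-show "$ROLE_NAME" > /dev/null 2>&1; then
    echo "role $ROLE_NAME exists"
else
    ipa role-add "$ROLE_NAME" --desc="$ROLE_DESCRIPTION" > /dev/null \
        || die "creating role $ROLE_NAME failed, aborting!"
    echo "created role $ROLE_NAME"
    created_role=1
fi

if ipa privilege-show "$PRIV_NAME" > /dev/null 2>&1; then
    echo "privilege $PRIV_NAME exists"
else
    ipa privilege-add "$PRIV_NAME" --desc="$PRIV_DESCRIPTION" > /dev/null \
        || die "creating privilege $PRIV_NAME failed, aborting!"
    echo "created privilege $PRIV_NAME"
    created_priv=1
fi

if ipa permission-show "$PERM_NAME" > /dev/null 2>&1; then
    echo "permission $PERM_NAME exists"
else
    # read/compare only, on user entries, limited to the attributes an NTLM
    # authenticator needs. The NT hash is password-equivalent, so keep this
    # attribute list minimal and keep role membership limited to the
    # authenticating services.
    ipa permission-add "$PERM_NAME" \
        --attrs=ipaNTHash --attrs=sambaNTPassword --attrs=sambaPwdLastSet \
        --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName \
        --type=user --right=read --right=compare > /dev/null \
        || die "creating permission $PERM_NAME failed, aborting!"
    echo "created permission $PERM_NAME"
    created_perm=1
fi

if (( created_priv || created_perm )); then
    ipa privilege-add-permission "$PRIV_NAME" --permissions="$PERM_NAME" > /dev/null \
        || die "adding permission to privileges failed, aborting!"
fi

if (( created_role || created_priv )); then
    ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME" > /dev/null \
        || die "adding privilege to role failed, aborting!"
fi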


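# Grant the role to each requested service principal (<service>/<HOST>).
# Services that do not exist are skipped, never created. "$@" keeps every
# argument as one word even if it contains spaces (an unquoted $* would split it).
for service in "$@"; do
    if ! ipa service-show "$service/$HOST" > /dev/null 2>&1; then
        echo "service $service/$HOST does not exist, skipping"
        continue
    fi
    if ipa role-add-member "$ROLE_NAME" --services="$service/$HOST" > /dev/null 2>&1; then
        echo "granted service $service/$HOST the role $ROLE_NAME"
    else
        # role-add-member also exits non-zero on other errors (its output is
        # discarded here); check with `ipa role-show` if the membership is
        # unexpectedly missing afterwards.
        echo "service $service/$HOST already had role $ROLE_NAME"
    fi
done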