scripts/FreeIPA
Archived
1
0
Fork 0
Code Issues 4 Activity

Added 3 additional scripts (refer to README.md for what they do)

Browse Source 
- freeipa-samba-user.sh
  - freeipa-service-ntlm.sh
  - freeipa-service-password.sh
This commit is contained in:
Frederik Lindenaar
2019-07-19 18:18:02 +02:00
parent 63e71697e2
commit 3470ed2dcf
4 changed files with 373 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
freeipa-service-ntlm.sh Executable file
View File

@@ -0,0 +1,83 @@
#!/bin/bash -e
#
# freeipa-service-ntlm.sh - grant host service access to NTLM Password Hash
#
# Version 1.0, latest version, documentation and bugtracker available at:
# https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, visit <http://www.gnu.org/licenses/> to download it.
die() { echo $* >&2; exit 1; }
# Exit if hostname not provided
if [ $# -lt 2 ]; then
die "Usage: `basename $0` <hostname> <service> [<service> ...]"
fi
# Sanity checks, ensure we have a valid Kerberos ticket and run on FreeIPA server
if ! klist -s; then
die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
elif ! ipa server-show ${HOSTNAME:=$(hostname --fqdn)} > /dev/null; then
die "this script should be run on an active IPA server"
fi
# Set parameters
: ${HOST:=$1}
shift
: ${ROLE_NAME:=Samba/NTLM Authenticator}
: ${ROLE_DESCRIPTION:=Perform Samba (NTLM) Authentication using the RC4 Password hash}
: ${PRIV_NAME:=Samba (NTLM) RC4 Password Hash Access}
: ${PRIV_DESCRIPTION:=Perform Samba NTLM authentication using the RC4 password Hash}
: ${PERM_NAME:=Read Samba NTLM RC4 Password Hash attribute}
if ! ipa host-show "$HOST" > /dev/null 2>&1; then
die "host $HOST does not exist, aborting!"
fi
if ipa role-add "$ROLE_NAME" --desc="$ROLE_DESCRIPTION" > /dev/null 2>&1; then
echo created role $ROLE_NAME
if ipa privilege-add "$PRIV_NAME" --desc="$PRIV_DESCRIPTION" > /dev/null 2>&1; then
echo created privilege $PRIV_NAME
if ipa permission-add "$PERM_NAME" --attrs=sambaNTPassword --attrs=sambaPwdLastSet --attrs=sambaSID --attrs=sambaAcctFlags --attrs=sambaDomainName --type=user --right=read --right=compare > /dev/null 2>&1; then
echo created permission $PERM_NAME
else
echo permission $PERM_NAME exists
fi
if ! ipa privilege-add-permission "$PRIV_NAME" --permissions="$PERM_NAME" > /dev/null 2>&1; then
die "adding permission to privileges failed, aborting!"
fi
else
echo privilege $PRIV_NAME exists
fi
if ! ipa role-add-privilege "$ROLE_NAME" --privileges="$PRIV_NAME" > /dev/null 2>&1; then
die "adding privilege to role failed, aborting!"
fi
fi
for service in $*
do
if ipa service-show "$service/$HOST" > /dev/null 2>&1; then
if ipa role-add-member "$ROLE_NAME" --services="$service/$HOST" > /dev/null 2>&1; then
echo granted service $service/$HOST the role $ROLE_NAME
else
echo service $service/$HOST already had role $ROLE_NAME
fi
else
echo "service $service/$HOST does not exist, skipping"
fi
done