Thursday, September 13, 2012

RHEL 5 MSKTUTIL_NFSV4.SH

The msktutil_nfsv4.sh Script

The original source for this script can be found at:  https://build.opensuse.org/package/files?package=msktutil&project=home%3Adipe

The original author can be contacted at:  dipeit@gmail.com

I have modified this script for my purposes but you can find more information and functionality at the link provided above.

I've never spoken with the original author so I hope he doesn't mind my usage of his scripts.

Save this script as msktutil_nfsv4.sh (or whatever you'd like), chown it root.root, and chmod it to 755.

#! /bin/sh

# Creates Active Directory computer objects for kerberized NFSv4
# Modified 09.12.2012 By Aaron Wyllie
# Original source can be found at https://build.opensuse.org/package/files?package=msktutil&project=home%3Adipe
# Original author contact: dipeit@gmail.com

OU='ou=services,ou=servers'

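# Use the FQDN given as the only argument, otherwise this host's own FQDN
if [ $# -ne 1 ]; then
  hostfqdn=`hostname -f`
else
  hostfqdn=$1
fi
# Short host name: everything before the first dot
computername=${hostfqdn%%.*}
# If no domain part was supplied, append the local DNS domain
if [ "$hostfqdn" = "$computername" ]; then
  hostfqdn=$computername.`hostname -d`
fi

# Start from a fresh keytab; this discards every key already stored in it
rm -f /etc/krb5.keytab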

# add --verbose for debugging

# CREATE ROOT servicePrincipalName (SPN) AND userPrincipalName (UPN) COMPUTER OBJECT - NOT REQUIRED FOR THIS IMPLEMENTATION - SEE ORIGINAL SOURCES ABOVE IF YOU'RE INTERESTED IN HOW IT COULD BE USED
#msktutil --dont-expire-password --no-pac --computer-name $computername-root --enctypes 0x1F -b "$OU" -k /etc/krb5.keytab -h $hostfqdn -s root/$hostfqdn --upn root/$hostfqdn  --verbose --description "TEST.INTERNAL ROOT SERVICE PRINCIPLE OBJECT - DO NOT DELETE, DISABLE, MODIFY, OR MOVE"

# CREATE NFSv4 servicePrincipalName (SPN) AND userPrincipalName (UPN) COMPUTER OBJECT
# --enctypes 0x1F enables DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, AES128 and AES256 keys
# --delegation marks the computer account as trusted for delegation
msktutil --delegation --dont-expire-password --no-pac --computer-name "$computername-nfs" --enctypes 0x1F -b "$OU" -k /etc/krb5.keytab -h "$hostfqdn" -s "nfs/$hostfqdn" --upn "nfs/$hostfqdn" --verbose --description "TEST.INTERNAL NFSv4 SERVICE PRINCIPLE OBJECT - DO NOT DELETE, DISABLE, MODIFY, OR MOVE"

# I'm not using this
#echo -e "\nKerberized NFSv4 is activated\nDo you also want to create a ServicePricipleName HOST (aka "join the windows domain") to enable SSO, etc? Please select 'No' if you are already using another tool (like likewise or winbind) to bind this computer to Active Directory!"
#select yn in "Yes" "No"; do
#    case $yn in
#        Yes ) msktjoin; break;;
#        No ) klist -k -t -e; break;;
#    esac
#done

#echo -e "\nIf you experience problems, please delete the computer accounts in Active Directory that belong to $computername and run this tool again!\n"

echo -e "\nKerberized NFSv4 has been enabled.\n"

klist -ket
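
The script ends by listing the keytab with klist -ket. The following is an added example, not part of the original script or of msktutil: it decodes the --enctypes bitmask used above and flags DES and RC4 entries in klist -ket output. The function names and the sample klist output (host1.test.internal) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which encryption types the keytab ended up with.

# Decode an msktutil --enctypes bitmask into enctype names.
decode_enctypes() {
  mask=$(( $1 ))
  out=""
  for pair in 1:des-cbc-crc 2:des-cbc-md5 4:rc4-hmac \
              8:aes128-cts-hmac-sha1-96 16:aes256-cts-hmac-sha1-96; do
    bit=${pair%%:*}
    if [ $(( mask & bit )) -ne 0 ]; then
      out="$out ${pair#*:}"
    fi
  done
  echo "${out# }"
}

# Read `klist -ket` text on stdin and print "principal: enctype" for every
# DES or RC4 (ArcFour) entry. Handles descriptive names ("DES cbc mode ...")
# as well as short names ("des-cbc-crc", "arcfour-hmac").
weak_keytab_entries() {
  awk '
    $1 ~ /^[0-9]+$/ && NF >= 5 {
      princ = $4
      enc = $0
      sub(/^[^(]*\(/, "", enc)    # drop everything up to the opening "("
      sub(/\)[^)]*$/, "", enc)    # drop the closing ")" and anything after
      low = tolower(enc)
      if (low ~ /^des[- ]/ || low ~ /arcfour|rc4/) print princ ": " enc
    }'
}

# Constructed sample of `klist -ket` output for a keytab created with 0x1F.
sample_klist_output() {
  cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 09/12/12 14:03:11 nfs/host1.test.internal@TEST.INTERNAL (DES cbc mode with CRC-32)
   2 09/12/12 14:03:11 nfs/host1.test.internal@TEST.INTERNAL (DES cbc mode with RSA-MD5)
   2 09/12/12 14:03:11 nfs/host1.test.internal@TEST.INTERNAL (ArcFour with HMAC/md5)
   2 09/12/12 14:03:11 nfs/host1.test.internal@TEST.INTERNAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 09/12/12 14:03:11 nfs/host1.test.internal@TEST.INTERNAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
EOF
}

echo "0x1F enables: $(decode_enctypes 0x1F)"
echo "Weak entries in the sample keytab listing:"
sample_klist_output | weak_keytab_entries
# On a real host: klist -ket /etc/krb5.keytab | weak_keytab_entries
```

Whether DES and RC4 can be dropped from the mask depends on what the NFS client and server kernels support, so test before narrowing it.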
