[31808] in Kerberos
Re: Adding users with a script
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sun Dec 27 13:43:20 2009
From: Russ Allbery <rra@stanford.edu>
To: Jaap Winius <jwinius@umrk.nl>
In-Reply-To: <4b36b370$0$8410$e4fe514c@dreader25.news.xs4all.nl> (Jaap
Winius's message of "27 Dec 2009 01:08:00 GMT")
Date: Sun, 27 Dec 2009 10:42:24 -0800
Message-ID: <87pr60tg1b.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Jaap Winius <jwinius@umrk.nl> writes:
> If you have 1,000 user names and passwords to add to an MIT Kerberos V
> database on a Linux system, you could add them all manually with kadmin,
> but that would be a terrible waste of time. The proper way would be to
> automate this process with a script, but I have no idea how.
> Any ideas?
Attached is a script we use locally. This only supports creating users
with random passwords, but if you know a bit of Perl, it should be fairly
easy to modify it to take the password from the file and add it.
Note that this exposes the user's password on the command line to anyone
else on the system. We only run it directly on the KDCs, where only
privileged users have login.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
[Attachment: krb5-mass-kadmin (text/x-perl)]
#!/usr/bin/perl
our $ID = q$Id$;
#
# krb5-mass-kadmin -- Perform kadmin operations on files of principals.
#
# Written by Russ Allbery <rra@stanford.edu>
# Copyright 2007 Board of Trustees, Leland Stanford Jr. University
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for any purpose and without fee is hereby granted, provided
# that the above copyright notice appear in all copies and that both that
# copyright notice and this permission notice appear in supporting
# documentation, and that the name of Stanford University not be used in
# advertising or publicity pertaining to distribution of the software without
# specific, written prior permission. Stanford University makes no
# representations about the suitability of this software for any purpose. It
# is provided "as is" without express or implied warranty.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
##############################################################################
# Declarations and site configuration
##############################################################################
use strict;
use warnings;

# Path to kadmin.local, used to perform kadmin operations.
our $KADMIN = '/usr/sbin/kadmin.local';

# Command used to generate a random password.  -Mncl restricts the output to
# digits and letters, so the password never contains characters that would
# confuse kadmin's command parser.
our @APG = qw(apg -a1 -m20 -n1 -Mncl);

##############################################################################
# kadmin operations
##############################################################################

# Run a kadmin command and capture the output.  Returns the output, either as
# a list of lines or, in scalar context, as one string.  The exit status of
# kadmin is often worthless, so callers must inspect the output instead.
#
# The command is passed with -q, so anything in it (including a password given
# with -pw) is visible in the process list to every user on the system.
sub kadmin {
    my ($command) = @_;
    my @args = ('-q', $command);
    my $pid = open (my $kadmin, '-|');
    if (not defined $pid) {
        die "cannot fork: $!\n";
    } elsif ($pid == 0) {
        open (STDERR, '>&STDOUT') or die "self: cannot dup stdout: $!\n";
        exec ($KADMIN, @args) or die "self: cannot run $KADMIN @args: $!\n";
    }

    # Failures in the child arrive over the pipe prefixed with "self: "; turn
    # them back into exceptions in the parent.
    local $_;
    my @output;
    while (<$kadmin>) {
        if (/^self: cannot /) {
            s/^self: //;
            die $_;
        }
        push (@output, $_) unless /Authenticating as principal/;
    }
    close $kadmin;
    return wantarray ? @output : join ('', @output);
}

# Generate one random password with apg.  Dies if apg is missing or produces
# nothing, since an empty password must never reach kadmin.
sub random_password {
    my $password = `@APG`;
    if (not defined $password or $password !~ /\S/) {
        die "@APG produced no password (is apg installed?)\n";
    }
    chomp $password;
    return $password;
}

# Given a principal name, examine that account and return a status.  Possible
# status codes are active, for an active account, disabled, if
# DISALLOW_ALL_TIX is set in the flags, or missing, if the account was not
# found at all.
sub principal_status {
    my ($principal) = @_;
    my $output = kadmin ("getprinc $principal");
    if ($output =~ /^get_principal: /m) {
        return 'missing';
    } elsif ($output =~ /^Attributes:.*\bDISALLOW_ALL_TIX\b/m) {
        return 'disabled';
    } else {
        return 'active';
    }
}

##############################################################################
# Commands
##############################################################################

# Read a file of principals into memory and return them as a list.  Ignore
# blank lines and comments, as well as anything after whitespace.
sub read_principals {
    my ($file) = @_;
    my @principals;
    open (my $fh, '<', $file) or die "cannot open $file: $!\n";
    local $_;
    while (<$fh>) {
        s/^\s+//;
        s/\s.*$//s;
        next if /^\#/;
        next unless /^\S/;
        push (@principals, $_);
    }
    close $fh;
    return @principals;
}

# Given a file of principals, randomize the passwords for each principal.  We
# would just use cpw -randkey, but right now that doesn't propagate the
# password to Active Directory or the AFS kaserver.  Work around that by using
# apg to generate random passwords.
sub randomize {
    my ($file) = @_;
    my @principals = read_principals ($file);
    for (@principals) {
        my $password = random_password ();
        my $output = kadmin ("cpw -pw $password $_");
        print $output;
    }
}

# Given a file of principals, create each principal with a randomized
# password.  The account is created with DISALLOW_ALL_TIX set (-allow_tix),
# so it is disabled until explicitly enabled later.
sub create_randomized {
    my ($file) = @_;
    my @principals = read_principals ($file);
    for (@principals) {
        my $password = random_password ();
        my $output = kadmin ("addprinc -pw $password -clearpolicy"
                             . " +requires_preauth -allow_tix $_");
        print $output;
    }
}

# Given a file of principals, output one line for each principal giving the
# principal name and the status of that principal.
sub status {
    my ($file) = @_;
    my @principals = read_principals ($file);
    my $longest = 0;
    my %status;
    for (@principals) {
        my $length = length ($_);
        $longest = $length if $length > $longest;
        $status{$_} = principal_status ($_);
    }
    for (@principals) {
        printf "%-${longest}s %s\n", $_, $status{$_};
    }
}

##############################################################################
# Main routine
##############################################################################

# Get output in order.
$| = 1;

# Stupid option parsing for now, just the action and the file.  Later we'll do
# something more interesting.
my ($action, $file) = @ARGV;
unless (defined $action and defined $file) {
    die "Usage: krb5-mass-kadmin (create|randomize|status) <file>\n";
}
if ($action eq 'status') {
    status ($file);
} elsif ($action eq 'create') {
    create_randomized ($file);
} elsif ($action eq 'randomize') {
    randomize ($file);
} else {
    die "unknown action $action\n";
}
exit 0;
__END__
##############################################################################
# Documentation
##############################################################################
=head1 NAME

krb5-mass-kadmin - Perform kadmin operations on files of principals

=head1 SYNOPSIS

B<krb5-mass-kadmin> (create|randomize|status) I<file>

=head1 DESCRIPTION

B<krb5-mass-kadmin> performs Kerberos administrative operations using
B<kadmin.local> on a list of principals.  Since it uses B<kadmin.local>, it
must be run locally on a KDC.

I<file> contains one principal per line.  Blank lines and lines starting
with C<#> are ignored, as is anything following whitespace on a line.

B<krb5-mass-kadmin> supports the following operations on the principals
listed in the provided file.

=over 4

=item create

Creates an account for each principal with a random password generated by
B<apg>.  The account is created with preauthentication required and with
the DISALLOW_ALL_TIX flag set, so it will show as C<disabled> until it is
enabled (for example with C<modprinc +allow_tix>).  Prints out the output of
kadmin.local for each operation.

=item randomize

Randomizes the password for each principal using a password generated by
B<apg> rather than C<cpw -randkey>, since the latter does not propagate the
new password to Active Directory or the AFS kaserver.  Prints out the output
of kadmin.local for each operation.

=item status

Checks the status of each principal and prints out one line per principal
giving the principal, whitespace, and then the status.  The status will be
one of C<missing>, indicating the principal was not found in the KDC,
C<disabled>, indicating the principal had the DISALLOW_ALL_TIX flag set, or
C<active>, indicating the principal is present and enabled.

=back

=head1 CAVEATS

Passwords are passed to B<kadmin.local> on its command line (via B<-q>) and
are therefore visible to any user on the system who can list processes.
Run this only on a KDC where logins are restricted to privileged users.

=head1 FILES

=over 4

=item F</usr/sbin/kadmin.local>

The expected path to B<kadmin.local>, set at the top of the script.

=back

=head1 SEE ALSO

apg(1), kadmin.local(8)

=head1 AUTHOR

Russ Allbery <rra@stanford.edu>

=cut
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
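Russ's reply suggests modifying the script to take each user's password from the file, and points out that passing the password with `kadmin.local -q` puts it on the command line where anyone on the system can read it. The following is an added example, not Russ's script and not part of MIT Kerberos: a Python version that reads `principal:password` lines and feeds `addprinc` commands to `kadmin.local` on its standard input rather than via `-q`, so the passwords never appear in process arguments. The path `/usr/sbin/kadmin.local`, the `principal:password` file format, the character rules for what is handed to kadmin unquoted, and the pattern used to pick `add_principal:` failures out of the output are assumptions made for this example.

```python
# Added example (not the poster's script): bulk addprinc from a
# "principal:password" file, sending commands to kadmin.local on stdin so
# that passwords never appear in process arguments.  Assumed: KADMIN path,
# the input format, the token rules, and the error-line pattern below.
import os
import re
import subprocess
import sys
from typing import List, Tuple

KADMIN = "/usr/sbin/kadmin.local"  # assumed path, as in the attached script

# Tokens we are willing to hand to kadmin's command parser verbatim: no
# whitespace, quotes, backslashes or control characters.  Anything else is
# rejected rather than quoted, since a mis-parsed line could set the wrong
# password or act on the wrong principal.  (apg -Mncl output satisfies this.)
SAFE_TOKEN_RE = re.compile(r"[^\s\"'\\\x00-\x1f\x7f]+")
PRINCIPAL_RE = re.compile(r"[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*(@[A-Za-z0-9.-]+)?")
# kadmin reports a failed addprinc as
#   add_principal: <reason> while creating "<principal>".
FAILED_RE = re.compile(r'^add_principal: .*? while creating "([^"]+)"\.?$', re.M)


def is_safe_token(token: str) -> bool:
    """True if token can be placed in a kadmin command line without quoting."""
    return bool(SAFE_TOKEN_RE.fullmatch(token))


def parse_user_file(text: str) -> List[Tuple[str, str]]:
    """Parse 'principal:password' lines (assumed format), one per line.

    Blank lines and '#' comments are skipped.  Only the first ':' splits, so
    passwords may contain colons.  Bad principal names and passwords that
    cannot be passed safely raise ValueError naming the line.
    """
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected principal:password")
        principal, password = line.split(":", 1)
        if not PRINCIPAL_RE.fullmatch(principal):
            raise ValueError(f"line {lineno}: bad principal name {principal!r}")
        if not password or not is_safe_token(password):
            raise ValueError(f"line {lineno}: password for {principal} is empty "
                             "or contains characters kadmin may mis-parse")
        pairs.append((principal, password))
    return pairs


def build_kadmin_batch(pairs: List[Tuple[str, str]], disabled: bool = True) -> str:
    """Return the kadmin command script for the (principal, password) pairs.

    Uses the same flags as the attached script: clear the policy, require
    preauth and (by default) create the account with DISALLOW_ALL_TIX so it
    can be enabled later with 'modprinc +allow_tix'.
    """
    lines = []
    for principal, password in pairs:
        flags = "-clearpolicy +requires_preauth"
        if disabled:
            flags += " -allow_tix"
        lines.append(f"addprinc -pw {password} {flags} {principal}")
    return "".join(line + "\n" for line in lines)


def run_kadmin_batch(batch: str, kadmin: str = KADMIN) -> str:
    """Run kadmin.local with the batch on stdin; return its combined output.

    Without -q, kadmin.local reads commands from stdin, so the passwords are
    visible only to this process and the KDC, not in ps(1).  As the original
    script notes, the exit status is not reliable; inspect the output.
    """
    proc = subprocess.run([kadmin], input=batch, text=True,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.stdout


def failed_principals(output: str) -> List[str]:
    """Principals whose addprinc failed, taken from kadmin.local's output."""
    return FAILED_RE.findall(output)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("Usage: krb5-bulk-addprinc <principal:password file>")
    path = sys.argv[1]
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        sys.exit(f"{path}: refusing to read a group/world-readable password "
                 f"file (mode {mode:o}); chmod 600 it first")
    with open(path) as fh:
        pairs = parse_user_file(fh.read())
    out = run_kadmin_batch(build_kadmin_batch(pairs))
    sys.stdout.write(out)
    sys.exit(1 if failed_principals(out) else 0)
```

The input file is refused unless it is readable only by its owner, because a file of 1,000 cleartext passwords is at least as sensitive as the KDC database it feeds; delete it once the run succeeds and the failures have been handled.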