function ping_klist($progress = 0)
{
$sock = new sockets();
$unix = new unix();
$EnableKerbAuth = $sock->GET_INFO("EnableKerbAuth");
if (!is_numeric($EnableKerbAuth)) {
$EnableKerbAuth = 0;
}
if ($EnableKerbAuth == 0) {
return;
}
$array = unserialize(base64_decode($sock->GET_INFO("KerbAuthInfos")));
$domainUp = strtoupper($array["WINDOWS_DNS_SUFFIX"]);
$domain_lower = strtolower($array["WINDOWS_DNS_SUFFIX"]);
$adminpassword = $array["WINDOWS_SERVER_PASS"];
$adminpassword = $unix->shellEscapeChars($adminpassword);
$adminname = $array["WINDOWS_SERVER_ADMIN"];
$ad_server = $array["WINDOWS_SERVER_NETBIOSNAME"];
RunKinit($array["WINDOWS_SERVER_ADMIN"], $array["WINDOWS_SERVER_PASS"], $progress);
}
function build()
{
$sock = new sockets();
$EnableKerbAuth = $sock->GET_INFO("EnableKerbAuth");
if (!is_numeric("{$EnableKerbAuth}")) {
$EnableKerbAuth = 0;
}
if ($EnableKerbAuth == 0) {
echo "Starting......: Kerberos, disabled\n";
return;
}
if (!checkParams()) {
echo "Starting......: Kerberos, misconfiguration failed\n";
return;
}
$unix = new unix();
$msktutil = $unix->find_program("msktutil");
$hostname_bin = $unix->find_program("hostname");
$kdb5_util = $unix->find_program("kdb5_util");
$kadmin_bin = $unix->find_program("kadmin");
$netbin = $unix->LOCATE_NET_BIN_PATH();
if (!is_file("{$msktutil}")) {
echo "Starting......: Kerberos, msktutil no such binary\n";
return;
}
if (!is_file("{$hostname_bin}")) {
echo "Starting......: Kerberos, hostname no such binary\n";
return;
}
exec("{$hostname_bin} -d 2>&1", $results);
$mydomain = trim(@implode("", $results));
unset($results);
exec("{$hostname_bin} -f 2>&1", $results);
$myFullHostname = trim(@implode("", $results));
unset($results);
exec("{$hostname_bin} -s 2>&1", $results);
$myNetBiosName = trim(@implode("", $results));
$enctype = null;
$sock = new sockets();
$array = unserialize(base64_decode($sock->GET_INFO("KerbAuthInfos")));
if ($array["WINDOWS_SERVER_TYPE"] == "WIN_2003") {
$t[] = "# For Windows 2003:";
$t[] = " default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5";
$t[] = " default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5";
$t[] = " permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5";
$t[] = "";
}
if ($array["WINDOWS_SERVER_TYPE"] == "WIN_2008AES") {
$t[] = "; for Windows 2008 with AES";
$t[] = " default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5";
$t[] = " default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5";
$t[] = " permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5";
$t[] = "";
$enctype = " --enctypes 28";
}
$hostname = strtolower(trim($array["WINDOWS_SERVER_NETBIOSNAME"])) . "." . strtolower(trim($array["WINDOWS_DNS_SUFFIX"]));
echo "Starting......: Kerberos, {$hostname}\n";
echo "Starting......: Kerberos, my domain: \"{$mydomain}\"\n";
echo "Starting......: Kerberos, my hostname: \"{$myFullHostname}\"\n";
echo "Starting......: Kerberos, my netbiosname: \"{$myNetBiosName}\"\n";
$domainUp = strtoupper($array["WINDOWS_DNS_SUFFIX"]);
$domaindow = strtolower($array["WINDOWS_DNS_SUFFIX"]);
$kinitpassword = $array["WINDOWS_SERVER_PASS"];
$kinitpassword = $unix->shellEscapeChars($kinitpassword);
$f[] = " [logging]";
$f[] = " default = FILE:/var/log/krb5libs.log";
$f[] = " kdc = FILE:/var/log/krb5kdc.log";
$f[] = " admin_server = FILE:/var/log/kadmind.log";
$f[] = "";
$f[] = "[libdefaults]";
$f[] = " default_realm = {$domainUp}";
$f[] = " dns_lookup_realm = true";
$f[] = " dns_lookup_kdc = true";
$f[] = " ticket_lifetime = 24h";
$f[] = " forwardable = yes";
$f[] = "";
@implode("\n", $t);
$f[] = "[realms]";
$f[] = " {$domainUp} = {";
$f[] = " kdc = {$hostname}";
$f[] = " admin_server = {$hostname}";
$f[] = " default_domain = {$domainUp}";
$f[] = " }";
$f[] = "";
$f[] = "[domain_realm]";
$f[] = " .{$domaindow} = {$domainUp}";
$f[] = " {$domaindow} = {$domainUp}";
$f[] = "";
$f[] = "[appdefaults]";
$f[] = " pam = {";
$f[] = " debug = false";
$f[] = " ticket_lifetime = 36000";
$f[] = " renew_lifetime = 36000";
$f[] = " forwardable = true";
$f[] = " krb4_convert = false";
$f[] = "}";
$f[] = "";
@file_put_contents("/etc/krb.conf", @implode("\n", $f));
echo "Starting......: Kerberos, /etc/krb.conf done\n";
@file_put_contents("/etc/krb5.conf", @implode("\n", $f));
echo "Starting......: Kerberos, /etc/krb5.conf done\n";
unset($f);
$f[] = "lhs=.ns";
$f[] = "rhs=.{$mydomain}";
$f[] = "classes=IN,HS";
@file_put_contents("/etc/hesiod.conf", @implode("\n", $f));
echo "Starting......: Kerberos, /etc/hesiod.conf done\n";
unset($f);
$f[] = "[libdefaults]";
$f[] = "\t\tdebug = true";
$f[] = "[kdcdefaults]";
//$f[]="\tv4_mode = nopreauth";
$f[] = "\tkdc_ports = 88,750";
//$f[]="\tkdc_tcp_ports = 88";
$f[] = "[realms]";
$f[] = "\t{$domainUp} = {";
$f[] = "\t\tdatabase_name = /etc/krb5kdc/principal";
$f[] = "\t\tacl_file = /etc/kadm.acl";
$f[] = "\t\tdict_file = /usr/share/dict/words";
$f[] = "\t\tadmin_keytab = FILE:/etc/krb5.keytab";
$f[] = "\t\tkey_stash_file = /etc/krb5kdc/.k5.{$domainUp}";
$f[] = "\t\tmaster_key_type = des3-hmac-sha1";
$f[] = "\t\tsupported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3";
$f[] = "\t\tdefault_principal_flags = +preauth";
$f[] = "\t}";
$f[] = "";
if (!is_dir("/usr/share/krb5-kdc")) {
@mkdir("/usr/share/krb5-kdc", 644, true);
}
@file_put_contents("/usr/share/krb5-kdc/kdc.conf", @implode("\n", $f));
@file_put_contents("/etc/kdc.conf", @implode("\n", $f));
echo "Starting......: Kerberos, /usr/share/krb5-kdc/kdc.conf done\n";
echo "Starting......: Kerberos, /etc/kdc.conf done\n";
unset($f);
$config = "*/admin *\n";
@file_put_contents("/etc/kadm.acl", " ");
@file_put_contents("/usr/share/krb5-kdc/kadm.acl", " ");
@file_put_contents("/etc/krb5kdc/kadm5.acl", " ");
echo "Starting......: Kerberos, /etc/kadm.acl done\n";
RunKinit($array["WINDOWS_SERVER_ADMIN"], $array["WINDOWS_SERVER_PASS"]);
unset($results);
if ($GLOBALS["VERBOSE"]) {
$mskutilverb = " --verbose";
}
$cmd = "{$msktutil} -c -b \"CN=COMPUTERS\" -s HTTP/{$myFullHostname} -h {$myFullHostname} --keytab /etc/krb5.keytab";
$cmd = $cmd . " --computer-name {$myNetBiosName} --upn HTTP/{$myFullHostname} --server {$hostname}{$enctype}{$mskutilverb} 2>&1";
echo "Starting......: msktutil, {$cmd}\n";
exec($cmd, $results);
while (list($num, $a) = each($results)) {
echo "Starting......: msktutil, {$a}\n";
}
if (is_file("{$kdb5_util}")) {
$cmd = "{$kdb5_util} create -r {$domainUp} -s -P {$kinitpassword}";
if ($GLOBALS["VERBOSE"]) {
echo "Starting......: {$cmd}\n";
}
unset($results);
exec($cmd, $results);
while (list($num, $a) = each($results)) {
echo "Starting......: kdb5_util, {$a}\n";
}
}
if (is_file("{$kadmin_bin}")) {
}
//kadmin -p Administrateur "addprinc -randkey cifs/bdc.touzeau.com" -w DavidTouzeau180872
if (is_file("{$netbin}")) {
JOIN_ACTIVEDIRECTORY();
}
}
function kinit_config()
{
$sock = new sockets();
$EnableKerbAuth = $sock->GET_INFO("EnableKerbAuth");
if (!is_numeric("{$EnableKerbAuth}")) {
$EnableKerbAuth = 0;
}
if ($EnableKerbAuth == 1) {
echo "Enable Kerberos authentification is enabled, Aborting\n";
}
$CyrusToAD = $sock->GET_INFO("CyrusToAD");
$EnableSambaActiveDirectory = $sock->GET_INFO("EnableSambaActiveDirectory");
if (!is_numeric($EnableSambaActiveDirectory)) {
$EnableSambaActiveDirectory = 0;
}
if ($CyrusToAD == null) {
$CyrusToAD = 0;
}
if ($CyrusToAD == 0) {
DisablePamd();
return;
}
EnablePamd();
$array = unserialize(base64_decode($sock->GET_INFO("CyrusToADConfig")));
if ($EnableSambaActiveDirectory == 1) {
$newconf = unserialize(base64_decode($sock->GET_INFO("SambaAdInfos")));
$array["domain"] = $newconf["ADDOMAIN"];
$array["servername"] = $newconf["ADSERVER"];
$array["admin"] = $newconf["ADADMIN"];
$array["password"] = $newconf["PASSWORD"];
}
$default_realm = strtoupper($array["domain"]);
$servername = strtolower($array["servername"]);
$f[] = "[logging]";
$f[] = "\tdefault = FILE:/var/log/krb5libs.log";
$f[] = "\tkdc = FILE:/var/log/krb5kdc.log";
$f[] = "\tadmin_server = FILE:/var/log/kadmind.log";
$f[] = "[libdefaults]";
$f[] = "\tclockskew = 300";
$f[] = "\tticket_lifetime = 24h";
$f[] = "\tforwardable = yes";
$f[] = "\tdefault_realm = {$default_realm}";
$f[] = "[realms]";
$f[] = "\t{$default_realm} = {";
$f[] = "\t\tkdc = {$servername}";
$f[] = "\t\tdefault_domain = {$default_realm}";
$f[] = "\t\tkpasswd_server = {$servername}";
$f[] = "}";
$f[] = "";
$f[] = "[domain_realm]";
$f[] = "\t.{$default_realm} = {$default_realm}";
$f[] = "[appdefaults]";
$f[] = "pam = {";
$f[] = "\tdebug = false";
$f[] = "\tticket_lifetime = 36000";
$f[] = "\trenew_lifetime = 36000";
$f[] = "\tforwardable = true";
$f[] = "\tkrb4_convert = false";
$f[] = "}";
$f[] = "";
@file_put_contents("/etc/krb5.conf", @implode("\n", $f));
RunKinit($array["admin"] . "@" . strtoupper($array["domain"]), $array["password"]);
if ($GLOBALS["RELOAD"]) {
shell_exec("/etc/init.d/artica-postfix restart saslauthd");
}
}
