Jonathan Turner 8 лет назад
Родитель
Сommit
f72913ee08

+ 19 - 0
testenv/docker/krb5kdc-res/Dockerfile

@@ -0,0 +1,19 @@
+FROM centos:latest
+MAINTAINER Jonathan Turner <jt@jtnet.co.uk>
+
+EXPOSE 88
+ENTRYPOINT ["/usr/sbin/krb5kdc", "-n"]
+
+RUN yum install -y \
+  krb5-server \
+  tcpdump krb5-workstation vim \
+ && yum update -y && yum clean all
+
+ADD krb5.conf /etc/krb5.conf
+ADD kdc.conf /var/kerberos/krb5kdc/kdc.conf
+ADD kadm5.acl /var/kerberos/krb5kdc/kadm5.acl
+ADD krb5kdc-init.sh /opt/krb5/bin/krb5kdc-init.sh
+RUN mkdir -p /opt/krb5/log && \
+  mkdir -p /var/log/kerberos && \
+  /bin/bash /opt/krb5/bin/krb5kdc-init.sh && \
+  ln -sf /dev/stdout /var/log/krb5kdc.log
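Review bot: `FROM centos:latest` makes the image non-reproducible — the krb5 packages, and with them which enctypes the KDC accepts, change whenever that tag moves; pin a specific release tag or digest. The four `ADD` lines copy plain local files and should be `COPY` (e.g. `COPY krb5.conf /etc/krb5.conf`), and `MAINTAINER` is deprecated in favour of `LABEL`. The final `RUN` executes krb5kdc-init.sh at build time, so the KDC database and master-key stash end up in the image layer; a comment stating that this is intentional for the test fixture would help, and since the script has no `set -e`, a failed `kdb5_util create` still produces a "successful" image with no database. `tcpdump` and `vim` enlarge the runtime image and could be dropped or kept to a debug variant if the tests do not need them.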

+ 16 - 0
testenv/docker/krb5kdc-res/README.md

@@ -0,0 +1,16 @@
+# KDC Intergation Test Instance for RESDOM.GOKRB5
+
+DO NOT USE THIS CONTAINER FOR ANY PRODUCTION USE!!!
+
+To run:
+```bash
+docker run -v /etc/localtime:/etc/localtime:ro -p 188:88 -p 188:88/udp --rm --name gokrb5-res jcmturner/gokrb5:kdc-resdom &
+```
+
+To build:
+```bash
+docker build -t jcmturner/gokrb5:kdc-resdom --force-rm=true --rm=true .
+docker push jcmturner/gokrb5:kdc-resdom
+```
+
+

+ 4 - 0
testenv/docker/krb5kdc-res/kadm5.acl

@@ -0,0 +1,4 @@
+testuser1@RESDOM.GOKRB5	*
+*/admin@RESDOM.GOKRB5	*
+*/*@RESDOM.GOKRB5		i
+*@RESDOM.GOKRB5		i
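Review bot: `testuser1@RESDOM.GOKRB5 *` grants full kadmin privileges to an ordinary user principal whose password is fixed in krb5kdc-init.sh; if that is deliberate for the integration tests, a comment should say so, e.g. `# testuser1 has full admin rights so the test suite can manage principals; test fixture only`. The `*/*@RESDOM.GOKRB5 i` and `*@RESDOM.GOKRB5 i` lines give every principal inquire rights, which is presumably also test convenience and would benefit from the same one-line note.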

+ 14 - 0
testenv/docker/krb5kdc-res/kdc.conf

@@ -0,0 +1,14 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+
+[realms]
+ RESDOM.GOKRB5 = {
+  master_key_type = aes256-cts-hmac-sha1-96
+  max_life = 12h 0m 0s
+  max_renewable_life = 7d 0h 0m 0s
+  acl_file = /var/kerberos/krb5kdc/kadm5.acl
+  dict_file = /usr/share/dict/words
+  admin_keytab = /opt/krb5/data/kadm5.keytab
+  supported_enctypes = aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha384-192:normal des3-cbc-sha1-kd:normal rc4-hmac:normal
+ }
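Review bot: `supported_enctypes` includes `des3-cbc-sha1-kd:normal` and `rc4-hmac:normal`, so every principal created by krb5kdc-init.sh gets DES3 and RC4 keys alongside the AES ones; if the intent is to exercise gokrb5 against those legacy enctypes, a comment in the realm block should say so, otherwise they should be dropped. `dict_file = /usr/share/dict/words` points at a file nothing in this commit installs (no `words` package in the Dockerfile's yum list), so the dictionary check will presumably be skipped with a warning — confirm or remove the setting. `admin_keytab = /opt/krb5/data/kadm5.keytab` refers to a directory the Dockerfile never creates; it only matters if kadmind is started, which the current ENTRYPOINT does not do.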

+ 39 - 0
testenv/docker/krb5kdc-res/krb5.conf

@@ -0,0 +1,39 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+
+[libdefaults]
+  default_realm = RESDOM.GOKRB5
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  ticket_lifetime = 24h
+  forwardable = yes
+
+[realms]
+ TEST.GOKRB5 = {
+  kdc = 127.0.0.1:88
+  admin_server = 127.0.0.1:749
+  default_domain = test.gokrb5
+ }
+  RESDOM.GOKRB5 = {
+   kdc = 127.0.0.1:188
+   admin_server = 127.0.0.1:749
+   default_domain = resdom.gokrb5
+  }
+
+[domain_realm]
+ .test.gokrb5 = TEST.GOKRB5
+ test.gokrb5 = TEST.GOKRB5
+ .resdom.gokrb5 = RESDOM.GOKRB5
+ resdom.gokrb5 = RESDOM.GOKRB5
+
+[appdefaults]
+ pam = {
+   debug = false
+   ticket_lifetime = 36000
+   renew_lifetime = 36000
+   forwardable = true
+   krb4_convert = false
+ }
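Review bot: The `[realms]` entries point RESDOM.GOKRB5 at `127.0.0.1:188` and TEST.GOKRB5 at `127.0.0.1:88`, which matches the host-side port mappings in the README (`-p 188:88`) rather than what is reachable inside this container, where kdc.conf binds 88 and nothing listens on 188. As far as I can tell kadmin.local and kdb5_util in krb5kdc-init.sh work on the local database without contacting the KDC, so the build is unaffected, but a `kinit` run inside the container would presumably fail. A comment at the top such as `# Host-side view: KDC ports match the docker run -p mappings in README.md, not the in-container listener on 88` would keep the next reader from "fixing" it. The RESDOM.GOKRB5 block is also indented differently from the TEST.GOKRB5 block above it.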

+ 53 - 0
testenv/docker/krb5kdc-res/krb5kdc-init.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+REALM=RESDOM.GOKRB5
+DOMAIN=resdom.gokrb5
+SERVER_HOST=kdc.resdom.gokrb5
+ADMIN_USERNAME=adminuser
+HOST_PRINCIPALS="kdc.resdom.gokrb5 host.resdom.gokrb5"
+SPNs="HTTP/host.resdom.gokrb5"
+
+create_entropy() {
+   while true
+   do
+     sleep $(( ( RANDOM % 10 )  + 1 ))
+     echo "Generating Entropy... $RANDOM"
+   done
+}
+
+create_entropy &
+ENTROPY_PID=$!
+
+
+  echo "Kerberos initialisation required. Creating database for ${REALM} ..."
+  echo "This can take a long time if there is little entropy. A process has been started to create some."
+  MASTER_PASSWORD=$(echo $RANDOM$RANDOM$RANDOM | md5sum | awk '{print $1}')
+  /usr/sbin/kdb5_util create -r ${REALM} -s -P ${MASTER_PASSWORD}
+  kill -9 ${ENTROPY_PID}
+  echo "Kerberos database created."
+  /usr/sbin/kadmin.local -q "add_principal -randkey ${ADMIN_USERNAME}/admin"
+  echo "Kerberos admin user created: ${ADMIN_USERNAME} To update password: sudo /usr/sbin/kadmin.local -q \"change_password ${ADMIN_USERNAME}/admin\""
+
+  KEYTAB_DIR="/keytabs"
+  mkdir -p $KEYTAB_DIR
+
+  if [ ! -z "${HOST_PRINCIPALS}" ]; then
+    for host in ${HOST_PRINCIPALS}
+    do
+      /usr/sbin/kadmin.local -q "add_principal -pw hostpasswordvalue -kvno 1 host/$host"
+      echo "Created host principal host/$host"
+    done
+  fi
+
+  /usr/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.resdom.gokrb5"
+
+  /usr/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser1"
+  /usr/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
+  /usr/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser3"
+
+  # Set up trust
+  /usr/sbin/kadmin.local -q "add_principal -requires_preauth -pw trustpasswd -kvno 1 krbtgt/TEST.GOKRB5@RESDOM.GOKRB5"
+  /usr/sbin/kadmin.local -q "add_principal -requires_preauth -pw trustpasswd -kvno 1 krbtgt/RESDOM.GOKRB5@TEST.GOKRB5"
+
+
+  echo "Kerberos initialisation complete"
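Review bot: The script has no `set -e`, so if `/usr/sbin/kdb5_util create` fails the remaining `kadmin.local` calls run against a missing database and the Dockerfile's `RUN /bin/bash /opt/krb5/bin/krb5kdc-init.sh` still succeeds; add `set -euo pipefail` directly after the shebang. `SPNs`, `DOMAIN` and `SERVER_HOST` are assigned but never used — the HTTP principal is hard-coded on the `add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.resdom.gokrb5` line, which should either loop over `${SPNs}` the way the host loop does or the unused variables should go. The body from the first `echo` onward is indented as if inside a conditional that no longer exists. `create_entropy` only sleeps and echoes; a comment should state what it is expected to achieve, since it is not obvious that this feeds the kernel entropy pool at all.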

+ 4 - 0
testenv/docker/krb5kdc/krb5kdc-init.sh

@@ -45,4 +45,8 @@ ENTROPY_PID=$!
   /usr/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
   /usr/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser3"
 
+  # Set up trust
+  /usr/sbin/kadmin.local -q "add_principal -requires_preauth -pw trustpasswd -kvno 1 krbtgt/TEST.GOKRB5@RESDOM.GOKRB5"
+  /usr/sbin/kadmin.local -q "add_principal -requires_preauth -pw trustpasswd -kvno 1 krbtgt/RESDOM.GOKRB5@TEST.GOKRB5"
+
   echo "Kerberos initialisation complete"
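Review bot: The two cross-realm `krbtgt` principals must carry the same key as their counterparts in testenv/docker/krb5kdc-res/krb5kdc-init.sh (the same password `trustpasswd` and `-kvno 1` on both sides), otherwise cross-realm TGS requests fail on a key mismatch; a comment such as `# Cross-realm trust: password and kvno must stay identical to the matching entries in krb5kdc-res/krb5kdc-init.sh` would keep the two files in sync. `-requires_preauth` here disables pre-authentication for the trust principals, which is worth stating explicitly because the `+requires_preauth` form is used for testuser2 a few lines above. The script's beginning lies outside the hunk.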