forked from saratov/diag-domain-client
168 lines
3.7 KiB
Bash
168 lines
3.7 KiB
Bash
#!/bin/bash
|
|
set -euo pipefail
|
|
|
|
. shell-terminfo
|
|
|
|
terminfo_init
|
|
|
|
verbose=1
|
|
|
|
msg_fail()
|
|
{
|
|
echo -n " \ $*: ["
|
|
color_text "FAIL" red
|
|
echo "]"
|
|
}
|
|
|
|
msg_warn()
|
|
{
|
|
echo -n " \ $*: ["
|
|
color_text "WARN" yellow
|
|
echo "]"
|
|
}
|
|
|
|
msg_done()
|
|
{
|
|
echo -n " \ $*: ["
|
|
color_text "DONE" green
|
|
echo "]"
|
|
}
|
|
|
|
run_by_root()
|
|
{
|
|
local msg=
|
|
if test "$1" = '-m'; then
|
|
shift
|
|
msg="$1"
|
|
shift
|
|
fi
|
|
if test `id -u` != 0; then
|
|
echo -n "Running not by root, SKIP: "
|
|
echo $*
|
|
return 2
|
|
else
|
|
test -z "$msg" ||
|
|
echo -n "$msg: "
|
|
$* || return 1
|
|
fi
|
|
}
|
|
|
|
run()
|
|
{
|
|
local retval=126
|
|
local func="$1"
|
|
local msg=$(printf "/--- %-70s ---" "$func")
|
|
|
|
if test -z $verbose; then
|
|
$func >/dev/null 2>&1 && retval=0 || retval=$?
|
|
else
|
|
color_message "$msg" bold white
|
|
$func && retval=0 || retval=$?
|
|
fi
|
|
|
|
test -z $verbose || echo "\------------------------------------------------------------------------------"
|
|
case "$retval" in
|
|
0) msg_done "$2" ;;
|
|
2) msg_warn "$2" ;;
|
|
*) msg_fail "$2" ;;
|
|
esac
|
|
test -z $verbose || color_message " \----------------------------------------------------------------------------" bold white
|
|
test -z $verbose || echo
|
|
}
|
|
|
|
check_hostnamectl()
|
|
{
|
|
local static_host="$(hostnamectl --static)"
|
|
local transient_host="$(hostname)"
|
|
hostnamectl
|
|
test "$static_host" = "$transient_host"
|
|
}
|
|
|
|
test_hostname()
|
|
{
|
|
local host=`hostname`
|
|
test "$host" != "${host/.}" || return 2
|
|
}
|
|
|
|
check_system_auth()
|
|
{
|
|
local auth=$(/usr/sbin/control system-auth)
|
|
echo "control system_auth: $auth"
|
|
readlink -f /etc/pam.d/system-auth
|
|
cat /etc/pam.d/system-auth
|
|
SYSTEM_AUTH="$auth"
|
|
test -n "$auth" -a "$auth" != "unknown"
|
|
}
|
|
|
|
test_domain_system_auth()
|
|
{
|
|
test -n "$SYSTEM_AUTH" ||
|
|
SYSTEM_AUTH=local
|
|
test "$SYSTEM_AUTH" != "local" || return 2
|
|
}
|
|
|
|
is_system_auth_local()
|
|
{
|
|
test "$SYSTEM_AUTH" = "local"
|
|
}
|
|
|
|
check_krb5_conf_ccache()
|
|
{
|
|
local ccache=$(/usr/sbin/control krb5-conf-ccache)
|
|
echo "control krb5-conf-ccache: $ccache"
|
|
test -n "$ccache" -a "$ccache" != "unknown"
|
|
}
|
|
|
|
test_keyring_krb5_conf_ccache()
|
|
{
|
|
local ccache=$(/usr/sbin/control krb5-conf-ccache)
|
|
test -n "$ccache" -a "$ccache" == "keyring" || return 2
|
|
}
|
|
|
|
check_krb5_conf_kdc_lookup()
|
|
{
|
|
local retval=0
|
|
echo -n "/etc/krb5.conf: dns_lookup_kdc "
|
|
if grep -q '^\s*dns_lookup_kdc\s*=\s*\([Tt][Rr][Uu][Ee]\|1\|[Yy][Ee][Ss]\)\s*$' /etc/krb5.conf; then
|
|
echo "is enabled"
|
|
else
|
|
if grep -q '^\s*dns_lookup_kdc\s*=' /etc/krb5.conf; then
|
|
echo "is disabled"
|
|
retval=1
|
|
else
|
|
echo "is enabled by default"
|
|
retval=2
|
|
fi
|
|
fi
|
|
return $retval
|
|
}
|
|
|
|
check_krb5_keytab_exists()
|
|
{
|
|
local retval=0
|
|
ls -la /etc/krb5.keytab
|
|
if ! test -e /etc/krb5.keytab; then
|
|
is_system_auth_local && retval=2 || retval=1
|
|
fi
|
|
return $retval
|
|
}
|
|
|
|
check_keytab_credential_list()
|
|
{
|
|
local retval=0
|
|
if ! run_by_root klist -ke; then
|
|
is_system_auth_local && retval=2 || retval=1
|
|
fi
|
|
return $retval
|
|
}
|
|
|
|
run check_hostnamectl "Check hostname persistance"
|
|
run test_hostname "Test hostname is FQDN (not short)"
|
|
run check_system_auth "System authentication method"
|
|
run test_domain_system_auth "Domain system authentication enabled"
|
|
run check_krb5_conf_ccache "Kerberos credential cache status"
|
|
run test_keyring_krb5_conf_ccache "Using keyring as kerberos credential cache"
|
|
run check_krb5_conf_kdc_lookup "Check DNS lookup kerberos KDC status"
|
|
run check_krb5_keytab_exists "Check machine crendetial cache is exists"
|
|
run check_keytab_credential_list "Check machine credentials list in keytab"
|