domain-diag/ddiag.sh

#!/bin/bash
set -euo pipefail

. shell-terminfo

terminfo_init

verbose=1

msg_fail()
{
    echo -n " \ $*: ["
    color_text "FAIL" red
    echo "]"
}

msg_warn()
{
    echo -n " \ $*: ["
    color_text "WARN" yellow
    echo "]"
}

msg_done()
{
    echo -n " \ $*: ["
    color_text "DONE" green
    echo "]"
}

_command()
{
    color_message "\$ $*" bold
    $*
    echo
}

run_by_root()
{
    local msg=
    if test "$1" = '-m'; then
        shift
        msg="$1"
        shift
    fi
    if test `id -u` != 0; then
        echo -n "Running not by root, SKIP: "
        echo $*
        return 2
    else
        test -z "$msg" ||
            echo -n "$msg: "
        _command $* || return 1
    fi
}

run()
{
    local retval=126
    local func="$1"
    local msg=$(printf "/======             %-52s ======" "$func")

    test -z $verbose || echo " /============================================================================="
    if test -z $verbose; then
        $func >/dev/null 2>&1 && retval=0 || retval=$?
    else
        color_message "$msg" bold white
        $func && retval=0 || retval=$?
    fi

    test -z $verbose || echo "\=============================================================================="
    case "$retval" in
        0) msg_done  "$2" ;;
        2) msg_warn  "$2" ;;
        *) msg_fail "$2" ;;
    esac
    test -z $verbose || color_message "  \============================================================================" bold white
    test -z $verbose || echo
}

check_hostnamectl()
{
    local static_host="$(hostnamectl --static)"
    local transient_host="$(hostname)"
    _command hostnamectl
    test "$static_host" = "$transient_host"
}

test_hostname()
{
    local host=`hostname`
    test "$host" != "${host/.}" || return 2
}

check_system_auth()
{
    local auth=$(/usr/sbin/control system-auth)
    echo "control system_auth: $auth"
    _command readlink -f /etc/pam.d/system-auth
    echo -------------------------------------------------------------------------------
    _command cat /etc/pam.d/system-auth
    echo -------------------------------------------------------------------------------
    SYSTEM_AUTH="$auth"
    test -n "$auth" -a "$auth" != "unknown"
}

test_domain_system_auth()
{
    test -n "$SYSTEM_AUTH" ||
        SYSTEM_AUTH=local
    test "$SYSTEM_AUTH" != "local" || return 2
}

is_system_auth_local()
{
    test "$SYSTEM_AUTH" = "local"
}

check_krb5_conf_exists()
{
    local retval=0
    _command ls -l /etc/krb5.conf
    KRB5_DEFAULT_REALM=
    if ! test -e /etc/krb5.conf; then
        is_system_auth_local && retval=2 || retval=1
    else
        echo -------------------------------------------------------------------------------
        _command cat /etc/krb5.conf
        echo -------------------------------------------------------------------------------
        KRB5_DEFAULT_REALM=$(grep "^\s*default_realm\s\+" /etc/krb5.conf | sed -e 's/^\s*default_realm\s*=\s*//' -e 's/\s*$//')
    fi
    return $retval
}

check_krb5_conf_ccache()
{
    local ccache=$(/usr/sbin/control krb5-conf-ccache)
    echo "control krb5-conf-ccache: $ccache"
    test -n "$ccache" -a "$ccache" != "unknown"
}

test_keyring_krb5_conf_ccache()
{
    local ccache=$(/usr/sbin/control krb5-conf-ccache)
    test -n "$ccache" -a "$ccache" == "keyring" || return 2
}

check_krb5_conf_kdc_lookup()
{
    local retval=0
    echo -n "/etc/krb5.conf: dns_lookup_kdc "
    if grep -q '^\s*dns_lookup_kdc\s*=\s*\([Tt][Rr][Uu][Ee]\|1\|[Yy][Ee][Ss]\)\s*$' /etc/krb5.conf; then
        echo "is enabled"
    else
        if grep -q '^\s*dns_lookup_kdc\s*=' /etc/krb5.conf; then
            echo "is disabled"
            retval=1
        else
            echo "is enabled by default"
            retval=2
        fi
    fi
    return $retval
}

check_krb5_keytab_exists()
{
    local retval=0
    _command ls -l /etc/krb5.keytab
    if ! test -e /etc/krb5.keytab; then
        is_system_auth_local && retval=2 || retval=1
    fi
    return $retval
}

check_keytab_credential_list()
{
    local retval=0
    if ! run_by_root klist -ke; then
        is_system_auth_local && retval=2 || retval=1
    fi
    return $retval
}

check_resolv_conf()
{
    local retval=0
    ls -l /etc/resolv.conf
    echo -------------------------------------------------------------------------------
    cat /etc/resolv.conf
    echo -------------------------------------------------------------------------------
    SEARCH_DOMAIN=$(grep "^search\s\+" /etc/resolv.conf | sed -e 's/^search\s\+//' -e 's/\s/\n/' | head -1)
    NAMESERVER1=$(grep "^nameserver\s\+" /etc/resolv.conf | sed -e 's/^nameserver\s\+//' -e 's/\s/\n/' | head -1)
    NAMESERVER2=$(grep "^nameserver\s\+" /etc/resolv.conf | sed -e 's/^nameserver\s\+//' -e 's/\s/\n/' | head -2 | tail -1)
    NAMESERVER3=$(grep "^nameserver\s\+" /etc/resolv.conf | sed -e 's/^nameserver\s\+//' -e 's/\s/\n/' | head -3 | tail -1)
}

compare_resolv_conf_with_default_realm()
{
    echo "SEARCH_DOMAIN = '$SEARCH_DOMAIN'"
    echo "KRB5_DEFAULT_REALM = '$KRB5_DEFAULT_REALM'"
    local domain=$(echo "$SEARCH_DOMAIN" | tr '[:upper:]' '[:lower:]')
    local realm=$(echo "$KRB5_DEFAULT_REALM" | tr '[:upper:]' '[:lower:]')

    DOMAIN_DOMAIN="$domain"
    if test -n "$realm"; then
        DOMAIN_DOMAIN="$realm"
    else
        return 2
    fi
    test -n "$domain" || return 2
    test "$domain" = "$realm" || return 2
}

_check_nameserver()
{
    local ns="$1"
    if _command ping -c 2 -i2 "$ns"; then
        test -z "$DOMAIN_DOMAIN" || _command host "$DOMAIN_DOMAIN" "$ns"
    fi
}

check_nameservers()
{
    retval1=0
    retval2=0
    retval3=0
    if [ -n "$NAMESERVER1" ]; then
        _check_nameserver "$NAMESERVER1" || retval1=1
    fi
    if [ -n "$NAMESERVER2" ]; then
        _check_nameserver "$NAMESERVER2" || retval2=1
    fi
    if [ -n "$NAMESERVER3" ]; then
        _check_nameserver "$NAMESERVER3" || retval3=1
    fi
    if test "$retval1" = 0 -a "$retval2" = 0 -a "$retval3" = 0; then
        return 0;
    fi
    if test "$retval1" = 1 -a "$retval2" = 1 -a "$retval3" = 1; then
        return 1;
    fi
    return 2
}

run check_hostnamectl "Check hostname persistance"
run test_hostname "Test hostname is FQDN (not short)"
run check_system_auth "System authentication method"
run test_domain_system_auth "Domain system authentication enabled"
run check_krb5_conf_exists "Check Kerberos configuration exists"
run check_krb5_conf_ccache "Kerberos credential cache status"
run test_keyring_krb5_conf_ccache "Using keyring as kerberos credential cache"
run check_krb5_conf_kdc_lookup "Check DNS lookup kerberos KDC status"
run check_krb5_keytab_exists "Check machine crendetial cache is exists"
run check_keytab_credential_list "Check machine credentials list in keytab"
run check_resolv_conf "Check nameserver resolver configuration"
run compare_resolv_conf_with_default_realm "Compare krb5 realm and first search domain"
run check_nameservers "Check nameservers availability"