
Bug#935080: slapcat used in gosa hook script gosa-modify-host



Moin Mike,

On Sun, Apr 19, 2020 at 11:43:24AM +0000, Mike Gabriel wrote:
> On my customer site, we have 300 host entries or so. Doing the above 
> loop for every host change in LDAP will let the script walk over 300 
> LDAP queries. The response time of GOsa becomes awful with that.
[..]
> During the next days, I can test your patch, either the one or above 
> or a follow-up version.

Maybe you can test a follow-up one, based on your proposal to query LDAP 
only once. (Host gateway considered too, just in case someone has added 
a keytab.)

Wolfgang

#!/bin/sh

set -e

## This script is run by www-data using sudo. Keep that in mind!
## Make sure that malicious execution cannot hurt.##

HOST="$1"

# The host name ends up in kadmin queries and in a keytab path, so refuse
# anything that is not a plain DNS label (letters, digits, hyphen).
case "$HOST" in
	''|*[!A-Za-z0-9-]*)
		logger -t gosa-modify-host -p err "Refusing invalid host name '$HOST'."
		exit 1 ;;
esac

KEYTAB_DIR=/etc/debian-edu/host-keytabs

kadmin.local -q "add_principal -policy hosts -randkey host/$HOST.intern"
kadmin.local -q "ktadd -k $KEYTAB_DIR/$HOST.intern.keytab host/$HOST.intern"
kadmin.local -q "add_principal -policy hosts -randkey nfs/$HOST.intern"
kadmin.local -q "ktadd -k $KEYTAB_DIR/$HOST.intern.keytab nfs/$HOST.intern"
logger -t gosa-modify-host -p notice "Krb5 principals and keytab file for host '$HOST' created."

# update services:
/usr/share/debian-edu-config/tools/gosa-sync-dns-nfs

# cleanup from leftover host principals and keytab file:
# query LDAP once for all dhcpHost entries and compare every existing
# keytab against that list, instead of one LDAP query per host.
TEMPDIR=$(mktemp -d)
trap 'rm -rf "$TEMPDIR"' EXIT
ldapsearch -xLLL "objectclass=dhcpHost" | grep '^cn: ' | cut -d' ' -f2 > "$TEMPDIR/hosts"
# the gateway has no dhcpHost entry but may have been given a keytab:
echo gateway >> "$TEMPDIR/hosts"
for f in "$KEYTAB_DIR"/*.intern.keytab ; do
	# an unmatched glob stays literal; skip it rather than acting on '*'
	[ -e "$f" ] || continue
	i=$(basename "$f" .intern.keytab)
	# whole-line match: 'pc1' must not be kept just because 'pc10' exists
	if ! grep -qxF -- "$i" "$TEMPDIR/hosts" ; then
		# -force: delprinc would otherwise prompt for confirmation on stdin
		kadmin.local delprinc -force "host/$i.intern@INTERN"
		kadmin.local delprinc -force "nfs/$i.intern@INTERN"
		rm -f "$f"
	fi
done

exit 0

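The LDAP-versus-keytab comparison from the cleanup loop, as an added example that is not part of the bug report or of the Debian Edu scripts: it reads constructed LDIF on stdin so the matching rule (whole-line match plus the gateway exception) can be checked offline without a KDC or directory.

```shell
# Added example, not part of the bug report or of Debian Edu: the comparison
# step of the cleanup loop, factored into a function that runs offline.
# It reads LDIF text (the shape of `ldapsearch -LLL` output) on stdin, takes
# keytab basenames as arguments and prints those with no matching dhcpHost
# entry, i.e. the candidates for principal and keytab removal.
stale_keytabs() {
	known=$(grep '^cn: ' | cut -d' ' -f2-)
	# 'gateway' has no dhcpHost entry but may legitimately own a keytab.
	known=$(printf '%s\ngateway\n' "$known")
	for name in "$@"; do
		# Whole-line, fixed-string match: a bare `grep -q pc1` would also
		# match 'pc10' and keep a keytab that should have been removed.
		printf '%s\n' "$known" | grep -qxF -- "$name" || printf '%s\n' "$name"
	done
}

# Constructed sample input; a real run would query the live directory.
SAMPLE_LDIF='dn: cn=pc10,cn=dhcp,dc=example,dc=invalid
cn: pc10
objectClass: dhcpHost

dn: cn=tjener,cn=dhcp,dc=example,dc=invalid
cn: tjener
objectClass: dhcpHost
'

# Keytabs for pc1 and oldpc have no host in LDAP; pc10 and gateway are kept.
printf '%s' "$SAMPLE_LDIF" | stale_keytabs pc1 pc10 gateway oldpc   # prints: pc1 oldpc
```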