#!/bin/bash

# make-cron-keytab
#
# Script to make a keytab file for use with kcron in cases where
# kcroninit can not be used (like for shared accounts which do
# not have a Kerberos principal) and load the already created
# special Kerberos principla <account>/cron/<hostname> key
# into the the keytab file so kcron will work.
#

#
# Check that /usr/krb5/bin and sbin directories exist and
# for kadmin in /usr/krb5/sbin to make sure the Fermi Kerberos
# base (or utilities) are installed.
#
if [ ! \( -d /usr/krb5/bin -a -d /usr/krb5/sbin \) ]
then
	echo "Did not find the Fermi Kerberos directories /usr/krb5/[s]bin!"
	exit 1
fi
if [ ! \( -e /usr/krb5/bin/kcron -a -e /usr/krb5/bin/kcron-create \) ]
then
        echo "Did not find the Fermi Kerberos utilities kcron and kcron-create!"
        exit 1
fi

if [ -e /usr/krb5/sbin/kadmin ]
then
	mykadmin=/usr/krb5/sbin/kadmin
elif [ -e /usr/kerberos/sbin/kadmin ]
then
	mykadmin=/usr/kerberos/sbin/kadmin
else
	echo "No Kerberos kadmin utility found!"
	exit 1
fi

#
# Get hostname and make sure its a fully-qualified domain name
#
myhost=`hostname`
mynode=`echo $myhost | cut -d"." -f1`
if [ "$myhost" = "$mynode" ]
then
	echo "Hostname $myhost is not a fully qualified domain name!"
	exit 1
fi

#
# Run this in the shared acocunt
# Make the hashed file name and create the keytab file (and
# directories if needed) - all with the correct permissions.
#

kfile=`/usr/krb5/bin/kcron -f`
echo "Making keytab file $kfile"
/usr/krb5/bin/kcron-create $kfile

#
# Make the principal name <user>/cron/<hostname>@FNAL.GOV
#

princ=$USER/cron/$myhost
echo "Will load key for principal $princ into keytab file"

#
# Now put the key into a temporary keytab file, will prompt for the
# password.
#

tempkeytab=/tmp/$kfile
$mykadmin  -p $princ  -q "ktadd  -k  $tempkeytab  $princ"

#
# Now put the keytab file into place and cleanup.
#
/bin/cp  $tempkeytab  /var/adm/krb5/$kfile
rm $tempkeytab
