Diffstat (limited to 'install/share')
-rw-r--r--install/share/Makefile.am2
-rw-r--r--install/share/kdc.conf.template2
-rw-r--r--install/share/kdc_extensions.template32
-rw-r--r--install/share/kdc_req.conf.template14
4 files changed, 50 insertions, 0 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index e4b6ca385..3423ce287 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -24,6 +24,8 @@ app_DATA = \
bind.zone.db.template \
certmap.conf.template \
kdc.conf.template \
+ kdc_extensions.template \
+ kdc_req.conf.template \
krb5.conf.template \
krb5.ini.template \
krb.con.template \
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 4a2cca412..f8e07c77b 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,4 +12,6 @@
dict_file = /usr/share/dict/words
default_principal_flags = +preauth
; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+ pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem
+ pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
}
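Review bot: `pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem` names a single file, which in the MIT krb5 `FILE:` identity form means kdc.pem must hold both the KDC certificate and its private key (a separate key file is written as `FILE:cert.pem,key.pem`); a comment above the line would spare the next reader that lookup, e.g. `; KDC certificate and private key in one PEM; use FILE:cert,key to split them`. Because that file contains a private key, the installer step that writes it presumably needs a restrictive mode, which this hunk cannot show. `pkinit_anchors` is the trust anchor the KDC uses when verifying client PKINIT certificates, not the issuer of its own certificate; a one-line comment such as `; CA trusted for client PKINIT certificates` would keep the two from being confused. The enclosing realm block starts outside the hunk.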
diff --git a/install/share/kdc_extensions.template b/install/share/kdc_extensions.template
new file mode 100644
index 000000000..df992babd
--- /dev/null
+++ b/install/share/kdc_extensions.template
@@ -0,0 +1,32 @@
+[ kdc_cert ]
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+#Pkinit EKU
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# Copy subject details
+
+issuerAltName=issuer:copy
+
+# Add id-pkinit-san (pkinit subjectAlternativeName)
+# Also add the KDC fqdn, for good measure.
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:${ENV::HOST_FQDN}
+
+[kdc_princ_name]
+realm = EXP:0, GeneralString:${ENV::REALM}
+principal_name = EXP:1, SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0, INTEGER:1
+name_string = EXP:1, SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM}
+
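Review bot: The comment on the fourth added line, `# Here are some examples of the usage of nsCertType. If it is omitted`, is a truncated fragment carried over from a stock openssl.cnf and does not describe the `keyUsage` line beneath it; likewise `# Copy subject details` is separated from `issuerAltName=issuer:copy` by a blank line and that directive copies the issuer, not the subject. Replace them with `# keyUsage for a PKINIT KDC certificate` and `# Copy the issuer name into issuerAltName`, and annotate the two OIDs, e.g. `# id-pkinit-KPKdc` above `extendedKeyUsage = 1.3.6.1.5.2.3.5` and `# otherName is id-pkinit-san carrying the krbtgt principal` above the `subjectAltName` line, so a reviewer can check them without decoding the numbers. The section also mixes `key=value` and `key = value` spacing and `[ kdc_cert ]` against `[kdc_princ_name]`; OpenSSL accepts both, but one style throughout reads better.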
diff --git a/install/share/kdc_req.conf.template b/install/share/kdc_req.conf.template
new file mode 100644
index 000000000..872852079
--- /dev/null
+++ b/install/share/kdc_req.conf.template
@@ -0,0 +1,14 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+prompt = no
+output_password = $PASSWORD
+
+[ req_distinguished_name ]
+$SUBJBASE
+$CERTNAME
+
+[ req_attributes ]
+challengePassword = A challenge password
+
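Review bot: `challengePassword = A challenge password` under `[ req_attributes ]` is the placeholder text from the stock openssl.cnf; with `prompt = no` it is not a prompt label but the literal attribute value, so every CSR produced from this template carries a challengePassword attribute equal to "A challenge password". Unless something downstream consumes that attribute, drop `attributes = req_attributes` together with the section, or leave the section empty. `output_password = $PASSWORD`, `$SUBJBASE` and `$CERTNAME` appear to be installer substitutions rendered into a working copy of this file; since that copy then holds the key password in clear text, the code that writes it should use a restrictive mode, which is outside this hunk.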