#!/bin/sh

set -eu

read puavo_domain            < /etc/puavo/domain
read puavo_kerberos_master   < /etc/puavo/kerberos/master
read puavo_kerberos_realm    < /etc/puavo/kerberos/realm
read puavo_kerberos_toprealm < /etc/puavo/kerberos/toprealm
read puavo_ldap_master       < /etc/puavo/ldap/master
read puavo_topdomain         < /etc/puavo/topdomain

krb5_config() {
  local use_kerberos_slave
  use_kerberos_slave=$1

  slave_kdc_config=''
  if $use_kerberos_slave \
    && [ "$puavo_kerberos_master" != "kerberos.${puavo_domain}" ]; then
      # Use a possible bootserver kerberos as the fallback server in case
      # it can be found.
      slave_kdc_config="                kdc = kerberos.${puavo_domain}"
  fi

  realms=$(
    cat <<EOF
[realms]
        ${puavo_kerberos_realm} = {
                kdc = ${puavo_kerberos_master}
EOF
    if [ -n "$slave_kdc_config" ]; then printf "%s\n" "$slave_kdc_config"; fi
    cat <<EOF
                default_domain = ${puavo_domain}
        }
        ${puavo_kerberos_toprealm} = {
                kdc = ${puavo_ldap_master}
                default_domain = ${puavo_topdomain}
        }
EOF
)

  cat <<EOF
[libdefaults]
    default_realm = ${puavo_kerberos_realm}
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-hmac-sha1
    dns_lookup_kdc = false
    dns_lookup_realm = false
    allow_weak_crypto = true
    dns_canonicalize_hostname = false

${realms}

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 604800
                renew_lifetime = 604800
                forwardable = true
                krb4_convert = false
                ignore_k5login = true
        }
EOF
}

krb5_config true > /etc/krb5.conf.tmp
mv /etc/krb5.conf.tmp /etc/krb5.conf

krb5_config false > /etc/krb5.conf.masteronly.tmp
mv /etc/krb5.conf.masteronly.tmp /etc/krb5.conf.masteronly
