Import rest of modules.

2009-08-20 00:24:14 +03:00 · 2009-08-20 00:24:14 +03:00 · 3f225ced9b
commit 3f225ced9b
parent 02fa10f33c
39 changed files with 2056 additions and 0 deletions
--- a/kerberos/manifests/init.pp
+++ b/kerberos/manifests/init.pp
@ -0,0 +1,44 @@
+
+class kerberos::client {
+
+    case $operatingsystem {
+	centos,fedora: {
+	    package { ["krb5-workstation", "pam-krb5"]:
+		ensure => installed,
+	    }
+	}
+    }
+
+    file { "/etc/krb5.conf":
+	ensure => present,
+	mode   => 0644,
+	owner  => root,
+	group  => $operatingsystem ? {
+	    openbsd => wheel,
+	    default => root,
+	},
+    }
+
+}
+
+
+class kerberos::server inherits kerberos::client {
+
+    package { "heimdal-server":
+	ensure => installed,
+    }
+
+}
+
+
+define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "root", $mode = "0600") {
+
+    file { "${name}":
+	ensure  => $ensure,
+	content => template("kerberos/keytab.erb"),
+	mode    => "${mode}",
+	owner   => "${owner}",
+	group   => "${group}",
+    }
+
+}
--- a/kerberos/templates/keytab.erb
+++ b/kerberos/templates/keytab.erb
@ -0,0 +1,73 @@
+<%
+
+require 'digest/md5'
+require 'expect'
+require 'tempfile'
+require 'pty'
+
+
+config = {}
+config['cachedir'] = '/var/cache/puppet'
+config['kadmin'] = '/opt/heimdal/sbin/kadmin'
+config['klist'] = '/usr/kerberos/bin/klist'
+
+
+# set global vars
+cachefile = File.join(config['cachedir'],
+		      fqdn + '.' + Digest::MD5.hexdigest(name))
+
+
+# function to check if keytab contains required principals
+def check_keytab(config, keytab, principals)
+  entries = []
+  IO.popen(sprintf('%s -k %s', config['klist'], keytab), mode='r') { |f|
+    f.readlines.each do |l|
+      next unless l =~ /   \d+ .*/
+      entries << l.split()[1]
+    end
+  }
+  t = principals & entries.uniq
+  if t.size != principals.size
+    return false
+  else
+    return true
+  end
+end
+
+
+# check if we have cached keytab up to date
+cached = true
+if File.exists?(cachefile)
+  if not check_keytab(config, cachefile, principals)
+    cached = false
+    File.unlink(cachefile)
+  end
+else
+  cached = false
+end
+
+# create new keytab if cache is not up to date
+if not cached
+  cmd = sprintf('%s -p %s ext_keytab --keytab=%s %s', config['kadmin'],
+		kerberos_user, cachefile, principals.join(' '))
+  retval = nil
+  PTY.getpty(cmd) do |r,w,pid|
+    r.expect(/^.*'s Password:\s+/)
+    w.puts kerberos_pass + "\n"
+    begin
+      pid, retval = Process.wait2(pid)
+    rescue
+      nil
+    end
+  end
+  if not File.exists?(cachefile)
+    raise 'Failed to create keytab ' + name
+  elsif not check_keytab(config, cachefile, principals)
+    raise 'Invalid keytab ' + name + ' created'
+  end
+end
+
+# read keytab into memory
+data = File.open(cachefile).read
+
+-%><%= data -%>