From 4cd45826791ae94ca61177f9b7d75b4b150c4eb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Wed, 18 Apr 2012 15:56:51 +0300
Subject: [PATCH] Converted kerberos::keytab to use MIT kerberos tools and changed authentication to use keytab files instead of password.
---
 kerberos/templates/keytab.erb | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/kerberos/templates/keytab.erb b/kerberos/templates/keytab.erb
index 8532811..e15afbc 100644
--- a/kerberos/templates/keytab.erb
+++ b/kerberos/templates/keytab.erb
@@ -3,12 +3,11 @@ require 'digest/md5'
 require 'expect'
 require 'tempfile'
-require 'pty'
 config = {}
 config['cachedir'] = '/var/cache/puppet'
-config['kadmin'] = '/opt/heimdal/sbin/kadmin'
+config['kadmin'] = '/usr/kerberos/sbin/kadmin'
 config['klist'] = '/usr/kerberos/bin/klist'
@@ -16,7 +15,6 @@ config['klist'] = '/usr/kerberos/bin/klist'
 cachefile = File.join(config['cachedir'], homename + '.' + Digest::MD5.hexdigest(name))
-
 # function to check if keytab contains required principals
 def check_keytab(config, keytab, principals)
 entries = []
@@ -48,20 +46,11 @@ end
 # create new keytab if cache is not up to date
 if not cached
- cmd = sprintf('%s -p %s ext_keytab --keytab=%s %s', config['kadmin'],
- kerberos_user, cachefile, principals.join(' '))
- retval = nil
- PTY.getpty(cmd) do |r,w,pid|
- r.expect(/^.*'s Password:\s+/)
- w.puts kerberos_pass + "\n"
- begin
- pid, retval = Process.wait2(pid)
- rescue
- nil
- end
- end
+ cmd = sprintf('%s -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s"',
+ config['kadmin'], kerberos_user, cachefile, principals.join(' '))
+ output = `#{cmd} 2>&1`
 if not File.exists?(cachefile)
- raise 'Failed to create keytab ' + name
+ raise 'Failed to create keytab ' + name + ' error was: ' + output
 elsif not check_keytab(config, cachefile, principals)
 raise 'Invalid keytab ' + name + ' created'
 end
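Review bot: In the last hunk the backticks hand `cmd` to the shell with `kerberos_user`, `cachefile` and `principals.join(' ')` interpolated unquoted, the principals sitting inside the double-quoted `-q "ktadd ..."` argument, so a quote or shell metacharacter in any of them changes what runs. The removed PTY call took a similar string and the origin of these values is not visible here, so they should be checked against an allow-list pattern before the command is built (adjust the pattern below to the principal forms in use). The outcome is also judged only by `File.exists?(cachefile)`: if an older cache file is already present and kadmin fails, control reaches 'Invalid keytab' and the captured `output` is lost, so `$?` should be checked right after the backticks. Separately, MIT's `ktadd` randomizes the principal's keys by default as it writes them, unlike the `ext_keytab` extraction it replaces, so a cache miss invalidates any keytab already issued for the same principal; that deserves a comment next to the command. The `if not cached` block closes outside this hunk.

```ruby
# … unchanged: "if not cached" guard …
  principals.each do |princ|
    unless princ =~ /\A[A-Za-z0-9._\/-]+(@[A-Za-z0-9.-]+)?\z/
      raise 'Unsafe principal name ' + princ.inspect + ' for keytab ' + name
    end
  end
  # … unchanged: cmd = sprintf(...) …
  output = `#{cmd} 2>&1`
  if not $?.success?
    raise 'kadmin failed for keytab ' + name + ' error was: ' + output
  elsif not File.exists?(cachefile)
    raise 'Failed to create keytab ' + name + ' error was: ' + output
  # … unchanged: check_keytab branch …
```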