Converted kerberos::keytab to use MIT kerberos tools and changed authentication to use keytab files instead of password.

kerberos/templates/keytab.erb

@@ -3,12 +3,11 @@
 require 'digest/md5'
 require 'expect'
 require 'tempfile'
-require 'pty'
 
 
 config = {}
 config['cachedir'] = '/var/cache/puppet'
-config['kadmin'] = '/opt/heimdal/sbin/kadmin'
+config['kadmin'] = '/usr/kerberos/sbin/kadmin'
 config['klist'] = '/usr/kerberos/bin/klist'
 
 
@@ -16,7 +15,6 @@ config['klist'] = '/usr/kerberos/bin/klist'
 cachefile = File.join(config['cachedir'],
 		      homename + '.' + Digest::MD5.hexdigest(name))
 
-
 # function to check if keytab contains required principals
 def check_keytab(config, keytab, principals)
   entries = []
@@ -48,20 +46,11 @@ end
 
 # create new keytab if cache is not up to date
 if not cached
-  cmd = sprintf('%s -p %s ext_keytab --keytab=%s %s', config['kadmin'],
+  cmd = sprintf('%s -p %s -k -t /etc/puppet/puppet.keytab -q "ktadd -k %s %s"',
-		kerberos_user, cachefile, principals.join(' '))
+      config['kadmin'], kerberos_user, cachefile, principals.join(' '))
-  retval = nil
+  output = `#{cmd} 2>&1`
-  PTY.getpty(cmd) do |r,w,pid|
-    r.expect(/^.*'s Password:\s+/)
-    w.puts kerberos_pass + "\n"
-    begin
-      pid, retval = Process.wait2(pid)
-    rescue
-      nil
-    end
-  end
   if not File.exists?(cachefile)
-    raise 'Failed to create keytab ' + name
+    raise 'Failed to create keytab ' + name + ' error was: ' + output
   elsif not check_keytab(config, cachefile, principals)
     raise 'Invalid keytab ' + name + ' created'
   end