From d5a361c7644b93f6520e9bffc3ead2a458443956 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Fri, 4 Sep 2009 00:26:24 +0300
Subject: [PATCH] Added support for OpenBSD and added initial version of krb5.conf template.
---
 kerberos/manifests/init.pp | 52 +++++++++++++++++++++++++++-----
 kerberos/templates/krb5.conf.erb | 29 ++++++++++++++++++
 2 files changed, 74 insertions(+), 7 deletions(-)
 create mode 100644 kerberos/templates/krb5.conf.erb
diff --git a/kerberos/manifests/init.pp b/kerberos/manifests/init.pp
index dd3b380..51ac621 100644
--- a/kerberos/manifests/init.pp
+++ b/kerberos/manifests/init.pp
@@ -9,11 +9,16 @@ class kerberos::client {
 }
 }
- file { "/etc/krb5.conf":
- ensure => present,
- mode => 0644,
- owner => root,
- group => $operatingsystem ? {
+ file { "krb5.conf":
+ path => $operatingsystem ? {
+ openbsd => "/etc/kerberosV/krb5.conf",
+ default => "/etc/krb5.conf",
+ },
+ ensure => present,
+ content => template("kerberos/krb5.conf.erb"),
+ mode => 0644,
+ owner => root,
+ group => $operatingsystem ? {
 openbsd => wheel,
 default => root,
 },
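Review bot: `kerberos::client` has no header comment naming the variables that the new `content => template("kerberos/krb5.conf.erb")` line depends on, although this same commit adds that kind of documentation for `kerberos::keytab`. The template reads `kerberos_realm` and `kerberos_kdc` and optionally `kerberos_kadmin`, so a comment above the class such as `# Requires $kerberos_realm and $kerberos_kdc (list of KDC hosts); $kerberos_kadmin is optional.` would tell users what to set before including it. It is also worth stating there that the file's content is now managed, so a hand-edited krb5.conf on an existing node will be replaced on the next run. The class body starts before this hunk, so the exact placement has to be checked against the full file.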
@@ -31,14 +36,47 @@ class kerberos::server inherits kerberos::client {
 }
-define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "root", $mode = "0600") {
+# Create keytab file.
+#
+# === Parameters
+#
+# $name:
+# Keytab file path.
+# $principals:
+# List of principals to be added into keytab
+# $ensure:
+# Set to present to create keytab and absent to remove it
+# $owner:
+# Owner for keytab file
+# $group:
+# Group for keytab file
+# $mode:
+# Permissions for keytab file
+#
+# === Sample usage
+#
+# kerberos::keytab { "/etc/krb5.keytab":
+# ensure => present,
+# principals => [ "testhost.foo.sh@FOO.SH" ],
+# }
+#
+define kerberos::keytab($principals = [], $ensure = present, $owner = "root", $group = "", $mode = "0600") {
+
+ case $group {
+ "": {
+ case $operatingsystem {
+ openbsd: { $real_group = "wheel" }
+ default: { $real_group = "root" }
+ }
+ }
+ }
 file { "${name}":
 ensure => $ensure,
 content => template("kerberos/keytab.erb"),
 mode => "${mode}",
 owner => "${owner}",
- group => "${group}",
+ group => "${real_group}",
 }
 }
diff --git a/kerberos/templates/krb5.conf.erb b/kerberos/templates/krb5.conf.erb
new file mode 100644
index 0000000..4188ff3
--- /dev/null
+++ b/kerberos/templates/krb5.conf.erb
@@ -0,0 +1,29 @@
+[libdefaults]
+ default_realm = <%= kerberos_realm %>
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+
+[domain_realm]
+ <%= kerberos_realm.downcase %> = <%= kerberos_realm %>
+ .<%= kerberos_realm.downcase %> = <%= kerberos_realm %>
+
+[realms]
+ <%= kerberos_realm -%> = {
+<% kerberos_kdc.each do |kdc| -%>
+ kdc = <%= kdc %>
+<% end -%>
+ admin_server = <% if has_variable?('kerberos_kadmin') %><%= kerberos_kadmin %><% else %><%= kerberos_kdc[0] %><% end %>
+ }
+
+<% if kernel == 'Linux' -%>
+[appdefaults]
+ pam = {
+ debug = false
+ ticket_lifetime = 36000
+ renew_lifetime = 36000
+ forwardable = true
+ krb4_convert = false
+ }
+<% end -%>
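Review bot: In the `kerberos::keytab` define, the outer `case $group` has only a `""` branch, so when a caller passes an explicit `group` the variable `$real_group` is never assigned and `group => "${real_group}"` would interpolate an empty value instead of the requested group. A keytab holds long-term keys and callers may pair a non-default group with a group-readable `mode`, so the ownership should end up exactly as requested; adding `default: { $real_group = $group }` to the outer case restores that. The new parameter documentation should also say that an empty `$group` selects `wheel` on OpenBSD and `root` elsewhere.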
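Review bot: In `krb5.conf.erb`, `kerberos_kdc.each` and the `kerberos_kdc[0]` fallback for `admin_server` both assume `kerberos_kdc` is an array. If a node sets it to a single host string, the fallback would yield one character (or a character code on older Ruby) rather than a hostname, and the loop's behaviour depends on the Ruby version. Normalising once at the top, for example `<% kdcs = [kerberos_kdc].flatten -%>`, and using `kdcs` in both places would render a usable file for either form. Separately, `forwardable = yes` in `[libdefaults]` and `forwardable = true` in the PAM `[appdefaults]` make tickets forwardable by default on every client; a template comment stating that this is intended would help, since a forwarded TGT is exposed on whichever host it is delegated to.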