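<%
# Fetch a Kerberos keytab containing `principals` (caching it under
# config['cachedir']) and emit its raw bytes as the file content.
#
# Inputs expected in the template scope: homename, name,
# principals (array of principal names), kerberos_user, kerberos_pass.
require 'digest/md5'
require 'expect'     # provides IO#expect used on the kadmin PTY below
require 'tempfile'
require 'pty'

config = {}
config['cachedir'] = '/var/cache/puppet'
config['kadmin']   = '/opt/heimdal/sbin/kadmin'
config['klist']    = '/usr/kerberos/bin/klist'

# Seconds to wait for kadmin's password prompt. Without a bound, IO#expect
# blocks the catalog compile indefinitely when the prompt never appears
# (e.g. kadmin fails before asking for a password).
prompt_timeout = 30

# Cache file name. MD5 is used only to get a filename-safe digest of `name`;
# it is not a security control here.
cachefile = File.join(config['cachedir'], homename + '.' + Digest::MD5.hexdigest(name))

# Return true when the keytab at path `keytab` lists every entry of `principals`.
# `klist -k` is run via the argv form of IO.popen (Ruby 1.9+) so the keytab
# path is never interpreted by a shell. Raises Errno::ENOENT if klist is absent
# (the old shell-string form silently reported "no entries" instead).
def check_keytab(config, keytab, principals)
  entries = []
  IO.popen([config['klist'], '-k', keytab], 'r') do |f|
    f.each_line do |l|
      # Entry lines look like "   <kvno> <principal>"; the second field is the
      # principal. NOTE(review): this matches MIT klist output — confirm the
      # column layout for the klist binary actually installed.
      next unless l =~ / \d+ .*/
      entries << l.split[1]
    end
  end
  # Set difference rather than comparing intersection size, so duplicate
  # names in `principals` cannot make the check fail (and regenerate) forever.
  (principals - entries).empty?
end

# Reuse the cached keytab only if it still holds every required principal; a
# stale or partial cache file is removed so it is regenerated below.
cached = File.exist?(cachefile) && check_keytab(config, cachefile, principals)
File.unlink(cachefile) if File.exist?(cachefile) && !cached

unless cached
  # Argv form: user, keytab path and principals go straight to kadmin without
  # shell interpretation, so metacharacters in any of them cannot alter the
  # command. The password is typed into the PTY rather than placed on the
  # command line, where it would be visible in the process list.
  status = nil # Process::Status of kadmin; nil if it could not be waited for
  PTY.spawn(config['kadmin'], '-p', kerberos_user, 'ext_keytab',
            '--keytab=' + cachefile, *principals) do |r, w, pid|
    prompted = begin
      r.expect(/^.*'s Password:\s+/, prompt_timeout)
    rescue Errno::EIO, EOFError
      nil # child exited before prompting
    end
    if prompted
      # Same bytes the original sent: password followed by exactly one newline.
      w.write(kerberos_pass + "\n")
    else
      # No prompt within the timeout: stop the child instead of hanging; the
      # missing or invalid keytab is then reported by the checks below.
      begin
        Process.kill('TERM', pid)
      rescue SystemCallError
        # already gone
      end
    end
    begin
      _, status = Process.wait2(pid)
    rescue SystemCallError
      # child already reaped
    end
  end
  # As before, the produced keytab (not kadmin's exit status) is what is
  # verified. NOTE(review): `status && !status.success?` could additionally be
  # treated as a failure to surface kadmin errors earlier.
  unless File.exist?(cachefile)
    raise 'Failed to create keytab ' + name
  end
  unless check_keytab(config, cachefile, principals)
    raise 'Invalid keytab ' + name + ' created'
  end
end

# Keytabs are binary: read in binary mode and close the handle explicitly
# (File.open(...).read left the descriptor open until GC).
# NOTE(review): the cache file holds key material; its mode is whatever kadmin
# and the process umask produced — confirm it is not group/world readable.
data = File.open(cachefile, 'rb') { |f| f.read }
-%><%= data -%>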