tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
puppet/kerberos/manifests/init.pp

302 lines
7.2 KiB
Puppet
Raw Blame History

# Install and configure kerberos client
#
# === Global variables
#
# $kerberos_realm:
# Kerberos realm name.
#
# $kerberos_kdc:
# Array containing list of Kerberos KDC servers. Default is to
# find servers using DNS SRV records.
#
# $kerberos_kadmin:
# Kerberos admin server address. Defaults to first KDC server.
#
# $kerberos_kpasswd:
# Kerberos password change server address. Defaults to first
# KDC server.
#
# === Parameters
#
# $enctypes:
# Array containing encryption types used. Mainly needed due to
# older samba not getting AES keys from AD.
#
class kerberos::client($enctypes=[]) {
if !$kerberos_kadmin and $kerberos_kdc {
$kerberos_kadmin = $kerberos_kdc[0]
}
if !$kerberos_kpasswd and $kerberos_kdc {
$kerberos_kpasswd = $kerberos_kdc[0]
}
if !$kerberos_kdc {
$kerberos_kdc = []
}
case $::operatingsystem {
"centos","redhat","fedora": {
package { "krb5-workstation":
ensure => installed,
before => File["krb5.conf"],
}
}
"openbsd": {}
"debian","ubuntu": {
package { "krb5-user":
ensure => installed,
before => File["krb5.conf"],
}
}
default: {
fail("kerberos::client not supported in ${::operatingsystem}")
}
}
file { "krb5.conf":
ensure => present,
path => $::operatingsystem ? {
"openbsd" => "/etc/kerberosV/krb5.conf",
default => "/etc/krb5.conf",
},
content => template("kerberos/krb5.conf.erb"),
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
}
}
# Install daemon version of kinit
#
class kerberos::kstart {
package { "kstart":
ensure => installed,
}
}
# Configure kerberos authentication
#
# === Global variables
#
# $kerberos_realm:
# Kerberos realm name.
#
# $kerberos_kdc:
# Array containing list of Kerberos KDC servers. Default is to
# find servers using DNS SRV records.
#
# $kerberos_kadmin:
# Kerberos admin server address. Defaults to first KDC server.
#
# $kerberos_kpasswd:
# Kerberos password change server address. Defaults to first
# KDC server.
#
class kerberos::auth {
include pam::common
include kerberos::client
case $::operatingsystem {
"centos","redhat","fedora": {
package { "pam_krb5":
ensure => installed,
}
exec { "authconfig --enablekrb5 --update":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
unless => "egrep '^USEKERBEROS=yes\$' /etc/sysconfig/authconfig",
before => Class["kerberos::client"],
require => Package["authconfig", "pam_krb5"],
}
}
"debian","ubuntu": {
package { "libpam-krb5":
ensure => installed,
}
}
default: {
fail("kerberos::auth not supported on ${::operatingsystem}")
}
}
}
# Install Kerberos server
#
# === Global variables
#
# $kerberos_realm:
# Kerberos realm name.
#
# $kerberos_datadir:
# Directory where to store Kerberos database files
# defaults to /srv/kerberos
#
class kerberos::server {
require kerberos::client
package { "krb5-server":
ensure => installed,
}
if $kerberos_datadir {
file { $kerberos_datadir:
ensure => directory,
mode => "0600",
owner => "root",
group => "root",
seltype => "krb5_conf_t",
}
file { "/srv/kerberos":
ensure => link,
target => $kerberos_datadir,
owner => "root",
group => "root",
seltype => "usr_t",
require => File[$kerberos_datadir],
}
selinux::manage_fcontext { "${kerberos_datadir}(/.*)?":
type => "krb5_conf_t",
before => File[$kerberos_datadir],
}
selinux::manage_fcontext { "/srv/kerberos":
type => "usr_t",
before => File["/srv/kerberos"],
}
} else {
file { "/srv/kerberos":
ensure => directory,
mode => "0600",
owner => "root",
group => "root",
seltype => "krb5_conf_t",
}
selinux::manage_fcontext { "/srv/kerberos(/.*)?":
type => "krb5_conf_t",
before => File["/srv/kerberos"],
}
}
file { "/var/kerberos/krb5kdc/kdc.conf":
ensure => present,
content => template("kerberos/kdc.conf.erb"),
mode => "0600",
owner => "root",
group => "root",
require => [ Package["krb5-server"], File["/srv/kerberos"], ],
notify => Service["krb5kdc"],
}
service { "krb5kdc":
ensure => running,
enable => true,
subscribe => File["/etc/krb5.conf"],
}
file { "/var/kerberos/krb5kdc/kadm5.acl":
ensure => present,
content => template("kerberos/kadm5.acl.erb"),
mode => "0600",
owner => "root",
group => "root",
require => Package["krb5-server"],
notify => Service["kadmin"],
}
service { "kadmin":
ensure => running,
enable => true,
require => Service["krb5kdc"],
}
}
# Install Kerberos server with LDAP backend
#
# === Global variables
#
# $kerberos_realm:
# Kerberos realm name.
#
# $kerberos_datadir:
# Directory where to store Kerberos authentication keys
# defaults to /srv/kerberos
#
class kerberos::server::ldap inherits kerberos::server {
package { "krb5-server-ldap":
ensure => installed,
before => Service["krb5kdc"],
}
File["/var/kerberos/krb5kdc/kdc.conf"] {
content => template("kerberos/kdc-ldap.conf.erb"),
}
}
# Create keytab file.
#
# === Parameters
#
# $name:
# Keytab file path.
# $principals:
# List of principals to be added into keytab
# $ensure:
# Set to present to create keytab and absent to remove it
# $owner:
# Owner for keytab file
# $group:
# Group for keytab file
# $mode:
# Permissions for keytab file
#
# === Sample usage
#
# kerberos::keytab { "/etc/krb5.keytab":
# ensure => present,
# principals => [ "host/testhost.foo.sh@FOO.SH" ],
# }
#
define kerberos::keytab($principals=[], $ensure=present, $owner="root",
$group="", $mode="0600") {
case $group {
"": {
case $::operatingsystem {
"openbsd": { $real_group = "wheel" }
default: { $real_group = "root" }
}
}
default: {
$real_group = $group
}
}
keytab_generate($name, $principals)
$source = base64($name)
file { $name:
ensure => $ensure,
source => "puppet:///generated/${source}",
mode => $mode,
owner => $owner,
group => $real_group,
}
}
Reference in a new issue View git blame Copy permalink