Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-krb5', '7.8.0'
Learn more about managing modules with a Puppetfile in the Puppet documentation.
Krb5
Module Description
Management of the MIT Kerberos Stack
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
This module is designed for use within a larger SIMP ecosystem, but many of its functions can be used independently.
See REFERENCE.md for full API details.
Setup
What krb5 affects
The module, by default, sets up a fully functional KDC in your environment and generates keytabs for one admin user and for all of your hosts that it can discover via the SIMP keydist directory.
keydist discovery only works if the KDC is on the same system as your Puppet Server!
Setup Requirements
To use this module, simply install it into your environment's modulepath.
If you wish to have your keytabs available for automatic distribution via puppet, you will need to create a krb5_files module that the puppet user can write to.
It is recommended that you make this a location that is separated from your regular modules so that your code synchronization engine does not remove the files and so that this sensitive information is not placed into revision control.
The simplest method for doing this is to create an environment.conf file in your environment that has something like the following. The simp directory in the example below should be used unless you explicitly set krb5::kdc::auto_keytabs::output_dir.
modulepath = modules:/var/simp/environments/<my_environment>/site_files:$basemodulepath
You will then need to create the target keytabs directory in that space so that the puppet type knows that it should write the keytabs.
To create the default required directories, run the following on the puppet master:
mkdir -p /var/simp/environments/<my_environment>/site_files/krb5_files/files/keytabs
chgrp -R puppet /var/simp
chmod -R g+rX /var/simp
chmod g+w /var/simp/environments/<my_environment>/site_files/krb5_files/files/keytabs
If you have SELinux enabled, don't forget to set your contexts appropriately!
chcon -R -t puppet_var_lib_t /var/simp
Beginning with krb5
The following sections give a brief guide on how to get started; for more information, please see the official Red Hat documentation.
NOTE
You can skip this section if you're using the default settings. These will complete the following for you with randomly generated passwords for all keytabs and the master password.
Usage
Automatically manage the KDC and keytabs on clients
The examples in this section provide the hiera configuration needed to automatically set up the KDC along with automated keytab distribution.
Set the following to be applied to all nodes that require Kerberos connectivity
classes:
- 'krb5::keytab'
krb5: true
On your puppet server, set the following
classes:
- 'krb5::kdc'
Keytab Propagation
When puppet runs on the server, it will generate a set of keytabs, one per known host. By default, the keytabs will be placed in /var/kerberos/krb5kdc/generated_keytabs/. If the setup instructions were followed for the puppet server, then the keytabs will be placed in the created directory.
During subsequent client execution, each puppet client will have all generated keytabs copied to their system in /etc/krb5_keytabs. The default keytab, krb5.keytab, will be copied to /etc/krb5.keytab and act as the system default.
While it is unlikely that you will have more than one keytab, the facility has been created to support that structure should you require it in the future for different applications.
NOTE
Should you opt out of combining your puppet server and KDC, you will need to copy the generated keytabs from your KDC to the puppet server and into a keytabs distribution space as specified in Setup Requirements. Be sure to properly set your permissions after copy!
Manual Configuration and Expansion
If you opt out of the automated process above, you can use the following to generate keytabs for your principals and distribute them in a manner of your choice.
Creating Admin Principals
ACL Configuration
The following Puppet code snippet will create an ACL for your admin user that is probably appropriate for your organization.
krb5_acl { "${facts['networking']['domain']}_admin":
  principal      => "*/admin@${facts['networking']['domain']}",
  operation_mask => '*'
}
Create Your Admin Principal
Your first principal will be an admin principal and will be allowed to manage the environment since it is in the admin group. This must be created on the KDC system.
Run the following command, as root, to create your principal:
/usr/sbin/kadmin.local -r YOUR.DOMAIN -q "addprinc <username>/admin"
You can now do everything remotely using this principal. Load it using
$ /usr/bin/kinit <username>/admin
Creating Host Principals
Before you can really do anything with your hosts, you need to ensure that the host itself has a keytab.
It is highly recommended that you use the instructions in Setup Requirements
to provide a protected space for your keytabs to be distributed.
On the KDC, generate a principal for each host in your environment using the following:
/usr/sbin/kadmin.local -r YOUR.DOMAIN -q 'addprinc -randkey host/<fqdn>'
Create Your Keytabs
Then, create a separate keytab file for each of your created hosts using the following command:
/usr/sbin/kadmin.local -r YOUR.DOMAIN -q 'ktadd -k <fqdn>.keytab host/<fqdn>'
Once this is complete, the keys will be propagated across your environment per Keytab Propagation.
Integration with SIMP NFS Module
Please see our NFS module documentation or our online documentation for information on how to integrate KRB5 with NFS.
Limitations
SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution.
Development
Please read our Contribution Guide.
If you find any issues, they can be submitted to our JIRA.
Acceptance tests
To run the system tests, you need Vagrant installed.
You can then run the following to execute the acceptance tests:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
- BEAKER_debug: show the commands being run on the STU and their output.
- BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
- krb5: Kerberos 5 management and manipulation
- krb5::client: A client class that will connect with the given KDC
- krb5::config: NOTE: THIS IS A PRIVATE CLASS. Basic configuration of the MIT Kerberos client
- krb5::config::default_settings: Default System Settings
- krb5::install: Install the MIT Kerberos client
- krb5::kdc: The necessary structure to manage the Kerberos 5 KDC on a given system.
- krb5::kdc::auto_keytabs: Provides a mechanism for auto-generating keytabs on the KDC as well as provisioning those keytabs for distribution via Puppet if possible.
- krb5::kdc::config: Provides the necessary structure to manage the Kerberos 5 KDC on a given system.
- krb5::kdc::firewall: Set up the firewall for the KDC
- krb5::kdc::install: Install the krb5kdc packages
- krb5::kdc::selinux_hotfix: This class provides a hotfix for a broken SELinux policy in EL7
- krb5::kdc::service: Manage the KRB5 services
- krb5::keytab: Distribute Kerberos keytabs in a sane manner
Defined types
- krb5::kdc::realm: Allows you to add a realm to the [realms] section of /var/kerberos/krb5kdc/kdc.conf.
- krb5::setting: Allows you to set individual configuration elements in /etc/krb5.conf.
- krb5::setting::domain_realm: Allows you to configure individual domain => realm mappings.
- krb5::setting::realm: Allows you to add a realm to the [realms] section of /etc/krb5.conf.
Resource types
- krb5_acl: Manages krb5 kadmind ACL entries per kadmind(8). When removing an entry, you can specify a regex for the operation_target and all associated entries will be removed.
- krb5kdc_auto_keytabs: Auto-generates principals and keytabs on a functional KDC and outputs the keytabs to a directory of the user's choosing. Can optionally take a hash of hosts, with associated principal metadata, to be created on the KDC.
Functions
- krb5::munge_conf_filename: Returns a string that is safe to use as a filename for including in krb5 configuration files.
- krb5::validate_time_duration: Validates that the passed string is a valid krb5 time duration per http://web.mit.edu/kerberos/krb5-1.13/doc/basic/date_format.html#duration.
Classes
krb5
This base class installs everything necessary for basic KRB client use
We modify the default /etc/krb5.conf to use an include structure under /etc/krb5.conf.simp.d. Each [subsection] is broken out into a separate directory and all files in that directory are included.
Parameters
The following parameters are available in the krb5 class:
ldap
Data type: Boolean
Configure the system to incorporate LDAP components
- This presently does not set up the LDAP back-end for KRB5
Default value: simplib::lookup('simp_options::ldap', { 'default_value' => false })
firewall
Data type: Boolean
Use the SIMP iptables module
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
haveged
Data type: Boolean
Use the SIMP haveged module
Default value: simplib::lookup('simp_options::haveged', { 'default_value' => true })
enctypes
Data type: Array[String]
An Array of default permitted encryption types
Default value: [ 'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96' ]
krb5::client
By default, this is set up to connect with the KDC that would be configured if you use the default options.
Parameters
The following parameters are available in the krb5::client class:
realms
Data type: Hash[String, Struct[{ admin_server => Simplib::Host, Optional[kdc] => Simplib::Host }]]
A Hash of Kerberos Realms that provide a Realm paired with an Admin Server and a KDC
- If you specify nothing here, then the system will try to set up a client with the Puppet server as the KDC. This will fail if no server is specified.
Default value: {}
krb5::config
NOTE: THIS IS A PRIVATE CLASS
Basic configuration of the MIT Kerberos client
Parameters
The following parameters are available in the krb5::config class:
config_dir
default_realm
realm_domains
dns_lookup_realm
dns_lookup_kdc
renew_lifetime
forwardable
clockskew
permitted_tgs_enctypes
permitted_tkt_enctypes
permitted_enctypes
puppet_exclusive_managed
config_dir
Data type: Stdlib::Absolutepath
The path to the Puppet managed config files.
Default value: '/etc/krb5.conf.simp.d'
default_realm
Data type: String
Default realm to which to bind.
Default value: inline_template('<%= @domain.upcase %>')
realm_domains
Data type: Array[String]
Array of domains bound to the default realm set in $default_realm.
Default value: [ ".${facts['networking']['domain']}", $facts['networking']['domain'] ]
dns_lookup_realm
Data type: Boolean
Use DNS TXT records to lookup the realm.
Default value: false
dns_lookup_kdc
Data type: Boolean
Use DNS SRV records to lookup the KDC.
Default value: true
renew_lifetime
Data type: String
The default renewable lifetime for initial tickets. Should be a valid krb5 Time Duration string. @see http://web.mit.edu/kerberos/krb5-1.13/doc/basic/date_format.html#duration
Default value: '7d'
forwardable
Data type: Boolean
Whether or not to make initial tickets forwardable by default. This is needed for SSH GSSAPI.
Default value: true
clockskew
Data type: Integer[0]
Max allowable amount of seconds of clockskew allowed before assuming that a message is invalid.
Default value: 500
permitted_tgs_enctypes
Data type: Array[String]
Supported encryption types reported by the KDC.
Default value: $krb5::enctypes
permitted_tkt_enctypes
Data type: Array[String]
Permitted client encryption types.
Default value: $krb5::enctypes
permitted_enctypes
Data type: Array[String]
Permitted session key encryption types.
Default value: $krb5::enctypes
puppet_exclusive_managed
Data type: Boolean
Set to false to allow users to add files to the /etc/krb5.conf.d directory manually.
Default value: true
krb5::config::default_settings
NOTE: THIS IS A PRIVATE CLASS
krb5::install
NOTE: THIS IS A PRIVATE CLASS
Parameters
The following parameters are available in the krb5::install class:
packages
Data type: Array[String[1]]
The list of packages to install
- Provided by module data
ensure
Data type: String[1]
The package state to ensure
- Compatible with the Package resource's ensure parameter
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
haveged
Data type: Boolean
Include haveged for entropy generation.
Default value: $krb5::haveged
krb5::kdc
The variables used here can be found in kdc.conf(5).
Any variable not covered here can be managed using file resources.
Examples
Add Your Own Custom Config Snippet
class my_krb5kdc {
  include 'krb5::kdc'
  file { "${krb5::kdc::config_dir}/my_snippet__custom":
    content => "My Custom Content"
  }
  Class['krb5::kdc'] -> Class['my_krb5kdc']
  Class['my_krb5kdc'] ~> Class['krb5::kdc::service']
}
Parameters
The following parameters are available in the krb5::kdc class:
trusted_nets
config_dir
ldap
firewall
haveged
auto_initialize
auto_realm
auto_management_principal
auto_generate_host_keytabs
trusted_nets
Data type: Simplib::Netlist
An Array of hostnames or IP addresses that are allowed into this system. Only used by the IPTables settings.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1'] })
config_dir
Data type: Stdlib::Absolutepath
The path to the Puppet managed config files.
Default value: '/var/kerberos/krb5kdc/kdc.conf.simp.d'
ldap
Data type: Boolean
If set, configure the system to incorporate LDAP components. @note This presently does not set up the LDAP back-end for KRB5
Default value: $krb5::ldap
firewall
Data type: Boolean
If set, use the SIMP iptables module.
Default value: $krb5::firewall
haveged
Data type: Boolean
If set, enable the HAVEGE daemon for entropy
Default value: $krb5::haveged
auto_initialize
Data type: Boolean
If set, create a default realm and do all necessary work to set up the environment for production.
@note This will simply use the system defaults. If you want something other than that, you'll need to call the krb5::kdc::realm define directly.
If you select this, this will automatically initialize your Kerberos database and prepare your system to run.
Default value: true
auto_realm
Data type: String
If $auto_initialize is set, then use this string as your default Kerberos Realm.
Default value: $facts['networking']['domain']
auto_management_principal
Data type: String
If $auto_initialize is set, then use this string as the primary Kerberos principal name for the default Realm.
Default value: 'puppet_auto'
auto_generate_host_keytabs
Data type: Boolean
If set, create keytabs for all hosts that Puppet currently knows about. @note Host Principals are identified by having a 'host/' entry in the list of principals. Any host without one of these entries will be ignored.
This is not dependent on $auto_initialize! You may want to toggle some of the parameters in the krb5::kdc::auto_keytabs class to tailor the generation.
This capability expects a ${module_name}_files module to be present in the environment's module path. It is not recommended that you place this module inside of the standard module path. Instead, the containing directory should be added to the modulepath directive of your environment.conf.
@see https://docs.puppet.com/puppet/4.5/reference/config_file_environment.html
With the ${module_name}_files module, you should also have a section in your Puppet auth.conf that looks something like the following and is placed before the path /file stanza.
@example auth.conf update
# Restrict access to a directory that matches the hostname
# Example: /environments/production/krb5_files/files/my.host.name.domain
path ~ ^/file_(metadata|content)/modules/krb5_files/([^/]+)
allow $2
Default value: true
krb5::kdc::auto_keytabs
NOTE: THIS IS A PRIVATE CLASS
The keytabs will be collected in a directory that is, by default, located at /var/kerberos/krb5kdc/generated_keytabs.
The target directory will have subdirectories created, one per host/fqdn@REALM principal, that match the fqdn of the host.
Each of those directories will have a krb5.keytab file created that contains all discovered keytabs for the principal, regardless of REALM.
- Note: If this is enabled on a Puppet server, and $introspect is true, it will attempt to install the keytabs into the ${environmentpath}/${environment}/site_files/${module_name}_files/files/keytabs directory.
It will also attempt to automatically create host keytabs for any hosts in one of the following two directories:
- ${environmentpath}/${environment}/keydist
- ${environmentpath}/${environment}/site_files/pki_files/files/keydist
@note For any of the above, if $environmentpath is empty, or does not exist, then $confdir will be substituted for ${environmentpath}/${environment}
Parameters
The following parameters are available in the krb5::kdc::auto_keytabs class:
introspect
Data type: Boolean
If set, attempt to discover, and create all relevant keytabs from data on the Puppet server. @note This has no effect if you aren't running on a Puppet server.
Default value: true
output_dir
Data type: Optional[Stdlib::Absolutepath]
The directory into which to install the keytabs.
Default value: undef
all_known
Data type: Boolean
If set, generate keytabs for any 'host/.*' entries known to the KDC.
Default value: false
user
Data type: String
The user that should own the keytab files.
Default value: 'root'
group
Data type: String
The group that should own the keytab files.
Default value: 'puppet'
realms
Data type: String
The REALMs into which the hosts should be added unless otherwise specified in the $hosts Hash. Will be auto-upcased.
Default value: simplib::lookup('krb5::kdc::auto_realm', { 'default_value' => $facts['networking']['domain'] })
global_services
Data type: Array[String]
An Array of Kerberos services that should be added to all hosts.
Default value: []
hosts
Data type:
Hash[String, Struct[{ 'ensure' => Enum['absent','present'], Optional['realms'] => Array[String], Optional['services'] => Array[String] }]]
A Hash of hosts for which keytabs should be generated, and kept in the KDC by Puppet. This is done as a Hash so that you don't end up with thousands of Puppet resources in your catalog.
@note The Hash should be formatted as follows:
{
  'fqdn' => {
    'ensure'   => ('absent'|'present'), # Required
    'realms'   => ['REALM1', 'REALM2'], # Optional. Will be auto upcased.
    'services' => ['svc1','svc2']       # Optional
  }
}
@note This will be combined with the auto-generated hosts if $auto_generate is true
Default value: {}
purge
Data type: Boolean
If set, purge any keytab directories for systems that we don't know about.
Default value: true
krb5::kdc::config
NOTE: THIS IS A PRIVATE CLASS
The variables used here can be found in kdc.conf(5).
Any variable not covered here can be managed using file resources.
Examples
Add Your Own Custom Config Snippet
class my_krb5kdc {
  include 'krb5::kdc'
  file { "${krb5::kdc::config_dir}/my_snippet__custom":
    content => "My Custom Content"
  }
  Class['krb5::kdc'] -> Class['my_krb5kdc']
  Class['my_krb5kdc'] ~> Class['krb5::kdc::service']
}
Parameters
The following parameters are available in the krb5::kdc::config class:
kdb5_password
Data type: String
The password that should be used for auto-initializing the Principal database
- If this password is changed, there will be no effect unless the password file is physically removed from the system
@note For safety, the Principal database will not be rebuilt unless it is physically absent from the system
Default value: simplib::passgen('kdb5kdc', { 'length' => 1024 })
kdc_ports
Data type: Array[Simplib::Port]
The UDP ports on which the KDC should listen
Default value: [88, 750]
kdc_tcp_ports
Data type: Array[Simplib::Port]
The TCP ports on which the KDC should listen
Default value: [88, 750]
krb5::kdc::firewall
NOTE: THIS IS A PRIVATE CLASS
Parameters
The following parameters are available in the krb5::kdc::firewall class:
kdc_ports
Data type: Array[Simplib::Port]
The UDP ports on which the KDC should listen
Default value: $krb5::kdc::config::kdc_ports
kdc_tcp_ports
Data type: Array[Simplib::Port]
The TCP ports on which the KDC should listen
Default value: $krb5::kdc::config::kdc_tcp_ports
trusted_nets
Data type: Simplib::Netlist
Hostnames and/or IP addresses that are allowed into this system
- Only used by the IPTables settings
Default value: $krb5::kdc::config::_trusted_nets
allow_kadmind
Data type: Boolean
Allow remote connections to kadmind
- You should probably always allow this
Default value: true
kadmind_udp_ports
Data type: Array[Simplib::Port]
The UDP ports on which kadmind should listen
Default value: [464]
kadmind_tcp_ports
Data type: Array[Simplib::Port]
The TCP ports on which kadmind should listen
Default value: [464, 749]
krb5::kdc::install
NOTE: THIS IS A PRIVATE CLASS
Parameters
The following parameters are available in the krb5::kdc::install class:
ensure
Data type: String
The package state to ensure
- Accepts all valid options for the Package resource's ensure parameter
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
krb5::kdc::selinux_hotfix
NOTE: THIS IS A PRIVATE CLASS
The OS confinement of this class should be done elsewhere.
krb5::kdc::service
NOTE: THIS IS A PRIVATE CLASS
Parameters
The following parameters are available in the krb5::kdc::service class:
ensure
Data type: String
May be one of 'running' or 'stopped'.
Default value: 'running'
enable
Data type: Boolean
If true, enable the services at boot time.
Default value: true
krb5::keytab
Users should feel free to do what they like, but this will be consistent
Parameters
The following parameters are available in the krb5::keytab class:
keytab_source
Data type: Any
The File resource compatible source for the system keytab
Default value: "puppet:///modules/krb5_files/keytabs/${facts['networking']['fqdn']}"
owner
Data type: Any
The keytab file owner
Default value: 'root'
group
Data type: Any
The keytab file group
Default value: 'root'
mode
Data type: Any
The keytab file mode
Default value: '0400'
Defined types
krb5::kdc::realm
Note: The kdc.conf file is fully managed by Puppet
See also:
- kdc.conf(5), REALMS SECTION
Parameters
The following parameters are available in the krb5::kdc::realm defined type:
initialize
auto_principal
trusted_nets
acl_file
admin_keytab
database_name
default_principal_expiration
default_principal_flags
dict_file
kadmind_port
kpasswd_port
key_stash_file
kdc_ports
kdc_tcp_ports
master_key_name
master_key_type
max_life
max_renewable_life
iprop_enable
iprop_master_ulogsize
iprop_slave_poll
supported_enctypes
reject_bad_transit
config_dir
ensure
firewall
initialize
Data type: Boolean
If set, auto-initialize the Realm. This will add an initial Principal for this Realm.
Default value: false
auto_principal
Data type: String
If $initialize is set, this principal will be created as an administrative Principal on the Realm.
Default value: 'puppet_auto'
trusted_nets
Data type: Simplib::Netlist
networks to allow access into the KDC realm.
Default value:
pick(
getvar('krb5::kdc::trusted_nets'),
simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1']})
)
acl_file
Data type: Stdlib::Absolutepath
The path to the KDC realm ACL file.
Default value: "/var/kerberos/krb5kdc/kadm5_${name}.acl"
admin_keytab
Data type: Stdlib::Absolutepath
The path to the KDC realm keytab.
Default value: "/var/kerberos/krb5kdc/kadm5_${name}.keytab"
database_name
Data type: Optional[String]
The path to the KDC realm database.
Default value: undef
default_principal_expiration
Data type: Optional[String]
The Absolute Time for expiring the principal expiration date for this realm. @see http://web.mit.edu/kerberos/krb5-devel/doc/basic/date_format.html#abstime
Default value: undef
default_principal_flags
Data type: Array[String]
An array following the format prescribed in the man page. The absence of a '-' in front of the entry implies that a '+' will be added.
Default value: []
dict_file
Data type: Stdlib::Absolutepath
The path to the dictionary file of strings that are not allowed as passwords.
Default value: '/usr/share/dict/words'
kadmind_port
Data type: Optional[Simplib::Port]
The port on which kadmind should listen.
Default value: undef
kpasswd_port
Data type: Optional[Simplib::Port]
The port on which kpasswd should listen.
Default value: undef
key_stash_file
Data type: Optional[Stdlib::Absolutepath]
The path to the KDC realm master key.
Default value: undef
kdc_ports
Data type: Array[Simplib::Port]
UDP ports upon which the KDC should listen.
Default value: []
kdc_tcp_ports
Data type: Array[Simplib::Port]
TCP ports upon which the KDC should listen.
Default value: []
master_key_name
Data type: Optional[String]
The principal associated with the master key.
Default value: undef
master_key_type
Data type: String
The master key's key type.
Default value: 'aes256-cts'
max_life
Data type: Optional[String]
The maximum time period for which a ticket may be valid. Should be a valid krb5 Time Duration string. @see http://web.mit.edu/kerberos/krb5-1.13/doc/basic/date_format.html#duration
Default value: undef
max_renewable_life
Data type: Optional[String]
The maximum time period during which a valid ticket may be renewed. Should be a valid krb5 Time Duration string.
Default value: undef
iprop_enable
Data type: Optional[Boolean]
Whether incremental database propagation is enabled.
Default value: undef
iprop_master_ulogsize
Data type: Optional[Integer]
The maximum number of log entries for incremental propagation.
Default value: undef
iprop_slave_poll
Data type: Optional[String]
How often the KDC polls for new updates from the master.
Default value: undef
supported_enctypes
Data type: Array[String]
The default key/salt combinations for this realm.
Default value: [ 'aes256-cts:normal', 'aes128-cts:normal' ]
reject_bad_transit
Data type: Optional[Boolean]
Whether to check the list of transited realms for cross-realm tickets.
Default value: undef
config_dir
Data type: Stdlib::Absolutepath
The path to the Puppet managed config files.
Default value: simplib::lookup('krb5::kdc::config_dir', { 'default_value' => '/var/kerberos/krb5kdc/kdc.conf.simp.d' })
ensure
Data type: String
Whether to set or clear the key. Valid values are 'present' and 'absent'. Setting anything besides 'absent' will default to 'present'.
Default value: 'present'
firewall
Data type: Boolean
Whether to add appropriate iptables rules for KDC
Default value: simplib::lookup('krb5::kdc::firewall', { 'default_value' => false })
krb5::setting
Sections with nested sub-sections or allowed repeated keys have their own specialized defines.
- See also
- krb5.conf(5)
Parameters
The following parameters are available in the krb5::setting defined type:
value
Data type: Scalar
The number/string/boolean that should be used to set the designated value. This will not be processed so make sure that it's what you want to output to the system.
target
Data type: Stdlib::Absolutepath
The target directory to which to add setting files.
Default value: pick(getvar('krb5::config::config_dir'), '/etc/krb5.conf.d')
ensure
Data type: String
Whether to set or clear the key. Valid values are 'present' and 'absent'. Setting anything besides 'absent' will default to 'present'.
Default value: 'present'
filemode
Data type: String
The File mode (per the Puppet File resource) that should be set on the settings files.
Default value: '0644'
seltype
Data type: String
The SELinux Type to which to set the file that holds the setting.
Default value: 'krb5_conf_t'
krb5::setting::domain_realm
It was specifically created so that you could pass in your domains as a name array and then your realm as a value.
- See also
- krb5.conf(5)
Parameters
The following parameters are available in the krb5::setting::domain_realm defined type:
ensure
Data type: String
Whether to set or clear the key. Valid values are 'present' and 'absent'. Setting anything besides 'absent' will default to 'present'.
Default value: 'present'
realm
Data type: String
The realm to which to map your domain.
target
Data type: Stdlib::Absolutepath
The target directory to which to add setting files.
Default value: pick(getvar('krb5::config::config_dir'), '/etc/krb5.conf.d')
krb5::setting::realm
Allows you to add a realm to the [realms] section of /etc/krb5.conf.
See also:
- krb5.conf(5), REALMS SECTION
Parameters
The following parameters are available in the krb5::setting::realm defined type:
admin_server
kdc
default_domain
v4_instance_convert
v4_realm
auth_to_local_names
auth_to_local
target
owner
group
mode
admin_server
Data type: Simplib::Host
The host where the admin server is running.
kdc
Data type: Optional[Simplib::Host]
The host where the KDC is running.
Default value: undef
default_domain
Data type: Optional[String]
The default domain in which hosts are assumed to be present.
Default value: undef
v4_instance_convert
Data type: Hash[String,String]
A hash of 'tag name' to 'tag value' mappings for default domain mapping translations.
Default value: {}
v4_realm
Data type: Optional[String]
The v4 realm to be used when talking to legacy systems.
Default value: undef
auth_to_local_names
Data type: Hash[String,String]
A hash of 'principal names' to 'local user names' per the man page.
Default value: {}
auth_to_local
Data type: Optional[String]
A general rule for mapping to local user names. The following values are allowed: DB: RULE: DEFAULT
Default value: undef
target
Data type: Stdlib::Absolutepath
The path to the Puppet managed config files.
Default value: pick(getvar('krb5::config::config_dir'), '/etc/krb5.conf.d')
owner
Data type: String
Default value: 'root'
group
Data type: String
Default value: 'root'
mode
Data type: String
Default value: '0644'
Resource types
krb5_acl
Manages krb5 kadmind ACL entries per kadmind(8). When removing an entry, you can specify a regex for the operation_target and all associated entries will be removed.
Properties
The following properties are available in the krb5_acl type.
ensure
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
operation_mask
Valid values: %r{^([admcilpADMCILP]+|[x*])$}
The operation mask per kadmind(8). Be aware that lower case activates a mask and upper case deactivates it
Parameters
The following parameters are available in the krb5_acl type.
name
namevar
A required, but meaningless, name
operation_target
An optional partially, or fully, qualified Kerberos 5 principal name upon which 'principal' is allowed to operate. If this is specified, the 'principal', 'operation_mask', and 'ensure' options will be restricted. This must be specified as a ruby regex without '/' in the case of ensure => 'absent'.
Default value: undef
principal
The partially, or fully, qualified Kerberos 5 principal name. This is what must appear as the usual 'name' of the resource.
provider
The specific backend to use for this krb5_acl resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.
target
The ACL file upon which to operate
Default value: /var/kerberos/krb5kdc/kadm5.acl
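The following is an added example, not code from the simp-krb5 module: it parses a constructed kadm5.acl, applies the operation_mask rules described above (lower case activates, upper case deactivates, x or * grants everything), removes a principal's entries by operation_target regex as ensure => absent does, and reports principals that hold every privilege with no target restriction. The privilege letter meanings are taken from kadmind(8); the SAMPLE_ACL contents are constructed.

```ruby
# Added example (not simp-krb5's own code): parse a constructed kadm5.acl, apply the
# operation_mask rules that krb5_acl documents, and remove entries by target regex.
MASK_RE = %r{^([admcilpADMCILP]+|[x*])$} # the pattern krb5_acl's operation_mask accepts
# Privilege letters per kadmind(8); s and e exist there but krb5_acl does not accept them.
PRIVS = { 'a' => :add, 'd' => :delete, 'm' => :modify, 'c' => :changepw,
          'i' => :inquire, 'l' => :list, 'p' => :propagate }.freeze

# Lowercase letters activate a privilege, uppercase ones deactivate it; 'x' or '*' is all.
def effective_privs(mask)
  raise ArgumentError, "invalid operation_mask #{mask.inspect}" unless mask.match?(MASK_RE)
  return PRIVS.values.sort if %w[x *].include?(mask)
  granted = []
  mask.each_char do |ch|
    priv = PRIVS.fetch(ch.downcase)
    if ch == ch.downcase then granted |= [priv] else granted -= [priv] end
  end
  granted.sort
end

# Each ACL line is "principal mask [target [restrictions]]"; blanks and comments are skipped.
def parse_acl(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |l|
    principal, mask, target, _restrictions = l.split(/\s+/, 4)
    { principal: principal, mask: mask, target: target, privs: effective_privs(mask) }
  end
end

# krb5_acl with ensure => absent: drop every entry for the principal whose
# operation_target matches the given regex (a Ruby regex written without the slashes).
def remove_entries(entries, principal, target_regex)
  re = Regexp.new(target_regex)
  entries.reject { |e| e[:principal] == principal && e[:target].to_s.match?(re) }
end

# Review helper: principals holding every privilege with no operation_target restriction.
def unrestricted_admins(entries)
  entries.select { |e| e[:privs] == PRIVS.values.sort && e[:target].nil? }
         .map { |e| e[:principal] }
end

SAMPLE_ACL = <<~ACL # constructed sample, not a real ACL
  # kadm5.acl
  */admin@EXAMPLE.COM       *
  kadmin/admin@EXAMPLE.COM  x
  helpdesk@EXAMPLE.COM      ciL      *@EXAMPLE.COM
  hostmgr@EXAMPLE.COM       admcil   host/*@EXAMPLE.COM
ACL
```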
krb5kdc_auto_keytabs
Auto-generates principals and keytabs on a functional KDC and outputs the keytabs to a directory of the user's choosing.
Can optionally take a hash of hosts, with associated principal metadata, to be created on the KDC. Will warn if you are attempting to add a host that does not have a valid REALM.
Properties
The following properties are available in the krb5kdc_auto_keytabs type.
ensure
Valid values: present, generated, absent
The state to enforce on the resource
Default value: present
Parameters
The following parameters are available in the krb5kdc_auto_keytabs type.
all_known
Valid values: true, false, yes, no
Generate keytabs for any 'host/.*' entries known to the KDC.
Default value: false
global_services
The global services that should be applied to every auto-generated principal
group
The group that should own the generated keytabs, defaults to '#{Puppet[:group]}' when installing into a Puppet Environment and 'root' otherwise.
Default value: group
hosts
A Hash of hosts that should be managed in the KDC.
The Hash format should be as follows:
{
  'fqdn' => {
    'ensure'   => ('absent' | 'present'),  # Required
    'realms'   => ['REALM1', 'REALM2'],    # Optional. Will be auto-upcased
    'services' => ['svc1', 'svc2']         # Optional
  }
}
If '$global_services' is set, it will be added to the list of services for each host here.
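The following is an added example, not code from the simp-krb5 module: it takes a hosts hash in the format documented above, applies the documented rules (realms auto-upcased, $global_services merged into every host's services, a warning for a host without a valid REALM), and lists the principals a KDC run would create. The default realm, the realm syntax check, and the assumption that a host/<fqdn> principal is always generated are this example's own choices; the SAMPLE_HOSTS data is constructed.

```ruby
# Added example (not simp-krb5's own code): normalise a krb5kdc_auto_keytabs hosts
# hash as the type documents it and list the principals a KDC run would create.
DEFAULT_REALM = 'example.com' # stands in for Facter.value(:networking)['domain']
REALM_RE = /\A[A-Z0-9][A-Z0-9.-]*\z/ # assumed definition of a "valid REALM"

# Returns [principals, warnings]. Realms are auto-upcased, global_services is added
# to every host's services, and a host without a valid realm is warned about and skipped.
# Assumes a host/<fqdn> principal is always generated alongside the listed services.
def plan_keytabs(hosts, global_services: [], default_realm: DEFAULT_REALM)
  principals = []
  warnings = []
  hosts.each do |fqdn, meta|
    ensure_val = meta['ensure']
    raise ArgumentError, "#{fqdn}: 'ensure' is required" unless %w[absent present].include?(ensure_val)
    next if ensure_val == 'absent' # the type would remove it; nothing to generate
    realms = Array(meta['realms'] || default_realm).map { |r| r.to_s.strip.upcase }
    bad = realms.reject { |r| r.match?(REALM_RE) }
    unless bad.empty?
      warnings << "#{fqdn}: invalid realm(s) #{bad.inspect}, not creating principals"
      next
    end
    services = ['host'] | Array(global_services) | Array(meta['services'])
    realms.each { |realm| services.each { |svc| principals << "#{svc}/#{fqdn}@#{realm}" } }
  end
  [principals, warnings]
end

# Constructed input in the documented format, including one host with a bad realm.
SAMPLE_HOSTS = {
  'web1.example.com' => { 'ensure' => 'present', 'realms' => ['example.com'], 'services' => ['HTTP'] },
  'db1.example.com'  => { 'ensure' => 'present' }, # falls back to the default realm
  'old.example.com'  => { 'ensure' => 'absent' },
  'bad.example.com'  => { 'ensure' => 'present', 'realms' => [''] },
}.freeze
```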
introspect
Valid values: true, false, yes, no
Attempt to discover, and create, all relevant keytabs from data on the Puppet server.
This will create host principals for discovered entities if they do not exist already!
This takes a best guess from the SIMP default PKI key locations:
- ${environmentpath}/${environment}/keydist
- /var/simp/environments/${environment}/site_files/pki_files/files/keydist
If $environmentpath is not set, then $confdir will be substituted for ${environmentpath}/${environment}.
Default value: true
name
namevar
The output directory to which to write the keytabs.
If 'default', this will be set to either
/var/simp/environments/${environment}/site_files/krb5_files/files/keytabs
or
/var/kerberos/krb5kdc/generated_keytabs
depending on which target path exists.
provider
The specific backend to use for this krb5kdc_auto_keytabs resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.
purge
Valid values: true, false, yes, no
Remove all unmanaged keytabs from the '$name' directory
Default value: true
realms
The realms under which the hosts should be generated
Default value: Facter.value(:networking)['domain']
user
The user that should own the generated keytabs, defaults to '#{Puppet[:user]}' when installing into a Puppet Environment and 'root' otherwise.
Default value: root
Functions
krb5::munge_conf_filename
Type: Ruby 4.x API
Returns a string that is safe to use as a filename for including in krb5 configuration files.
krb5::munge_conf_filename(String $name)
Returns a string that is safe to use as a filename for including in krb5 configuration files.
Returns: Any (the transformed filename as a String)
name
Data type: String
String to be converted to a krb5 configuration filename
krb5::validate_time_duration
Type: Ruby 4.x API
Validates that the passed string is a valid krb5 time duration per http://web.mit.edu/kerberos/krb5-1.13/doc/basic/date_format.html#duration.
krb5::validate_time_duration(String $time_duration)
Validates that the passed string is a valid krb5 time duration per http://web.mit.edu/kerberos/krb5-1.13/doc/basic/date_format.html#duration.
Returns: Undef
time_duration
Data type: String
Time duration string to be validated
- Fri Sep 13 2024 Steven Pritchard steve@sicura.us - 7.8.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
- Wed Jul 03 2024 Steven Pritchard steve@sicura.us - 7.7.2
- Clean up legacy fact usage to support puppet 8
- Wed Jan 17 2024 Richard Gardner rick@sicura.us - 7.7.1
- Updated hiera.yaml facts to support puppet 8
- Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 7.7.0
- [puppetsync] Add EL9 support
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 7.6.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
- Thu Sep 07 2023 Steven Pritchard steve@sicura.us - 7.5.0
- Add AlmaLinux 8 support
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 7.4.0
- Add RockyLinux 8 support
- Mon Sep 26 2022 Trevor Vaughan trevor@sicura.us - 7.3.0
- Added:
- The module now supports Amazon Linux 2
- Changed:
- Added a .rubocop.yml
- Rubocop'd the Ruby
- Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.2.0
- Removed
- Removed support for Puppet 5
- Removed unnecessary use of top scope in manifests
- Ensured support for Puppet 7 in requirements and stdlib
- Thu Jan 07 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 7.1.1
- Removed EL6 support
- Wed Dec 18 2019 Trevor Vaughan tvaughan@onyxpoint.com - 7.1.0-0
- Add EL8 support
- Update SELinux hotfix
- Migrate SELinux hotfix to vox_selinux::module
- Update documentation
- Add REFERENCE.md
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 7.1.0-0
- Remove Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Support puppetlabs/stdlib 6.x and puppet 6.x.
- Tue Feb 12 2019 Liz Nemsick lnemsick.simp@gmail.com - 7.0.5-0
- Use simplib::passgen() in lieu of passgen(), a deprecated simplib Puppet 3 function.
- Use simplib::validate_re_array() in lieu of validate_re_array(), a deprecated simplib Puppet 3 function.
- Removed unnecessary use of validate_port() on parameters of type Simplib::Port
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Wed Nov 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.0.4-0
- Update badges and contribution guide URL in README.md
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 7.0.4-0
- Changed the packages from 'latest' to 'installed'
- Ensure parameters will also now respect simp_options::package_ensure
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.0.4-0
- Drop Hiera 4 support
- Wed Mar 21 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.4-0
- Add support for Puppet 5 and OEL
- Mon Oct 30 2017 Trevor Vaughan tvaughan@onyxpoint.com - 7.0.3-0
- Allow users to modify the owner, group, and mode of files that may be used by multiple subsystems
- Thu Jun 22 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.0.2-0
- Update custom Puppet 3 functions to namespaced, Puppet 4 functions
- Fix most of the puppet strings problems
- Update puppet requirement and remove OBE pe requirement in metadata.json
- Wed Apr 05 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com 7.0.1-0
- Fixed Facter call in type for krb5kdc_auto_keytabs.rb
- Fri Dec 16 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated global catalysts
- Tue Nov 22 2016 Liz Nemsick lnemsick.simp@gmail.com - 6.0.0-0
- Update version to reflect SIMP6 dependencies
- Update to SIMP6 dependencies
- Minor cleanup
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.9-0
- Updated iptables dependency version
- Thu Nov 10 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.9-0
- Eliminated use of deprecated Puppet.newtype
- Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.7-0
- Fix Forge haveged dependency name
- Thu Sep 01 2016 Jeanne Greulich jeanne.greulich@onyxpoint.com - 5.0.6-0
- Ensure that the /etc/krb5.simp.d/realm* files are mode 644
- Tue Aug 16 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.5-0
- Adapted to the new 'site_files' directory
- Fixed a bug in the selinux policy in EL7
- Thu Aug 11 2016 Nick Miller nick.miller@onyxpoint.com - 5.0.4-0
- Keytab file source and permission corrections
- Tue Jul 22 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.3-0
- The Realm KDC must be explicitly specified
- Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.2-0
- Fixed a bug in the krb5kdc_auto_keytab provider where passed hosts were not getting the realms array integrated.
- Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 5.0.1-0
- Haveged now included by default.
- Fri May 27 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Overhaul of the entire module
- Removed all use of 'concat'
- Split the entire module into new-style components
- Added tests
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Changed puppet-server requirement to puppet
- Mon May 19 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-2
- Removed all stock classes so they can be ported to the SIMP module.
- Mon Apr 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Updated to avoid globals and call Hiera instead.
- Sat Mar 01 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-0
- Refactored to pass all lint tests.
- Added rspec tests for test coverage.
- Mon Oct 14 2013 Trevor Vaughan tvaughan@onyxpoint.com - 0.0.1-3
- Updated the custom types to no longer use Puppet::Util::FileLocking since it has been removed.
- Mon Oct 07 2013 Nick Markowski nmarkowski@keywcorp.com - 0.0.1-2
- Updated template to reference instance variables with @
- Mon Jan 28 2013 Maintenance - 0.0.1-1
- Create a Cucumber test that includes krb5 in the manifest and runs puppet successfully.
- Mon Sep 10 2012 Maintenance - 0.0.1-0
- Initial implementation of krb5 module.
Dependencies
- simp/simplib (>= 4.9.0 < 5.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
pupmod-simp-krb5 - A Puppet Module for managing MIT Kerberos

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.