This Puppet module manages and installs MIT Kerberos 5 authentication.

There is only one class, `kerberos`, which manages the installation and configuration of Kerberos. This class installs the Kerberos packages and sets up the base configuration that the other `kerberos` resources add entries to.
The minimal usage of the `kerberos` class is just to include it in a Puppet manifest, which installs it with a default configuration:

```puppet
include kerberos
```

NOTE: The Kerberos configuration may not be complete without declaring at least one `kerberos::realm` and at least one `kerberos::domain_realm` resource.
The default is `present`, which installs and configures Kerberos. Using `latest` updates the Kerberos packages whenever new versions become available. The Kerberos packages and configuration are removed if set to `absent`. Using `ensure` to pin a specific package version is not currently supported.
This specifies a custom package or array of packages. The default is the standard OS-specific packages for Kerberos.

Specifies the location of the Kerberos configuration file. The default is `/etc/krb5.conf`. Setting this parameter is not recommended, but it is included to support custom packages.
This sets the default realm for any domain that does not have a specific domain-to-realm mapping. The default value is `LOCAL`. Realm names are case-sensitive and, by convention, written in upper case.

Specifies the location of the Kerberos 4 configuration file. The default is `/etc/krb.conf`. Setting this parameter is not recommended, but it is included to support custom packages.

Specifies the location of the Kerberos 4 realm configuration file. The default is `/etc/krb.realms`. Setting this parameter is not recommended, but it is included to support custom packages.
If set to `true`, Kerberos will convert tickets to version 4. The default value is `false`.

If set to `true`, Kerberos will get V4 tickets. The default value is `false`.

If set to `true`, Kerberos will get V5 tickets. The default value is `true`.

If set to `true`, Kerberos will run `aklog`. The default value is `false`.

This sets the path to the `aklog` binary or script. The default is undefined, which uses the system default.
If set to `1`, Kerberos will gather timestamp correction data from the KDC and correct for clock synchronisation errors. The default value is `1`.

Defines the format of the credential cache. The default value is `4`, which is the most current format.
If set to `true`, tickets will be forwardable. The default value is `false`. A forwardable ticket-granting ticket can be passed on to a service the user authenticates to, which can then obtain further tickets as that user, so enable this only where delegation is actually needed.

If set to `true`, the principal will be allowed to obtain proxy tickets. The default value is `false`.

If this flag is `true`, reverse name lookup will be used in addition to forward name lookup when canonicalizing hostnames for use in service principal names. The default value is `true`. Note that with reverse lookup enabled, the service principal a client asks a ticket for is derived from DNS answers it does not authenticate; on networks where DNS cannot be trusted, set this to `false` and use canonical hostnames in service principals.
This resource defines a realm entry in the `[realms]` section of the Kerberos configuration file, as described in the MIT documentation.

The minimal declaration includes just the `kdc` parameter:

```puppet
kerberos::realm { 'example.org':
  kdc => 'kerberos.example.org',
}
```

This is a required parameter. It takes a single hostname, or an array of hostnames, for the servers running the KDC for the realm. A hostname may carry a port number suffix separated by a colon (e.g. `kerberos.example.org:80`).
This specifies the hostname of the administration server running `kadmind`. This is usually the master server. The default is undefined.

This specifies the hostname of the master KDC server. The default is undefined.

This specifies the domain used to expand hostnames. The default is undefined.

This specifies the kpasswd server where password changes are performed. The default is undefined.

This resource defines a domain-to-realm mapping entry in the `[domain_realm]` section of the Kerberos configuration file, as described in the MIT documentation.
Each declaration maps the domain given as the title of the `kerberos::domain_realm` declaration to the realm specified by the `realm` parameter:

```puppet
kerberos::domain_realm { '.example.org':
  realm => 'example.org',
}
```

This is a required parameter. It specifies the realm that the domain maps to. The specified realm must be defined as a `kerberos::realm` resource.
This resource defines a logging entry in the `[logging]` section of the Kerberos configuration file, as described in the MIT documentation. Multiple entries are permitted, so the same service can be logged to more than one destination.

The minimal usage sets up logging to syslog by default:

```puppet
include kerberos::logging
```

This sets which services are logged. It only accepts the values `kdc`, `admin_server` or `default`. The default is `default`.

This specifies the destination for the log. Check the MIT logging documentation for acceptable values. The default is `SYSLOG`.
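As an added example, not code from this module or its README, the following manifest combines the class parameters described above with the realm, domain-to-realm and logging resources into one working configuration. Only `ensure`, `kdc` and `realm` are named as parameters in this README; every other parameter name used below (`default_realm`, `rdns`, `forwardable`, `admin_server`, `master_kdc`, `kpasswd_server`, `default_domain`, `services`, `destination`) is an assumption taken from the descriptions above and the matching `krb5.conf` keys, and `kerberos::logging` is assumed to be a parameterised class because it is declared with `include` above; check the module's manifests before use. The realm is written in upper case, the Kerberos convention, and the DNS domain in lower case.

```puppet
# Added example, not part of the module. Parameter names other than ensure,
# kdc and realm are ASSUMED from the README descriptions and the krb5.conf keys.

# Base install. rdns is turned off so the client does not derive service
# principal names from unauthenticated reverse-DNS answers; forwardable stays
# off (its default) unless a service genuinely needs delegated credentials.
class { 'kerberos':
  ensure        => present,
  default_realm => 'EXAMPLE.ORG',
  rdns          => false,
  forwardable   => false,
}

# One [realms] entry: two KDCs for availability, with the master also acting
# as the admin (kadmind) and kpasswd server. 88 is the standard Kerberos port.
kerberos::realm { 'EXAMPLE.ORG':
  kdc            => ['kdc1.example.org:88', 'kdc2.example.org:88'],
  admin_server   => 'kdc1.example.org',
  master_kdc     => 'kdc1.example.org',
  kpasswd_server => 'kdc1.example.org',
  default_domain => 'example.org',
}

# [domain_realm] entries. The leading-dot form matches hosts *under* the
# domain; the bare form matches the domain name itself. Both are declared so
# that host.example.org and example.org resolve to the same realm, and the
# realm they reference is the kerberos::realm declared above.
kerberos::domain_realm { '.example.org':
  realm => 'EXAMPLE.ORG',
}
kerberos::domain_realm { 'example.org':
  realm => 'EXAMPLE.ORG',
}

# [logging] entry sending KDC logs to syslog (the documented default
# destination), where they can be picked up by the usual log collection.
class { 'kerberos::logging':
  services    => 'kdc',
  destination => 'SYSLOG',
}
```

After a Puppet run, the generated `/etc/krb5.conf` should contain a `[realms]` stanza for `EXAMPLE.ORG` and both `[domain_realm]` lines; `kinit user@EXAMPLE.ORG` followed by `klist -f` confirms that tickets are issued and that the forwardable flag (`F`) is absent, as configured.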
- MIT Kerberos site
- Ivan Bayan's krb5 module: close, but it has no tests, and I was not sure about its OS logic or how it managed the configuration files.
Copyright 2015 Aaron W. Hicks aethylred@gmail.com
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This module is derived from the puppet-blank module by Aaron Hicks (aethylred@gmail.com)
This module has been developed for the use with Open Source Puppet (Apache 2.0 license) for automating server & service deployment.