Puppet Class: profile::kerberos::kadminserver

Defined in:
modules/profile/manifests/kerberos/kadminserver.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • krb_realm_name (Stdlib::Fqdn) (defaults to: lookup('kerberos_realm_name'))
  • krb_kadmin_primary (Stdlib::Fqdn) (defaults to: lookup('kerberos_kadmin_server_primary'))
  • krb_kadmin_keytabs_repo (Array[Stdlib::Fqdn]) (defaults to: lookup('kerberos_kadmin_keytabs_repo'))
  • rsync_secrets_file_auth_users (Array[String]) (defaults to: lookup('profile::kerberos::kadminserver', { 'default_value' => ['kerb'] }))
  • enable_replication (Optional[Boolean]) (defaults to: lookup('profile::kerberos::kadminserver::enable_replication', {'default_value' => false} ))


# File 'modules/profile/manifests/kerberos/kadminserver.pp', line 2

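# @summary Kerberos admin server (kadmind) profile.
#
# Installs krb5-admin-server on every node that includes this class, but only
# keeps the service running on the primary node (the one whose `fqdn` fact
# equals $krb_kadmin_primary); the other nodes get a MOTD warning instead.
# On the primary, the manually generated keytabs under /srv/kerberos/keytabs
# are exported through an authenticated, read-only rsync module restricted to
# $krb_kadmin_keytabs_repo, so the Puppet server can collect them without
# having to be a Kerberos client itself.
#
# @param krb_realm_name
#   Kerberos realm name. Not referenced in this manifest; presumably read by
#   the inactive.motd.erb template through scope — confirm before removing.
# @param krb_kadmin_primary
#   FQDN of the node that runs kadmind and serves the keytabs.
# @param krb_kadmin_keytabs_repo
#   FQDNs allowed to connect to the 'srv-keytabs' rsync module.
# @param rsync_secrets_file_auth_users
#   rsync user names allowed to authenticate against the 'srv-keytabs'
#   module; their credentials live in the secrets file managed below.
# @param enable_replication
#   When true, also include profile::kerberos::replication.
class profile::kerberos::kadminserver (
    Stdlib::Fqdn $krb_realm_name = lookup('kerberos_realm_name'),
    Stdlib::Fqdn $krb_kadmin_primary = lookup('kerberos_kadmin_server_primary'),
    Array[Stdlib::Fqdn] $krb_kadmin_keytabs_repo = lookup('kerberos_kadmin_keytabs_repo'),
    # NOTE(review): this lookup key is the bare class name, unlike the
    # '<class>::<param>' key used for enable_replication below. Verify that
    # this is the intended hiera key and not a truncated
    # 'profile::kerberos::kadminserver::rsync_secrets_file_auth_users'.
    Array[String] $rsync_secrets_file_auth_users = lookup('profile::kerberos::kadminserver', { 'default_value' => ['kerb'] }),
    Optional[Boolean] $enable_replication = lookup('profile::kerberos::kadminserver::enable_replication', {'default_value' => false} ),
) {
    package { 'krb5-admin-server':
        ensure => present,
    }

    # Presumably needed by the helper scripts installed below — confirm.
    package { 'python3-pexpect':
        ensure => present,
    }

    # Everything that must exist only on the primary node keys off this flag:
    # the running service, its auto-restart, the rsync daemon and the rsync
    # module/secrets file. Non-primary nodes get the MOTD warning instead and
    # have the rsync pieces explicitly removed.
    $is_krb_master = $facts['fqdn'] == $krb_kadmin_primary

    if $is_krb_master {
        $ensure_motd = 'absent'
        $ensure_rsync = 'present'
        $ensure_rsync_secrets_file = 'present'

        # The kadmin server shuts down by itself if
        # not running on the master/primary node.
        service { 'krb5-admin-server':
            ensure  => running,
            require => Package['krb5-admin-server'],
        }

        # Inside this branch $is_krb_master is always true, so the ensure
        # value is simply 'present'.
        profile::auto_restarts::service { 'krb5-admin-server':
            ensure => present,
        }

        # The rsync daemon is only wanted where the keytabs are generated.
        class { 'rsync::server': }
    } else {
        $ensure_motd = 'present'
        $ensure_rsync = 'absent'
        $ensure_rsync_secrets_file = 'absent'
    }

    motd::script { 'inactive_warning':
        ensure   => $ensure_motd,
        priority => 1,
        content  => template('profile/kerberos/kadminserver/inactive.motd.erb'),
    }

    # kpasswd (port 464) is reachable from the domain networks only; the
    # rsync module below opens its own port via auto_firewall.
    firewall::service { 'kerberos_kpasswd_tcp':
        proto    => 'tcp',
        port     => 464,
        src_sets => ['DOMAIN_NETWORKS'],
    }

    firewall::service { 'kerberos_kpasswd_udp':
        proto    => 'udp',
        port     => 464,
        src_sets => ['DOMAIN_NETWORKS'],
    }

    # Util script to help generating keytabs. Root-only and not world
    # readable, since it drives kadmin.local.
    file { '/usr/local/sbin/generate_keytabs.py':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/profile/kerberos/generate_keytabs.py',
    }

    file { '/usr/local/sbin/manage_principals.py':
        ensure => file,
        mode   => '0550',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/profile/kerberos/manage_principals.py',
    }

    # Keytabs will be generated manually, via a script that uses kadmin.local,
    # under /srv/kerberos/keytabs
    file { '/srv/kerberos':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }

    # Keytabs are long-lived credentials: keep the directory unreadable to
    # "other". Whatever account the rsync daemon runs as must still be able to
    # read it — confirm against the rsync::server class.
    file { '/srv/kerberos/keytabs':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0750',
    }

    # Add the rsync server configuration only to the active kerberos host.
    # This allows the Puppet server holding the private repository to rsync
    # the keytab files in order to be able to add them to the private repository.
    # This way the puppet master will not need to be a kerberos client.
    #
    # The secrets file holds the rsync credentials: root-only, and show_diff
    # is off so its content never ends up in Puppet reports or logs.
    $rsync_secrets_file = '/srv/kerberos/rsync_secrets_file'
    file { $rsync_secrets_file:
        ensure    => $ensure_rsync_secrets_file,
        owner     => 'root',
        group     => 'root',
        mode      => '0400',
        content   => secret('kerberos/rsync_secrets_file'),
        show_diff => false,
        require   => File['/srv/kerberos'],
    }

    # Read-only export, gated both by source host (hosts_allow) and by rsync
    # user authentication (auth_users + secrets_file).
    rsync::server::module { 'srv-keytabs':
        ensure        => $ensure_rsync,
        path          => '/srv/kerberos/keytabs',
        read_only     => 'yes',
        hosts_allow   => $krb_kadmin_keytabs_repo,
        auto_firewall => true,
        auth_users    => $rsync_secrets_file_auth_users,
        secrets_file  => $rsync_secrets_file,
        require       => File[$rsync_secrets_file],
    }

    if $enable_replication {
        include ::profile::kerberos::replication
    }
}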