# File 'manifests/server/kinit.pp', line 20
# Obtains (and keeps fresh) a Kerberos admin ticket on the IPA server itself.
#
# @param realm [String] the Kerberos realm; it is interpolated into the
#   commands below as given, without validation.
class ipa::server::kinit(
  $realm
) {
  include ipa::common

  $valid_realm = "${realm}"

  # since we're on the kdc, we can use our root access to get a ticket...
  # < me> kaduk_: [...] is this an evil hack? [...]
  # < kaduk_> [...] It's not really a hack, but things running on the KDC
  # are always a bit special.
  #exec { "/bin/cat '${vardir}/admin.password' | /usr/bin/kinit admin":
  # NOTE: i added a lifetime of 1 hour... no sense needing any longer

  # Principal of the ticket-granting ticket that the freshness check greps
  # for in klist output.
  $rr = "krbtgt/${valid_realm}@${valid_realm}"
  # Minimum remaining ticket lifetime (seconds) before kinit is re-run.
  $tl = '900' # 60*15 => 15 minutes

  # -k -t KDB: presumably reads the key straight from the local KDC database
  # (see kaduk_'s remark above) -- confirm against the kinit man page.
  exec { "/usr/bin/kinit -k -t KDB: admin -l 1h": # thanks to: kaduk_
    logoutput => on_failure,
    #unless => "/usr/bin/klist -s", # is there a credential cache
    # NOTE: we need to check if the ticket has at least a certain
    # amount of time left. if not, it could expire mid execution!
    # this should definitely get patched, but in the meantime, we
    # check that the current time is greater than the valid start
    # time (in seconds) and that we have within $tl seconds left!
    # The check relies on shell features (&&, backticks, $(( )) arithmetic).
    # NOTE(review): no 'provider' is set on this exec; confirm the default
    # provider actually runs the string through a shell, otherwise the
    # check fails and kinit runs on every agent run.
    # NOTE(review): ${rr} is spliced into a single-quoted grep argument, so a
    # realm containing a quote or other shell metacharacter would break (or
    # alter) this command -- assumes $realm is a well-formed realm name from
    # a trusted source; verify at the call site.
    unless => "/usr/bin/klist -s && /usr/bin/test \$(( `/bin/date +%s` - `/usr/bin/klist | /bin/grep -F '${rr}' | /bin/awk '{print \$1\" \"\$2}' | /bin/date --file=- +%s` )) -gt 0 && /usr/bin/test \$(( `/usr/bin/klist | /bin/grep -F '${rr}' | /bin/awk '{print \$3\" \"\$4}' | /bin/date --file=- +%s` - `/bin/date +%s` )) -gt ${tl}",
    # Guard command provided by ipa::common; presumably succeeds only once
    # IPA is installed on this host.
    onlyif => "${::ipa::common::ipa_installed}",
    # NOTE: we need the 'require' to actually be a 'before', coming
    # from the ipa-install exec since that may not exist right away
    # if it's a replica that pulls in the exported resource exec...
    require => [
      Exec['ipa-install'],
      #File["${vardir}/admin.password"],
    ],
    # Other resources depend on this ticket via Exec['ipa-server-kinit'].
    alias => 'ipa-server-kinit',
  }
}