Puppet Class: krb5::config

Inherits:
krb5
Defined in:
manifests/config.pp

Overview

**NOTE: THIS IS A [PRIVATE](github.com/puppetlabs/puppetlabs-stdlib#assert_private) CLASS**

Basic configuration of the MIT Kerberos client

Parameters:

  • config_dir (Stdlib::Absolutepath) (defaults to: '/etc/krb5.conf.simp.d')

    The path to the directory that holds the Puppet-managed config files.

  • default_realm (String) (defaults to: inline_template('<%= @domain.upcase %>'))

    Default realm to which to bind.

  • realm_domains (Array[String]) (defaults to: [ ".${facts['networking']['domain']}", $facts['networking']['domain'] ])

    Array of domains bound to the default realm set in $default_realm.

  • dns_lookup_realm (Boolean) (defaults to: false)

    Use DNS TXT records to lookup the realm.

  • dns_lookup_kdc (Boolean) (defaults to: true)

    Use DNS SRV records to lookup the KDC.

  • renew_lifetime (String) (defaults to: '7d')

    The default renewable lifetime for initial tickets. Should be a valid krb5 Time Duration string. @see web.mit.edu/kerberos/krb5-1.13/doc/basic/date_format.html#duration

  • forwardable (Boolean) (defaults to: true)

    Whether to make initial tickets forwardable by default. Forwardable tickets are required for GSSAPI credential delegation over SSH.

  • clockskew (Integer[0]) (defaults to: 500)

    Maximum clock skew, in seconds, that is tolerated before a message is assumed to be invalid.

  • permitted_tgs_enctypes (Array[String]) (defaults to: $krb5::enctypes)

    Supported encryption types reported by the KDC.

  • permitted_tkt_enctypes (Array[String]) (defaults to: $krb5::enctypes)

    Permitted client encryption types.

  • permitted_enctypes (Array[String]) (defaults to: $krb5::enctypes)

    Permitted session key encryption types.

  • puppet_exclusive_managed (Boolean) (defaults to: true)

    Set to false to allow users to add files to the /etc/krb5.conf.d directory manually.

Author:

  • Trevor Vaughan <tvaughan@onyxpoint.com>



# File 'manifests/config.pp', line 26

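# Basic configuration of the MIT Kerberos client
#
# **NOTE: THIS IS A PRIVATE CLASS** - it is guarded by `assert_private()` and
# is only meant to be reached through the `krb5` class it inherits from.
#
# `/etc/krb5.conf` is written as a stub that contains nothing but two
# `includedir` lines, so the effective settings come from the include
# directories:
#   * `/etc/krb5.conf.d` - not purged here, so locally added drop-ins survive
#   * `$config_dir`      - purged and recursed, i.e. fully Puppet-managed
#
# @param config_dir
#   The path to the directory that holds the Puppet-managed config files.
#   Its parent directory is also used to locate `krb5.conf.d`.
#
# @param default_realm
#   Default realm to which to bind. Derived from the legacy top-scope `$domain`
#   fact via `inline_template`, whereas `$realm_domains` reads
#   `$facts['networking']['domain']`; the two are expected to agree.
#
# @param realm_domains
#   Array of domains bound to the default realm set in `$default_realm`.
#
# @param dns_lookup_realm
#   Use DNS TXT records to look up the realm.
#
# @param dns_lookup_kdc
#   Use DNS SRV records to look up the KDC.
#
# @param renew_lifetime
#   The default renewable lifetime for initial tickets. Must be a valid krb5
#   time duration string; it is checked by `krb5::validate_time_duration`.
#
# @param forwardable
#   Whether to make initial tickets forwardable by default.
#
# @param clockskew
#   Maximum clock skew, in seconds, tolerated before a message is assumed to
#   be invalid.
#
# @param permitted_tgs_enctypes
#   Encryption types requested for TGS session keys.
#
# @param permitted_tkt_enctypes
#   Permitted client encryption types.
#
# @param permitted_enctypes
#   Permitted session key encryption types.
#
# @param puppet_exclusive_managed
#   Set to false to allow users to add files to `/etc/krb5.conf.d` manually.
#   NOTE(review): this parameter is not referenced anywhere in this class
#   body; presumably `krb5::config::default_settings` reads it - confirm.
#
# @author Trevor Vaughan <tvaughan@onyxpoint.com>
#
class krb5::config (
  Stdlib::Absolutepath $config_dir               = '/etc/krb5.conf.simp.d',
  String               $default_realm            = inline_template('<%= @domain.upcase %>'),
  Array[String]        $realm_domains            = [ ".${facts['networking']['domain']}", $facts['networking']['domain'] ],
  Boolean              $dns_lookup_realm         = false,
  Boolean              $dns_lookup_kdc           = true,
  String               $renew_lifetime           = '7d',
  Boolean              $forwardable              = true,
  Integer[0]           $clockskew                = 500,
  Array[String]        $permitted_tgs_enctypes   = $krb5::enctypes,
  Array[String]        $permitted_tkt_enctypes   = $krb5::enctypes,
  Array[String]        $permitted_enctypes       = $krb5::enctypes,
  Boolean              $puppet_exclusive_managed = true
) inherits krb5 {

  assert_private()

  # Fail the catalog on a malformed duration rather than writing it to disk.
  krb5::validate_time_duration($renew_lifetime)

  # Parent of $config_dir; the non-purged drop-in directory is expected to
  # live beside the managed one (see the includedir lines below).
  $_base_config_dir = inline_template('<%= File.dirname(@config_dir) %>')

  include 'krb5::config::default_settings'

  # Include Directories
  #
  # Drop-in directory for locally added settings. Deliberately managed without
  # purge/recurse so files placed here by hand are left alone.
  file { '/etc/krb5.conf.d':
    ensure  => 'directory',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    seltype => 'krb5_conf_t',
    before  => File['/etc/krb5.conf']
  }

  # Puppet-managed directory. The resource title follows $config_dir instead
  # of repeating the default path literal, so that a non-default $config_dir
  # manages (and purges) the same directory the includedir line below points
  # at. With the default value the title is unchanged.
  file { $config_dir:
    ensure  => 'directory',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    purge   => true,
    recurse => true,
    seltype => 'krb5_conf_t',
    before  => File['/etc/krb5.conf']
  }

  # Stub krb5.conf: all settings are pulled in via includedir. Both include
  # directories must exist before this file is written (see `before` above).
  file { '/etc/krb5.conf':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "# This file managed by Puppet
# Any changes made will be reverted at the next run
# If you wish to `enhance` the Puppet managed settings, add your settings to
# /etc/krb5.conf.d.
#
# Please be aware though, that the last item in the includedir list below will
# be authoritative for any given option.

includedir ${_base_config_dir}/krb5.conf.d
includedir ${config_dir}\n"
  }
}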