Resource Type: krb5kdc_auto_keytabs

Defined in:
lib/puppet/type/krb5kdc_auto_keytabs.rb
Providers:
generate

Overview

Auto-generates principals and keytabs on a functional KDC and outputs the keytabs to a directory of the user’s choosing.

Can optionally take a hash of hosts, with associated principal metadata, to be created on the KDC. Will warn if you are attempting to add a host that does not have a valid REALM.

Properties

  • ensure (defaults to: present)

    The state to enforce on the resource

    Supported values:
    • present
    • generated
    • absent

Parameters

  • all_known (defaults to: false)

    Generate keytabs for any ‘host/.*’ entries known to the KDC.

    Supported values:
    • true
    • false
    • yes
    • no
  • global_services

    The global services that should be applied to every auto-generated principal

  • group (defaults to: group)

    The group that should own the generated keytabs. Defaults to ‘#:group’ when installing into a Puppet Environment and ‘root’ otherwise.

  • hosts

    A Hash of hosts that should be managed in the KDC.

    The Hash format should be as follows:

    {
      'fqdn' => {
        'ensure'   => ('absent' | 'present'), # Required
        'realms'   => ['REALM1', 'REALM2'],   # Optional. Will be auto-upcased
        'services' => ['svc1','svc2']         # Optional
      }
    }

    If ‘$global_services’ is set, it will be added to the list of services for each host here.

  • introspect (defaults to: true)

    Attempt to discover, and create, all relevant keytabs from data on the Puppet server.

    This will create host principals for discovered entities if they do not exist already!

    This takes a best guess from the SIMP default PKI key locations:

    * `${environmentpath}/${environment}/keydist`
    * `/var/simp/environments/${environment}/site_files/pki_files/files/keydist`
    

    If `$environmentpath` is not set, then `$confdir` will be substituted for `$environmentpath/$environment`.

    Supported values:
    • true
    • false
    • yes
    • no
  • name (namevar)

    The output directory to which to write the keytabs

    If ‘__default__’, this will be set to either `/var/simp/environments/$environment/site_files/krb5_files/files/keytabs` or `/var/kerberos/krb5kdc/generated_keytabs`, depending on which target path exists.

  • provider

    The specific backend to use for this `krb5kdc_auto_keytabs` resource. You will seldom need to specify this, as Puppet will usually discover the appropriate provider for your platform.

  • purge (defaults to: true)

    Remove all unmanaged keytabs from the ‘$name’ directory

    Supported values:
    • true
    • false
    • yes
    • no
  • realms (defaults to: Facter.value(:domain))

    The realms under which the hosts should be generated

  • user (defaults to: root)

    The user that should own the generated keytabs. Defaults to ‘#:user’ when installing into a Puppet Environment and ‘root’ otherwise.
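
A sample declaration that ties the parameters above together. This is an added example, not taken from the module's own code or documentation: the hostnames, realm and service names are constructed, and passing `global_services` as an array is an assumption.

```puppet
# Added example: all hostnames, realms and services below are constructed.
krb5kdc_auto_keytabs { '__default__':
  ensure          => 'present',

  # Only manage the principals listed in 'hosts'. With introspect enabled,
  # host principals are created for every entity discovered under the
  # keydist directories, whether or not they are listed here.
  introspect      => false,
  all_known       => false,

  # Remove keytabs in the output directory that this resource does not
  # manage, so keytabs for retired hosts do not linger on disk.
  purge           => true,

  # Assumption: supplied as an array of service names.
  global_services => ['nfs'],

  hosts           => {
    'web01.example.test' => {
      'ensure'   => 'present',
      'realms'   => ['example.test'],  # auto-upcased per the docs above
      'services' => ['HTTP'],          # 'nfs' is added from global_services
    },
    'old01.example.test' => {
      'ensure' => 'absent',            # decommissioned host
    },
  },
}
```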