Verified Commit 119decac authored by Adam Lewenberg's avatar Adam Lewenberg

first pass at improved krb5_conf define

parent 213f08b2
......@@ -3,6 +3,9 @@ release/005.007 (unreleased)
[kerberos] Add option to completely override /etc/krb5.conf using
the parameter 'source'. [adamhl]
[kerberos] Add a new 'define' that makes it easier to setup a
krb5.conf file. The define is base::kerberos::krb5_conf [adamhl]
[newsyslog] Pull out filter-syslog from newsyslog so filtersyslog can
be used separately from newsyslog. [adamhl]
......
# A define that creates a krb5.conf file.
#
# The $name parameter is where the file will be put.
#
# $prefer_tcp:
# Normal kerberos traffic uses UDP, but some applications
# (lookin' at you Java!) work better with TCP. Set this parameter to
# "true" to force the client to prefer TCP to UDP.
# Default: false
#
# $rdns_enabled:
# If 'true' have the Kerberos client do a reverse DNS lookup on the
# hostname when connecting to a server. This should be set to 'false' if
# you want the client to be able to connect to services where the service
# name's IP address PTR record may not match the hostname (e.g., for
# services running in Amazon Web Services).
# Default: true
#
## ADVANCED
#
# $env: Valid values:
# * prod (default)
# * dev
# * test
# * uat
# * qa
# * custom
#
# In the "stanford.edu" section of [realms], by default the production
# settings will appear:
#
# [realms]
# stanford.edu = {
# kdc = krb5auth1.stanford.edu:88
# kdc = krb5auth2.stanford.edu:88
# kdc = krb5auth3.stanford.edu:88
# master_kdc = master-kdc.stanford.edu:88
# admin_server = krb5-admin.stanford.edu
# kpasswd_server = krb5-admin.stanford.edu
# default_domain = stanford.edu
# kadmind_port = 749
# }
#
# If the environment is set to a different value, then that section will
# instead look like this:
#
# [realms]
# stanford.edu = {
# kdc = krb5auth-<env>1.stanford.edu:88
# kdc = krb5auth-<env>2.stanford.edu:88
# kdc = krb5auth-<env>3.stanford.edu:88
# kdc = krb5auth-<env>4.stanford.edu:88
# master_kdc = master-kdc-<env>.stanford.edu:88
# admin_server = krb5-admin-<env>.stanford.edu
# kpasswd_server = krb5-admin-<env>.stanford.edu
# default_domain = stanford.edu
# kadmind_port = 749
# }
#
# For example, if $env is set to 'test', then the above would be
#
# [realms]
# stanford.edu = {
# kdc = krb5auth-test1.stanford.edu:88
# kdc = krb5auth-test2.stanford.edu:88
# kdc = krb5auth-test3.stanford.edu:88
# kdc = krb5auth-test4.stanford.edu:88
# master_kdc = master-kdc-test.stanford.edu:88
# admin_server = krb5-admin-test.stanford.edu
# kpasswd_server = krb5-admin-test.stanford.edu
# default_domain = stanford.edu
# kadmind_port = 749
# }
#
#
# Finally, if you want to override these using these parameters, set the
# $env variable to 'custom' and set these parameters:
#
#
# $kdcs: Use this set of server names for the "kdc" entries in the
# realm. If the array is empty, use the the normal production KDC list.
#
# Example:
# kdcs => ['kerberos-qa2.stanford.edu', 'kerberos-qa1.stanford.edu'],
#
# will result in
#
# [realms]
# stanford.edu = {
# kdc = kerberos-qa2.stanford.edu:88
# kdc = kerberos-qa1.stanford.edu:88
#
# $master_kdc: sets the master_kdc setting.
#
# $admin_server: sets the admin_server setting
#
# $kpasswd_server: sets the kpasswd_server setting.
#
# NOTE! If $env is set to 'custom', then ALL of $kdcs, $master_kdc,
# $admin_server, and $kpasswd_server MUST be set. If not, Puppet will
# raise an exception.
define kerberos::krb5_conf (
$env = 'prod',
$realm = 'stanford.edu',
$default_realm = 'stanford.edu',
$stanford_realm_is_production = true,
$kdcs = [],
$master_kdc = undef,
$admin_server = undef,
$kpasswd_server = undef,
$rdns_enabled = true,
$prefer_tcp = false,
) {
case $env {
'prod': {
$kdcs_actual = [
"krb5auth1.stanford.edu",
"krb5auth2.stanford.edu",
"krb5auth3.stanford.edu",
]
$master_kdc_actual = "master-kdc.stanford.edu"
$admin_server_actual = "krb5-admin.stanford.edu"
$kpasswd_server_actual = "krb5-admin.stanford.edu"
}
'dev', 'test', 'uat', 'qa': {
$kdcs_actual = [
"krb5auth-${env}1.stanford.edu",
"krb5auth-${env}2.stanford.edu",
"krb5auth-${env}3.stanford.edu",
"krb5auth-${env}4.stanford.edu",
]
$master_kdc_actual = "master-kdc-${env}.stanford.edu"
$admin_server_actual = "krb5-admin-${env}.stanford.edu"
$kpasswd_server_actual = "krb5-admin-${env}.stanford.edu"
}
'custom': {
$kdcs_actual = $kdcs
$master_kdc_actual = $master_kdc
$admin_server_actual = $admin_server
$kpasswd_server_actual = $kpasswd_server
}
default : {
fail("do not know env '${env}'")
}
}
file { $name:
content => template('base/kerberos/etc/krb5.conf.erb'),
}
}
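Review bot: The 'custom' branch starting at `$kdcs_actual = $kdcs` never checks that its four inputs were supplied, although the header comment promises that Puppet will raise an exception when any of $kdcs, $master_kdc, $admin_server or $kpasswd_server is missing; with the parameter defaults the template would be rendered with no kdc lines and with `master_kdc = :88` (or whatever the Puppet version prints for an undef value). A guard at the top of that branch closes the gap: `if $kdcs == [] or $master_kdc == undef or $admin_server == undef or $kpasswd_server == undef { fail("env 'custom' requires kdcs, master_kdc, admin_server and kpasswd_server") }`. The $kdcs description ("If the array is empty, use the the normal production KDC list") contradicts both that NOTE and the code, which falls back to nothing, so one of the two statements should be corrected. $realm and $stanford_realm_is_production are accepted but never referenced in the define or in the template, which hard-codes the `stanford.edu` realm header; either wire $realm into the template or drop the two parameters before callers start relying on them.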
# /etc/krb5.conf -- Kerberos V5 general configuration.
#
# This is the standard Kerberos v5 configuration file for all of our
# servers. It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
# This configuration allows any enctypes. Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.
[appdefaults]
default_lifetime = 25hrs
krb4_convert = false
krb4_convert_524 = false
ksu = {
forwardable = false
}
pam = {
minimum_uid = 100
search_k5login = true
forwardable = true
}
pam-afs-session = {
minimum_uid = 100
}
libkafs = {
IR.STANFORD.EDU = {
afs-use-524 = no
}
}
passwd_change = {
passwd_file = /afs/ir.stanford.edu/service/etc/passwd.all
server = password-change.stanford.edu
port = 4443
service_principal = service/password-change@stanford.edu
}
wallet = {
wallet_server = wallet.stanford.edu
}
[libdefaults]
default_realm = <%= @default_realm %>
ticket_lifetime = 25h
renew_lifetime = 7d
forwardable = true
noaddresses = true
allow_weak_crypto = true
<%- if (@rdns_enabled) then -%>
rdns = true
<%- else -%>
rdns = false
<%- end -%>
<% if (@prefer_tcp) then -%>
udp_preference_limit = 1
<% end -%>
[realms]
stanford.edu = {
<%-
@kdcs_actual.each do |kdc|
-%>
kdc = <%= kdc %>:88
<%-
end
-%>
master_kdc = <%= @master_kdc_actual %>:88
admin_server = <%= @admin_server_actual %>
kpasswd_server = <%= @kpasswd_server_actual %>
default_domain = stanford.edu
kadmind_port = 749
}
heimdal.stanford.edu = {
kdc = kerberos-dev.stanford.edu:88
master_kdc = kerberos-dev.stanford.edu:88
admin_server = kerberos-dev.stanford.edu
kpasswd_server = kerberos-dev.stanford.edu
kadmind_port = 749
}
WIN.STANFORD.EDU = {
kdc = mothra.win.stanford.edu:88
kdc = rodan.win.stanford.edu:88
kpasswd_server = mothra.win.stanford.edu
}
WINUAT.STANFORD.EDU = {
kdc = winuatdc1.winuat.stanford.edu:88
kpasswd_server = winuatdc1.winuat.stanford.edu
}
NT.STANFORD.EDU = {
kdc = ntdc2.nt.stanford.edu:88
kdc = ntdc3.nt.stanford.edu:88
kpasswd_server = ntdc2.nt.stanford.edu
}
GUEST.STANFORD.EDU = {
kdc = guestdc0.guest.stanford.edu:88
kdc = guestdc1.guest.stanford.edu:88
kpasswd_server = guestdc0.guest.stanford.edu
default_domain = guest.stanford.edu
}
GUESTUAT.STANFORD.EDU = {
kdc = guestuatdc0.guestuat.stanford.edu:88
kdc = guestuatdc1.guestuat.stanford.edu:88
kpasswd_server = guestuatdc0.guestuat.stanford.edu
default_domain = guestuat.stanford.edu
}
CS.STANFORD.EDU = {
kdc = cs-kdc-1.stanford.edu:88
kdc = cs-kdc-2.stanford.edu:88
kdc = cs-kdc-3.stanford.edu:88
admin_server = cs-kdc-1.stanford.edu:749
}
SLAC.STANFORD.EDU = {
kdc = k5auth1.slac.stanford.edu:88
kdc = k5auth2.slac.stanford.edu:88
kdc = k5auth3.slac.stanford.edu:88
admin_server = k5admin.slac.stanford.edu
kpasswd_server = k5passwd.slac.stanford.edu
default_domain = slac.stanford.edu
}
WIN.SLAC.STANFORD.EDU = {
kdc = winmaster2.win.slac.stanford.edu
default_domain = win.slac.stanford.edu
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
kdc = kerberos-3.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ISC.ORG = {
kdc = k1.isc.org:88
kdc = k2.isc.org:88
admin_server = k1.isc.org:749
default_domain = isc.org
}
OPENLDAP.ORG = {
kdc = kerberos.openldap.org
default_domain = openldap.org
}
SUCHDAMAGE.ORG = {
kdc = kerberos.suchdamage.org:88
admin_server = kerberos.suchdamage.org:749
default_domain = suchdamage.org
}
VIX.COM = {
kdc = kerberos-0.vix.com:88
kdc = kerberos-1.vix.com:88
kdc = kerberos-2.vix.com:88
admin_server = kerberos-0.vix.com:749
default_domain = vix.com
}
ZEPA.NET = {
kdc = kerberos.zepa.net
kdc = kerberos-too.zepa.net
admin_server = kerberos.zepa.net
}
[domain_realm]
stanford.edu = stanford.edu
.stanford.edu = stanford.edu
.dc.stanford.org = stanford.edu
.sunet = stanford.edu
.eyrie.org = stanford.edu
.killfile.org = stanford.edu
.lpch.net = stanford.edu
.lpch.org = stanford.edu
.oit.duke.edu = stanford.edu
win.stanford.edu = WIN.STANFORD.EDU
.win.stanford.edu = WIN.STANFORD.EDU
daper.stanford.edu = IT.WIN.STANFORD.EDU
gsbworkspace.stanford.edu = IT.WIN.STANFORD.EDU
infraappprod.stanford.edu = IT.WIN.STANFORD.EDU
radmed.stanford.edu = IT.WIN.STANFORD.EDU
windows-new.stanford.edu = IT.WIN.STANFORD.EDU
windows.stanford.edu = IT.WIN.STANFORD.EDU
workspace.stanford.edu = IT.WIN.STANFORD.EDU
winuat.stanford.edu = WINUAT.STANFORD.EDU
.winuat.stanford.edu = WINUAT.STANFORD.EDU
nt.stanford.edu = NT.STANFORD.EDU
.nt.stanford.edu = NT.STANFORD.EDU
guest.stanford.edu = GUEST.STANFORD.EDU
.guest.stanford.edu = GUEST.STANFORD.EDU
guest-mgmt.stanford.edu = GUEST.STANFORD.EDU
guest-mgmt2.stanford.edu = GUEST.STANFORD.EDU
guestidmweb.stanford.edu = GUEST.STANFORD.EDU
guestuat.stanford.edu = GUESTUAT.STANFORD.EDU
.guestuat.stanford.edu = GUESTUAT.STANFORD.EDU
guestuat-mgmt.stanford.edu = GUESTUAT.STANFORD.EDU
guestuatidmweb.stanford.edu = GUESTUAT.STANFORD.EDU
.slac.stanford.edu = SLAC.STANFORD.EDU
.isc.org = ISC.ORG
mit.edu = ATHENA.MIT.EDU
.mit.edu = ATHENA.MIT.EDU
openldap.org = OPENLDAP.ORG
.openldap.org = OPENLDAP.ORG
whoi.edu = ATHENA.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
.vix.com = VIX.COM
zepa.net = ZEPA.NET
.zepa.net = ZEPA.NET
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
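Review bot: `allow_weak_crypto = true` under [libdefaults] is hard-wired into the template, so every host rendered through this define accepts single-DES and the other weak enctypes with no way to opt out via the define's parameters; the header comment (`This configuration allows any enctypes.`) shows this is deliberate for compatibility, but it deserves a switch. Adding an `$allow_weak_crypto = true` parameter to the define and rendering `allow_weak_crypto = <%= @allow_weak_crypto %>` keeps the current behaviour while letting hosts that only talk to modern KDCs turn it off, and a line above it such as `# allow_weak_crypto permits DES enctypes; set false unless a legacy service needs them` would document the trade-off. The rdns and prefer_tcp conditionals also mix tag styles (`<%- if (@rdns_enabled) then -%>` versus `<% if (@prefer_tcp) then -%>`), which is worth aligning so the whitespace handling is uniform.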