Commit 791e9c07 authored by Karl Kornel's avatar Karl Kornel

base::kerberos: Automatically detect if we are in Livermore.

If the system's primary IP address is in one of the two well-known Livermore
netblocks, then automatically set the Livermore-based Kerberos server as the
primary KDC.

base::kerberos::dr is now deprecated.
parent 5fabc1c9
......@@ -3,6 +3,12 @@ Unreleased
[dns] Changes Livermore detection to use the system's primary IP address,
instead of using a manually-set parameter. (akkornel)
[kerberos] Automatically determine if we are in Livermore; if we are, place
the Livermore-based KDC at the top of the list. (akkornel)
Clients who are using the base::kerberos::dr class should immediately switch
to using base::kerberos. base::kerberos::dr is deprecated.
release/004.053 (2015-07-28)
[rpm] Adding a dag-EL7.repo file so that EL7 hosts can get a
......
# /etc/krb5.conf -- Kerberos V5 general configuration.
#
# This is the standard Kerberos v5 configuration file for all of our
# servers. It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
# This configuration allows any enctypes. Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.
[appdefaults]
default_lifetime = 25hrs
krb4_convert = false
krb4_convert_524 = false
ksu = {
forwardable = false
}
pam = {
minimum_uid = 100
search_k5login = true
forwardable = true
}
pam-afs-session = {
minimum_uid = 100
}
libkafs = {
IR.STANFORD.EDU = {
afs-use-524 = no
}
}
passwd_change = {
passwd_file = /afs/ir.stanford.edu/service/etc/passwd.all
server = password-change.stanford.edu
port = 4443
service_principal = service/password-change@stanford.edu
}
wallet = {
wallet_server = wallet.stanford.edu
}
[libdefaults]
default_realm = stanford.edu
ticket_lifetime = 25h
renew_lifetime = 7d
forwardable = true
noaddresses = true
allow_weak_crypto = true
[realms]
stanford.edu = {
kdc = krb5auth1.stanford.edu:88
kdc = krb5auth2.stanford.edu:88
kdc = krb5auth3.stanford.edu:88
master_kdc = krb5auth1.stanford.edu:88
admin_server = krb5-admin.stanford.edu
kpasswd_server = krb5-admin.stanford.edu
default_domain = stanford.edu
kadmind_port = 749
}
heimdal.stanford.edu = {
kdc = kerberos-dev.stanford.edu:88
master_kdc = kerberos-dev.stanford.edu:88
admin_server = kerberos-dev.stanford.edu
kpasswd_server = kerberos-dev.stanford.edu
kadmind_port = 749
}
WIN.STANFORD.EDU = {
kdc = mothra.win.stanford.edu:88
kdc = rodan.win.stanford.edu:88
kpasswd_server = mothra.win.stanford.edu
}
MS.STANFORD.EDU = {
kdc = msdc0.ms.stanford.edu:88
kdc = msdc1.ms.stanford.edu:88
kpasswd_server = msdc0.ms.stanford.edu
}
NT.STANFORD.EDU = {
kdc = ntdc2.nt.stanford.edu:88
kdc = ntdc3.nt.stanford.edu:88
kpasswd_server = ntdc2.nt.stanford.edu
}
GUEST.STANFORD.EDU = {
kdc = guestdc0.guest.stanford.edu:88
kdc = guestdc1.guest.stanford.edu:88
kpasswd_server = guestdc0.guest.stanford.edu
default_domain = guest.stanford.edu
}
GUESTUAT.STANFORD.EDU = {
kdc = guestuatdc0.guestuat.stanford.edu:88
kdc = guestuatdc1.guestuat.stanford.edu:88
kpasswd_server = guestuatdc0.guestuat.stanford.edu
default_domain = guestuat.stanford.edu
}
CS.STANFORD.EDU = {
kdc = cs-kdc-1.stanford.edu:88
kdc = cs-kdc-2.stanford.edu:88
kdc = cs-kdc-3.stanford.edu:88
admin_server = cs-kdc-1.stanford.edu:749
}
SLAC.STANFORD.EDU = {
kdc = k5auth1.slac.stanford.edu:88
kdc = k5auth2.slac.stanford.edu:88
kdc = k5auth3.slac.stanford.edu:88
admin_server = k5admin.slac.stanford.edu
kpasswd_server = k5passwd.slac.stanford.edu
default_domain = slac.stanford.edu
}
WIN.SLAC.STANFORD.EDU = {
kdc = dc01.slac.stanford.edu:88
kdc = dc02.slac.stanford.edu:88
kdc = dc03.slac.stanford.edu:88
master_kdc = dc01.slac.stanford.edu:88
admin_server = dc01.slac.stanford.edu
default_domain = win.slac.stanford.edu
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
kdc = kerberos-3.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ISC.ORG = {
kdc = k1.isc.org:88
kdc = k2.isc.org:88
admin_server = k1.isc.org:749
default_domain = isc.org
}
OPENLDAP.ORG = {
kdc = kerberos.openldap.org
default_domain = openldap.org
}
SUCHDAMAGE.ORG = {
kdc = kerberos.suchdamage.org:88
admin_server = kerberos.suchdamage.org:749
default_domain = suchdamage.org
}
VIX.COM = {
kdc = kerberos-0.vix.com:88
kdc = kerberos-1.vix.com:88
kdc = kerberos-2.vix.com:88
admin_server = kerberos-0.vix.com:749
default_domain = vix.com
}
ZEPA.NET = {
kdc = kerberos.zepa.net
kdc = kerberos-too.zepa.net
admin_server = kerberos.zepa.net
}
[domain_realm]
stanford.edu = stanford.edu
.stanford.edu = stanford.edu
.dc.stanford.org = stanford.edu
.sunet = stanford.edu
.eyrie.org = stanford.edu
.killfile.org = stanford.edu
.lpch.net = stanford.edu
.lpch.org = stanford.edu
.oit.duke.edu = stanford.edu
win.stanford.edu = WIN.STANFORD.EDU
.win.stanford.edu = WIN.STANFORD.EDU
atragon.stanford.edu = WIN.STANFORD.EDU
itcert.stanford.edu = WIN.STANFORD.EDU
daper.stanford.edu = IT.WIN.STANFORD.EDU
gsbworkspace.stanford.edu = IT.WIN.STANFORD.EDU
infraappprod.stanford.edu = IT.WIN.STANFORD.EDU
radmed.stanford.edu = IT.WIN.STANFORD.EDU
windows-new.stanford.edu = IT.WIN.STANFORD.EDU
windows.stanford.edu = IT.WIN.STANFORD.EDU
workspace.stanford.edu = IT.WIN.STANFORD.EDU
ms.stanford.edu = MS.STANFORD.EDU
.ms.stanford.edu = MS.STANFORD.EDU
mscert1.stanford.edu = MS.STANFORD.EDU
msweb2.stanford.edu = EX.MS.STANFORD.EDU
windows-ms.stanford.edu = EX.MS.STANFORD.EDU
nt.stanford.edu = NT.STANFORD.EDU
.nt.stanford.edu = NT.STANFORD.EDU
ntcert1.stanford.edu = NT.STANFORD.EDU
ntweb2.stanford.edu = TYR.NT.STANFORD.EDU
windows-nt.stanford.edu = TYR.NT.STANFORD.EDU
guest.stanford.edu = GUEST.STANFORD.EDU
.guest.stanford.edu = GUEST.STANFORD.EDU
guest-mgmt.stanford.edu = GUEST.STANFORD.EDU
guest-mgmt2.stanford.edu = GUEST.STANFORD.EDU
guestidmweb.stanford.edu = GUEST.STANFORD.EDU
guestuat.stanford.edu = GUESTUAT.STANFORD.EDU
.guestuat.stanford.edu = GUESTUAT.STANFORD.EDU
guestuat-mgmt.stanford.edu = GUESTUAT.STANFORD.EDU
guestuatidmweb.stanford.edu = GUESTUAT.STANFORD.EDU
.slac.stanford.edu = SLAC.STANFORD.EDU
.win.slac.stanford.edu = WIN.SLAC.STANFORD.EDU
.isc.org = ISC.ORG
mit.edu = ATHENA.MIT.EDU
.mit.edu = ATHENA.MIT.EDU
openldap.org = OPENLDAP.ORG
.openldap.org = OPENLDAP.ORG
whoi.edu = ATHENA.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
.vix.com = VIX.COM
zepa.net = ZEPA.NET
.zepa.net = ZEPA.NET
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
......@@ -16,16 +16,22 @@ class base::kerberos {
}
}
# Check to see if we are in Livermore right now
if ( ip_in_cidr($::ipaddress, '204.63.224.0/21')
or ip_in_cidr($::ipaddress, '172.20.224.0/21')
) {
$drSite = 'yes'
}
# Basic Kerberos configuration.
file { '/etc/krb5.conf':
source => 'puppet:///modules/base/kerberos/etc/krb5.conf',
content => template('base/kerberos/krb5.conf.erb')
}
}
# base::kerberos::dr is no longer needed, because it's functionality has been
# implemented in base::kerberos.
# Thie class should eventually start failing Puppet builds, and eventually be
# removed altogether.
class base::kerberos::dr inherits base::kerberos {
$drSite = 'yes'
File['/etc/krb5.conf'] {
source => undef,
content => template('base/kerberos/krb5.conf.erb')
}
}
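Review bot: `$drSite` is assigned only inside the Livermore `if` at the top of the hunk, so on every other host the template is rendered with the variable undefined rather than with an explicit value; add an `else { $drSite = 'no' }` branch (or initialise the variable before the `if`) so the template's test does not depend on undef/nil handling, which Puppet's `strict_variables` setting can turn into a hard failure. The detection keys off `$::ipaddress`, Facter's single primary-address fact, so a multihomed or VPN-attached host may be classified by an interface that is not the one in Livermore; a comment above the `if` such as `# Detection uses the primary interface only; multihomed hosts may be misclassified` would make that limitation visible to whoever debugs an unexpected KDC ordering. Since the deprecation comment says base::kerberos::dr should eventually fail builds, a `warning('base::kerberos::dr is deprecated; use base::kerberos instead')` as the first statement of that class would surface the deprecation in agent logs now instead of later. That comment also has two typos, `Thie class` and `it's functionality`, which should read `This class` and `its functionality`.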