diff --git a/NEWS b/NEWS index dee869d32d5b2701ce34b1a7f1b26171c313a696..57e7b05eaccd39ce0a6c54604601cf97e4c2cb0a 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,9 @@ release/005.007 (unreleased) [kerberos] Add option to completely override /etc/krb5.conf using the parameter 'source'. [adamhl] + [kerberos] Add a new 'define' that makes it easier to setup a + krb5.conf file. The define is base::kerberos::krb5_conf [adamhl] + [newsyslog] Pull out filter-syslog from newsyslog so filtersyslog can be used separately from newsyslog. [adamhl] diff --git a/manifests/kerberos/krb5_conf.pp b/manifests/kerberos/krb5_conf.pp new file mode 100644 index 0000000000000000000000000000000000000000..9ded137d67484b80b9705c8cf97e73562f9abd5c --- /dev/null +++ b/manifests/kerberos/krb5_conf.pp 
@@ -0,0 +1,153 @@
+# A define that creates a krb5.conf file.
+#
+# The $name parameter is where the file will be put.
+#
+# $prefer_tcp:
+# Normal kerberos traffic uses UDP, but some applications
+# (lookin' at you Java!) work better with TCP. Set this parameter to
+# "true" to force the client to prefer TCP to UDP.
+# Default: false
+#
+# $rdns_enabled:
+# If 'true' have the Kerberos client do a reverse DNS lookup on the
+# hostname when connecting to a server. This should be set to 'false' if
+# you want the client to be able to connect to services where the service
+# name's IP address PTR record may not match the hostname (e.g., for
+# services running in Amazon Web Services).
+# Default: true
+#
+## ADVANCED
+#
+# $env: Valid values:
+# * prod (default)
+# * dev
+# * test
+# * uat
+# * qa
+# * custom
+#
+# In the "stanford.edu" section of [realms], by default the production
+# settings will appear:
+#
+# [realms]
+# stanford.edu = {
+# kdc = krb5auth1.stanford.edu:88
+# kdc = krb5auth2.stanford.edu:88
+# kdc = krb5auth3.stanford.edu:88
+# master_kdc = master-kdc.stanford.edu:88
+# admin_server = krb5-admin.stanford.edu
+# kpasswd_server = krb5-admin.stanford.edu
+# default_domain = stanford.edu
+# kadmind_port = 749
+# }
+#
+# If the environment is set to a different value, then that section will
+# instead look like this:
+#
+# [realms]
+# stanford.edu = {
+# kdc = krb5auth-<env>1.stanford.edu:88
+# kdc = krb5auth-<env>2.stanford.edu:88
+# kdc = krb5auth-<env>3.stanford.edu:88
+# kdc = krb5auth-<env>4.stanford.edu:88
+# master_kdc = master-kdc-<env>.stanford.edu:88
+# admin_server = krb5-admin-<env>.stanford.edu
+# kpasswd_server = krb5-admin-<env>.stanford.edu
+# default_domain = stanford.edu
+# kadmind_port = 749
+# }
+#
+# For example, if $env is set to 'test', then the above would be
+#
+# [realms]
+# stanford.edu = {
+# kdc = krb5auth-test1.stanford.edu:88
+# kdc = krb5auth-test2.stanford.edu:88
+# kdc = krb5auth-test3.stanford.edu:88
+# kdc = krb5auth-test4.stanford.edu:88
+# master_kdc = master-kdc-test.stanford.edu:88
+# admin_server = krb5-admin-test.stanford.edu
+# kpasswd_server = krb5-admin-test.stanford.edu
+# default_domain = stanford.edu
+# kadmind_port = 749
+# }
+#
+#
+# Finally, if you want to override these using these parameters, set the
+# $env variable to 'custom' and set these parameters:
+#
+#
+# $kdcs: Use this set of server names for the "kdc" entries in the
+# realm. If the array is empty, use the the normal production KDC list.
+#
+# Example:
+# kdcs => ['kerberos-qa2.stanford.edu', 'kerberos-qa1.stanford.edu'],
+#
+# will result in
+#
+# [realms]
+# stanford.edu = {
+# kdc = kerberos-qa2.stanford.edu:88
+# kdc = kerberos-qa1.stanford.edu:88
+#
+# $master_kdc: sets the master_kdc setting.
+#
+# $admin_server: sets the admin_server setting
+#
+# $kpasswd_server: sets the kpasswd_server setting.
+#
+# NOTE! If $env is set to 'custom', then ALL of $kdcs, $master_kdc,
+# $admin_server, and $kpasswd_server MUST be set. If not, Puppet will
+# raise an exception.
+
+
+define kerberos::krb5_conf (
+ $env = 'prod',
+ $realm = 'stanford.edu',
+ $default_realm = 'stanford.edu',
+ $stanford_realm_is_production = true,
+ $kdcs = [],
+ $master_kdc = undef,
+ $admin_server = undef,
+ $kpasswd_server = undef,
+ $rdns_enabled = true,
+ $prefer_tcp = false,
+) {
+
+ case $env {
+ 'prod': {
+ $kdcs_actual = [
+ "krb5auth1.stanford.edu",
+ "krb5auth2.stanford.edu",
+ "krb5auth3.stanford.edu",
+ ]
+ $master_kdc_actual = "master-kdc.stanford.edu"
+ $admin_server_actual = "krb5-admin.stanford.edu"
+ $kpasswd_server_actual = "krb5-admin.stanford.edu"
+ }
+ 'dev', 'test', 'uat', 'qa': {
+ $kdcs_actual = [
+ "krb5auth-${env}1.stanford.edu",
+ "krb5auth-${env}2.stanford.edu",
+ "krb5auth-${env}3.stanford.edu",
+ "krb5auth-${env}4.stanford.edu",
+ ]
+ $master_kdc_actual = "master-kdc-${env}.stanford.edu"
+ $admin_server_actual = "krb5-admin-${env}.stanford.edu"
+ $kpasswd_server_actual = "krb5-admin-${env}.stanford.edu"
+ }
+ 'custom': {
+ $kdcs_actual = $kdcs
+ $master_kdc_actual = $master_kdc
+ $admin_server_actual = $admin_server
+ $kpasswd_server_actual = $kpasswd_server
+ }
+ default : {
+ fail("do not know env '${env}'")
+ }
+ }
+
+ file { $name:
+ content => template('base/kerberos/etc/krb5.conf.erb'),
+ }
+}
diff --git a/templates/kerberos/etc/krb5.conf.erb b/templates/kerberos/etc/krb5.conf.erb
new file mode 100644
index 0000000000000000000000000000000000000000..dce58e888c09d7fd5d5c1ca4efd5b251230beebf
--- /dev/null
+++ b/templates/kerberos/etc/krb5.conf.erb
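Review bot: The `'custom'` branch does not enforce what the header comment promises ("Puppet will raise an exception" when any of $kdcs, $master_kdc, $admin_server or $kpasswd_server is unset); with the defaults it just copies `[]` and undef through, and the template then renders an empty kdc list and `master_kdc = :88`, which an MIT client may silently paper over with DNS SRV discovery of the KDC. The header even contradicts itself on $kdcs ("If the array is empty, use the the normal production KDC list" a few lines above "MUST be set"); pick one and make the code match it — the check below implements the failure, written without stdlib (`empty($kdcs)` reads better if stdlib is available). Separately, `$realm` and `$stanford_realm_is_production` are accepted but used by neither the body nor the template and are missing from the header, so either wire them in or drop them. The define is declared as `kerberos::krb5_conf` while the NEWS entry and the template path (`base/kerberos/...`) place it in module `base`; unless the manifest is loaded in some way not visible here, autoloading will only find it as `base::kerberos::krb5_conf`.
```puppet
    'custom': {
      # The header promises a failure when a custom value is missing;
      # without this check the template renders "master_kdc = :88" and
      # an empty kdc list instead.
      if $kdcs == [] or ! $master_kdc or ! $admin_server or ! $kpasswd_server {
        fail("env 'custom' requires kdcs, master_kdc, admin_server and kpasswd_server")
      }
      $kdcs_actual = $kdcs
      # … unchanged: remaining *_actual assignments …
    }
```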
@@ -0,0 +1,211 @@
+# /etc/krb5.conf -- Kerberos V5 general configuration.
+#
+# This is the standard Kerberos v5 configuration file for all of our
+# servers. It is based on the Stanford-wide configuration, the canonical
+# version of which is in /usr/pubsw/etc/krb5.conf.
+#
+# This configuration allows any enctypes. Some systems with really old
+# Kerberos software may have to limit to triple-DES and DES.
+
+[appdefaults]
+ default_lifetime = 25hrs
+ krb4_convert = false
+ krb4_convert_524 = false
+
+ ksu = {
+ forwardable = false
+ }
+
+ pam = {
+ minimum_uid = 100
+ search_k5login = true
+ forwardable = true
+ }
+
+ pam-afs-session = {
+ minimum_uid = 100
+ }
+
+ libkafs = {
+ IR.STANFORD.EDU = {
+ afs-use-524 = no
+ }
+ }
+
+ passwd_change = {
+ passwd_file = /afs/ir.stanford.edu/service/etc/passwd.all
+ server = password-change.stanford.edu
+ port = 4443
+ service_principal = service/password-change@stanford.edu
+ }
+
+ wallet = {
+ wallet_server = wallet.stanford.edu
+ }
+
+[libdefaults]
+ default_realm = <%= @default_realm %>
+ ticket_lifetime = 25h
+ renew_lifetime = 7d
+ forwardable = true
+ noaddresses = true
+ allow_weak_crypto = true
+<%- if (@rdns_enabled) then -%>
+ rdns = true
+<%- else -%>
+ rdns = false
+<%- end -%>
+<% if (@prefer_tcp) then -%>
+ udp_preference_limit = 1
+<% end -%>
+
+[realms]
+ stanford.edu = {
+<%-
+ @kdcs_actual.each do |kdc|
+-%>
+ kdc = <%= kdc %>:88
+<%-
+ end
+-%>
+ master_kdc = <%= @master_kdc_actual %>:88
+ admin_server = <%= @admin_server_actual %>
+ kpasswd_server = <%= @kpasswd_server_actual %>
+ default_domain = stanford.edu
+ kadmind_port = 749
+ }
+ heimdal.stanford.edu = {
+ kdc = kerberos-dev.stanford.edu:88
+ master_kdc = kerberos-dev.stanford.edu:88
+ admin_server = kerberos-dev.stanford.edu
+ kpasswd_server = kerberos-dev.stanford.edu
+ kadmind_port = 749
+ }
+ WIN.STANFORD.EDU = {
+ kdc = mothra.win.stanford.edu:88
+ kdc = rodan.win.stanford.edu:88
+ kpasswd_server = mothra.win.stanford.edu
+ }
+ WINUAT.STANFORD.EDU = {
+ kdc = winuatdc1.winuat.stanford.edu:88
+ kpasswd_server = winuatdc1.winuat.stanford.edu
+ }
+ NT.STANFORD.EDU = {
+ kdc = ntdc2.nt.stanford.edu:88
+ kdc = ntdc3.nt.stanford.edu:88
+ kpasswd_server = ntdc2.nt.stanford.edu
+ }
+ GUEST.STANFORD.EDU = {
+ kdc = guestdc0.guest.stanford.edu:88
+ kdc = guestdc1.guest.stanford.edu:88
+ kpasswd_server = guestdc0.guest.stanford.edu
+ default_domain = guest.stanford.edu
+ }
+ GUESTUAT.STANFORD.EDU = {
+ kdc = guestuatdc0.guestuat.stanford.edu:88
+ kdc = guestuatdc1.guestuat.stanford.edu:88
+ kpasswd_server = guestuatdc0.guestuat.stanford.edu
+ default_domain = guestuat.stanford.edu
+ }
+ CS.STANFORD.EDU = {
+ kdc = cs-kdc-1.stanford.edu:88
+ kdc = cs-kdc-2.stanford.edu:88
+ kdc = cs-kdc-3.stanford.edu:88
+ admin_server = cs-kdc-1.stanford.edu:749
+ }
+ SLAC.STANFORD.EDU = {
+ kdc = k5auth1.slac.stanford.edu:88
+ kdc = k5auth2.slac.stanford.edu:88
+ kdc = k5auth3.slac.stanford.edu:88
+ admin_server = k5admin.slac.stanford.edu
+ kpasswd_server = k5passwd.slac.stanford.edu
+ default_domain = slac.stanford.edu
+ }
+ WIN.SLAC.STANFORD.EDU = {
+ kdc = winmaster2.win.slac.stanford.edu
+ default_domain = win.slac.stanford.edu
+ }
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu:88
+ kdc = kerberos-1.mit.edu:88
+ kdc = kerberos-2.mit.edu:88
+ kdc = kerberos-3.mit.edu:88
+ admin_server = kerberos.mit.edu
+ default_domain = mit.edu
+ }
+ ISC.ORG = {
+ kdc = k1.isc.org:88
+ kdc = k2.isc.org:88
+ admin_server = k1.isc.org:749
+ default_domain = isc.org
+ }
+ OPENLDAP.ORG = {
+ kdc = kerberos.openldap.org
+ default_domain = openldap.org
+ }
+ SUCHDAMAGE.ORG = {
+ kdc = kerberos.suchdamage.org:88
+ admin_server = kerberos.suchdamage.org:749
+ default_domain = suchdamage.org
+ }
+ VIX.COM = {
+ kdc = kerberos-0.vix.com:88
+ kdc = kerberos-1.vix.com:88
+ kdc = kerberos-2.vix.com:88
+ admin_server = kerberos-0.vix.com:749
+ default_domain = vix.com
+ }
+ ZEPA.NET = {
+ kdc = kerberos.zepa.net
+ kdc = kerberos-too.zepa.net
+ admin_server = kerberos.zepa.net
+ }
+
+[domain_realm]
+ stanford.edu = stanford.edu
+ .stanford.edu = stanford.edu
+ .dc.stanford.org = stanford.edu
+ .sunet = stanford.edu
+ .eyrie.org = stanford.edu
+ .killfile.org = stanford.edu
+ .lpch.net = stanford.edu
+ .lpch.org = stanford.edu
+ .oit.duke.edu = stanford.edu
+ win.stanford.edu = WIN.STANFORD.EDU
+ .win.stanford.edu = WIN.STANFORD.EDU
+ daper.stanford.edu = IT.WIN.STANFORD.EDU
+ gsbworkspace.stanford.edu = IT.WIN.STANFORD.EDU
+ infraappprod.stanford.edu = IT.WIN.STANFORD.EDU
+ radmed.stanford.edu = IT.WIN.STANFORD.EDU
+ windows-new.stanford.edu = IT.WIN.STANFORD.EDU
+ windows.stanford.edu = IT.WIN.STANFORD.EDU
+ workspace.stanford.edu = IT.WIN.STANFORD.EDU
+ winuat.stanford.edu = WINUAT.STANFORD.EDU
+ .winuat.stanford.edu = WINUAT.STANFORD.EDU
+ nt.stanford.edu = NT.STANFORD.EDU
+ .nt.stanford.edu = NT.STANFORD.EDU
+ guest.stanford.edu = GUEST.STANFORD.EDU
+ .guest.stanford.edu = GUEST.STANFORD.EDU
+ guest-mgmt.stanford.edu = GUEST.STANFORD.EDU
+ guest-mgmt2.stanford.edu = GUEST.STANFORD.EDU
+ guestidmweb.stanford.edu = GUEST.STANFORD.EDU
+ guestuat.stanford.edu = GUESTUAT.STANFORD.EDU
+ .guestuat.stanford.edu = GUESTUAT.STANFORD.EDU
+ guestuat-mgmt.stanford.edu = GUESTUAT.STANFORD.EDU
+ guestuatidmweb.stanford.edu = GUESTUAT.STANFORD.EDU
+ .slac.stanford.edu = SLAC.STANFORD.EDU
+ .isc.org = ISC.ORG
+ mit.edu = ATHENA.MIT.EDU
+ .mit.edu = ATHENA.MIT.EDU
+ openldap.org = OPENLDAP.ORG
+ .openldap.org = OPENLDAP.ORG
+ whoi.edu = ATHENA.MIT.EDU
+ .whoi.edu = ATHENA.MIT.EDU
+ .vix.com = VIX.COM
+ zepa.net = ZEPA.NET
+ .zepa.net = ZEPA.NET
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ admin_server = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
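Review bot: `allow_weak_crypto = true` under [libdefaults] is hard-coded for every host this define manages, which re-enables single-DES enctypes in the client library even though the header only says that some old systems may need them; since the template already makes rdns and udp_preference_limit conditional, expose it the same way, `<%- if @allow_weak_crypto -%>` / `  allow_weak_crypto = true` / `<%- end -%>`, with the define defaulting it to false so only those old systems opt in. The rdns and prefer_tcp conditionals test Ruby truthiness, so a caller who follows the define's own header and passes the string 'false' gets `rdns = true`, because a non-empty string is true in ERB; compare the string form instead, `<%- if @rdns_enabled.to_s == 'true' -%>`, and likewise for `@prefer_tcp`. `@kdcs_actual.each` also assumes an array, so a single hostname passed as a string fails at catalog compile time; `Array(@kdcs_actual).each do |kdc|` accepts both. In [domain_realm] several hosts map to `IT.WIN.STANFORD.EDU`, which has no [realms] stanza, so those lookups will rely on DNS for the KDC; if that is intended it deserves a comment.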