first pass at improved krb5_conf define

119decac · Adam Lewenberg · 213f08b2 · 119decac · 119decac · 119decac
Verified Commit 119decac authored 7 years ago by Adam Lewenberg
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,9 @@ release/005.007 (unreleased)
    [kerberos] Add option to completely override /etc/krb5.conf using
    the parameter 'source'. [adamhl]

+    [kerberos] Add a new 'define' that makes it easier to setup a
+    krb5.conf file. The define is base::kerberos::krb5_conf [adamhl]
+
    [newsyslog] Pull out filter-syslog from newsyslog so filtersyslog can
    be used separately from newsyslog. [adamhl]


--- a/manifests/kerberos/krb5_conf.pp
+++ b/manifests/kerberos/krb5_conf.pp
+# A define that creates a krb5.conf file.
+#
+# The $name parameter is where the file will be put.
+#
+# $prefer_tcp:
+#   Normal kerberos traffic uses UDP, but some applications
+#   (lookin' at you Java!) work better with TCP. Set this parameter to
+#   "true" to force the client to prefer TCP to UDP.
+#   Default: false
+#
+# $rdns_enabled:
+#   If 'true' have the Kerberos client do a reverse DNS lookup on the
+#   hostname when connecting to a server. This should be set to 'false' if
+#   you want the client to be able to connect to services where the service
+#   name's IP address PTR record may not match the hostname (e.g., for
+#   services running in Amazon Web Services).
+#   Default: true
+#
+## ADVANCED
+#
+# $env: Valid values:
+#  * prod (default)
+#  * dev
+#  * test
+#  * uat
+#  * qa
+#  * custom
+#
+# In the "stanford.edu" section of [realms], by default the production
+# settings will appear:
+#
+#   [realms]
+#       stanford.edu = {
+#           kdc            = krb5auth1.stanford.edu:88
+#           kdc            = krb5auth2.stanford.edu:88
+#           kdc            = krb5auth3.stanford.edu:88
+#           master_kdc     = master-kdc.stanford.edu:88
+#           admin_server   = krb5-admin.stanford.edu
+#           kpasswd_server = krb5-admin.stanford.edu
+#           default_domain = stanford.edu
+#           kadmind_port   = 749
+#       }
+#
+# If the environment is set to a different value, then that section will
+# instead look like this:
+#
+#   [realms]
+#       stanford.edu = {
+#           kdc            = krb5auth-<env>1.stanford.edu:88
+#           kdc            = krb5auth-<env>2.stanford.edu:88
+#           kdc            = krb5auth-<env>3.stanford.edu:88
+#           kdc            = krb5auth-<env>4.stanford.edu:88
+#           master_kdc     = master-kdc-<env>.stanford.edu:88
+#           admin_server   = krb5-admin-<env>.stanford.edu
+#           kpasswd_server = krb5-admin-<env>.stanford.edu
+#           default_domain = stanford.edu
+#           kadmind_port   = 749
+#       }
+#
+# For example, if $env is set to 'test', then the above would be
+#
+#   [realms]
+#       stanford.edu = {
+#           kdc            = krb5auth-test1.stanford.edu:88
+#           kdc            = krb5auth-test2.stanford.edu:88
+#           kdc            = krb5auth-test3.stanford.edu:88
+#           kdc            = krb5auth-test4.stanford.edu:88
+#           master_kdc     = master-kdc-test.stanford.edu:88
+#           admin_server   = krb5-admin-test.stanford.edu
+#           kpasswd_server = krb5-admin-test.stanford.edu
+#           default_domain = stanford.edu
+#           kadmind_port   = 749
+#       }
+#
+#
+# Finally, if you want to override these using these parameters, set the
+# $env variable to 'custom' and set these parameters:
+#
+#
+# $kdcs: Use this set of server names for the "kdc" entries in the
+#   realm. If the array is empty, use the the normal production KDC list.
+#
+# Example:
+#  kdcs => ['kerberos-qa2.stanford.edu', 'kerberos-qa1.stanford.edu'],
+#
+# will result in
+#
+# [realms]
+#   stanford.edu = {
+#     kdc            = kerberos-qa2.stanford.edu:88
+#     kdc            = kerberos-qa1.stanford.edu:88
+#
+# $master_kdc: sets the master_kdc setting.
+#
+# $admin_server: sets the admin_server setting
+#
+# $kpasswd_server: sets the kpasswd_server setting.
+#
+# NOTE! If $env is set to 'custom', then ALL of $kdcs, $master_kdc,
+# $admin_server, and $kpasswd_server MUST be set. If not, Puppet will
+# raise an exception.
+
+
+define kerberos::krb5_conf (
+  $env                             = 'prod',
+  $realm                           = 'stanford.edu',
+  $default_realm                   = 'stanford.edu',
+  $stanford_realm_is_production    = true,
+  $kdcs                            = [],
+  $master_kdc                      = undef,
+  $admin_server                    = undef,
+  $kpasswd_server                  = undef,
+  $rdns_enabled                    = true,
+  $prefer_tcp                      = false,
+) {
+
+  case $env {
+    'prod': {
+      $kdcs_actual = [
+        "krb5auth1.stanford.edu",
+        "krb5auth2.stanford.edu",
+        "krb5auth3.stanford.edu",
+      ]
+      $master_kdc_actual     = "master-kdc.stanford.edu"
+      $admin_server_actual   = "krb5-admin.stanford.edu"
+      $kpasswd_server_actual = "krb5-admin.stanford.edu"
+    }
+    'dev', 'test', 'uat', 'qa': {
+      $kdcs_actual = [
+        "krb5auth-${env}1.stanford.edu",
+        "krb5auth-${env}2.stanford.edu",
+        "krb5auth-${env}3.stanford.edu",
+        "krb5auth-${env}4.stanford.edu",
+      ]
+      $master_kdc_actual     = "master-kdc-${env}.stanford.edu"
+      $admin_server_actual   = "krb5-admin-${env}.stanford.edu"
+      $kpasswd_server_actual = "krb5-admin-${env}.stanford.edu"
+    }
+    'custom': {
+      $kdcs_actual           = $kdcs
+      $master_kdc_actual     = $master_kdc
+      $admin_server_actual   = $admin_server
+      $kpasswd_server_actual = $kpasswd_server
+    }
+    default : {
+      fail("do not know env '${env}'")
+    }
+  }
+
+  file { $name:
+    content => template('base/kerberos/etc/krb5.conf.erb'),
+  }
+}
--- a/templates/kerberos/etc/krb5.conf.erb
+++ b/templates/kerberos/etc/krb5.conf.erb
+# /etc/krb5.conf -- Kerberos V5 general configuration.
+#
+# This is the standard Kerberos v5 configuration file for all of our
+# servers.  It is based on the Stanford-wide configuration, the canonical
+# version of which is in /usr/pubsw/etc/krb5.conf.
+#
+# This configuration allows any enctypes.  Some systems with really old
+# Kerberos software may have to limit to triple-DES and DES.
+
+[appdefaults]
+    default_lifetime      = 25hrs
+    krb4_convert          = false
+    krb4_convert_524      = false
+
+    ksu = {
+        forwardable       = false
+    }
+
+    pam = {
+        minimum_uid       = 100
+        search_k5login    = true
+        forwardable       = true
+    }
+
+    pam-afs-session = {
+        minimum_uid       = 100
+    }
+
+    libkafs = {
+        IR.STANFORD.EDU = {
+            afs-use-524   = no
+        }
+    }
+
+    passwd_change = {
+        passwd_file       = /afs/ir.stanford.edu/service/etc/passwd.all
+        server            = password-change.stanford.edu
+        port              = 4443
+        service_principal = service/password-change@stanford.edu
+    }
+
+    wallet = {
+        wallet_server     = wallet.stanford.edu
+    }
+
+[libdefaults]
+    default_realm         = <%= @default_realm %>
+    ticket_lifetime       = 25h
+    renew_lifetime        = 7d
+    forwardable           = true
+    noaddresses           = true
+    allow_weak_crypto     = true
+<%- if (@rdns_enabled) then -%>
+    rdns                  = true
+<%- else -%>
+    rdns                  = false
+<%- end -%>
+<% if (@prefer_tcp) then -%>
+    udp_preference_limit  = 1
+<% end -%>
+
+[realms]
+    stanford.edu = {
+<%-
+    @kdcs_actual.each do |kdc|
+-%>
+        kdc            = <%= kdc %>:88
+<%-
+    end
+-%>
+        master_kdc     = <%= @master_kdc_actual %>:88
+        admin_server   = <%= @admin_server_actual %>
+        kpasswd_server = <%= @kpasswd_server_actual %>
+        default_domain = stanford.edu
+        kadmind_port   = 749
+    }
+    heimdal.stanford.edu = {
+        kdc            = kerberos-dev.stanford.edu:88
+        master_kdc     = kerberos-dev.stanford.edu:88
+        admin_server   = kerberos-dev.stanford.edu
+        kpasswd_server = kerberos-dev.stanford.edu
+        kadmind_port   = 749
+    }
+    WIN.STANFORD.EDU = {
+        kdc            = mothra.win.stanford.edu:88
+        kdc            = rodan.win.stanford.edu:88
+        kpasswd_server = mothra.win.stanford.edu
+    }
+    WINUAT.STANFORD.EDU = {
+        kdc            = winuatdc1.winuat.stanford.edu:88
+        kpasswd_server = winuatdc1.winuat.stanford.edu
+    }
+    NT.STANFORD.EDU = {
+        kdc            = ntdc2.nt.stanford.edu:88
+        kdc            = ntdc3.nt.stanford.edu:88
+        kpasswd_server = ntdc2.nt.stanford.edu
+    }
+    GUEST.STANFORD.EDU = {
+        kdc            = guestdc0.guest.stanford.edu:88
+        kdc            = guestdc1.guest.stanford.edu:88
+        kpasswd_server = guestdc0.guest.stanford.edu
+        default_domain = guest.stanford.edu
+    }
+    GUESTUAT.STANFORD.EDU = {
+        kdc            = guestuatdc0.guestuat.stanford.edu:88
+        kdc            = guestuatdc1.guestuat.stanford.edu:88
+        kpasswd_server = guestuatdc0.guestuat.stanford.edu
+        default_domain = guestuat.stanford.edu
+    }
+    CS.STANFORD.EDU = {
+        kdc            = cs-kdc-1.stanford.edu:88
+        kdc            = cs-kdc-2.stanford.edu:88
+        kdc            = cs-kdc-3.stanford.edu:88
+        admin_server   = cs-kdc-1.stanford.edu:749
+    }
+    SLAC.STANFORD.EDU = {
+        kdc            = k5auth1.slac.stanford.edu:88
+        kdc            = k5auth2.slac.stanford.edu:88
+        kdc            = k5auth3.slac.stanford.edu:88
+        admin_server   = k5admin.slac.stanford.edu
+        kpasswd_server = k5passwd.slac.stanford.edu
+        default_domain = slac.stanford.edu
+    }
+    WIN.SLAC.STANFORD.EDU = {
+        kdc            = winmaster2.win.slac.stanford.edu
+        default_domain = win.slac.stanford.edu
+    }
+    ATHENA.MIT.EDU = {
+        kdc            = kerberos.mit.edu:88
+        kdc            = kerberos-1.mit.edu:88
+        kdc            = kerberos-2.mit.edu:88
+        kdc            = kerberos-3.mit.edu:88
+        admin_server   = kerberos.mit.edu
+        default_domain = mit.edu
+    }
+    ISC.ORG = {
+        kdc            = k1.isc.org:88
+        kdc            = k2.isc.org:88
+        admin_server   = k1.isc.org:749
+        default_domain = isc.org
+    }
+    OPENLDAP.ORG = {
+        kdc            = kerberos.openldap.org
+        default_domain = openldap.org
+    }
+    SUCHDAMAGE.ORG = {
+        kdc            = kerberos.suchdamage.org:88
+        admin_server   = kerberos.suchdamage.org:749
+        default_domain = suchdamage.org
+    }
+    VIX.COM = {
+        kdc            = kerberos-0.vix.com:88
+        kdc            = kerberos-1.vix.com:88
+        kdc            = kerberos-2.vix.com:88
+        admin_server   = kerberos-0.vix.com:749
+        default_domain = vix.com
+    }
+    ZEPA.NET = {
+        kdc            = kerberos.zepa.net
+        kdc            = kerberos-too.zepa.net
+        admin_server   = kerberos.zepa.net
+    }
+
+[domain_realm]
+    stanford.edu                = stanford.edu
+    .stanford.edu               = stanford.edu
+    .dc.stanford.org            = stanford.edu
+    .sunet                      = stanford.edu
+    .eyrie.org                  = stanford.edu
+    .killfile.org               = stanford.edu
+    .lpch.net                   = stanford.edu
+    .lpch.org                   = stanford.edu
+    .oit.duke.edu               = stanford.edu
+    win.stanford.edu            = WIN.STANFORD.EDU
+    .win.stanford.edu           = WIN.STANFORD.EDU
+    daper.stanford.edu          = IT.WIN.STANFORD.EDU
+    gsbworkspace.stanford.edu   = IT.WIN.STANFORD.EDU
+    infraappprod.stanford.edu   = IT.WIN.STANFORD.EDU
+    radmed.stanford.edu         = IT.WIN.STANFORD.EDU
+    windows-new.stanford.edu    = IT.WIN.STANFORD.EDU
+    windows.stanford.edu        = IT.WIN.STANFORD.EDU
+    workspace.stanford.edu      = IT.WIN.STANFORD.EDU
+    winuat.stanford.edu         = WINUAT.STANFORD.EDU
+    .winuat.stanford.edu        = WINUAT.STANFORD.EDU
+    nt.stanford.edu             = NT.STANFORD.EDU
+    .nt.stanford.edu            = NT.STANFORD.EDU
+    guest.stanford.edu          = GUEST.STANFORD.EDU
+    .guest.stanford.edu         = GUEST.STANFORD.EDU
+    guest-mgmt.stanford.edu     = GUEST.STANFORD.EDU
+    guest-mgmt2.stanford.edu    = GUEST.STANFORD.EDU
+    guestidmweb.stanford.edu    = GUEST.STANFORD.EDU
+    guestuat.stanford.edu       = GUESTUAT.STANFORD.EDU
+    .guestuat.stanford.edu      = GUESTUAT.STANFORD.EDU
+    guestuat-mgmt.stanford.edu  = GUESTUAT.STANFORD.EDU
+    guestuatidmweb.stanford.edu = GUESTUAT.STANFORD.EDU
+    .slac.stanford.edu          = SLAC.STANFORD.EDU
+    .isc.org                    = ISC.ORG
+    mit.edu                     = ATHENA.MIT.EDU
+    .mit.edu                    = ATHENA.MIT.EDU
+    openldap.org                = OPENLDAP.ORG
+    .openldap.org               = OPENLDAP.ORG
+    whoi.edu                    = ATHENA.MIT.EDU
+    .whoi.edu                   = ATHENA.MIT.EDU
+    .vix.com                    = VIX.COM
+    zepa.net                    = ZEPA.NET
+    .zepa.net                   = ZEPA.NET
+
+[logging]
+    kdc          = SYSLOG:NOTICE
+    admin_server = SYSLOG:NOTICE
+    default      = SYSLOG:NOTICE