From 6ff9582848a2330bf667dd7bf466acd7096d4ec5 Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Mon, 9 Jan 2017 09:26:32 -0800
Subject: [PATCH] add kerberos rdns option

---
 NEWS                             |  8 ++++++++
 manifests/kerberos.pp            | 13 ++++++++++---
 templates/kerberos/krb5.conf.erb |  5 +++++
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index f54209f..73b3931 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+release/005.005 (unreleased)
+
+    [kerberos] Add the option rdns_enabled so that Kerberos can be
+    configured not to require clients to do a reverse DNS lookup on the
+    hostname of a service principal. The default is set to true, so
+    unless specifically overridden to false Kerberos
+    clients will behave as they always have. [adamhl]
+
 release/005.004 (2017-01-09)
 
     [os] Change the exec resource in the 'aptitude' staged
diff --git a/manifests/kerberos.pp b/manifests/kerberos.pp
index 72a8467..8f41cda 100644
--- a/manifests/kerberos.pp
+++ b/manifests/kerberos.pp
@@ -25,10 +25,17 @@
 #   (lookin' at you Java!) work better with TCP. Set this parameter to
 #   "true" to force the client to prefer TCP to UDP.
 #   Default: false
-
+#
+# $rdns_enabled: if 'true' have the Kerberos client do a reverse DNS
+# lookup on the hostname when connecting to a server. This should be set
+# to 'false' if you want the client to be able to connect to services where
+# the service name's IP address PTR record may not match the hostname
+# (e.g., for services running in Amazon Web Services).
+#   Default: true
 class base::kerberos(
-  $prefer_tcp = false,
-  $krb_env    = 'prod',
+  $prefer_tcp   = false,
+  $krb_env      = 'prod',
+  $rdns_enabled = true,
 ){
 
   # We only allow the 'prod', 'uat', and 'test' environments.
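Review bot: `$rdns_enabled` is accepted without any type check, and the new doc comment quotes its values as `'true'`/`'false'`, which suggests callers may pass strings; in the template hunk below, `<%- if (@rdns_enabled) then -%>` treats the non-empty string `'false'` as truthy in Ruby, so such a caller would silently get `rdns = true`. If the module already depends on puppetlabs-stdlib, add `validate_bool($rdns_enabled)` next to the existing environment check that follows this hunk (or declare the parameter as `Boolean $rdns_enabled = true` if the module targets Puppet 4+); the same concern applies to the pre-existing `$prefer_tcp`. The parameter comment could also say why one would turn it off beyond PTR mismatches — reverse lookup canonicalizes the service principal from unauthenticated DNS answers, so `false` is the more conservative setting, not only an AWS convenience. The class body continues past the end of this hunk.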
diff --git a/templates/kerberos/krb5.conf.erb b/templates/kerberos/krb5.conf.erb
index 7f962be..f0494cf 100644
--- a/templates/kerberos/krb5.conf.erb
+++ b/templates/kerberos/krb5.conf.erb
@@ -50,6 +50,11 @@
     forwardable           = true
     noaddresses           = true
     allow_weak_crypto     = true
+<%- if (@rdns_enabled) then -%>
+    rdns                  = true
+<%- else -%>
+    rdns                  = false
+<%- end -%>
 <% if (@prefer_tcp) then -%>
     udp_preference_limit  = 1
 <% end -%>
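Review bot: The new block uses `<%- … -%>` trim markers while the adjacent `prefer_tcp` block two lines below uses `<% … -%>`, so the same template now mixes two styles for the same construct. Since both branches emit the same key and differ only in the value, the five-line if/else can be a single line: `    rdns                  = <%= @rdns_enabled ? 'true' : 'false' %>`, which keeps the current truthiness behaviour and the column alignment of the surrounding settings. If the parameter is later validated as a real boolean in the manifest, `<%= @rdns_enabled %>` alone would suffice.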
-- 
GitLab