From 791e9c07fcaf46639a2952ce6f80be25fdb30a8d Mon Sep 17 00:00:00 2001
From: Karl Kornel <akkornel@stanford.edu>
Date: Tue, 18 Aug 2015 23:29:56 -0700
Subject: [PATCH] base::kerberos: Automatically detect if we are in Livermore.

If the system's primary IP address is in one of the two well-known Livermore
netblocks, then automatically set the Livermore-based Kerberos server as the
primary KDC.

base::kerberos::dr is now deprecated.
---
 NEWS                         |   6 +
 files/kerberos/etc/krb5.conf | 213 -----------------------------------
 manifests/kerberos.pp        |  18 ++-
 3 files changed, 18 insertions(+), 219 deletions(-)
 delete mode 100644 files/kerberos/etc/krb5.conf

diff --git a/NEWS b/NEWS
index 85a1dfc..36d581e 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,12 @@ Unreleased
     [dns] Changes Livermore detection to use the system's primary IP address, 
     instead of using a manually-set parameter. (akkornel)
 
+    [kerberos] Automatically determine if we are in Livermore; if we are, place 
+    the Livermore-based KDC at the top of the list. (akkornel)
+
+    Clients who are using the base::kerberos::dr class should immediately switch
+    to using base::kerberos.  base::kerberos::dr is deprecated.
+
 release/004.053 (2015-07-28)
 
     [rpm] Adding a dag-EL7.repo file so that EL7 hosts can get a
diff --git a/files/kerberos/etc/krb5.conf b/files/kerberos/etc/krb5.conf
deleted file mode 100644
index c038751..0000000
--- a/files/kerberos/etc/krb5.conf
+++ /dev/null
@@ -1,213 +0,0 @@
-# /etc/krb5.conf -- Kerberos V5 general configuration.
-#
-# This is the standard Kerberos v5 configuration file for all of our
-# servers.  It is based on the Stanford-wide configuration, the canonical
-# version of which is in /usr/pubsw/etc/krb5.conf.
-#
-# This configuration allows any enctypes.  Some systems with really old
-# Kerberos software may have to limit to triple-DES and DES.
-
-[appdefaults]
-    default_lifetime      = 25hrs
-    krb4_convert          = false
-    krb4_convert_524      = false
-
-    ksu = {
-        forwardable       = false
-    }
-
-    pam = {
-        minimum_uid       = 100
-        search_k5login    = true
-        forwardable       = true
-    }
-
-    pam-afs-session = {
-        minimum_uid       = 100
-    }
-
-    libkafs = {
-        IR.STANFORD.EDU = {
-            afs-use-524   = no
-        }
-    }
-
-    passwd_change = {
-        passwd_file       = /afs/ir.stanford.edu/service/etc/passwd.all
-        server            = password-change.stanford.edu
-        port              = 4443
-        service_principal = service/password-change@stanford.edu
-    }
-
-    wallet = {
-        wallet_server     = wallet.stanford.edu
-    }
-
-[libdefaults]
-    default_realm         = stanford.edu
-    ticket_lifetime       = 25h
-    renew_lifetime        = 7d
-    forwardable           = true
-    noaddresses           = true
-    allow_weak_crypto     = true
-
-[realms]
-    stanford.edu = {
-        kdc            = krb5auth1.stanford.edu:88
-        kdc            = krb5auth2.stanford.edu:88
-        kdc            = krb5auth3.stanford.edu:88
-        master_kdc     = krb5auth1.stanford.edu:88
-        admin_server   = krb5-admin.stanford.edu
-        kpasswd_server = krb5-admin.stanford.edu
-        default_domain = stanford.edu
-        kadmind_port   = 749
-    }
-    heimdal.stanford.edu = {
-        kdc            = kerberos-dev.stanford.edu:88
-        master_kdc     = kerberos-dev.stanford.edu:88
-        admin_server   = kerberos-dev.stanford.edu
-        kpasswd_server = kerberos-dev.stanford.edu
-        kadmind_port   = 749
-    }
-    WIN.STANFORD.EDU = {
-        kdc            = mothra.win.stanford.edu:88
-        kdc            = rodan.win.stanford.edu:88
-        kpasswd_server = mothra.win.stanford.edu
-    }
-    MS.STANFORD.EDU = {
-        kdc            = msdc0.ms.stanford.edu:88
-        kdc            = msdc1.ms.stanford.edu:88
-        kpasswd_server = msdc0.ms.stanford.edu
-    }
-    NT.STANFORD.EDU = {
-        kdc            = ntdc2.nt.stanford.edu:88
-        kdc            = ntdc3.nt.stanford.edu:88
-        kpasswd_server = ntdc2.nt.stanford.edu
-    }
-    GUEST.STANFORD.EDU = {
-        kdc            = guestdc0.guest.stanford.edu:88
-        kdc            = guestdc1.guest.stanford.edu:88
-        kpasswd_server = guestdc0.guest.stanford.edu
-        default_domain = guest.stanford.edu
-    }
-    GUESTUAT.STANFORD.EDU = {
-        kdc            = guestuatdc0.guestuat.stanford.edu:88
-        kdc            = guestuatdc1.guestuat.stanford.edu:88
-        kpasswd_server = guestuatdc0.guestuat.stanford.edu
-        default_domain = guestuat.stanford.edu
-    }
-    CS.STANFORD.EDU = {
-        kdc            = cs-kdc-1.stanford.edu:88
-        kdc            = cs-kdc-2.stanford.edu:88
-        kdc            = cs-kdc-3.stanford.edu:88
-        admin_server   = cs-kdc-1.stanford.edu:749
-    }
-    SLAC.STANFORD.EDU = {
-        kdc            = k5auth1.slac.stanford.edu:88
-        kdc            = k5auth2.slac.stanford.edu:88
-        kdc            = k5auth3.slac.stanford.edu:88
-        admin_server   = k5admin.slac.stanford.edu
-        kpasswd_server = k5passwd.slac.stanford.edu
-        default_domain = slac.stanford.edu
-    }
-    WIN.SLAC.STANFORD.EDU = {
-        kdc            = dc01.slac.stanford.edu:88
-        kdc            = dc02.slac.stanford.edu:88
-        kdc            = dc03.slac.stanford.edu:88
-        master_kdc     = dc01.slac.stanford.edu:88
-        admin_server   = dc01.slac.stanford.edu
-        default_domain = win.slac.stanford.edu
-    }
-    ATHENA.MIT.EDU = {
-        kdc            = kerberos.mit.edu:88
-        kdc            = kerberos-1.mit.edu:88
-        kdc            = kerberos-2.mit.edu:88
-        kdc            = kerberos-3.mit.edu:88
-        admin_server   = kerberos.mit.edu
-        default_domain = mit.edu
-    }
-    ISC.ORG = {
-        kdc            = k1.isc.org:88
-        kdc            = k2.isc.org:88
-        admin_server   = k1.isc.org:749
-        default_domain = isc.org
-    }
-    OPENLDAP.ORG = {
-        kdc            = kerberos.openldap.org
-        default_domain = openldap.org
-    }
-    SUCHDAMAGE.ORG = {
-        kdc            = kerberos.suchdamage.org:88
-        admin_server   = kerberos.suchdamage.org:749
-        default_domain = suchdamage.org
-    }
-    VIX.COM = {
-        kdc            = kerberos-0.vix.com:88
-        kdc            = kerberos-1.vix.com:88
-        kdc            = kerberos-2.vix.com:88
-        admin_server   = kerberos-0.vix.com:749
-        default_domain = vix.com
-    }
-    ZEPA.NET = {
-        kdc            = kerberos.zepa.net
-        kdc            = kerberos-too.zepa.net
-        admin_server   = kerberos.zepa.net
-    }
-
-[domain_realm]
-    stanford.edu                = stanford.edu
-    .stanford.edu               = stanford.edu
-    .dc.stanford.org            = stanford.edu
-    .sunet                      = stanford.edu
-    .eyrie.org                  = stanford.edu
-    .killfile.org               = stanford.edu
-    .lpch.net                   = stanford.edu
-    .lpch.org                   = stanford.edu
-    .oit.duke.edu               = stanford.edu
-    win.stanford.edu            = WIN.STANFORD.EDU
-    .win.stanford.edu           = WIN.STANFORD.EDU
-    atragon.stanford.edu        = WIN.STANFORD.EDU
-    itcert.stanford.edu         = WIN.STANFORD.EDU
-    daper.stanford.edu          = IT.WIN.STANFORD.EDU
-    gsbworkspace.stanford.edu   = IT.WIN.STANFORD.EDU
-    infraappprod.stanford.edu   = IT.WIN.STANFORD.EDU
-    radmed.stanford.edu         = IT.WIN.STANFORD.EDU
-    windows-new.stanford.edu    = IT.WIN.STANFORD.EDU
-    windows.stanford.edu        = IT.WIN.STANFORD.EDU
-    workspace.stanford.edu      = IT.WIN.STANFORD.EDU
-    ms.stanford.edu             = MS.STANFORD.EDU
-    .ms.stanford.edu            = MS.STANFORD.EDU
-    mscert1.stanford.edu        = MS.STANFORD.EDU
-    msweb2.stanford.edu         = EX.MS.STANFORD.EDU
-    windows-ms.stanford.edu     = EX.MS.STANFORD.EDU
-    nt.stanford.edu             = NT.STANFORD.EDU
-    .nt.stanford.edu            = NT.STANFORD.EDU
-    ntcert1.stanford.edu        = NT.STANFORD.EDU
-    ntweb2.stanford.edu         = TYR.NT.STANFORD.EDU
-    windows-nt.stanford.edu     = TYR.NT.STANFORD.EDU
-    guest.stanford.edu          = GUEST.STANFORD.EDU
-    .guest.stanford.edu         = GUEST.STANFORD.EDU
-    guest-mgmt.stanford.edu     = GUEST.STANFORD.EDU
-    guest-mgmt2.stanford.edu    = GUEST.STANFORD.EDU
-    guestidmweb.stanford.edu    = GUEST.STANFORD.EDU
-    guestuat.stanford.edu       = GUESTUAT.STANFORD.EDU
-    .guestuat.stanford.edu      = GUESTUAT.STANFORD.EDU
-    guestuat-mgmt.stanford.edu  = GUESTUAT.STANFORD.EDU
-    guestuatidmweb.stanford.edu = GUESTUAT.STANFORD.EDU
-    .slac.stanford.edu          = SLAC.STANFORD.EDU
-    .win.slac.stanford.edu      = WIN.SLAC.STANFORD.EDU
-    .isc.org                    = ISC.ORG
-    mit.edu                     = ATHENA.MIT.EDU
-    .mit.edu                    = ATHENA.MIT.EDU
-    openldap.org                = OPENLDAP.ORG
-    .openldap.org               = OPENLDAP.ORG
-    whoi.edu                    = ATHENA.MIT.EDU
-    .whoi.edu                   = ATHENA.MIT.EDU
-    .vix.com                    = VIX.COM
-    zepa.net                    = ZEPA.NET
-    .zepa.net                   = ZEPA.NET
-
-[logging]
-    kdc          = SYSLOG:NOTICE
-    admin_server = SYSLOG:NOTICE
-    default      = SYSLOG:NOTICE
diff --git a/manifests/kerberos.pp b/manifests/kerberos.pp
index 35321e6..44dd729 100644
--- a/manifests/kerberos.pp
+++ b/manifests/kerberos.pp
@@ -16,16 +16,22 @@ class base::kerberos {
     }
   }
 
+  # Check to see if we are in Livermore right now
+  if (   ip_in_cidr($::ipaddress, '204.63.224.0/21')
+      or ip_in_cidr($::ipaddress, '172.20.224.0/21')
+  ) {
+    $drSite = 'yes'
+  }
+
   # Basic Kerberos configuration.
   file { '/etc/krb5.conf':
-    source => 'puppet:///modules/base/kerberos/etc/krb5.conf',
+    content => template('base/kerberos/krb5.conf.erb')
   }
 }
 
+# base::kerberos::dr is no longer needed, because it's functionality has been
+# implemented in base::kerberos.
+# Thie class should eventually start failing Puppet builds, and eventually be
+# removed altogether.
 class base::kerberos::dr inherits base::kerberos {
-  $drSite = 'yes'
-  File['/etc/krb5.conf'] {
-    source  => undef,
-    content => template('base/kerberos/krb5.conf.erb')
-  }
 }
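Review bot: `$drSite` is now assigned only inside the Livermore branch, so on every other host the template `base/kerberos/krb5.conf.erb` is rendered with the variable unset — new territory, because before this change the template was only ever rendered from `base::kerberos::dr`, where `$drSite` was always `'yes'`, and if `strict_variables` is enabled an unset variable fails the catalog (the template itself is not in this patch, so how it treats a nil `@drSite` cannot be checked here). Give the variable a value on both paths, e.g. append `} else { $drSite = 'no' }` to the `if`, or collapse it into a selector: `$drSite = (ip_in_cidr($::ipaddress, '204.63.224.0/21') or ip_in_cidr($::ipaddress, '172.20.224.0/21')) ? { true => 'yes', default => 'no' }`. The detection keys off `$::ipaddress`, a single client-reported fact for whichever interface Facter picks as primary, and `172.20.224.0/21` is RFC 1918 space, so a host whose primary interface happens to carry an address from that private range outside Livermore would be handed the DR KDC first; a comment such as `# 172.20.224.0/21 is private address space; assumes it is only routed in Livermore` would record that assumption for the next maintainer. The now-empty `base::kerberos::dr` could also emit `warning('base::kerberos::dr is deprecated; include base::kerberos instead')` so the deprecation shows up in compile logs, and its new comment has two typos (`it's` → `its`, `Thie` → `This`). The enclosing `class base::kerberos` starts before the hunk.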
-- 
GitLab