krb5 (24) Versions 3.0.0

Installs and configures Kerberos V authentication

cookbook 'krb5', '~> 3.0.0', :supermarket
cookbook 'krb5', '~> 3.0.0'
knife supermarket install krb5
knife supermarket download krb5
Quality 17%

krb5 Cookbook


Installs and configures Kerberos version 5 authentication modules
on RedHat and Debian family systems.


Requires a PAM configuration script, such as pam-auth-update on Debian
family systems or authconfig on RedHat family systems. A best effort is
made to use one of these two tools based on the detected platform.

On other systems, you can override krb5['authconfig'] with an execute
command, given as a string, that configures PAM to use Kerberos.

Kerberos needs the clock synchronized to within 5 minutes of your domain
controllers or key distribution centers. The recipe therefore depends
on the Chef NTP cookbook. If you have another method of keeping accurate
clocks, change the metadata according to your needs.


This cookbook has changed the attribute format and is no longer compatible
with older versions. If you wish to use the older syntax, pin your version
to < 2.0 or switch to the new syntax.

The new format used for template variables consists of krb5[file][section][key] = 'value' where file is one of krb5_conf, kadm5_acl, or kdc_conf.

Client / Libs

  • krb5['client']['packages'] - Packages and libraries needed for Kerberos v5 authentication, detected for RedHat/Debian family systems.
  • krb5['client']['authconfig'] - Configuration script for PAM, detected for RedHat and Debian family systems.

Section: includedir

  • krb5['krb5_conf']['includedir'] - Array of directories to include, in order. Default is empty.

Section: logging

  • krb5['krb5_conf']['logging']['default'] - Default log location. Default, 'FILE:/var/log/krb5libs.log'

Section: libdefaults

  • krb5['krb5_conf']['libdefaults']['default_realm'] - The default realm, defaults to OHAI's domain attribute.
  • krb5['krb5_conf']['libdefaults']['dns_lookup_kdc'] - Set to true if you have SRV records for KDC discovery. Default is true.
  • krb5['krb5_conf']['libdefaults']['dns_lookup_realm'] - Set to true if you have TXT records for realm discovery. Default is false.
  • krb5['krb5_conf']['libdefaults']['forwardable'] - Set to true to make initial credentials forwardable. Default is true.
  • krb5['krb5_conf']['libdefaults']['renew_lifetime'] - Default renewable ticket lifetime. Default is 24h.
  • krb5['krb5_conf']['libdefaults']['ticket_lifetime'] - Default ticket lifetime. Default is 24h.

Section: realms

  • krb5['krb5_conf']['realms']['default_realm'] - The default realm, defaults to krb5['krb5_conf']['libdefaults']['default_realm']
  • krb5['krb5_conf']['realms']['default_realm_kdcs'] - Array of Kerberos servers for default realm. Default is empty.
  • krb5['krb5_conf']['realms']['default_realm_admin_server'] - Address of Kerberos admin server. Defaults to empty.
  • krb5['krb5_conf']['realms']['realms'] - Array of all realms, including the default. Defaults to OHAI's domain attribute.

Section: appdefaults

  • krb5['krb5_conf']['appdefaults']['pam']['debug'] - Set to true to enable PAM/Kerberos debugging. Defaults to false.
  • krb5['krb5_conf']['appdefaults']['pam']['forwardable'] - Instruct PAM to create forwardable tickets. Defaults to krb5['krb5_conf']['libdefaults']['forwardable']
  • krb5['krb5_conf']['appdefaults']['pam']['renew_lifetime'] - Defaults to krb5['krb5_conf']['libdefaults']['renew_lifetime']
  • krb5['krb5_conf']['appdefaults']['pam']['ticket_lifetime'] - Defaults to krb5['krb5_conf']['libdefaults']['ticket_lifetime']
  • krb5['krb5_conf']['appdefaults']['pam']['krb4_convert'] - Set to true to use the Kerberos conversion daemon to get V4 tickets. Default is false.

Kerberos Admin Server (kadmind)

  • krb5['kadmin']['packages'] - Packages for Kerberos Admin Server, detected on RedHat/Debian family systems.
  • krb5['master_password'] - Master password for Kerberos database. Default is password. (Please, change this!)
  • krb5['admin_principal'] - Principal to create for administration. Default is admin/admin.
  • krb5['admin_password'] - Password for admin principal. Default is password. (Please, change this!)

Section: logging

  • krb5['krb5_conf']['logging']['admin_server'] - Kerberos Admin Server log location. Default, 'FILE:/var/log/kadmind.log'


  • krb5['kadm5_acl'][principal] - Sets up ACLs for principal. Default is "*/admin@#{node['krb5']['krb5_conf']['libdefaults']['default_realm'].upcase}" => ['*']
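
The kadmind defaults listed above ship with a published password and a wildcard ACL, so it is worth checking a role's overrides before the first converge. The following is an added example, not part of the krb5 cookbook: audit_krb5, deep_merge, the DEFAULTS table and the EXAMPLE.COM realm are assumptions made for illustration.

```ruby
# Added example, not cookbook code. DEFAULTS copies the defaults documented
# on this page; the EXAMPLE.COM realm in the ACL key is a constructed value.
DEFAULTS = {
  'master_password' => 'password',
  'admin_principal' => 'admin/admin',
  'admin_password'  => 'password',
  'krb5_conf' => {
    'appdefaults' => { 'pam' => { 'debug' => false, 'krb4_convert' => false } }
  },
  'kadm5_acl' => { '*/admin@EXAMPLE.COM' => ['*'] }
}.freeze

# Recursively merge role overrides over the defaults; the override wins.
def deep_merge(base, over)
  base.merge(over) do |_key, a, b|
    a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b
  end
end

# Returns [severity, attribute, message] triples for settings to fix or review.
def audit_krb5(overrides = {})
  attrs = deep_merge(DEFAULTS, overrides)
  findings = []
  %w[master_password admin_password].each do |key|
    value = attrs[key].to_s
    next unless value.empty? || value == DEFAULTS[key]
    findings << [:fail, "krb5['#{key}']", 'empty or published default password']
  end
  pam = attrs.dig('krb5_conf', 'appdefaults', 'pam') || {}
  # Attribute values may arrive as booleans or as strings such as "true".
  if pam['krb4_convert'].to_s == 'true'
    findings << [:warn, 'pam krb4_convert', 'requests obsolete Kerberos V4 tickets']
  end
  if pam['debug'].to_s == 'true'
    findings << [:warn, 'pam debug', 'PAM/Kerberos debugging is enabled']
  end
  (attrs['kadm5_acl'] || {}).each do |principal, perms|
    next unless principal.include?('*') && Array(perms).include?('*')
    findings << [:review, "krb5['kadm5_acl']['#{principal}']",
                 'wildcard principal holds every kadmin privilege']
  end
  findings
end

audit_krb5.each { |sev, attr, msg| puts "#{sev.to_s.upcase}: #{attr}: #{msg}" } if $PROGRAM_NAME == __FILE__
```

Pass the "krb5" hash from a role's override_attributes to audit_krb5; an empty argument audits the documented defaults.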

KDC and kdc.conf

  • krb5['kdc']['packages'] - Packages needed for a KDC, detected for RedHat/Debian family systems.

Section: logging

  • krb5['krb5_conf']['logging']['kdc'] - KDC log location. Default, 'FILE:/var/log/krb5kdc.log'

Section: kdcdefaults

  • krb5['kdc_conf']['kdcdefaults']['kdc_ports'] - Set KDC listen ports. Default is 88.

Section: realms

  • krb5['kdc_conf']['realms'][realm]['acl_file'] - Location of kadmind ACL file for realm. Defaults to default_realm.
  • krb5['kdc_conf']['realms'][realm]['admin_keytab'] - Location of admin keytab file for realm. Defaults to default_realm.


Here are two example roles to be used with this recipe. The first is
a single realm configuration, using the OHAI domain attribute for the realm.

name "krb5_domain"
description "Configures Kerberos 5 Authentication for domain realm"
override_attributes "krb5" => {
  "krb5_conf" => {
    "realms" => {
      "default_realm_kdcs" => [
        # list the default realm's KDC hostnames here
      ]
    }
  }
}
run_list "recipe[krb5]"

The second example is a role for multiple Kerberos realms.

name "krb5_multirealm"
description "Configures Kerberos 5 Authentication for and realm"
override_attributes "krb5" => {
  "krb5_conf" => {
    "libdefaults" => {
      "default_realm" => "",
      "dns_lookup_kdc" => "true"
    },
    "realms" => {
      "realms" => [
        # list every realm here, including the default
      ],
      "default_realm_kdcs" => [
        # list the default realm's KDC hostnames here
      ]
    }
  }
}
run_list "recipe[krb5]"

License and Authors

Author:: Eric G. Wolfe

Author:: Chris Gianelloni

Copyright:: © 2012-2014 Eric G. Wolfe

Copyright:: © 2014-2015 Cask Data, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License

krb5 cookbook


*** Breaking Change ***
This version of the cookbook is no longer compatible with Chef versions older than 12.15

  • Convert LWRPs to custom resources #49


  • Make authconfig optional #50


  • Use kitchen-dokken instead of kitchen-virtualbox
  • Split KDC DB to its own recipe


  • Support multiple DNS mappings to a realm
  • Change password echos via @JaBurd


  • Conditionally restart KDC on config change
  • Update how we default kadmind and KDC services


  • Restore functionality in "find" helpers


  • Add a service for kpropd
  • Update testing framework (ChefDK)


  • Fix typo in guard around sensitive in krb5_keytab
  • Update testing framework (Gemfile/Berksfile)


  • Before creating keytab, kinit as admin user


  • Include ntp::default in default recipe
  • Remove extra whitespace to appease the almighty Rubocop


  • Remove default from name_property for GitHub issue #26
  • The execute[create-krb5-db] resource creates the DB file
  • Update Gem/cookbook restrictions and rubocop configuration
  • Support includedir directive


  • Make execute block sensitive
  • Authconfig Execute w/ Test via @joerocklin
  • Only use compile_time on chef_gem when defined
  • Only use sensitive on execute when defined
  • Control expected service state via attribute
  • Only close rkerberos objects when defined
  • Install build dependencies for rkerberos gem


  • Remove deprecated attribute support
  • Remove testing vendored gems via rubocop


  • Remove ChefSpec deprecation warnings
  • Use container-based Travis CI infrastructure
  • Add missing tests for 100% coverage
  • LWRP for krb5_keytab and krb5_principal


  • Fix default realm attributes properly


  • Cleanups for Rubocop
  • Switch to CentOS 6.5 in ChefSpec


  • Update README to new attribute layout via @joraff
  • Simplify default realm configuration


  • Fix a bug with the new default realm attributes


  • Switch to attribute-driven templates
  • Add support for KDC and kadmind
  • Add Chef ntp cookbook to dependencies
  • Add Vagrantfile for direct Vagrant testing


  • Support for different logging options
  • Add rubocop, foodcritic, and chefspec tests


  • Support more options: forwardable, ticket/renew_lifetime via @jblaine
  • Add support for Suse via @jackl0phty


  • Correct brackets on not_if conditional


  • Depend on Opscode NTP cookbook for accurate clocks


  • Public release of krb5 cookbook

Collaborator Number Metric

3.0.0 failed this metric

Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

3.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Foodcritic Metric

3.0.0 failed this metric

FC122: Use the build_essential resource instead of the recipe: krb5/recipes/rkerberos_gem.rb:20
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

No Binaries Metric

3.0.0 passed this metric

Testing File Metric

3.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Version Tag Metric

3.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must include a tag that matches this cookbook version number