cookbook 'krb5', '~> 3.0.0'
krb5
(24) Versions
3.0.0
-
Follow5
Installs and configures Kerberos V authentication
cookbook 'krb5', '~> 3.0.0', :supermarket
knife supermarket install krb5
knife supermarket download krb5
krb5 Cookbook
Description
Installs and configures Kerberos version 5 authentication modules
on RedHat and Debian family systems.
Requirements
Requires some PAM configuration script such as pam-auth-update on Debian
family systems, or authconfig on Redhat family systems. Best effort is
made to use one of these two tools based on detected platform.
You can override krb5['authconfig'] with an execute command, as a string.
Which should configure PAM to use Kerberos on other systems.
You really need to have time synchronized within 5 minutes of your domain
controllers, or key distribution centers. Therefore the recipe depends
on the Chef NTP cookbook. If you have another method of keeping accurate
clocks, change the metadata according to your needs.
Attributes
This cookbook has changed the attribute format and is no longer compatible
with older versions. If you wish to use the older syntax, pin your version
to < 2.0
or switch to the new syntax.
The new format used for template variables consists of krb5[file][section][key] = 'value'
where file is one of krb5_conf
, kadm5_acl
, or kdc_conf
.
Client / Libs
-
krb5['client']['packages']
- Packages and libraries needed for Kerberos v5 authentication, detected for Redhat/Debian family systems. -
krb5['client']['authconfig']
- Configuration script for PAM, detected for RedHat and Debian family systems.
Section: includedir
-
krb5['krb5_conf']['includedir']
- Array of directories to include, in order. Default is empty.
Section: logging
-
krb5['krb5_conf']['logging']['default']
- Default log location. Default, 'FILE:/var/log/krb5libs.log'
Section: libdefaults
-
krb5['krb5_conf']['libdefaults']['default_realm']
- The default realm, defaults to OHAI's domain attribute. -
krb5['krb5_conf']['libdefaults']['dns_lookup_kdc']
- Set to true if you have SRV records for KDC discovery. Default is true. -
krb5['krb5_conf']['libdefaults']['dns_lookup_realm']
- Set to true if you have TXT records for realm discovery. Default is false. -
krb5['krb5_conf']['libdefaults']['forwardable']
- Set to true to make initial credentials forwardable. Default is true. -
krb5['krb5_conf']['libdefaults']['renew_lifetime']
- Default renewable ticket lifetime. Default is24h
. -
krb5['krb5_conf']['libdefaults']['ticket_lifetime']
- Default ticket lifetime. Default is24h
.
Section: realms
-
krb5['krb5_conf']['realms']['default_realm']
- The default realm, defaults tokrb5['krb5_conf']['libdefaults']['default_realm']
-
krb5['krb5_conf']['realms']['default_realm_kdcs']
- Array of Kerberos servers for default realm. Default is empty. -
krb5['krb5_conf']['realms']['default_realm_admin_server']
- Address of Kerberos admin server. Defaults to empty. -
krb5['krb5_conf']['realms']['realms']
- Array of all realms, including the default. Defaults to OHAI's domain attribute.
Section: appdefaults
-
krb5['krb5_conf']['appdefaults']['pam']['debug']
= Set to true to enable PAM/Kerberos debugging. Defaults to false. -
krb5['krb5_conf']['appdefaults']['pam']['forwardable']
- Instruct PAM to create forwardable tickets. Defaults tokrb5['krb5_conf']['libdefaults']['forwardable']
-
krb5['krb5_conf']['appdefaults']['pam']['renew_lifetime']
- Defaults tokrb5['krb5_conf']['libdefaults']['renew_lifetime']
-
krb5['krb5_conf']['appdefaults']['pam']['ticket_lifetime']
- Defaults tokrb5['krb5_conf']['libdefaults']['ticket_lifetime']
-
krb5['krb5_conf']['appdefaults']['pam']['krb4_convert']
- Set to true to use the Kerberos conversion daemon to get V4 tickets. Default is false.
Kerberos Admin Server (kadmind)
-
krb5['kadmin']['packages']
- Packages for Kerberos Admin Server, detected on Redhat/Debian family systems. -
krb5['master_password']
- Master password for Kerberos database. Default ispassword
. (Please, change this!) -
krb5['admin_principal']
- Principal to create for administration. Default isadmin/admin
. -
krb5['admin_password']
- Password for admin principal. Default ispassword
. (Please, change this!)
Section: logging
-
krb5['krb5_conf']['logging']['admin_server']
- Kerberos Admin Server log location. Default, 'FILE:/var/log/kadmind.log'
kadm5.acl
-
krb5['kadm5_acl'][principal]
- Sets up ACLs forprincipal
. Default is"*/admin@#{node['krb5']['krb5_conf']['libdefaults']['default_realm'].upcase}" => ['*']
KDC and kdc.conf
-
krb5['kdc']['packages']
- Packages needed for a KDC, detected for Redhat/Debian family systems.
Section: logging
-
krb5['krb5_conf']['logging']['kdc']
- KDC log location. Default, 'FILE:/var/log/krb5kdc.log'
Section: kdcdefaults
-
krb5['kdc_conf']['kdcdefaults']['kdc_ports']
- Set KDC listen ports. Default is88
.
Section: realms
-
krb5['kdc_conf']['realms'][realm]['acl_file']
- Location of kadmind ACL file forrealm
. Defaults todefault_realm
. -
krb5['kdc_conf']['realms'][realm]['admin_keytab']
- Location of admin keytab file forrealm
. Defaults todefault_realm
.
Usage
Here are two example roles to be used with this recipe. The first, is
a single realm configuration, using the OHAI domain attribute for the realm.
name "krb5_domain"
description "Configures Kerberos 5 Authentication for domain realm"
override_attributes "krb5" => {
"krb5_conf" => {
"realms" => {
"default_realm_kdcs" => [
"kdc1.example.com",
"kdc2.example.com",
"kdc3.example.com"
]
}
}
}
run_list "recipe[krb5]"
The second example is a role for multiple Kerberos realms.
name "krb5_multirealm"
description "Configures Kerberos 5 Authentication for example.com and example.org realm"
override_attributes "krb5" => {
"krb5_conf" => {
"libdefaults" => {
"default_realm" => "example.com",
"dns_lookup_kdc" => "true"
},
"realms" => {
"realms" => [
"example.com",
"example.org"
],
"default_realm_kdcs" => [
"kdc1.example.com",
"kdc2.example.com",
"kdc3.example.com"
],
}
}
}
run_list "recipe[krb5]"
License and Authors
Author:: Eric G. Wolfe
Author:: Chris Gianelloni
Copyright:: © 2012-2014 Eric G. Wolfe
Copyright:: © 2014-2015 Cask Data, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License
krb5 cookbook
v3.0.0
*** Breaking Change ***
This version of the cookbook is no longer compatible with Chef versions older than 12.15
- Convert LWRPs to custom resources #49
v2.6.0
- Make authconfig optional #50
v2.5.0
- Use kitchen-dokken instead of kitchen-virtualbox
- Split KDC DB to its own recipe
v2.4.0
- Support multiple DNS mappings to a realm
- Change password echos via @JaBurd
v2.3.0
- Conditionally restart KDC on config change
- Update how we default kadmind and KDC services
v2.2.3
- Restore functionality in "find" helpers
v2.2.2
- Add a service for kpropd
- Update testing framework (ChefDK)
v2.2.1
- Fix typo is guard around senstive in krb5_keytab
- Update testing framework (Gemfile/Berksfile)
v2.2.0
- Before creating keytab, kinit as admin user
v2.1.0
- Include ntp::default in default recipe
- Remove extra whitespace to appease the almighty Rubocop
v2.0.2
- Remove default from name_property for GitHub issue #26
- The execute[create-krb5-db] resource creates the DB file
- Update Gem/cookbook restrictions and rubocop configuration
- Support includedir directive
v2.0.1
- Make execute block sensitive
- Authconfig Execute w/ Test via @joerocklin
- Only use compile_time on chef_gem when defined
- Only use sensitive on execute when defined
- Control expected service state via attribute
- Only close rkerberos objects when defined
- Install build dependencies for rkerberos gem
v2.0.0
- Remove deprecated attribute support
- Remove testing vendored gems via rubocop
v1.1.0
- Remove ChefSpec deprecation warnings
- Use container-based Travis CI infrastructure
- Add missing tests for 100% coverage
- LWRP for krb5_keytab and krb5_principal
v1.0.4
- Fix default realm attributes properly
v1.0.3
- Cleanups for Rubocop
- Switch to CentOS 6.5 in ChefSpec
v1.0.2
- Update README to new attribute layout via @joraff
- Simplify default realm configuration
v1.0.1
- Fix a bug with the new default realm attributes
v1.0.0
- Switch to attribute-driven templates
- Add support for KDC and kadmind
- Add Chef ntp cookbook to dependencies
- Add Vagrantfile for direct Vagrant testing
v0.2.0
- Support for different logging options
- Add rubocop, foodcritic, and chefspec tests
v0.1.0
- Support more options: forwardable, ticket/renew_lifetime via @jblaine
- Add support for Suse via @jackl0phty
v0.0.7
- Correct brackets on not_if conditional
v0.0.6
- Depend on Opscode NTP cookbook for accurate clocks
v0.0.2
- Public release of krb5 cookbook
Collaborator Number Metric
3.0.0 failed this metric
Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
3.0.0 failed this metric
FC122: Use the build_essential resource instead of the recipe: krb5/recipes/rkerberos_gem.rb:20
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
3.0.0 passed this metric
Testing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
3.0.0 failed this metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
3.0.0 failed this metric
FC122: Use the build_essential resource instead of the recipe: krb5/recipes/rkerberos_gem.rb:20
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
3.0.0 passed this metric
Testing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
3.0.0 failed this metric
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
3.0.0 passed this metric
Testing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
3.0.0 failed this metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number