
cookbook-krb5's Introduction

krb5 Cookbook


Description

Installs and configures Kerberos version 5 authentication modules on RedHat and Debian family systems.

Requirements

Requires some PAM configuration script such as pam-auth-update on Debian family systems, or authconfig on Redhat family systems. Best effort is made to use one of these two tools based on detected platform.

You can override krb5['authconfig'] with an execute command, given as a string, which should configure PAM to use Kerberos on other systems.

You really need to have time synchronized to within 5 minutes of your domain controllers or key distribution centers; Kerberos rejects tickets outside that clock skew. Therefore the recipe depends on the Chef NTP cookbook. If you have another method of keeping accurate clocks, change the metadata according to your needs.

Attributes

This cookbook has changed the attribute format and is no longer compatible with older versions. If you wish to use the older syntax, pin your version to < 2.0 or switch to the new syntax.

The new format used for template variables consists of krb5[file][section][key] = 'value' where file is one of krb5_conf, kadm5_acl, or kdc_conf.

Client / Libs

  • krb5['client']['packages'] - Packages and libraries needed for Kerberos v5 authentication, detected for Redhat/Debian family systems.
  • krb5['client']['authconfig'] - Configuration script for PAM, detected for RedHat and Debian family systems.

Section: includedir

  • krb5['krb5_conf']['includedir'] - Array of directories to include, in order. Default is empty.

Section: logging

  • krb5['krb5_conf']['logging']['default'] - Default log location. Default, 'FILE:/var/log/krb5libs.log'

Section: libdefaults

  • krb5['krb5_conf']['libdefaults']['default_realm'] - The default realm, defaults to OHAI's domain attribute.
  • krb5['krb5_conf']['libdefaults']['dns_lookup_kdc'] - Set to true if you have SRV records for KDC discovery. Default is true.
  • krb5['krb5_conf']['libdefaults']['dns_lookup_realm'] - Set to true if you have TXT records for realm discovery. Default is false.
  • krb5['krb5_conf']['libdefaults']['forwardable'] - Set to true to make initial credentials forwardable. Default is true.
  • krb5['krb5_conf']['libdefaults']['renew_lifetime'] - Default renewable ticket lifetime. Default is 24h.
  • krb5['krb5_conf']['libdefaults']['ticket_lifetime'] - Default ticket lifetime. Default is 24h.

Section: realms

  • krb5['krb5_conf']['realms']['default_realm'] - The default realm, defaults to krb5['krb5_conf']['libdefaults']['default_realm']
  • krb5['krb5_conf']['realms']['default_realm_kdcs'] - Array of Kerberos servers for default realm. Default is empty.
  • krb5['krb5_conf']['realms']['default_realm_admin_server'] - Address of Kerberos admin server. Defaults to empty.
  • krb5['krb5_conf']['realms']['realms'] - Array of all realms, including the default. Defaults to OHAI's domain attribute.

Section: appdefaults

  • krb5['krb5_conf']['appdefaults']['pam']['debug'] - Set to true to enable PAM/Kerberos debugging. Defaults to false.
  • krb5['krb5_conf']['appdefaults']['pam']['forwardable'] - Instruct PAM to create forwardable tickets. Defaults to krb5['krb5_conf']['libdefaults']['forwardable']
  • krb5['krb5_conf']['appdefaults']['pam']['renew_lifetime'] - Defaults to krb5['krb5_conf']['libdefaults']['renew_lifetime']
  • krb5['krb5_conf']['appdefaults']['pam']['ticket_lifetime'] - Defaults to krb5['krb5_conf']['libdefaults']['ticket_lifetime']
  • krb5['krb5_conf']['appdefaults']['pam']['krb4_convert'] - Set to true to use the Kerberos conversion daemon to get V4 tickets. Default is false.

Kerberos Admin Server (kadmind)

  • krb5['kadmin']['packages'] - Packages for Kerberos Admin Server, detected on Redhat/Debian family systems.
  • krb5['master_password'] - Master password for Kerberos database. Default is password. (Please, change this!)
  • krb5['admin_principal'] - Principal to create for administration. Default is admin/admin.
  • krb5['admin_password'] - Password for admin principal. Default is password. (Please, change this!)

Section: logging

  • krb5['krb5_conf']['logging']['admin_server'] - Kerberos Admin Server log location. Default, 'FILE:/var/log/kadmind.log'

kadm5.acl

  • krb5['kadm5_acl'][principal] - Sets up ACLs for principal. Default is "*/admin@#{node['krb5']['krb5_conf']['libdefaults']['default_realm'].upcase}" => ['*']

KDC and kdc.conf

  • krb5['kdc']['packages'] - Packages needed for a KDC, detected for Redhat/Debian family systems.

Section: logging

  • krb5['krb5_conf']['logging']['kdc'] - KDC log location. Default, 'FILE:/var/log/krb5kdc.log'

Section: kdcdefaults

  • krb5['kdc_conf']['kdcdefaults']['kdc_ports'] - Set KDC listen ports. Default is 88.

Section: realms

  • krb5['kdc_conf']['realms'][realm]['acl_file'] - Location of kadmind ACL file for realm. Defaults to default_realm.
  • krb5['kdc_conf']['realms'][realm]['admin_keytab'] - Location of admin keytab file for realm. Defaults to default_realm.

Usage

Here are two example roles to be used with this recipe. The first is a single realm configuration, using the OHAI domain attribute for the realm.

name "krb5_domain"
description "Configures Kerberos 5 Authentication for domain realm"
override_attributes "krb5" => {
  "krb5_conf" => {
    "realms" => {
      "default_realm_kdcs" => [
        "kdc1.example.com",
        "kdc2.example.com",
        "kdc3.example.com"
      ]
    }
  }
}
run_list "recipe[krb5]"

The second example is a role for multiple Kerberos realms.

name "krb5_multirealm"
description "Configures Kerberos 5 Authentication for example.com and example.org realm"
override_attributes "krb5" => {
  "krb5_conf" => {
    "libdefaults" => {
      "default_realm" => "example.com",
      "dns_lookup_kdc" => "true"
    },
    "realms" => {
      "realms" => [
        "example.com",
        "example.org"
      ],
      "default_realm_kdcs" => [
        "kdc1.example.com",
        "kdc2.example.com",
        "kdc3.example.com"
      ]
    }
  }
}
run_list "recipe[krb5]"
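To make the krb5[file][section][key] attribute layout concrete, here is an added Ruby illustration (not the cookbook's own template) that renders a krb5.conf from a hash shaped like the krb5_multirealm role above. It upcases realm names as Kerberos expects and refuses to render a default realm that has neither a KDC list nor DNS SRV discovery, since such a client could never reach a KDC. The input hash is constructed for this example.

```ruby
# Added example, not the cookbook's template: render krb5_conf attributes
# (section => key => value) into krb5.conf text with basic sanity checks.

# Constructed input mirroring the krb5_multirealm role from the Usage section.
MULTIREALM = {
  'libdefaults' => {
    'default_realm' => 'example.com',
    'dns_lookup_kdc' => 'true',
    'ticket_lifetime' => '24h'
  },
  'realms' => {
    'realms' => ['example.com', 'example.org'],
    'default_realm_kdcs' => ['kdc1.example.com', 'kdc2.example.com'],
    'default_realm_admin_server' => 'kdc1.example.com'
  },
  'logging' => { 'default' => 'FILE:/var/log/krb5libs.log' }
}.freeze

# Emit one INI-style [section] with its key = value pairs.
def ini_section(name, pairs)
  (["[#{name}]"] + pairs.map { |k, v| "  #{k} = #{v}" }).join("\n")
end

# Render krb5.conf text; raise when the default realm has no way to find a KDC.
def render_krb5_conf(conf)
  libdefaults = conf.fetch('libdefaults')
  default_realm = libdefaults.fetch('default_realm').upcase
  realms_cfg = conf.fetch('realms', {})
  realms = Array(realms_cfg['realms'] || [default_realm]).map(&:upcase)
  kdcs = Array(realms_cfg['default_realm_kdcs'])
  dns_kdc = libdefaults['dns_lookup_kdc'].to_s == 'true'
  # Neither an explicit KDC list nor DNS SRV discovery: the realm is unreachable.
  raise ArgumentError, 'no KDCs for default realm' if kdcs.empty? && !dns_kdc

  out = []
  out << ini_section('logging', conf['logging']) if conf['logging']
  out << ini_section('libdefaults', libdefaults.merge('default_realm' => default_realm))
  realm_blocks = realms.map do |realm|
    body = ["  #{realm} = {"]
    if realm == default_realm
      kdcs.each { |k| body << "    kdc = #{k}" }
      admin = realms_cfg['default_realm_admin_server']
      body << "    admin_server = #{admin}" if admin
    end
    (body << '  }').join("\n")
  end
  out << (['[realms]'] + realm_blocks).join("\n")
  out.join("\n\n") + "\n"
end

puts render_krb5_conf(MULTIREALM) if $PROGRAM_NAME == __FILE__
```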

License and Authors

Author:: Eric G. Wolfe

Author:: Chris Gianelloni

Copyright:: © 2012-2014 Eric G. Wolfe

Copyright:: © 2014-2015 Cask Data, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License


cookbook-krb5's Issues

Enable installation of krb5 client software without pam settings

I have a use case, openafs servers, where I want to use this cookbook to install krb5 software without pam-krb5 being enabled. I have not found a set of settings that would work on Debian. For now I am trying to use the following code on my wrapper cookbook:

# Wrapper-cookbook workaround: install only the client libraries and make the
# PAM configuration step a no-op by pointing authconfig at the `true` command.
case node['platform_family']
when 'debian'
  node.normal['krb5']['client']['packages'] = %w(libkrb5-3 krb5-user)
end
node.normal['krb5']['client']['authconfig'] = 'true'

Cannot specify both default and name_property together

When converging the krb5::default recipe, I get the following warning:

Deprecated features used!
         Cannot specify both default and name_property together on property path of resource krb5_keytab. Only one (name_property) will be obeyed. In Chef 13, this will become an error. at 1 location:
           - /tmp/kitchen/cache/cookbooks/krb5/resources/keytab.rb:23:in `class_from_file'
         Cannot specify both default and name_property together on property principal of resource krb5_principal. Only one (name_property) will be obeyed. In Chef 13, this will become an error. at 1 location:
           - /tmp/kitchen/cache/cookbooks/krb5/resources/principal.rb:23:in `class_from_file'

As this will soon be an error instead of a warning, it should be fixed.

(If I have the time, I'll try to look into this and submit a PR to fix it.)

Overriding attributes

I can't seem to override an attribute. I tried creating a wrapper cookbook and overriding default['krb5']['krb5_conf']['libdefaults']['default_realm'] with override['krb5']['krb5_conf']['libdefaults']['default_realm'] in an attribute file, however, the value doesn't seem to be propagated into the included recipe.

Tried displaying their values on attributes/default.rb, attributes/kdc.rb, and recipe/kadmin.rb, here is the output:

log.txt

undefined method `[]' for nil:NilClass in attributes/default.rb

Hey there! I'm getting an error when I run this guy:

   Relevant File Content:
   ----------------------
   /tmp/kitchen/cookbooks/krb5/attributes/default.rb:

    56:  default['krb5']['ticket_lifetime'] = '24h'
    57:  default['krb5']['renew_lifetime'] = '24h'
    58:  default['krb5']['forwardable'] = 'true'
    59:  
    60:  default_realm =
    61:    if node['krb5']['default_realm']
    62:      node['krb5']['default_realm'].upcase
    63>>   elsif node['krb5']['krb5_conf']['libdefaults']['default_realm']
    64:      ['krb5']['krb5_conf']['libdefaults']['default_realm'].upcase
    65:    else
    66:      'LOCAL'
    67:    end
    68:  
    69:  # Client Packages
    70:  default['krb5']['client']['packages'] = node['krb5']['packages']
    71:  default['krb5']['client']['authconfig'] = node['krb5']['authconfig']
    72:  

node['krb5']['krb5_conf'] isn't autovivified till after this appears. (unless I'm missing something). Also, I believe that the line following the error is missing a 'node' in front of the hash brackets.

Beyond that, I can't get it to run unless I comment out the entire if else block and just assign default_realm = 'LOCAL'. I don't think you can call node this way since node hasn't been defined until after these attributes are setup? I'm wrapping this and including the recipe, so maybe it's that?

kdb5_util: Cannot read password while reading master key from keyboard

I was getting an error when trying to create-admin-principal in the kadmin_init recipe. I walked back manually to troubleshoot and found the failure actually happens at the krb5 db creation step. It appears kdb5_util doesn't like the echo of the passwords as manually typing them in and hitting enter does not result in the same error.

Centos 7.5 - 3.10.0-862.14.4.el7.x86_64

Chef 14.5.33

Kerberos 5 version 1.15.1

# echo 'password\npassword\n' | kdb5_util -r <default_realm create> -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm '<default_realm>',
master key name 'K/M@<default_realm>'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Cannot read password while reading master key from keyboard

Chef 13.7.16 attribute problem seen

When I run chef client 13.7 (13.7.16-1 today), ['krb5']['packages'] is set, but the assignment to ['krb5']['client']['packages'] ends up empty. It is not empty with 13.6 (13.6.4-1 tested.) I have seen this on CentOS 7.4 and SUSE 12 SP2. With the latest chef client, pre-requisite packages are not installed and then I fail later in the recipe.

This behavior does not occur with very similar attribute 'authconfig.' The primary difference is in the initialization of the attribute -- 'packages' uses an array and 'authconfig' uses just a simple string.

Have not tested other distros. Can you reproduce this?

kadm5_init_with_password: Incorrect password

Issue creating principals via host_keytab recipe.

We're setting the passwords via databag:

node.default['krb5']['master_password'] = passwords['kdcadmin'].to_s

# admin user
node.default['krb5']['admin_principal'] = 'kdcadmin/admin'
node.default['krb5']['admin_password'] = passwords['kdcadmin'].to_s

and it appears they should be getting passed via the init:

https://github.com/atomic-penguin/cookbook-krb5/blob/master/resources/principal.rb#L30

Recipe: krb5::host_keytab
  * krb5_principal[host/kerberos.master.com] action create
  Recipe: build-essential::default
    * build_essential[install_packages] action install
      * yum_package[autoconf, bison, flex, gcc, gcc-c++, gettext, kernel-devel, make, m4, ncurses-devel, patch] action install (up to date)
       (up to date)
  Recipe: krb5::rkerberos_gem
    * yum_package[krb5-devel] action install (up to date)
    * chef_gem[rkerberos] action install (up to date)

    ================================================================================
    Error executing action `create` on resource 'krb5_principal[host/kerberos.master.com]'
    ================================================================================

    Kerberos::Kadm5::Exception
    --------------------------
    kadm5_init_with_password: Incorrect password

    Cookbook Trace:
    ---------------
    /var/chef/cache/cookbooks/krb5/libraries/helpers.rb:28:in `initialize'
    /var/chef/cache/cookbooks/krb5/libraries/helpers.rb:28:in `new'
    /var/chef/cache/cookbooks/krb5/libraries/helpers.rb:28:in `kadm5_init'
    /var/chef/cache/cookbooks/krb5/resources/principal.rb:30:in `block in class_from_file'

    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/krb5/recipes/host_keytab.rb

     21:   krb5_principal princ do
     22:     action :create
     23:   end
     24: end

    Compiled Resource:
    ------------------
    # Declared in /var/chef/cache/cookbooks/krb5/recipes/host_keytab.rb:21:in `block in from_file'

    krb5_principal("host/kerberos.master.com") do
      action [:create]
      default_guard_interpreter :default
      declared_type :krb5_principal
      cookbook_name "krb5"
      recipe_name "host_keytab"
    end

    System Info:
    ------------
    chef_version=14.5.33
    platform=centos
    platform_version=7.5.1804
    ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
    program_name=/usr/bin/chef-client
    executable=/opt/chef/bin/chef-client

Still trying to debug, looking for additional options to try as well.
