Commit 27b5a15e authored by Steve Moyer's avatar Steve Moyer

Updates the Kerberos role to serve both DCE and FOPS realms.

parent 6d9f82cd
---
# file: fortress.yml
# file: kerberos.yml
- hosts: vagrant
sudo: yes
become: yes
roles:
- base
- kerberos
......
add_principal -pw secret admin/admin@fops.psu.edu
add_principal -pw Password123 -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-md5:normal +requires_preauth gud1
add_principal -pw Password123 -e des-cbc-md5:normal +requires_preauth gud2
add_principal -pw Password123 -expire 1/1/2017 +requires_preauth bad1
add_principal -pw Password123 -pwexpire 1/1/2017 +requires_preauth bad2
*/admin@fops.psu.edu *
admin@fops.psu.edu icm
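Review bot: The ACL line `admin@fops.psu.edu icm` grants rights to a principal that the fops test-user script in the same change never creates; the only admin principal it adds is `admin/admin@fops.psu.edu`, which the `*/admin@fops.psu.edu *` wildcard already covers, so this entry is presumably stale or a principal is missing (the script may continue beyond the lines shown). Either drop the line or add the matching `add_principal` so the ACL and the fixture agree. The four gud/bad principals also deserve a header comment in the script stating what each case exercises, e.g. `# gud1: all enctypes; gud2: single-DES only (needs allow_weak_crypto); bad1: expired principal; bad2: expired password`, since the des-cbc-md5 line is the reason weak crypto stays enabled in kdc.conf.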
......@@ -4,6 +4,7 @@
allow_weak_crypto = true
[realms]
#EXAMPLE.COM = {
# #master_key_type = aes256-cts
# acl_file = /var/kerberos/krb5kdc/kadm5.acl
......@@ -11,9 +12,18 @@
# admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
#}
dce.psu.edu = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
database_name = /var/kerberos/krb5kdc/kdb5_dce
acl_file = /var/kerberos/krb5kdc/kadm5_dce.acl
admin_keytab = /var/kerberos/krb5kdc/kadm5_dce.keytab
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-cbc-sha1-kd:normal des3-cbc-md5:normal des-cbc-md5:normal
}
fops.psu.edu = {
database_name = /var/kerberos/krb5kdc/kdb5_fops
acl_file = /var/kerberos/krb5kdc/kadm5_fops.acl
admin_keytab = /var/kerberos/krb5kdc/kadm5_fops.keytab
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-cbc-sha1-kd:normal des3-cbc-md5:normal des-cbc-md5:normal
}
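Review bot: Both new realm stanzas carry the same long `supported_enctypes` list, down to `des-cbc-md5:normal` and the des3 variants, with nothing saying why; the single-DES entry is only needed for the des-cbc-md5 test principal created by the fops fixture (gud2), and the global `allow_weak_crypto = true` above exists for the same reason. A comment on each `supported_enctypes` line such as `# des-cbc-md5 kept only for the single-DES test principal (gud2); remove together with allow_weak_crypto` records that intent so the list is not "cleaned up" or copied elsewhere unknowingly. With two real stanzas in place the commented `#EXAMPLE.COM` template block above `dce.psu.edu` is just noise and can go. `master_key_type` is still commented out, so each of the two databases presumably gets the build's default master key type; pinning it explicitly in both stanzas would make the two databases demonstrably identical.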
......
[domain_realm]
192.168.33.0/24 = dce.psu.edu
localhost = dce.psu.edu
local_dce = dce.psu.edu
local_fops = fops.psu.edu
[libdefaults]
default_realm = dce.psu.edu
dns_lookup_kdc = false
dns_lookup_realm = false
forwardable = true
noaddresses = true
allow_weak_crypto = true
[realms]
dce.psu.edu = {
kdc = localhost
master_kdc = localhost
admin_server = localhost
default_domain = localhost
kdc = local_dce
master_kdc = local_dce
admin_server = local_dce
default_domain = local_dce
}
fops.psu.edu = {
kdc = local_fops
master_kdc = local_fops
admin_server = local_fops
default_domain = local_fops
}
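Review bot: The new realm stanzas point `kdc`, `master_kdc` and `admin_server` at the bare names `local_dce` and `local_fops`, which only resolve because the role's tasks write `127.0.0.2 local_dce` / `127.0.0.3 local_fops` into /etc/hosts; nothing in krb5.conf records that coupling. A comment above `[domain_realm]`, e.g. `# local_dce / local_fops are loopback aliases written to /etc/hosts by roles/kerberos/tasks`, would spare the next reader the search. `default_domain = local_dce` / `local_fops` looks copied along with the other keys; that key only affects Kerberos 4 name translation, so a host alias is harmless there but misleading. Only the two alias hostnames are mapped under `[domain_realm]`, so every other host name falls back to `default_realm = dce.psu.edu`, which may be intended for a single vagrant box but is worth stating in a comment.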
---
# file: roles/jboss/handlers/main.yml
# file: roles/kerberos/handlers/main.yml
- name: initialize kerberos
shell: kdb5_util create -s < ~/kdb_password
- name: initialize dce kerberos database
shell: kdb5_util create -d /var/kerberos/krb5kdc/kdb5_dce -r dce.psu.edu -s -W < ~/kdb_password
- name: initialize fops kerberos database
shell: kdb5_util create -d /var/kerberos/krb5kdc/kdb5_fops -r fops.psu.edu -s -W < ~/kdb_password
- name: restart kdc
service: name=krb5kdc state=restarted
......@@ -11,7 +14,13 @@
service: name=kadmin state=restarted
- name: create test users
shell: kadmin.local < ~/add_test_users
shell: kadmin.local -r {{ item.realm }} < ~/{{ item.script }}
with_items:
- { "realm": "dce.psu.edu", "script": "add_dce_test_users" }
- { "realm": "fops.psu.edu", "script": "add_fops_test_users" }
- name: create dce keytab
command: kadmin.local -d /var/kerberos/krb5kdc/kdb5_dce r dce.psu.edu -q "ktadd -k /etc/krb5_dce.keytab -norandkey admin/admin@dce.psu.edu"
- name: create keytab
command: kadmin.local -q "ktadd -k /etc/krb5.keytab -norandkey admin/admin@dce.psu.edu"
- name: create fops keytab
command: kadmin.local -d /var/kerberos/krb5kdc/kdb5_fops -r fops.psu.edu -q "ktadd -k /etc/krb5_fops.keytab -norandkey admin/admin@fops.psu.edu"
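Review bot: The `create dce keytab` command passes `r dce.psu.edu` without the leading dash, unlike the fops counterpart which uses `-r fops.psu.edu`; as written kadmin.local receives a stray positional argument instead of a realm, so the dce keytab export will presumably fail or run against the default realm. The fix is `command: kadmin.local -d /var/kerberos/krb5kdc/kdb5_dce -r dce.psu.edu -q "ktadd -k /etc/krb5_dce.keytab -norandkey admin/admin@dce.psu.edu"`. The `create test users` handler selects the database through `-r {{ item.realm }}` alone, relying on the per-realm `database_name` in kdc.conf, while the two keytab handlers also pass `-d`; using one form for all three keeps them from drifting. A short comment at the top of the file noting that these run only when notified (and that `-norandkey` exports the existing admin key rather than rotating it) would help whoever reruns the play.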
......@@ -14,18 +14,32 @@
- krb5kdc
- kadmin
- name: copy the dummy kdb5 password
copy: src=../files/kdb_password dest=~
- name: set up KDC host addresses
lineinfile: line={{ item }} state=present dest=/etc/hosts
with_items:
- "127.0.0.2 local_dce"
- "127.0.0.3 local_fops"
- name: update the KDC server configuration
lineinfile:
line: KRB5REALM="dce.psu.edu -r fops.psu.edu"
regexp: ^KRB5REALM
dest: /etc/sysconfig/krb5kdc
- name: copy test users script
copy: src=../files/add_test_users dest=~
- name: copy the dummy kdb5 password and test user creation scripts
copy: src={{ item }} dest=~
with_items:
- ../files/kdb_password
- ../files/add_dce_test_users
- ../files/add_fops_test_users
- name: copy the kdc.conf file
- name: copy the kdc.conf and ACL files
copy: src=../files/{{ item }} dest=/var/kerberos/krb5kdc/{{ item }}
owner=root group=root
with_items:
- kdc.conf
- kadm5.acl
- kadm5_dce.acl
- kadm5_fops.acl
- name: Creates logging directory
file: path=/var/log/kerberos state=directory
......@@ -34,10 +48,11 @@
copy: src=../files/krb5.conf dest=/etc/krb5.conf
owner=root group=root
notify:
- initialize kerberos
- initialize dce kerberos database
- initialize fops kerberos database
- restart kdc
- restart kadmin
- create keytab
- create dce keytab
- create fops keytab
- create test users
\ No newline at end of file
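Review bot: The `copy the kdc.conf and ACL files` loop still ships `kadm5.acl`, yet after this change neither realm stanza in kdc.conf references /var/kerberos/krb5kdc/kadm5.acl (dce uses kadm5_dce.acl, fops uses kadm5_fops.acl), so that item is presumably dead and should be dropped from the list together with the file. The merged `copy: src={{ item }} dest=~` task lands the master-password file kdb_password and the kadmin scripts in root's home with the default mode; adding `mode=0600` to that task keeps the database master password and the fixture passwords from being world-readable on the box. `line: KRB5REALM="dce.psu.edu -r fops.psu.edu"` works only because the init script presumably expands `-r $KRB5REALM` unquoted, so the embedded ` -r ` is really a second option; a comment above that lineinfile such as `# the init script runs krb5kdc -r $KRB5REALM unquoted, so the second realm rides inside the value as a second -r` makes the trick explicit. The file also still ends without a trailing newline.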