Updates the Kerberos role to serve both DCE and FOPS realms.

kerberos.yml

 ---
-# file: fortress.yml
+# file: kerberos.yml
 - hosts: vagrant
-  sudo: yes
+  become: yes
   roles:
     - base
     - kerberos

roles/kerberos/files/add_fops_test_users

+add_principal -pw secret admin/admin@fops.psu.edu
+add_principal -pw Password123 -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-md5:normal +requires_preauth gud1
+add_principal -pw Password123 -e des-cbc-md5:normal +requires_preauth gud2
+add_principal -pw Password123 -expire 1/1/2017 +requires_preauth bad1
+add_principal -pw Password123 -pwexpire 1/1/2017 +requires_preauth bad2

roles/kerberos/files/kadm5_fops.acl

+*/admin@fops.psu.edu	*
+admin@fops.psu.edu	icm

roles/kerberos/files/kdc.conf

@@ -4,6 +4,7 @@
  allow_weak_crypto = true
 
 [realms]
+
  #EXAMPLE.COM = {
  # #master_key_type = aes256-cts
  # acl_file = /var/kerberos/krb5kdc/kadm5.acl
@@ -11,9 +12,18 @@
  # admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  #}
+ 
  dce.psu.edu = {
-  acl_file = /var/kerberos/krb5kdc/kadm5.acl
-  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+  database_name = /var/kerberos/krb5kdc/kdb5_dce
+  acl_file = /var/kerberos/krb5kdc/kadm5_dce.acl
+  admin_keytab = /var/kerberos/krb5kdc/kadm5_dce.keytab
+  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-cbc-sha1-kd:normal des3-cbc-md5:normal des-cbc-md5:normal
+ }
+
+ fops.psu.edu = {
+  database_name = /var/kerberos/krb5kdc/kdb5_fops
+  acl_file = /var/kerberos/krb5kdc/kadm5_fops.acl
+  admin_keytab = /var/kerberos/krb5kdc/kadm5_fops.keytab
   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-cbc-sha1-kd:normal des3-cbc-md5:normal des-cbc-md5:normal
  }
 

roles/kerberos/files/krb5.conf

 [domain_realm]
 	192.168.33.0/24 = dce.psu.edu
 	localhost = dce.psu.edu
+	local_dce = dce.psu.edu
+	local_fops = fops.psu.edu
 
 [libdefaults]
 	default_realm = dce.psu.edu
 	dns_lookup_kdc = false
+	dns_lookup_realm = false
 	forwardable = true
 	noaddresses = true
 	allow_weak_crypto = true
 
 [realms]
 	dce.psu.edu = {
-		kdc = localhost
-		master_kdc = localhost
-		admin_server = localhost
-		default_domain = localhost
+		kdc = local_dce
+		master_kdc = local_dce
+		admin_server = local_dce
+		default_domain = local_dce
 	}
 
+	fops.psu.edu = {
+		kdc = local_fops
+		master_kdc = local_fops
+		admin_server = local_fops
+		default_domain = local_fops
+	}

roles/kerberos/handlers/main.yml

 ---
-# file: roles/jboss/handlers/main.yml
+# file: roles/kerberos/handlers/main.yml
 
-- name: initialize kerberos
-  shell: kdb5_util create -s < ~/kdb_password
+- name: initialize dce kerberos database
+  shell: kdb5_util create -d /var/kerberos/krb5kdc/kdb5_dce -r dce.psu.edu -s -W < ~/kdb_password
+
+- name: initialize fops kerberos database
+  shell: kdb5_util create -d /var/kerberos/krb5kdc/kdb5_fops -r fops.psu.edu -s -W < ~/kdb_password
 
 - name: restart kdc
   service: name=krb5kdc state=restarted
@@ -11,7 +14,13 @@
   service: name=kadmin state=restarted
 
 - name: create test users
-  shell: kadmin.local < ~/add_test_users
+  shell: kadmin.local -r {{ item.realm }} < ~/{{ item.script }}
+  with_items:
+  - { "realm": "dce.psu.edu", "script": "add_dce_test_users" }
+  - { "realm": "fops.psu.edu", "script": "add_fops_test_users" }
+
+- name: create dce keytab
+  command: kadmin.local -d /var/kerberos/krb5kdc/kdb5_dce r dce.psu.edu -q "ktadd -k /etc/krb5_dce.keytab -norandkey admin/admin@dce.psu.edu"
 
-- name: create keytab
-  command: kadmin.local -q "ktadd -k /etc/krb5.keytab -norandkey admin/admin@dce.psu.edu"
+- name: create fops keytab
+  command: kadmin.local -d /var/kerberos/krb5kdc/kdb5_fops -r fops.psu.edu -q "ktadd -k /etc/krb5_fops.keytab -norandkey admin/admin@fops.psu.edu"

roles/kerberos/tasks/main.yml

@@ -14,18 +14,32 @@
     - krb5kdc
     - kadmin
 
-- name: copy the dummy kdb5 password
-  copy: src=../files/kdb_password dest=~
+- name: set up KDC host addresses
+  lineinfile: line={{ item }} state=present dest=/etc/hosts
+  with_items:
+    - "127.0.0.2   local_dce"
+    - "127.0.0.3   local_fops"
+
+- name: update the KDC server configuration
+  lineinfile:
+    line: KRB5REALM="dce.psu.edu -r fops.psu.edu"
+    regexp: ^KRB5REALM
+    dest: /etc/sysconfig/krb5kdc
 
-- name: copy test users script
-  copy: src=../files/add_test_users dest=~
+- name: copy the dummy kdb5 password and test user creation scripts
+  copy: src={{ item }} dest=~
+  with_items:
+    - ../files/kdb_password
+    - ../files/add_dce_test_users
+    - ../files/add_fops_test_users
 
-- name: copy the kdc.conf file
+- name: copy the kdc.conf and ACL files
   copy: src=../files/{{ item }} dest=/var/kerberos/krb5kdc/{{ item }}
         owner=root group=root
   with_items:
     - kdc.conf
-    - kadm5.acl
+    - kadm5_dce.acl
+    - kadm5_fops.acl
         
 - name: Creates logging directory
   file: path=/var/log/kerberos state=directory
@@ -34,10 +48,11 @@
   copy: src=../files/krb5.conf dest=/etc/krb5.conf
         owner=root group=root
   notify:
-    - initialize kerberos
+    - initialize dce kerberos database
+    - initialize fops kerberos database
     - restart kdc
     - restart kadmin
-    - create keytab
+    - create dce keytab
+    - create fops keytab
     - create test users
-    
-
+    
\ No newline at end of file