From 27b5a15ec4774368f978797fcb7d3c22898c613f Mon Sep 17 00:00:00 2001
From: Steve Moyer
Date: Wed, 6 Dec 2017 17:36:51 -0500
Subject: [PATCH] Updates the Kerberos role to serve both DCE and FOPS realms.
---
 kerberos.yml | 4 +--
 .../{add_test_users => add_dce_test_users} | 0
 roles/kerberos/files/add_fops_test_users | 5 +++
 .../files/{kadm5.acl => kadm5_dce.acl} | 0
 roles/kerberos/files/kadm5_fops.acl | 2 ++
 roles/kerberos/files/kdc.conf | 14 ++++++--
 roles/kerberos/files/krb5.conf | 17 ++++++---
 roles/kerberos/handlers/main.yml | 21 +++++++----
 roles/kerberos/tasks/main.yml | 35 +++++++++++++------
 9 files changed, 74 insertions(+), 24 deletions(-)
 rename roles/kerberos/files/{add_test_users => add_dce_test_users} (100%)
 create mode 100644 roles/kerberos/files/add_fops_test_users
 rename roles/kerberos/files/{kadm5.acl => kadm5_dce.acl} (100%)
 create mode 100644 roles/kerberos/files/kadm5_fops.acl
diff --git a/kerberos.yml b/kerberos.yml
index 2a7b40a..b618613 100644
--- a/kerberos.yml
+++ b/kerberos.yml
@@ -1,7 +1,7 @@
 ---
-# file: fortress.yml
+# file: kerberos.yml
 - hosts: vagrant
-  sudo: yes
+  become: yes
   roles:
     - base
     - kerberos
diff --git a/roles/kerberos/files/add_test_users b/roles/kerberos/files/add_dce_test_users
similarity index 100%
rename from roles/kerberos/files/add_test_users
rename to roles/kerberos/files/add_dce_test_users
diff --git a/roles/kerberos/files/add_fops_test_users b/roles/kerberos/files/add_fops_test_users
new file mode 100644
index 0000000..3265c9a
--- /dev/null
+++ b/roles/kerberos/files/add_fops_test_users
@@ -0,0 +1,5 @@
+add_principal -pw secret admin/admin@fops.psu.edu
+add_principal -pw Password123 -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-md5:normal +requires_preauth gud1
+add_principal -pw Password123 -e des-cbc-md5:normal +requires_preauth gud2
+add_principal -pw Password123 -expire 1/1/2017 +requires_preauth bad1
+add_principal -pw Password123 -pwexpire 1/1/2017 +requires_preauth bad2
diff --git a/roles/kerberos/files/kadm5.acl b/roles/kerberos/files/kadm5_dce.acl
similarity index 100%
rename from roles/kerberos/files/kadm5.acl
rename to roles/kerberos/files/kadm5_dce.acl
diff --git a/roles/kerberos/files/kadm5_fops.acl b/roles/kerberos/files/kadm5_fops.acl
new file mode 100644
index 0000000..23ee0c1
--- /dev/null
+++ b/roles/kerberos/files/kadm5_fops.acl
@@ -0,0 +1,2 @@
+*/admin@fops.psu.edu *
+admin@fops.psu.edu icm
diff --git a/roles/kerberos/files/kdc.conf b/roles/kerberos/files/kdc.conf
index 137f786..16a01d6 100644
--- a/roles/kerberos/files/kdc.conf
+++ b/roles/kerberos/files/kdc.conf
@@ -4,6 +4,7 @@
  allow_weak_crypto = true
 [realms]
+
 #EXAMPLE.COM = {
 # #master_key_type = aes256-cts
 # acl_file = /var/kerberos/krb5kdc/kadm5.acl
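Review bot: The second ACL entry, `admin@fops.psu.edu icm`, names a principal that nothing in this commit creates — add_fops_test_users only adds `admin/admin@fops.psu.edu`, and that one is already fully covered by the wildcard `*/admin@fops.psu.edu *` on the first line. Unless `admin@fops.psu.edu` is provisioned somewhere outside this role, the entry is dead and should either be removed or the principal added to the fixture. A header comment would also help the next reader, e.g. `# every */admin instance gets all privileges; the ktadd handler relies on this for admin/admin`.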
@@ -11,9 +12,18 @@
 # admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 # supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 #}
+
 dce.psu.edu = {
-  acl_file = /var/kerberos/krb5kdc/kadm5.acl
-  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+  database_name = /var/kerberos/krb5kdc/kdb5_dce
+  acl_file = /var/kerberos/krb5kdc/kadm5_dce.acl
+  admin_keytab = /var/kerberos/krb5kdc/kadm5_dce.keytab
+  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-cbc-sha1-kd:normal des3-cbc-md5:normal des-cbc-md5:normal
+ }
+
+ fops.psu.edu = {
+  database_name = /var/kerberos/krb5kdc/kdb5_fops
+  acl_file = /var/kerberos/krb5kdc/kadm5_fops.acl
+  admin_keytab = /var/kerberos/krb5kdc/kadm5_fops.keytab
   supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-cbc-sha1-kd:normal des3-cbc-md5:normal des-cbc-md5:normal
  }
diff --git a/roles/kerberos/files/krb5.conf b/roles/kerberos/files/krb5.conf
index c6e1e56..ec5b3af 100644
--- a/roles/kerberos/files/krb5.conf
+++ b/roles/kerberos/files/krb5.conf
@@ -1,19 +1,28 @@
 [domain_realm]
  192.168.33.0/24 = dce.psu.edu
  localhost = dce.psu.edu
+ local_dce = dce.psu.edu
+ local_fops = fops.psu.edu
 [libdefaults]
  default_realm = dce.psu.edu
  dns_lookup_kdc = false
+ dns_lookup_realm = false
  forwardable = true
  noaddresses = true
  allow_weak_crypto = true
 [realms]
  dce.psu.edu = {
-  kdc = localhost
-  master_kdc = localhost
-  admin_server = localhost
-  default_domain = localhost
+  kdc = local_dce
+  master_kdc = local_dce
+  admin_server = local_dce
+  default_domain = local_dce
  }
+ fops.psu.edu = {
+  kdc = local_fops
+  master_kdc = local_fops
+  admin_server = local_fops
+  default_domain = local_fops
+ }
diff --git a/roles/kerberos/handlers/main.yml b/roles/kerberos/handlers/main.yml
index 7e44ebe..a1584f5 100644
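Review bot: The new `fops.psu.edu` block repeats the dce realm's `supported_enctypes` line verbatim, including the single-DES `des-cbc-md5:normal` entry that the KDC will only use because `allow_weak_crypto = true` is set in [kdcdefaults] above; the only consumer of that enctype visible in this commit is the `gud2` test principal in add_fops_test_users, created with `-e des-cbc-md5:normal`. Without a note, the next maintainer will read the duplicated list as the intended default for both realms rather than a fixture for one weak-key test account. Add a comment above each supported_enctypes line, e.g. `# des-cbc-md5 and the des3 types are kept only for the single-DES test principal gud2; remove them together with allow_weak_crypto`.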
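Review bot: `default_domain = local_fops` (and the changed `default_domain = local_dce`) puts a KDC host alias where krb5.conf expects the DNS domain appended to unqualified hostnames when Kerberos 4 service principals are translated; `local_dce` and `local_fops` are bare /etc/hosts aliases introduced by this same commit, not domains. The old value `localhost` had the same shape, so this is pre-existing, but copying it into the new realm block is the moment to either drop both lines or annotate them, e.g. `# default_domain is not used on this host (no v4 principal translation); kept for symmetry with the dce block`. If something on the box does read it, the comment should name that consumer instead.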
--- a/roles/kerberos/handlers/main.yml
+++ b/roles/kerberos/handlers/main.yml
@@ -1,8 +1,11 @@
 ---
-# file: roles/jboss/handlers/main.yml
+# file: roles/kerberos/handlers/main.yml
-- name: initialize kerberos
-  shell: kdb5_util create -s < ~/kdb_password
+- name: initialize dce kerberos database
+  shell: kdb5_util create -d /var/kerberos/krb5kdc/kdb5_dce -r dce.psu.edu -s -W < ~/kdb_password
+
+- name: initialize fops kerberos database
+  shell: kdb5_util create -d /var/kerberos/krb5kdc/kdb5_fops -r fops.psu.edu -s -W < ~/kdb_password
 - name: restart kdc
   service: name=krb5kdc state=restarted
@@ -11,7 +14,13 @@
   service: name=kadmin state=restarted
 - name: create test users
-  shell: kadmin.local < ~/add_test_users
+  shell: kadmin.local -r {{ item.realm }} < ~/{{ item.script }}
+  with_items:
+    - { "realm": "dce.psu.edu", "script": "add_dce_test_users" }
+    - { "realm": "fops.psu.edu", "script": "add_fops_test_users" }
+
+- name: create dce keytab
+  command: kadmin.local -d /var/kerberos/krb5kdc/kdb5_dce r dce.psu.edu -q "ktadd -k /etc/krb5_dce.keytab -norandkey admin/admin@dce.psu.edu"
-- name: create keytab
-  command: kadmin.local -q "ktadd -k /etc/krb5.keytab -norandkey admin/admin@dce.psu.edu"
+- name: create fops keytab
+  command: kadmin.local -d /var/kerberos/krb5kdc/kdb5_fops -r fops.psu.edu -q "ktadd -k /etc/krb5_fops.keytab -norandkey admin/admin@fops.psu.edu"
diff --git a/roles/kerberos/tasks/main.yml b/roles/kerberos/tasks/main.yml
index 15b0aa5..85f69f9 100644
--- a/roles/kerberos/tasks/main.yml
+++ b/roles/kerberos/tasks/main.yml
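Review bot: Both `kdb5_util create` handlers redirect the same `~/kdb_password` into stdin, so the dce and fops databases are created with an identical master password, and the stash files written by `-s` carry that shared secret too. For a Vagrant test box that is probably intended, but nothing in the role says so; a comment above the first handler, `# both realms deliberately reuse the dummy master password from ~/kdb_password`, would make it explicit. The `-W` flag is also new on both commands while the replaced command did not pass it, and neither the hunk nor the commit message explains why, so a short comment on its purpose would help as well.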
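Review bot: The new `create dce keytab` command passes `r dce.psu.edu` where the fops handler directly below passes `-r fops.psu.edu`, so the dash on `-r` is missing for the dce realm; kadmin.local will either reject the stray positional arguments or, if it ignores them, fall back to the `default_realm` from krb5.conf, which happens to be dce.psu.edu and would silently mask the typo. Change the line to `command: kadmin.local -d /var/kerberos/krb5kdc/kdb5_dce -r dce.psu.edu -q "ktadd -k /etc/krb5_dce.keytab -norandkey admin/admin@dce.psu.edu"`. In the same hunk the `create test users` handler selects the realm with `-r` alone and relies on kdc.conf's `database_name` to locate the database, while the two keytab handlers pass both `-d` and `-r`; picking one convention for all three would make the dependency on kdc.conf obvious.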
@@ -14,18 +14,32 @@
     - krb5kdc
     - kadmin
-- name: copy the dummy kdb5 password
-  copy: src=../files/kdb_password dest=~
+- name: set up KDC host addresses
+  lineinfile: line={{ item }} state=present dest=/etc/hosts
+  with_items:
+    - "127.0.0.2 local_dce"
+    - "127.0.0.3 local_fops"
+
+- name: update the KDC server configuration
+  lineinfile:
+    line: KRB5REALM="dce.psu.edu -r fops.psu.edu"
+    regexp: ^KRB5REALM
+    dest: /etc/sysconfig/krb5kdc
-- name: copy test users script
-  copy: src=../files/add_test_users dest=~
+- name: copy the dummy kdb5 password and test user creation scripts
+  copy: src={{ item }} dest=~
+  with_items:
+    - ../files/kdb_password
+    - ../files/add_dce_test_users
+    - ../files/add_fops_test_users
-- name: copy the kdc.conf file
+- name: copy the kdc.conf and ACL files
   copy: src=../files/{{ item }} dest=/var/kerberos/krb5kdc/{{ item }} owner=root group=root
   with_items:
     - kdc.conf
-    - kadm5.acl
+    - kadm5_dce.acl
+    - kadm5_fops.acl
 - name: Creates logging directory
   file: path=/var/log/kerberos state=directory
@@ -34,10 +48,11 @@
   copy: src=../files/krb5.conf dest=/etc/krb5.conf owner=root group=root
   notify:
-    - initialize kerberos
+    - initialize dce kerberos database
+    - initialize fops kerberos database
     - restart kdc
     - restart kadmin
-    - create keytab
+    - create dce keytab
+    - create fops keytab
     - create test users
-
-
+
\ No newline at end of file
-- GitLab
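Review bot: `line: KRB5REALM="dce.psu.edu -r fops.psu.edu"` smuggles a second `-r` option through a variable that the krb5kdc service script is expected to expand unquoted after its own `-r`; it works only while that expansion stays unquoted, and a service definition that quotes the value would start the KDC for a single realm literally named `dce.psu.edu -r fops.psu.edu`. Because the trick is invisible at the lineinfile call, a comment above the task should spell it out and name the service script it was checked against, e.g. `# the krb5kdc sysconfig script passes -r $KRB5REALM unquoted, so this value carries the second realm's -r`. The `/etc/hosts` aliases added just above give each realm its own loopback name, but kdc.conf in this commit binds no realm to a particular address, so presumably the aliases exist only so krb5.conf can name distinct kdc hosts; a one-line comment saying so would stop a reader from looking for per-realm listeners that are not there.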