Jan-Piet Mens <jpmens....@gmail.com> writes: >> My next step is to create a puppet recipe to automatize all the >> process and to packet-ize wallet so it is easier to install it.
> I, for one, would be interested in your Puppet solution once you have
> it. :)

Incidentally, here's the client-side recipe that we use with Puppet to deploy keytabs or files from wallet. This was written for 0.26 and is still using our old coding style, so it could use considerable cleanup and would be much simpler using Puppet 2.7 syntax (which I'll get around to someday). But it should give you the basic idea. Requires the kstart package be installed as well as wallet, and unfortunately you have to explicitly say in the resource if you're using Heimdal due to the utter incompatibility between MIT and Heimdal in how ktutil works. (Incidentally, it would be helpful if MIT ktutil could detect that it's being called like Heimdal's and error out instead of going into interactive mode, as the latter has a tendency to hang unsuspecting scripts that guess wrong.)

# Download objects via the wallet.  It assumes that proper settings have been
# put in /etc/krb5.conf and the ACLs on the objects are set up appropriately.
#
# Examples:
#
#     # Create primary keytab file (default is primary)
#     wallet { "service/adroit-gerbil":
#         path    => "/etc/adroit/gerbil.keytab",
#         owner   => "leroy",
#         primary => true,
#         ensure  => present,
#     }
#
#     # Add another keytab to the above primary keytab
#     wallet { "service/adroit-gerbil-another":
#         path    => "/etc/adroit/gerbil.keytab",
#         primary => false,
#         require => Wallet["service/adroit-gerbil"],
#         ensure  => present,
#     }
#
#     # Remove the keytab file
#     wallet { "service/funky-chicken":
#         path   => "/etc/funky/chicken.keytab",
#         ensure => absent,
#     }
#
#     # Download a password file.
#     wallet { "unix-foobar-db-baz":
#         path => "/etc/foobar/password",
#         type => "file",
#     }

# These helper routines are broken out separately to reduce indentation, but
# shouldn't be called separately.  They're purely an implementation detail.
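# Fetch keytab object $name from the wallet and merge it into $path.
#
# Implementation detail of wallet; not meant to be declared directly.  The
# exec runs "<kstart_cmd> wallet -f <path> get keytab <name>" and is skipped
# when a principal named $name is already present in the keytab (checked with
# ktutil on Heimdal, klist on MIT).  $path, $name and $kstart_cmd are
# interpolated into a shell command line inside single quotes, so the caller
# (wallet) is expected to have rejected values containing a single quote.
#
# Parameters:
#   $kstart_cmd  k5start prefix that obtains credentials for the wallet call
#   $path        keytab file the key is added to
#   $primary     true to manage mode/owner/group of $path here; false when the
#                key is merged into a keytab managed by another wallet resource
#   $mode        numeric mode applied to $path when $primary is true
#                (NOTE(review): newer Puppet releases expect a quoted string
#                such as "0600"; 600 matches the release this was written for)
#   $owner       owner applied to $path when $primary is true
#   $group       group applied to $path when $primary is true
#   $heimdal     true to use Heimdal's ktutil for the existence check
define wallet::keytab(
    $kstart_cmd,
    $path,
    $primary = true,
    $mode    = 600,
    $owner   = "root",
    $group   = "root",
    $heimdal = false
) {
    $wallet_opts = "-f '$path' get keytab '$name'"

    # The existence check looks for "<name>@" (klist -k and ktutil list both
    # print principals with their realm) so that a principal whose name is a
    # prefix of another one already in the keytab -- service/foo versus
    # service/foobar -- is not mistaken for an already-downloaded key.  -F
    # keeps regex metacharacters in $name (the "." in host principals) from
    # being interpreted by grep.  Object names are expected without a realm.
    $check_cmd = $heimdal ? {
        true  => "/usr/sbin/ktutil -k '$path' list | grep -i -q -F '$name@'",
        false => "klist -k '$path' | grep -i -q -F '$name@'",
    }

    exec { "wallet $wallet_opts":
        path    => "/bin:/usr/bin:/usr/local/bin:/usr/kerberos/bin",
        command => "${kstart_cmd} wallet ${wallet_opts}",
        unless  => $check_cmd,
        require => [ Package["kstart"], Package["wallet-client"] ],
    }

    case $primary {
        true, "true": {
            file { "$path":
                mode    => $mode,
                owner   => $owner,
                group   => $group,
                require => Exec["wallet $wallet_opts"],
            }
        }
        false, "false": { }
        default: {
            # fail() aborts catalog compilation.  crit() would only log the
            # message and leave the keytab downloaded with unmanaged
            # permissions, which is not what a bad parameter should do.
            fail("Invalid value for primary: $primary (not true or false)")
        }
    }
}

# Fetch a non-keytab object (for example a "file" object) from the wallet
# into $path and manage the file's mode, owner and group.
#
# Implementation detail of wallet; not meant to be declared directly.  By
# default the exec runs only while $path does not exist yet (creates);
# passing $onlyif substitutes an arbitrary shell test for that check, which
# is how a file can be refreshed after it has been created.  $path, $type
# and $name are interpolated into a shell command line inside single quotes,
# so the caller is expected to have rejected values containing a single
# quote.
#
# Parameters:
#   $kstart_cmd  k5start prefix that obtains credentials for the wallet call
#   $path        destination file
#   $type        wallet object type passed to "wallet get"
#   $mode        numeric mode applied to $path (see note on wallet::keytab)
#   $owner       owner applied to $path
#   $group       group applied to $path
#   $onlyif      "NONE" to download only when $path is missing; otherwise a
#                shell command whose success triggers the download
define wallet::other(
    $kstart_cmd,
    $path,
    $type,
    $mode   = 600,
    $owner  = "root",
    $group  = "root",
    $onlyif = "NONE"
) {
    $wallet_opts = "-f '$path' get '$type' '$name'"

    case $onlyif {
        "NONE": {
            exec { "wallet $wallet_opts":
                path    => "/bin:/usr/bin:/usr/local/bin:/usr/kerberos/bin",
                command => "${kstart_cmd} wallet ${wallet_opts}",
                creates => $path,
                require => [ Package["kstart"], Package["wallet-client"] ],
            }
        }
        default: {
            exec { "wallet $wallet_opts":
                path    => "/bin:/usr/bin:/usr/local/bin:/usr/kerberos/bin",
                command => "${kstart_cmd} wallet ${wallet_opts}",
                onlyif  => $onlyif,
                require => [ Package["kstart"], Package["wallet-client"] ],
            }
        }
    }

    file { "$path":
        mode    => $mode,
        owner   => $owner,
        group   => $group,
        require => Exec["wallet $wallet_opts"],
    }
}

# Public entry point: download wallet object $name to $path, or remove $path.
#
# Credentials for the wallet call come from k5start: with $auth_principal
# left at "NA" k5start picks the principal from $auth_keytab (-U), otherwise
# it authenticates as $auth_principal from that keytab.
#
# Parameters:
#   $auth_keytab     keytab k5start authenticates from
#   $auth_principal  principal to authenticate as, or "NA" (see above)
#   $ensure          "present" to download, "absent" to remove $path;
#                    anything else fails catalog compilation
#   $owner           owner applied to $path
#   $group           group applied to $path
#   $mode            numeric mode applied to $path (see note on wallet::keytab)
#   $path            destination file (required)
#   $primary         keytab objects only: whether this resource manages the
#                    permissions of $path (see wallet::keytab)
#   $type            wallet object type; "keytab" goes through wallet::keytab
#                    (merge plus klist/ktutil check), any other type through
#                    wallet::other
#   $onlyif          non-keytab objects only: shell test that must succeed for
#                    the download to run (default: run when $path is missing)
#   $heimdal         keytab objects only: true if the host uses Heimdal ktutil
define wallet(
    $auth_keytab    = "/etc/krb5.keytab",
    $auth_principal = "NA",
    $ensure         = "present",
    $owner          = "root",
    $group          = "root",
    $mode           = 600,
    $path,
    $primary        = "true",
    $type           = "keytab",
    $onlyif         = "NONE",
    $heimdal        = false
) {
    # Every one of these values ends up inside single quotes on a shell
    # command line (see $kstart_cmd below and the helpers).  A single quote in
    # any of them would close that quoting and let the remainder reach the
    # shell unquoted, so refuse such values when the catalog is compiled.
    if $path =~ /'/ or $name =~ /'/ or $type =~ /'/
       or $auth_keytab =~ /'/ or $auth_principal =~ /'/ {
        fail("wallet ${name}: single quotes are not allowed in path, type, auth_keytab or auth_principal")
    }

    case $auth_principal {
        "NA": {
            $kstart_cmd = "k5start -Uqf '$auth_keytab' --"
        }
        default: {
            $kstart_cmd = "k5start -qf '$auth_keytab' '$auth_principal' --"
        }
    }

    case $ensure {
        "absent": {
            file { "$path": ensure => absent }
        }
        "present": {
            case $type {
                "keytab": {
                    wallet::keytab { "$name":
                        kstart_cmd => $kstart_cmd,
                        path       => $path,
                        primary    => $primary,
                        mode       => $mode,
                        owner      => $owner,
                        group      => $group,
                        heimdal    => $heimdal,
                    }
                }
                default: {
                    wallet::other { "$name":
                        kstart_cmd => $kstart_cmd,
                        path       => $path,
                        type       => $type,
                        mode       => $mode,
                        owner      => $owner,
                        group      => $group,
                        onlyif     => $onlyif,
                    }
                }
            }
        }
        default: {
            # Without this branch a misspelled ensure value silently managed
            # nothing at all.
            fail("Invalid value for ensure: $ensure (not present or absent)")
        }
    }
}

-- 
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos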