Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

RSS

krb5 (24) Versions 2.3.0

Installs and configures Kerberos V authentication

Policyfile
Berkshelf
Knife
cookbook 'krb5', '= 2.3.0', :supermarket
cookbook 'krb5', '= 2.3.0'
knife supermarket install krb5
knife supermarket download krb5
README
Dependencies
Changelog
Quality 33%

krb5 Cookbook

Cookbook Version
Build Status

Description

Installs and configures Kerberos version 5 authentication modules
on RedHat and Debian family systems.

Requirements

Requires some PAM configuration script such as pam-auth-update on Debian
family systems, or authconfig on Redhat family systems. Best effort is
made to use one of these two tools based on detected platform.

You can override krb5['authconfig'] with an execute command, as a string.
Which should configure PAM to use Kerberos on other systems.

You really need to have time synchronized within 5 minutes of your domain
controllers, or key distribution centers. Therefore the recipe depends
on the Chef NTP cookbook. If you have another method of keeping accurate
clocks, change the metadata according to your needs.

Attributes

This cookbook has changed the attribute format and is no longer compatible
with older versions. If you wish to use the older syntax, pin your version
to < 2.0 or switch to the new syntax.

The new format used for template variables consists of krb5[file][section][key] = 'value' where file is one of krb5_conf, kadm5_acl, or kdc_conf.

Client / Libs

  • krb5['client']['packages'] - Packages and libraries needed for Kerberos v5 authentication, detected for Redhat/Debian family systems.
  • krb5['client']['authconfig'] - Configuration script for PAM, detected for RedHat and Debian family systems.

Section: includedir

  • krb5['krb5_conf']['includedir'] - Array of directories to include, in order. Default is empty.

Section: logging

  • krb5['krb5_conf']['logging']['default'] - Default log location. Default, 'FILE:/var/log/krb5libs.log'

Section: libdefaults

  • krb5['krb5_conf']['libdefaults']['default_realm'] - The default realm, defaults to OHAI's domain attribute.
  • krb5['krb5_conf']['libdefaults']['dns_lookup_kdc'] - Set to true if you have SRV records for KDC discovery. Default is true.
  • krb5['krb5_conf']['libdefaults']['dns_lookup_realm'] - Set to true if you have TXT records for realm discovery. Default is false.
  • krb5['krb5_conf']['libdefaults']['forwardable'] - Set to true to make initial credentials forwardable. Default is true.
  • krb5['krb5_conf']['libdefaults']['renew_lifetime'] - Default renewable ticket lifetime. Default is 24h.
  • krb5['krb5_conf']['libdefaults']['ticket_lifetime'] - Default ticket lifetime. Default is 24h.

Section: realms

  • krb5['krb5_conf']['realms']['default_realm'] - The default realm, defaults to krb5['krb5_conf']['libdefaults']['default_realm']
  • krb5['krb5_conf']['realms']['default_realm_kdcs'] - Array of Kerberos servers for default realm. Default is empty.
  • krb5['krb5_conf']['realms']['default_realm_admin_server'] - Address of Kerberos admin server. Defaults to empty.
  • krb5['krb5_conf']['realms']['realms'] - Array of all realms, including the default. Defaults to OHAI's domain attribute.

Section: appdefaults

  • krb5['krb5_conf']['appdefaults']['pam']['debug'] = Set to true to enable PAM/Kerberos debugging. Defaults to false.
  • krb5['krb5_conf']['appdefaults']['pam']['forwardable'] - Instruct PAM to create forwardable tickets. Defaults to krb5['krb5_conf']['libdefaults']['forwardable']
  • krb5['krb5_conf']['appdefaults']['pam']['renew_lifetime'] - Defaults to krb5['krb5_conf']['libdefaults']['renew_lifetime']
  • krb5['krb5_conf']['appdefaults']['pam']['ticket_lifetime'] - Defaults to krb5['krb5_conf']['libdefaults']['ticket_lifetime']
  • krb5['krb5_conf']['appdefaults']['pam']['krb4_convert'] - Set to true to use the Kerberos conversion daemon to get V4 tickets. Default is false.

Kerberos Admin Server (kadmind)

  • krb5['kadmin']['packages'] - Packages for Kerberos Admin Server, detected on Redhat/Debian family systems.
  • krb5['master_password'] - Master password for Kerberos database. Default is password. (Please, change this!)
  • krb5['admin_principal'] - Principal to create for administration. Default is admin/admin.
  • krb5['admin_password'] - Password for admin principal. Default is password. (Please, change this!)

Section: logging

  • krb5['krb5_conf']['logging']['admin_server'] - Kerberos Admin Server log location. Default, 'FILE:/var/log/kadmind.log'

kadm5.acl

  • krb5['kadm5_acl'][principal] - Sets up ACLs for principal. Default is "*/admin@#{node['krb5']['krb5_conf']['libdefaults']['default_realm'].upcase}" => ['*']

KDC and kdc.conf

  • krb5['kdc']['packages'] - Packages needed for a KDC, detected for Redhat/Debian family systems.

Section: logging

  • krb5['krb5_conf']['logging']['kdc'] - KDC log location. Default, 'FILE:/var/log/krb5kdc.log'

Section: kdcdefaults

  • krb5['kdc_conf']['kdcdefaults']['kdc_ports'] - Set KDC listen ports. Default is 88.

Section: realms

  • krb5['kdc_conf']['realms'][realm]['acl_file'] - Location of kadmind ACL file for realm. Defaults to default_realm.
  • krb5['kdc_conf']['realms'][realm]['admin_keytab'] - Location of admin keytab file for realm. Defaults to default_realm.

Usage

Here are two example roles to be used with this recipe. The first, is
a single realm configuration, using the OHAI domain attribute for the realm.

name "krb5_domain"
description "Configures Kerberos 5 Authentication for domain realm"
override_attributes "krb5" => {
   "krb5_conf" => {
    "realms" => {
      "default_realm_kdcs" => [
        "kdc1.example.com",
        "kdc2.example.com",
        "kdc3.example.com"
      ]
    }
  }
}
run_list "recipe[krb5]"

The second example is a role for multiple Kerberos realms.

name "krb5_multirealm"
description "Configures Kerberos 5 Authentication for example.com and example.org realm"
override_attributes "krb5" => {
  "krb5_conf" => {
    "libdefaults" => {
      "default_realm" => "example.com",
      "dns_lookup_kdc" => "true"
   },
   "realms" => {
      "realms" => [ 
        "example.com",
        "example.org"
      ],
      "default_realm_kdcs" => [
        "kdc1.example.com",
        "kdc2.example.com",
        "kdc3.example.com"
      ],
    }
  } 
}
run_list "recipe[krb5]"

License and Authors

Author:: Eric G. Wolfe

Author:: Chris Gianelloni

Copyright:: © 2012-2014 Eric G. Wolfe

Copyright:: © 2014-2015 Cask Data, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License

Unreleased

v2.3.0

Conditionally restart KDC on config change
Update how we default kadmind and KDC services

v2.2.3

Restore functionality in "find" helpers

v2.2.2

Add a service for kpropd
Update testing framework (ChefDK)

v2.2.1

Fix typo is guard around senstive in krb5_keytab
Update testing framework (Gemfile/Berksfile)

v2.2.0

Before creating keytab, kinit as admin user

v2.1.0

Include ntp::default in default recipe
Remove extra whitespace to appease the almighty Rubocop

v2.0.2

Remove default from name_property for GitHub issue #26
The execute[create-krb5-db] resource creates the DB file
Update Gem/cookbook restrictions and rubocop configuration
Support includedir directive

v2.0.1

Make execute block sensitive
Authconfig Execute w/ Test via @joerocklin
Only use compile_time on chef_gem when defined
Only use sensitive on execute when defined
Control expected service state via attribute
Only close rkerberos objects when defined
Install build dependencies for rkerberos gem

v2.0.0

Remove deprecated attribute support
Remove testing vendored gems via rubocop

v1.1.0

Remove ChefSpec deprecation warnings
Use container-based Travis CI infrastructure
Add missing tests for 100% coverage
LWRP for krb5_keytab and krb5_principal

v1.0.4

Fix default realm attributes properly

v1.0.3

Cleanups for Rubocop
Switch to CentOS 6.5 in ChefSpec

v1.0.2

Update README to new attribute layout via @joraff
Simplify default realm configuration

v1.0.1

Fix a bug with the new default realm attributes

v1.0.0

Switch to attribute-driven templates
Add support for KDC and kadmind
Add Chef ntp cookbook to dependencies
Add Vagrantfile for direct Vagrant testing

v0.2.0

Support for different logging options
Add rubocop, foodcritic, and chefspec tests

v0.1.0

Support more options: forwardable, ticket/renew_lifetime via @jblaine
Add support for Suse via @jackl0phty

v0.0.7

Correct brackets on not_if conditional

v0.0.6

Depend on Opscode NTP cookbook for accurate clocks

v0.0.2

Public release of krb5 cookbook

Collaborator Number Metric
            

2.3.0 failed this metric

Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric
            

2.3.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric
            

2.3.0 failed this metric

FC122: Use the build_essential resource instead of the recipe: krb5/recipes/rkerberos_gem.rb:20
Run with Foodcritic Version 14.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

No Binaries Metric
            

2.3.0 passed this metric

Testing File Metric
            

2.3.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric
            

2.3.0 passed this metric