Change kerberos create host logic to match new ad create host logic

manifests/kerberos.pp

@@ -98,20 +98,31 @@
 
     # KERBEROS HOST PRINCIPAL CREATION
     if ( $createhostkeytab and $createhostuser ) {
-      # CREATE KEYS AND SETUP RENEWAL
-      file { '/root/createhostkeytab.sh':
-        ensure => file,
-        mode   => '0500',
-        source => "puppet:///modules/${module_name}/root/createhostkeytab.sh",
+      $kerberos_domains = split($facts['kerberos_keytab_domains'], ',')
+      if ( 'NCSA.EDU' in $kerberos_domains ) {
+        $ensure_parm = 'absent'
+      } else {
+        $ensure_parm = 'present'
+
+        exec { 'run_create_host_keytab_script':
+          path    => ['/usr/bin', '/usr/sbin', '/usr/lib/mit/bin'],
+          command => Sensitive(
+            "/root/createhostkeytab.sh '${createhostkeytab}' '${createhostuser}'"
+          ),
+          require => File['/root/createhostkeytab.sh'],
+        }
+
+        # FOLLOWING IS JUST IN CASE THE run_create_host_keytab_script TIMES OUT, WHICH IT HAS
+        file { '/root/createhost.keytab':
+          ensure  => absent,
+          require => Exec['run_create_host_keytab_script'],
+        }
       }
-      ## THIS MIGHT NEED TO BE SMARTER TO ALLOW FOR MULTIPLE HOSTNAMES ON ONE SERVER
-      exec { 'create_host_keytab':
-        path    => ['/usr/bin', '/usr/sbin', '/usr/lib/mit/bin'],
-        command => "/root/createhostkeytab.sh ${createhostkeytab} ${createhostuser}",
-        unless  => 'klist -kt /etc/krb5.keytab 2>&1 | grep "host/`hostname -f`@NCSA.EDU"',
-        require => [
-          File['/root/createhostkeytab.sh'],
-        ],
+
+      file { '/root/createhostkeytab.sh':
+        ensure  => $ensure_parm,
+        mode    => '0500',
+        content => template("${module_name}/createhostkeytab.sh.erb"),
       }
 
       Cron {
@@ -146,7 +157,6 @@
           command => Sensitive(
             "/root/ad_createhostkeytab.sh '${ad_domain}' '${ad_computers_ou}' '${ad_createhostuser}' '${ad_createhostkeytab}' "
           ),
-          #refreshonly => true,
           require => File['/root/ad_createhostkeytab.sh'],
         }
 

templates/createhostkeytab.sh.erb

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+# Enable debugging mode
+set -x
+
+# ASSIGN ARGUMENTS FROM COMMAND LINE ARGUMENTS
+CREATEHOST_USER=$2  # User with permissions to create host in AD
+KEYTAB_BASE64=$1    # Base64 encoded keytab for creating host
+
+# ASSIGN STATIC VARIABLES
+DOMAIN="NCSA.EDU"
+HOST_FQDN="<%= @fqdn %>"  # Fully Qualified Domain Name of the host
+KEYTAB_FILE="/root/createhost.keytab"  # Path to store the decoded keytab file
+
+RANDSTRING=`head -c 16 /dev/random  | base64 | grep -o . | sort -R | tr -d "\n" | head -c 14`
+REQCLASS1=`date | base64 | tr -dc A-Z | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCLASS2=`date | base64 | tr -dc a-z | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCLASS3=`date | tr -dc 0-9 | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCHARS=`echo $REQCLASS1$REQCLASS2$REQCLASS3`
+TEMPPASS=`echo "$RANDSTRING$REQCHARS" | grep -o . | sort -R | tr -d "\n"`
+
+# Decode the base64 encoded keytab and save it to a file
+echo "${KEYTAB_BASE64}" | base64 --decode > $KEYTAB_FILE
+
+echo -e "$TEMPPASS\n$TEMPPASS" | kadmin -kt /root/createhost.keytab -p ${CREATEHOST_USER}/createhost@${DOMAIN} -q "addprinc host/${HOST_FQDN}@${DOMAIN}"
+echo -e "$TEMPPASS" | kadmin -p host/${HOST_FQDN}@${DOMAIN} -q "ktadd host/${HOST_FQDN}@${DOMAIN}"
+
+# Optionally, list the contents of the keytab file (uncomment for debugging)
+# klist -kte
+
+# Remove the keytab file for security reasons
+rm -f $KEYTAB_FILE