diff --git a/manifests/kerberos.pp b/manifests/kerberos.pp
index 8d190ed..91f13fe 100644
--- a/manifests/kerberos.pp
+++ b/manifests/kerberos.pp
@@ -98,20 +98,31 @@
 # KERBEROS HOST PRINCIPAL CREATION
 if ( $createhostkeytab and $createhostuser ) {
- # CREATE KEYS AND SETUP RENEWAL
- file { '/root/createhostkeytab.sh':
- ensure => file,
- mode => '0500',
- source => "puppet:///modules/${module_name}/root/createhostkeytab.sh",
+ $kerberos_domains = split($facts['kerberos_keytab_domains'], ',')
+ if ( 'NCSA.EDU' in $kerberos_domains ) {
+ $ensure_parm = 'absent'
+ } else {
+ $ensure_parm = 'present'
+
+ exec { 'run_create_host_keytab_script':
+ path => ['/usr/bin', '/usr/sbin', '/usr/lib/mit/bin'],
+ command => Sensitive(
+ "/root/createhostkeytab.sh '${createhostkeytab}' '${createhostuser}'"
+ ),
+ require => File['/root/createhostkeytab.sh'],
+ }
+
+ # FOLLOWING IS JUST IN CASE THE run_create_host_keytab_script TIMES OUT, WHICH IT HAS
+ file { '/root/createhost.keytab':
+ ensure => absent,
+ require => Exec['run_create_host_keytab_script'],
+ }
 }
- ## THIS MIGHT NEED TO BE SMARTER TO ALLOW FOR MULTIPLE HOSTNAMES ON ONE SERVER
- exec { 'create_host_keytab':
- path => ['/usr/bin', '/usr/sbin', '/usr/lib/mit/bin'],
- command => "/root/createhostkeytab.sh ${createhostkeytab} ${createhostuser}",
- unless => 'klist -kt /etc/krb5.keytab 2>&1 | grep "host/`hostname -f`@NCSA.EDU"',
- require => [
- File['/root/createhostkeytab.sh'],
- ],
+
+ file { '/root/createhostkeytab.sh':
+ ensure => $ensure_parm,
+ mode => '0500',
+ content => template("${module_name}/createhostkeytab.sh.erb"),
 }
 Cron {
@@ -146,7 +157,6 @@
 command => Sensitive(
 "/root/ad_createhostkeytab.sh '${ad_domain}' '${ad_computers_ou}' '${ad_createhostuser}' '${ad_createhostkeytab}' "
 ),
- #refreshonly => true,
 require => File['/root/ad_createhostkeytab.sh'],
 }
diff --git a/templates/createhostkeytab.sh.erb b/templates/createhostkeytab.sh.erb
new file mode 100644
index 0000000..14de13f
--- /dev/null
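Review bot: The base64 keytab in `exec { 'run_create_host_keytab_script': }` is handed to the script as an argv word, so while the script runs it is readable by every local user through `ps` or `/proc/<pid>/cmdline`; `Sensitive()` only keeps it out of the catalog, report and agent log. Pass the blob on stdin instead, or write it with a `file` resource (`mode => '0400'`, `content => Sensitive($createhostkeytab)`) that the script reads and deletes, and keep only the username on the command line. The new exec also has no `unless`, `creates` or `timeout`, so until the `kerberos_keytab_domains` fact reports NCSA.EDU every agent run re-executes the script, and because the script begins with `addprinc` a half-finished earlier run (the comment itself says the script has timed out) will presumably make each retry stop at the already-existing principal. `split($facts['kerberos_keytab_domains'], ',')` will presumably raise a type error when that fact is undefined, e.g. on a node where the custom fact is not installed yet; guard it with `$kerberos_domains = $facts['kerberos_keytab_domains'] ? { undef => [], default => split($facts['kerberos_keytab_domains'], ',') }`. The enclosing `if ( $createhostkeytab and $createhostuser )` block continues past the hunk.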
+++ b/templates/createhostkeytab.sh.erb
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+# Enable debugging mode
+set -x
+
+# ASSIGN ARGUMENTS FROM COMMAND LINE ARGUMENTS
+CREATEHOST_USER=$2 # User with permissions to create host in AD
+KEYTAB_BASE64=$1 # Base64 encoded keytab for creating host
+
+# ASSIGN STATIC VARIABLES
+DOMAIN="NCSA.EDU"
+HOST_FQDN="<%= @fqdn %>" # Fully Qualified Domain Name of the host
+KEYTAB_FILE="/root/createhost.keytab" # Path to store the decoded keytab file
+
+RANDSTRING=`head -c 16 /dev/random | base64 | grep -o . | sort -R | tr -d "\n" | head -c 14`
+REQCLASS1=`date | base64 | tr -dc A-Z | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCLASS2=`date | base64 | tr -dc a-z | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCLASS3=`date | tr -dc 0-9 | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCHARS=`echo $REQCLASS1$REQCLASS2$REQCLASS3`
+TEMPPASS=`echo "$RANDSTRING$REQCHARS" | grep -o . | sort -R | tr -d "\n"`
+
+# Decode the base64 encoded keytab and save it to a file
+echo "${KEYTAB_BASE64}" | base64 --decode > $KEYTAB_FILE
+
+echo -e "$TEMPPASS\n$TEMPPASS" | kadmin -kt /root/createhost.keytab -p ${CREATEHOST_USER}/createhost@${DOMAIN} -q "addprinc host/${HOST_FQDN}@${DOMAIN}"
+echo -e "$TEMPPASS" | kadmin -p host/${HOST_FQDN}@${DOMAIN} -q "ktadd host/${HOST_FQDN}@${DOMAIN}"
+
+# Optionally, list the contents of the keytab file (uncomment for debugging)
+# klist -kte
+
+# Remove the keytab file for security reasons
+rm -f $KEYTAB_FILE
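Review bot: `set -x` on line 5 of the new script traces every command with its expanded arguments, so the base64 keytab (`echo "${KEYTAB_BASE64}" | base64 --decode`) and the temporary password (`echo -e "$TEMPPASS\n$TEMPPASS" | kadmin …`) go to stderr, which Puppet captures as exec output and, with exec's default `logoutput => on_failure`, writes to the agent log and report whenever the run fails; the `Sensitive()` on the exec command does not cover that output, so drop `set -x` or enable it only around the non-secret lines with `set -x`/`set +x`. The decoded keytab is created by plain redirection and therefore gets the process umask rather than owner-only permissions; put `umask 077` before the `base64 --decode` line. Because `set -e` aborts on the first failing command, the final `rm -f $KEYTAB_FILE` is skipped exactly when something went wrong, which is why the manifest needs a separate `file { ensure => absent }`; `trap 'rm -f "$KEYTAB_FILE"' EXIT` placed right after the variable assignments removes the keytab on every exit path. The `addprinc` step is not idempotent, so after a partial run (principal created, `ktadd` never completed) every rerun presumably stops there; check first with `kadmin … -q "getprinc host/${HOST_FQDN}@${DOMAIN}"` or treat an already-existing principal as success before attempting `ktadd`.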