Role to deploy Kerberos 5 KDC and client introduced
parent
284cc6c782
commit
f550d0bac9
24
roles/kerberos5/defaults/main.yml
Normal file
24
roles/kerberos5/defaults/main.yml
Normal file
@ -0,0 +1,24 @@
|
||||
---
|
||||
|
||||
krb5_required_vars:
|
||||
- krb5_flavor
|
||||
- krb5_realm
|
||||
- krb5_domain
|
||||
- krb5_admin_pass
|
||||
- krb5_master_address
|
||||
|
||||
krb5_packages:
|
||||
- bind-utils
|
||||
- krb5-kinit
|
||||
- krb5-kdc
|
||||
- krb5-kadmin
|
||||
|
||||
krb5_cl_required_vars:
|
||||
- krb5_master_address
|
||||
|
||||
krb5_cl_packages:
|
||||
- krb5-kinit
|
||||
- bind-utils
|
||||
|
||||
kdc_var_path: '/var/lib/kerberos/krb5kdc'
|
||||
|
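Review bot: `krb5_required_vars` does not list `krb5_master_hostname`, yet templates/hosts.j2 in this commit expands `{{ krb5_master_hostname }}`, so a missing value surfaces as an undefined-variable error inside the `/etc/hosts` template task instead of the explicit "is not defined" check; add `- krb5_master_hostname` to the list. Conversely `krb5_domain` is required here but not referenced by any file in this commit — if it is consumed elsewhere, a one-line comment saying so would save the next reader a search. A header comment naming the two `krb5_flavor` values the tasks dispatch on (`kdc_master`, `kdc_client`) would also help, since any other value currently makes the role run only the common tasks without complaint.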
12
roles/kerberos5/handlers/main.yml
Normal file
12
roles/kerberos5/handlers/main.yml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
|
||||
- name: Restart NetworkManager
|
||||
service:
|
||||
name: NetworkManager
|
||||
state: restarted
|
||||
|
||||
- name: Restart networking service
|
||||
service:
|
||||
name: network
|
||||
state: restarted
|
||||
|
81
roles/kerberos5/tasks/client.yml
Normal file
81
roles/kerberos5/tasks/client.yml
Normal file
@ -0,0 +1,81 @@
|
||||
---
|
||||
|
||||
- name: check required variables
|
||||
fail: msg="{{ item }} is not defined"
|
||||
when: item not in vars
|
||||
with_items: "{{ krb5_cl_required_vars }}"
|
||||
|
||||
- name: check if NetworkManager is present (ALTLinux)
|
||||
command: >
|
||||
rpm -q NetworkManager-daemon
|
||||
register: networkmanager_present
|
||||
failed_when: false
|
||||
|
||||
- name: disable resolv.conf management by NM
|
||||
lineinfile:
|
||||
path: /etc/NetworkManager/NetworkManager.conf
|
||||
regexp: '^dns='
|
||||
line: 'dns=none'
|
||||
backrefs: yes
|
||||
state: present
|
||||
register: nm_conf_is
|
||||
notify: Restart NetworkManager
|
||||
when: networkmanager_present.rc == 0
|
||||
|
||||
- name: Add line if not configured
|
||||
lineinfile:
|
||||
state : present
|
||||
dest : /etc/NetworkManager/NetworkManager.conf
|
||||
line : 'dns=none'
|
||||
regexp : ''
|
||||
insertafter: EOF
|
||||
when:
|
||||
- networkmanager_present.rc == 0
|
||||
- nm_conf_is.changed == false
|
||||
notify: Restart NetworkManager
|
||||
|
||||
- name: check if /etc/net/ifaces/eth0 exists
|
||||
stat: path=/etc/net/ifaces/eth0
|
||||
register: ifaces_eth0_st
|
||||
failed_when: false
|
||||
|
||||
- set_fact:
|
||||
managed_by_etcnet: "{{ ifaces_eth0_st.stat.exists and ifaces_eth0_st.stat.isdir }}"
|
||||
|
||||
- name: enable eth0 (etcnet)
|
||||
lineinfile:
|
||||
path: /etc/net/ifaces/eth0/options
|
||||
regexp: '^DISABLED='
|
||||
line: 'DISABLED=no'
|
||||
backrefs: yes
|
||||
state: present
|
||||
register: net_conf_is
|
||||
changed_when: managed_by_etcnet|bool and net_conf_is.changed
|
||||
when: managed_by_etcnet|bool
|
||||
notify: Restart networking service
|
||||
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: update resolver, step 1
|
||||
command: resolvconf -d NetworkManager
|
||||
when: networkmanager_present.rc == 0
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
|
||||
- name: update resolver, step 2
|
||||
command: resolvconf -u
|
||||
changed_when: false
|
||||
|
||||
- name: install Kerberos 5 client packages
|
||||
apt_rpm:
|
||||
pkg: "{{ krb5_cl_packages | join(',')}}"
|
||||
state: installed
|
||||
update_cache: yes
|
||||
when: krb5_cl_packages | length > 0
|
||||
|
||||
- name: register node in localhost hostvars
|
||||
set_fact:
|
||||
kdc_clients: "{{ hostvars['localhost']['kdc_clients'] | default([]) }} + [ '{{ inventory_hostname_short }}' ]"
|
||||
delegate_to: localhost
|
||||
delegate_facts: true
|
||||
|
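Review bot: The `kdc_clients` accumulation in the last task builds a string of the form `[...] + [ 'host' ]` rather than a list and relies on Ansible re-evaluating that string as an expression, which newer releases no longer do reliably; do the concatenation inside the expression instead: `kdc_clients: "{{ hostvars['localhost']['kdc_clients'] | default([]) + [inventory_hostname_short] }}"`. The same pattern is used for `krb5_masters` at the end of master.yml. Note also that when several client hosts run this play, each reads the same pre-task value of `hostvars['localhost']`, so presumably only one name survives — fine for a single client per run, but worth a comment if that is the intended scope.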
69
roles/kerberos5/tasks/main.yml
Normal file
69
roles/kerberos5/tasks/main.yml
Normal file
@ -0,0 +1,69 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- name: check required variables
|
||||
fail: msg="{{ item }} is not defined"
|
||||
when: item not in vars
|
||||
with_items: "{{ krb5_required_vars }}"
|
||||
|
||||
- name: install openresolv and etcnet
|
||||
apt_rpm: pkg=openresolv,etcnet state=present
|
||||
register: openresolv_install
|
||||
|
||||
- name: check if altlinux-openresolv service exists
|
||||
command: service altlinux-openresolv status
|
||||
register:
|
||||
altlinux_openresolv_status
|
||||
failed_when: False
|
||||
|
||||
- set_fact:
|
||||
altlinux_openresolv_exists: "{{ altlinux_openresolv_status.rc != 3 }}"
|
||||
|
||||
# XXX: touching /etc/resolv.conf might start altlinux-openresolv.service,
|
||||
# (if it hasn't been started before, i.e. if the openresolv package haven't
|
||||
# been installed before applying this role). altlinux-openresolv overwrites
|
||||
# modifications of /etc/resolv.conf done by this role. Therefore explicitly
|
||||
# start altlinux-openresolv before adjusting /etc/resolv.conf
|
||||
- name: start altlinux-openresolv
|
||||
service: name=altlinux-openresolv state=started
|
||||
when: altlinux_openresolv_exists|bool and openresolv_install.changed|bool
|
||||
|
||||
- name: create /etc/krb5.conf
|
||||
template:
|
||||
src: krb5.conf.j2
|
||||
dest: /etc/krb5.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: set hostname (non permanent)
|
||||
shell: hostname "{{inventory_hostname_short}}.{{krb5_realm}}"
|
||||
changed_when: false
|
||||
|
||||
- name: Deploy Kerberos 5 server
|
||||
include_tasks: master.yml
|
||||
when: krb5_flavor == 'kdc_master'
|
||||
|
||||
- name: Deploy Kerberos 5 client
|
||||
include_tasks: client.yml
|
||||
when: krb5_flavor == 'kdc_client'
|
||||
|
||||
- debug:
|
||||
msg: '{{ krb5_master_address }}'
|
||||
|
||||
- name: Configure /etc/hosts for Kerberos 5
|
||||
template:
|
||||
src: hosts.j2
|
||||
dest: /etc/hosts
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Refresh Kerberos 5 key
|
||||
shell: 'echo {{ krb5_admin_pass}} | kinit admin/admin@{{ krb5_realm | upper}}'
|
||||
changed_when: false
|
||||
register: task_result
|
||||
until: task_result.rc == 0
|
||||
retries: 30
|
||||
delay: 1
|
||||
|
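Review bot: The `Refresh Kerberos 5 key` task at the end interpolates `krb5_admin_pass` into a shell command line, so the password is visible to other local users in the process list while the command runs and is recorded in the task output and in the registered `task_result` (up to 30 times, given the retries) — and the task has no `no_log`. Feed it on stdin and hide the task: `command: kinit admin/admin@{{ krb5_realm | upper }}`, `args: {stdin: "{{ krb5_admin_pass }}"}`, `no_log: true`. The same exposure applies to the `kdb5_util -P` and `addprinc -pw` tasks in master.yml. Unrelated: the `debug` task printing `krb5_master_address` between the includes looks like a leftover.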
73
roles/kerberos5/tasks/master.yml
Normal file
73
roles/kerberos5/tasks/master.yml
Normal file
@ -0,0 +1,73 @@
|
||||
---
|
||||
|
||||
- name: check required variables
|
||||
fail: msg="{{ item }} is not defined"
|
||||
when: item not in vars
|
||||
with_items: "{{ krb5_required_vars }}"
|
||||
|
||||
# Install KDC and kadmin daemons
|
||||
- name: Install Kerberos 5 KDC packages
|
||||
apt_rpm:
|
||||
pkg: "{{ krb5_packages | join(',')}}"
|
||||
state: installed
|
||||
update_cache: yes
|
||||
when: krb5_packages | length > 0
|
||||
|
||||
# Configure /etc/hosts and avoid complex DNS configuration for KDC
|
||||
- name: Configure /etc/hosts for Kerberos 5
|
||||
template:
|
||||
src: hosts.j2
|
||||
dest: /etc/hosts
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
# We need to initialize principal database on the new system in order
|
||||
# 'krb5kdc` to work.
|
||||
- name: Initialize Kerberos 5 local database
|
||||
shell: "kdb5_util create -P '{{ krb5_admin_pass }}' -r {{ krb5_realm | upper }} -s"
|
||||
|
||||
# We must configure Kerberos 5 realm properly for krb5kdc
|
||||
- name: Configure krb5kdc
|
||||
template:
|
||||
src: kdc.conf.j2
|
||||
dest: '{{ kdc_var_path }}/kdc.conf'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
|
||||
# We need to configure the principal to have ALL permissions. It's\
|
||||
# like 'root' user but for Kerberos KDC.
|
||||
- name: Configure kadmin user permissions
|
||||
template:
|
||||
src: kadm5.acl.j2
|
||||
dest: '{{ kdc_var_path }}/kadm5.acl'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
|
||||
# Then we need at least one principal with administrative privileges
|
||||
# in order to work with Kerberos database via `kadmin` daemon.
|
||||
- name: Create Kerberos 5 admin principal
|
||||
shell: "kadmin.local -q 'addprinc -pw {{ krb5_admin_pass }} admin/admin@{{ krb5_realm | upper }}'"
|
||||
|
||||
# Start krb5kdc finally
|
||||
- name: Enable and start krb5kdc
|
||||
systemd:
|
||||
name: krb5kdc
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
# kadmin daemon needs krb5kdc to work with so it starts after it
|
||||
- name: Enable and start kadmin
|
||||
systemd:
|
||||
name: kadmin
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: register node in localhost hostvars
|
||||
set_fact:
|
||||
krb5_masters: "{{ hostvars['localhost']['krb5_masters'] | default([]) }} + [ '{{ inventory_hostname_short }}' ]"
|
||||
delegate_to: localhost
|
||||
delegate_facts: true
|
||||
|
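Review bot: Neither `Initialize Kerberos 5 local database` nor `Create Kerberos 5 admin principal` is idempotent or hidden: both run on every play (a rerun fails once the database and principal exist), and both put `krb5_admin_pass` on the command line (`-P`, `-pw`), where it is visible in the process list and in the Ansible output, with no `no_log: true`. At minimum add `no_log: true` to both, and guard the database creation with `args: {creates: '{{ kdc_var_path }}/<DATABASE_FILE>'}` — confirm which file `kdb5_util create` writes in this layout; the stash file produced by `-s` is another candidate. The `addprinc` task can be skipped in the same way once a `kadmin.local -q 'getprinc ...'` check (with `failed_when: false`) reports that the principal exists. The kinit task in main.yml passes the password on the command line as well.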
3
roles/kerberos5/templates/hosts.j2
Normal file
3
roles/kerberos5/templates/hosts.j2
Normal file
@ -0,0 +1,3 @@
|
||||
127.0.0.1 localhost.localdomain localhost
|
||||
{{ krb5_master_address }} {{ krb5_master_hostname }}
|
||||
|
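Review bot: The template replaces `/etc/hosts` wholesale, so the IPv6 loopback entry and any host-specific lines present on the target are dropped; main.yml applies it to clients as well as to the KDC. Consider adding `::1 localhost.localdomain localhost` as a second line and, if existing entries must survive, switching the task to `blockinfile` with the KDC line as the managed block. A comment at the top of the template stating that the file is fully managed by the role would make the behaviour explicit to whoever later edits `/etc/hosts` by hand.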
1
roles/kerberos5/templates/kadm5.acl.j2
Normal file
1
roles/kerberos5/templates/kadm5.acl.j2
Normal file
@ -0,0 +1 @@
|
||||
*/admin@{{ krb5_realm | upper }} *
|
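Review bot: The single ACL line grants every privilege (`*`) to any principal whose instance is `admin`, not only the `admin/admin` principal that master.yml creates; that is the usual MIT example, but it means any later `<name>/admin` principal is automatically a full administrator. A comment in the template would make this deliberate, e.g. `# any */admin principal has all kadmin privileges; create such principals with care`.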
21
roles/kerberos5/templates/kdc.conf.j2
Normal file
21
roles/kerberos5/templates/kdc.conf.j2
Normal file
@ -0,0 +1,21 @@
|
||||
[kdcdefaults]
|
||||
kdc_ports = 88
|
||||
kdc_tcp_ports = 88
|
||||
|
||||
[realms]
|
||||
{{ krb5_realm | upper }} = {
|
||||
master_key_type = aes256-cts
|
||||
kadmind_port = 749
|
||||
max_life = 12h 0m 0s
|
||||
max_renewable_life = 7d 0h 0m 0s
|
||||
acl_file = {{ kdc_var_path }}/kadm5.acl
|
||||
dict_file = /usr/share/dict/words
|
||||
admin_keytab = {{ kdc_var_path }}/kadm5.keytab
|
||||
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
|
||||
}
|
||||
|
||||
[logging]
|
||||
kdc = FILE:/var/log/krb5kdc.log
|
||||
admin_server = FILE:/var/log/kadmin.log
|
||||
default = FILE:/var/log/krb5lib.log
|
||||
|
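Review bot: `supported_enctypes` lists single-DES (`des-hmac-sha1`, `des-cbc-md5`, `des-cbc-crc`), RC4 (`arcfour-hmac`) and triple-DES key types for every new principal; single DES is disabled by default in MIT krb5 since 1.8 and removed in 1.18, and RC4/3DES are deprecated, so depending on the installed version these entries either do nothing or silently add weak keys. Trim the line to `supported_enctypes = aes256-cts:normal aes128-cts:normal` (keep the camellia types only if a client needs them). `dict_file` points at `/usr/share/dict/words`, which the role does not install — as far as I know kadmind then logs a warning and skips the dictionary check, so either install the words package in `krb5_packages` or drop the setting.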
28
roles/kerberos5/templates/krb5.conf.j2
Normal file
28
roles/kerberos5/templates/krb5.conf.j2
Normal file
@ -0,0 +1,28 @@
|
||||
#includedir /etc/krb5.conf.d/
|
||||
|
||||
[logging]
|
||||
# default = FILE:/var/log/krb5libs.log
|
||||
# kdc = FILE:/var/log/krb5kdc.log
|
||||
# admin_server = FILE:/var/log/kadmind.log
|
||||
|
||||
[libdefaults]
|
||||
dns_lookup_kdc = false
|
||||
dns_lookup_realm = false
|
||||
ticket_lifetime = 24h
|
||||
renew_lifetime = 7d
|
||||
forwardable = true
|
||||
rdns = false
|
||||
default_realm = {{ krb5_realm | upper }}
|
||||
# default_ccache_name = KEYRING:persistent:%{uid}
|
||||
|
||||
[realms]
|
||||
{{ krb5_realm | upper }} = {
|
||||
kdc = kdc0.{{ krb5_realm | lower }}
|
||||
admin_server = kdc0.{{ krb5_realm | lower }}
|
||||
default_domain = {{ krb5_realm | lower }}
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
.{{ krb5_realm }} = {{ krb5_realm | upper }}
|
||||
{{ krb5_realm }} = {{ krb5_realm | upper }}
|
||||
|
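Review bot: `kdc` and `admin_server` in `[realms]` are hard-coded to `kdc0.{{ krb5_realm | lower }}`, while hosts.j2 maps `krb5_master_address` to `krb5_master_hostname`; with `dns_lookup_kdc = false` a client only finds the KDC when those two names coincide. Use the same variable in both places: `kdc = {{ krb5_master_hostname }}` and `admin_server = {{ krb5_master_hostname }}`. The `[domain_realm]` block also uses the unmodified `krb5_realm` where `[realms]` uses `| lower`; hostnames are presumably matched case-insensitively in practice, but writing `.{{ krb5_realm | lower }}` here avoids depending on that.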