add basic krb module
authorPeter Palfrader <peter@palfrader.org>
Fri, 10 Sep 2010 15:20:04 +0000 (17:20 +0200)
committerPeter Palfrader <peter@palfrader.org>
Fri, 10 Sep 2010 15:20:04 +0000 (17:20 +0200)
manifests/site.pp
modules/krb/manifests/init.pp [new file with mode: 0644]
modules/krb/templates/krb5.conf.erb [new file with mode: 0644]

index 89527a6..cee95a2 100644 (file)
@@ -107,7 +107,12 @@ node default {
     case $portforwarder_user_exists {
         "true":    { include portforwarder }
     }
+
     include samhain
+
+    case $hostname {
+        byrd,schuetz,draghi:    { include krb }
+    }
 }
 
 # vim:set et:
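Review bot: The selector `case $hostname { byrd,schuetz,draghi: { include krb } }` hard-codes the host list with no comment saying why these three; draghi is not among the KDC addresses the krb5.conf template lists, so a reader cannot tell whether this is "the KDC hosts" or "hosts that get a Kerberos client config". A one-line comment above the case, e.g. `# hosts that receive /etc/krb5.conf from the krb module`, would make the intent checkable when the list grows. The `node default` block starts outside the hunk.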
diff --git a/modules/krb/manifests/init.pp b/modules/krb/manifests/init.pp
new file mode 100644 (file)
index 0000000..08e4107
--- /dev/null
@@ -0,0 +1,10 @@
+class krb {
+    file {
+        "/etc/krb5.conf":
+            content => template("krb/krb5.conf.erb"),
+            ;
+    }
+}
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
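Review bot: The `"/etc/krb5.conf"` file resource sets only `content`, so owner, group and mode are left to whatever the agent's defaults and umask produce when the file is first created; for a file that every libkrb5-using process reads, pin them explicitly, e.g. `owner => root, group => root, mode => 644,` on the lines after `content`. A short header comment on the class, `# krb: deploy the site-wide /etc/krb5.conf from the krb5.conf.erb template`, would also help, since the class body is otherwise undocumented.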
diff --git a/modules/krb/templates/krb5.conf.erb b/modules/krb/templates/krb5.conf.erb
new file mode 100644 (file)
index 0000000..5f8a664
--- /dev/null
@@ -0,0 +1,68 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+[libdefaults]
+       default_realm = DEBIAN.ORG
+
+# The following krb5.conf variables are only for MIT Kerberos.
+       krb4_config = /etc/krb.conf
+       krb4_realms = /etc/krb.realms
+       kdc_timesync = 1
+       ccache_type = 4
+       forwardable = true
+       proxiable = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented.  In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+#
+# Thie only time when you might need to uncomment these lines and change
+# the enctypes is if you have local software that will break on ticket
+# caches containing ticket encryption types it doesn't know about (such as
+# old versions of Sun Java).
+
+#      default_tgs_enctypes = des3-hmac-sha1
+#      default_tkt_enctypes = des3-hmac-sha1
+#      permitted_enctypes = des3-hmac-sha1
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+       v4_instance_resolve = false
+       v4_name_convert = {
+               host = {
+                       rcmd = host
+                       ftp = ftp
+               }
+               plain = {
+                       something = something-else
+               }
+       }
+       fcc-mit-ticketflags = true
+
+[realms]
+       DEBIAN.ORG = {
+               kdc = 82.195.75.92                           # byrd
+               kdc = [2001:41b8:202:deb:216:36ff:fe40:3908] # byrd
+               kdc = 206.12.19.119                           # schuetz
+               kdc = [2607:f8f0:610:4000:216:36ff:fe40:380a] # schuetz
+               master_kdc = 82.195.75.92                           # byrd
+               master_kdc = [2001:41b8:202:deb:216:36ff:fe40:3908] # byrd
+               admin_server = 82.195.75.92                           # byrd
+               admin_server = [2001:41b8:202:deb:216:36ff:fe40:3908] # byrd
+       }
+
+[domain_realm]
+       .debian.org = DEBIAN.ORG
+
+[login]
+       krb4_convert = true
+       krb4_get_tickets = false
+
+<% if fqdn == "byrd.debian.org" -%>
+[password_quality]
+       policies = builtin:minimum-length external-check
+       min_length = 8
+       external_program = /etc/heimdal-kdc/heimdal-password-quality-check
+<% end -%>
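Review bot: The trailing `# byrd` / `# schuetz` annotations on the `kdc`, `master_kdc` and `admin_server` lines in `[realms]` are inline comments, and I am not confident that either the MIT or the Heimdal profile parser strips them rather than keeping them as part of the address value; if they are kept, those KDC entries would not resolve and clients would fall back to whatever other lookup applies. Safer to put each annotation on its own line above the entries it labels, e.g. `# byrd` followed by `kdc = 82.195.75.92`, and to drop the alignment padding. The same two addresses are repeated across kdc, master_kdc and admin_server, so a template variable per host would keep them from drifting apart when one changes. Separately, the `plain = { something = something-else }` entry under `v4_name_convert` looks like placeholder text carried over from an example file and should be removed or explained in a comment.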