parent
549b14dc7e
commit
13500c7a9e
@ -0,0 +1,18 @@
|
|||||||
|
# msvsphere.ci.kerberos_kdc
|
||||||
|
|
||||||
|
An Ansible role that installs and configures a Kerberos KDC (Key Distribution
|
||||||
|
Center).
|
||||||
|
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
| Variable | Default value | Type | Description | Required |
|
||||||
|
| -------- | ------------- | ---- |----------- | -------- |
|
||||||
|
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
MIT.
|
||||||
|
|
||||||
|
## Authors
|
||||||
|
|
||||||
|
* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
kerberos_kdc_domain_name:
|
||||||
|
kerberos_kdc_realm: "{{ kerberos_kdc_domain_name | upper }}"
|
||||||
|
kerberos_kdc_admin_principal: "admin@{{ kerberos_kdc_realm }}"
|
||||||
|
kerberos_kdc_db_password:
|
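Review bot: `kerberos_kdc_domain_name:` and `kerberos_kdc_db_password:` are bare empty values, which YAML reads as null; the guard task in tasks/main.yml copes with that, but the intent reads more clearly as `kerberos_kdc_domain_name: null` and `kerberos_kdc_db_password: null`, or by omitting both keys since the argument spec already marks them required. Keeping the database password out of this defaults file is the right choice; a comment such as `# no default: must be supplied by the caller (e.g. from a vault)` above the two keys would make that explicit for readers who only open this file.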
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
- name: restart krb5kdc
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: krb5kdc
|
||||||
|
state: restarted
|
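Review bot: Only a `restart krb5kdc` handler is defined, but the tasks that notify it also rewrite kadm5.acl and kdc.conf, and those are consumed by kadmind, which the play later starts as a separate `kadmin` service; as far as I recall kadmind reads kadm5.acl at startup, so an ACL change applied by this role would not take effect on an already-running kadmind. Add a second handler named `restart kadmin` that calls `ansible.builtin.service` with `name: kadmin` and `state: restarted`, and notify it from the kadm5.acl and kdc.conf template tasks as well.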
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
argument_specs:
|
||||||
|
main:
|
||||||
|
short_description: A role that installs and configures a Kerberos KDC.
|
||||||
|
author: Eugene Zamriy
|
||||||
|
version_added: '0.1.5'
|
||||||
|
options:
|
||||||
|
kerberos_kdc_domain_name:
|
||||||
|
description: Kerberos KDC domain name.
|
||||||
|
type: 'str'
|
||||||
|
required: true
|
||||||
|
|
||||||
|
kerberos_kdc_realm:
|
||||||
|
description: Kerberos KDC realm.
|
||||||
|
default: '{{ kerberos_kdc_domain_name | upper }}'
|
||||||
|
type: 'str'
|
||||||
|
required: false
|
||||||
|
|
||||||
|
kerberos_kdc_admin_principal:
|
||||||
|
description: Kerberos administrator principal.
|
||||||
|
default: 'admin@{{ kerberos_kdc_realm }}'
|
||||||
|
type: 'str'
|
||||||
|
required: false
|
||||||
|
|
||||||
|
kerberos_kdc_db_password:
|
||||||
|
description: Kerberos database password.
|
||||||
|
type: 'str'
|
||||||
|
required: true
|
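Review bot: The `kerberos_kdc_db_password` option at the end of the hunk is a secret but carries no `no_log: true`, so the argument validation Ansible performs against this spec may echo the supplied value in task output or logs when validation fails; add `no_log: true` next to `required: true`. The description could also say what the value is used for, e.g. `description: Password for the KDC master key (passed to kdb5_util create -s).`, so callers understand its sensitivity.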
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
galaxy_info:
|
||||||
|
author: Eugene Zamriy
|
||||||
|
description: A role that installs and configures a Kerberos KDC.
|
||||||
|
company: Softline PJSC
|
||||||
|
license: MIT
|
||||||
|
min_ansible_version: 2.13
|
||||||
|
platforms:
|
||||||
|
- name: EL
|
||||||
|
versions:
|
||||||
|
- "9"
|
||||||
|
galaxy_tags:
|
||||||
|
- kerberos
|
||||||
|
- kdc
|
||||||
|
|
||||||
|
dependencies: []
|
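Review bot: `min_ansible_version: 2.13` is an unquoted float; it happens to round-trip here, but any version whose minor component ends in zero (2.10, 2.20) would be parsed as 2.1 or 2.2, so write it as a string, `min_ansible_version: '2.13'`, consistent with the already-quoted `"9"` under platforms.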
@ -0,0 +1,79 @@
|
|||||||
|
---
|
||||||
|
- name: Check if required variables are defined
|
||||||
|
ansible.builtin.fail:
|
||||||
|
msg: "{{ item }} is not defined or empty"
|
||||||
|
when: |
|
||||||
|
(vars[item] is undefined)
|
||||||
|
or (vars[item] is none)
|
||||||
|
or (vars[item] | trim | length == 0)
|
||||||
|
with_items:
|
||||||
|
- kerberos_kdc_domain_name
|
||||||
|
- kerberos_kdc_realm
|
||||||
|
- kerberos_kdc_admin_principal
|
||||||
|
- kerberos_kdc_db_password
|
||||||
|
|
||||||
|
- name: Add Kerberos domain name to /etc/hosts
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
dest: /etc/hosts
|
||||||
|
regexp: ".*?\\s{{ kerberos_kdc_domain_name }}"
|
||||||
|
line: "127.0.0.1 {{ kerberos_kdc_domain_name }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Install Kerberos packages
|
||||||
|
ansible.builtin.dnf:
|
||||||
|
name:
|
||||||
|
- krb5-server
|
||||||
|
- krb5-workstation
|
||||||
|
state: installed
|
||||||
|
|
||||||
|
- name: Generate /etc/krb5.conf
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: etc/krb5.conf.j2
|
||||||
|
dest: /etc/krb5.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
setype: krb5_conf_t
|
||||||
|
notify:
|
||||||
|
- restart krb5kdc
|
||||||
|
|
||||||
|
- name: Generate /var/kerberos/krb5kdc/kdc.conf
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: var/kerberos/krb5kdc/kdc.conf.j2
|
||||||
|
dest: /var/kerberos/krb5kdc/kdc.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
setype: krb5kdc_conf_t
|
||||||
|
notify:
|
||||||
|
- restart krb5kdc
|
||||||
|
|
||||||
|
- name: Generate /var/kerberos/krb5kdc/kadm5.acl
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: var/kerberos/krb5kdc/kadm5.acl.j2
|
||||||
|
dest: /var/kerberos/krb5kdc/kadm5.acl
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
setype: krb5kdc_conf_t
|
||||||
|
notify:
|
||||||
|
- restart krb5kdc
|
||||||
|
|
||||||
|
- name: Create Kerberos database
|
||||||
|
ansible.builtin.command: "/usr/sbin/kdb5_util create -s -P {{ kerberos_kdc_db_password | quote }}"
|
||||||
|
args:
|
||||||
|
creates: /var/kerberos/krb5kdc/principal.ok
|
||||||
|
notify:
|
||||||
|
- restart krb5kdc
|
||||||
|
|
||||||
|
- name: Enable and start krb5kdc service
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: krb5kdc
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Enable and start kadmin service
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: kadmin
|
||||||
|
enabled: true
|
||||||
|
state: started
|
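Review bot: The `Create Kerberos database` task passes the master password on the command line via `-P` and has no `no_log: true`, so the password appears in Ansible's task output and any play log, and is visible in the host's process list while kdb5_util runs; at minimum add `no_log: true` to that task, and consider supplying the password through the command module's `stdin` parameter instead of `-P` (kdb5_util prompts for it twice when `-P` is absent). The `/etc/hosts` task interpolates the domain name into a regular expression unescaped, so dots match any character; `regexp: ".*?\\s{{ kerberos_kdc_domain_name | regex_escape }}"` matches the name literally. A minor point: `state: installed` on the dnf task is the legacy alias for `state: present`.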
@ -0,0 +1,31 @@
|
|||||||
|
# To opt out of the system crypto-policies configuration of krb5, remove the
|
||||||
|
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
|
||||||
|
includedir /etc/krb5.conf.d/
|
||||||
|
|
||||||
|
[logging]
|
||||||
|
default = FILE:/var/log/krb5libs.log
|
||||||
|
kdc = FILE:/var/log/krb5kdc.log
|
||||||
|
admin_server = FILE:/var/log/kadmind.log
|
||||||
|
|
||||||
|
[libdefaults]
|
||||||
|
dns_lookup_realm = false
|
||||||
|
ticket_lifetime = 24h
|
||||||
|
renew_lifetime = 7d
|
||||||
|
forwardable = true
|
||||||
|
rdns = false
|
||||||
|
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
|
||||||
|
spake_preauth_groups = edwards25519
|
||||||
|
dns_canonicalize_hostname = fallback
|
||||||
|
qualify_shortname = ""
|
||||||
|
default_realm = {{ kerberos_kdc_realm }}
|
||||||
|
default_ccache_name = KEYRING:persistent:%{uid}
|
||||||
|
|
||||||
|
[realms]
|
||||||
|
{{ kerberos_kdc_realm }} = {
|
||||||
|
kdc = {{ kerberos_kdc_domain_name }}
|
||||||
|
admin_server = {{ kerberos_kdc_domain_name }}
|
||||||
|
}
|
||||||
|
|
||||||
|
[domain_realm]
|
||||||
|
# .example.com = EXAMPLE.COM
|
||||||
|
# example.com = EXAMPLE.COM
|
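Review bot: The `[domain_realm]` section at the end of the hunk contains only commented examples, so hostname-to-realm mapping relies on libkrb5's fallback of upper-casing the host's DNS domain; that coincides with `default_realm` only while `kerberos_kdc_realm` keeps its default of the upper-cased domain name and breaks as soon as a caller overrides the realm. Render the mapping from the role variables instead: `.{{ kerberos_kdc_domain_name }} = {{ kerberos_kdc_realm }}` and `{{ kerberos_kdc_domain_name }} = {{ kerberos_kdc_realm }}`.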
@ -0,0 +1 @@
|
|||||||
|
*/{{ kerberos_kdc_admin_principal }} *
|
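Review bot: `*/{{ kerberos_kdc_admin_principal }} *` does not grant anything to the principal the variable names: with the default `admin@REALM` it expands to `*/admin@REALM *`, which gives every principal with an `admin` instance full rights while `admin@REALM` itself matches nothing, and a caller who sets the variable to `alice@REALM` ends up authorising `*/alice@REALM` rather than alice. If the variable is meant to be the administrator principal, as its description in the argument spec says, the line should be `{{ kerberos_kdc_admin_principal }} *`; if the wildcard-instance pattern is intended, re-document the variable and keep the `*/` form. Either way it is worth checking whether `*` (every kadmin privilege) is the permission set actually needed. Nothing visible in this commit creates the admin principal, so unless that happens elsewhere the role leaves no usable administrator behind.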
@ -0,0 +1,16 @@
|
|||||||
|
[kdcdefaults]
|
||||||
|
kdc_ports = 88
|
||||||
|
kdc_tcp_ports = 88
|
||||||
|
spake_preauth_kdc_challenge = edwards25519
|
||||||
|
|
||||||
|
[realms]
|
||||||
|
{{ kerberos_kdc_realm }} = {
|
||||||
|
master_key_type = aes256-cts-hmac-sha384-192
|
||||||
|
acl_file = /var/kerberos/krb5kdc/kadm5.acl
|
||||||
|
dict_file = /usr/share/dict/words
|
||||||
|
default_principal_flags = +preauth
|
||||||
|
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
|
||||||
|
supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal
|
||||||
|
# Supported encryption types for FIPS mode:
|
||||||
|
#supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
|
||||||
|
}
|
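Review bot: `supported_enctypes` in the realm stanza still lists `arcfour-hmac-md5:normal`, so every principal created on this KDC gets an RC4-HMAC key alongside the AES ones; RC4 is deprecated in MIT krb5 and, as far as I recall, disabled by the EL9 default crypto policy, so the extra key only widens the exposure of a dumped database without providing any interoperability. Trim the line to the AES types, `supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal`, which also lines up with the commented FIPS variant beneath it. `dict_file = /usr/share/dict/words` refers to a file shipped by the `words` package, which the tasks file does not install; I believe kadmind only warns when it is missing, but installing the package or dropping the line would make the intent explicit.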