parent
549b14dc7e
commit
13500c7a9e
@ -0,0 +1,18 @@
|
||||
# msvsphere.ci.kerberos_kdc
|
||||
|
||||
An Ansible role that installs and configures a Kerberos KDC (Key Distribution
|
||||
Center).
|
||||
|
||||
## Variables
|
||||
|
||||
| Variable | Default value | Type | Description | Required |
|
||||
| -------- | ------------- | ---- |----------- | -------- |
|
||||
|
||||
|
||||
## License
|
||||
|
||||
MIT.
|
||||
|
||||
## Authors
|
||||
|
||||
* [Eugene Zamriy](mailto:ezamriy@msvsphere-os.ru)
|
@ -0,0 +1,5 @@
|
||||
---
|
||||
kerberos_kdc_domain_name:
|
||||
kerberos_kdc_realm: "{{ kerberos_kdc_domain_name | upper }}"
|
||||
kerberos_kdc_admin_principal: "admin@{{ kerberos_kdc_realm }}"
|
||||
kerberos_kdc_db_password:
|
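Review bot: `kerberos_kdc_domain_name:` and `kerberos_kdc_db_password:` are bare keys, which YAML reads as null; the check task in tasks/main.yml relies on exactly that, but it is clearer to write `kerberos_kdc_domain_name: null` and `kerberos_kdc_db_password: null`, or to leave the two required variables out of defaults so that `required: true` in argument_specs reports them. A comment above `kerberos_kdc_db_password` stating that this is the KDC master password and is expected to come from Ansible Vault or an external secret store rather than a committed plain-text value would help users of the role.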
@ -0,0 +1,5 @@
|
||||
---
|
||||
- name: restart krb5kdc
|
||||
ansible.builtin.service:
|
||||
name: krb5kdc
|
||||
state: restarted
|
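Review bot: Only a `restart krb5kdc` handler exists, while the kdc.conf and kadm5.acl templates in tasks/main.yml are also read by kadmind, which the role enables and starts in its last task; a change to kadm5.acl therefore never reaches the running kadmin service. Add a `restart kadmin` handler and notify it, alongside `restart krb5kdc`, from the kdc.conf and kadm5.acl template tasks and from the database creation task. As far as I can tell kadmind loads kadm5.acl at startup, so a restart rather than a reload is needed — confirm against the krb5 version shipped on EL 9.
```yaml
# … unchanged: restart krb5kdc handler …

- name: restart kadmin
  ansible.builtin.service:
    name: kadmin
    state: restarted
```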
@ -0,0 +1,28 @@
|
||||
---
|
||||
argument_specs:
|
||||
main:
|
||||
short_description: A role that installs and configures a Kerberos KDC.
|
||||
author: Eugene Zamriy
|
||||
version_added: '0.1.5'
|
||||
options:
|
||||
kerberos_kdc_domain_name:
|
||||
description: Kerberos KDC domain name.
|
||||
type: 'str'
|
||||
required: true
|
||||
|
||||
kerberos_kdc_realm:
|
||||
description: Kerberos KDC realm.
|
||||
default: '{{ kerberos_kdc_domain_name | upper }}'
|
||||
type: 'str'
|
||||
required: false
|
||||
|
||||
kerberos_kdc_admin_principal:
|
||||
description: Kerberos administrator principal.
|
||||
default: 'admin@{{ kerberos_kdc_realm }}'
|
||||
type: 'str'
|
||||
required: false
|
||||
|
||||
kerberos_kdc_db_password:
|
||||
description: Kerberos database password.
|
||||
type: 'str'
|
||||
required: true
|
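Review bot: The `kerberos_kdc_db_password` option carries no `no_log` marker, so the value can be echoed when the role's argument validation or a verbose run prints the role variables. Add `no_log: true` under that option next to `required: true`. The realm and admin-principal defaults documented here duplicate defaults/main.yml; if one changes the other must follow, so a comment pointing at defaults/main.yml as the source of truth would be useful.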
@ -0,0 +1,16 @@
|
||||
---
|
||||
galaxy_info:
|
||||
author: Eugene Zamriy
|
||||
description: A role that installs and configures a Kerberos KDC.
|
||||
company: Softline PJSC
|
||||
license: MIT
|
||||
min_ansible_version: 2.13
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- "9"
|
||||
galaxy_tags:
|
||||
- kerberos
|
||||
- kdc
|
||||
|
||||
dependencies: []
|
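Review bot: `min_ansible_version: 2.13` is an unquoted number and is read as a float; that happens to round-trip for 2.13 but breaks for versions ending in zero (2.10 would become 2.1), and Galaxy treats the field as a string. Write it as `min_ansible_version: "2.13"`, matching the quoted `- "9"` under platforms a few lines below.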
@ -0,0 +1,79 @@
|
||||
---
|
||||
- name: Check if required variables are defined
|
||||
ansible.builtin.fail:
|
||||
msg: "{{ item }} is not defined or empty"
|
||||
when: |
|
||||
(vars[item] is undefined)
|
||||
or (vars[item] is none)
|
||||
or (vars[item] | trim | length == 0)
|
||||
with_items:
|
||||
- kerberos_kdc_domain_name
|
||||
- kerberos_kdc_realm
|
||||
- kerberos_kdc_admin_principal
|
||||
- kerberos_kdc_db_password
|
||||
|
||||
- name: Add Kerberos domain name to /etc/hosts
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/hosts
|
||||
regexp: ".*?\\s{{ kerberos_kdc_domain_name }}"
|
||||
line: "127.0.0.1 {{ kerberos_kdc_domain_name }}"
|
||||
state: present
|
||||
|
||||
- name: Install Kerberos packages
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
- krb5-server
|
||||
- krb5-workstation
|
||||
state: installed
|
||||
|
||||
- name: Generate /etc/krb5.conf
|
||||
ansible.builtin.template:
|
||||
src: etc/krb5.conf.j2
|
||||
dest: /etc/krb5.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0644'
|
||||
setype: krb5_conf_t
|
||||
notify:
|
||||
- restart krb5kdc
|
||||
|
||||
- name: Generate /var/kerberos/krb5kdc/kdc.conf
|
||||
ansible.builtin.template:
|
||||
src: var/kerberos/krb5kdc/kdc.conf.j2
|
||||
dest: /var/kerberos/krb5kdc/kdc.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
setype: krb5kdc_conf_t
|
||||
notify:
|
||||
- restart krb5kdc
|
||||
|
||||
- name: Generate /var/kerberos/krb5kdc/kadm5.acl
|
||||
ansible.builtin.template:
|
||||
src: var/kerberos/krb5kdc/kadm5.acl.j2
|
||||
dest: /var/kerberos/krb5kdc/kadm5.acl
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0600'
|
||||
setype: krb5kdc_conf_t
|
||||
notify:
|
||||
- restart krb5kdc
|
||||
|
||||
- name: Create Kerberos database
|
||||
ansible.builtin.command: "/usr/sbin/kdb5_util create -s -P {{ kerberos_kdc_db_password | quote }}"
|
||||
args:
|
||||
creates: /var/kerberos/krb5kdc/principal.ok
|
||||
notify:
|
||||
- restart krb5kdc
|
||||
|
||||
- name: Enable and start krb5kdc service
|
||||
ansible.builtin.service:
|
||||
name: krb5kdc
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
- name: Enable and start kadmin service
|
||||
ansible.builtin.service:
|
||||
name: kadmin
|
||||
enabled: true
|
||||
state: started
|
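Review bot: The "Create Kerberos database" task passes the master password on the kdb5_util command line (`-P {{ kerberos_kdc_db_password | quote }}`) and has no `no_log: true`, so the password lands in the Ansible output and log and is visible to any local user through the process list while the command runs. At minimum add `no_log: true` to that task; better, keep it off the command line — kdb5_util prompts for the password when `-P` is omitted, so feeding it through the `stdin` argument of ansible.builtin.command is an option to evaluate. Unrelated style points: `lineinfile` `dest:` and `dnf` `state: installed` are legacy aliases for `path:` and `state: present`, and the /etc/hosts regexp uses the unescaped domain name so each `.` matches any character (`regexp: ".*?\\s{{ kerberos_kdc_domain_name | regex_escape }}"`).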
@ -0,0 +1,31 @@
|
||||
# To opt out of the system crypto-policies configuration of krb5, remove the
|
||||
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
|
||||
includedir /etc/krb5.conf.d/
|
||||
|
||||
[logging]
|
||||
default = FILE:/var/log/krb5libs.log
|
||||
kdc = FILE:/var/log/krb5kdc.log
|
||||
admin_server = FILE:/var/log/kadmind.log
|
||||
|
||||
[libdefaults]
|
||||
dns_lookup_realm = false
|
||||
ticket_lifetime = 24h
|
||||
renew_lifetime = 7d
|
||||
forwardable = true
|
||||
rdns = false
|
||||
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
|
||||
spake_preauth_groups = edwards25519
|
||||
dns_canonicalize_hostname = fallback
|
||||
qualify_shortname = ""
|
||||
default_realm = {{ kerberos_kdc_realm }}
|
||||
default_ccache_name = KEYRING:persistent:%{uid}
|
||||
|
||||
[realms]
|
||||
{{ kerberos_kdc_realm }} = {
|
||||
kdc = {{ kerberos_kdc_domain_name }}
|
||||
admin_server = {{ kerberos_kdc_domain_name }}
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
# .example.com = EXAMPLE.COM
|
||||
# example.com = EXAMPLE.COM
|
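Review bot: The `[domain_realm]` section only carries the commented `example.com` placeholders, so nothing maps hosts under `{{ kerberos_kdc_domain_name }}` to the realm; with `dns_lookup_realm = false` clients fall back on `default_realm`, which works for this single-realm setup but silently misroutes any host whose realm differs. Render the mapping from the role variables instead of leaving the sample lines: `.{{ kerberos_kdc_domain_name }} = {{ kerberos_kdc_realm }}` and `{{ kerberos_kdc_domain_name }} = {{ kerberos_kdc_realm }}`. The `includedir` and `default_ccache_name` lines look like the EL stock defaults; a short header such as `# Managed by msvsphere.ci.kerberos_kdc - local edits will be overwritten` would stop an operator from editing the file by hand.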
@ -0,0 +1 @@
|
||||
*/{{ kerberos_kdc_admin_principal }} *
|
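Review bot: The ACL entry `*/{{ kerberos_kdc_admin_principal }} *` expands with the default to `*/admin@REALM *`, which matches principals whose instance is `admin` (for example `alice/admin@REALM`), not the `admin@REALM` principal that the variable name and the argument_specs description ("Kerberos administrator principal") suggest. Either the variable is really an instance/realm suffix and should be named and documented as such, or the line should be `{{ kerberos_kdc_admin_principal }} *`; as written, the default admin principal has no rights under this ACL. `*` also grants every kadmin privilege to the match; a comment stating that this is intentional for the administrative principal would make the choice explicit.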
@ -0,0 +1,16 @@
|
||||
[kdcdefaults]
|
||||
kdc_ports = 88
|
||||
kdc_tcp_ports = 88
|
||||
spake_preauth_kdc_challenge = edwards25519
|
||||
|
||||
[realms]
|
||||
{{ kerberos_kdc_realm }} = {
|
||||
master_key_type = aes256-cts-hmac-sha384-192
|
||||
acl_file = /var/kerberos/krb5kdc/kadm5.acl
|
||||
dict_file = /usr/share/dict/words
|
||||
default_principal_flags = +preauth
|
||||
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
|
||||
supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal
|
||||
# Supported encryption types for FIPS mode:
|
||||
#supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
|
||||
}
|
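Review bot: `supported_enctypes` in the realm stanza still lists `arcfour-hmac-md5:normal`, so every new principal key is also derived for RC4-HMAC, an enctype MIT marks deprecated and that mainly exists for interoperability with legacy Windows clients; the commented FIPS line directly below already shows the reduced set. Unless that interoperability is required, drop `arcfour-hmac-md5:normal` (and consider the `aes*-cts-hmac-sha1-96` pair) from the live line, or make the list a role variable so deployments can tighten it without editing the template. `dict_file = /usr/share/dict/words` points at a file that the `words` package provides and tasks/main.yml does not install; as far as I know kadmind tolerates a missing dictionary, but the password quality check is then silently off — worth either installing the package or documenting the dependency.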