Change kerberos create host logic to match new ad create host logic

REFERENCE.md

@@ -117,6 +117,7 @@ The following parameters are available in the `profile_system_auth::kerberos` cl
 * [`createhostkeytab`](#-profile_system_auth--kerberos--createhostkeytab)
 * [`createhostuser`](#-profile_system_auth--kerberos--createhostuser)
 * [`crons`](#-profile_system_auth--kerberos--crons)
+* [`domain`](#-profile_system_auth--kerberos--domain)
 * [`enable`](#-profile_system_auth--kerberos--enable)
 * [`files_remove_setuid`](#-profile_system_auth--kerberos--files_remove_setuid)
 * [`required_pkgs`](#-profile_system_auth--kerberos--required_pkgs)
@@ -170,6 +171,12 @@ Data type: `Hash`
 
 Hash of cron resource parameters for any CRON entries related to kerberos keytab cleanup
 
+##### <a name="-profile_system_auth--kerberos--domain"></a>`domain`
+
+Data type: `Optional[String]`
+
+Optional String of the Kerberos domain that the computer should join
+
 ##### <a name="-profile_system_auth--kerberos--enable"></a>`enable`
 
 Data type: `Boolean`

data/common.yaml

@@ -73,7 +73,6 @@ profile_system_auth::kerberos::cfg_file_settings:
 
 profile_system_auth::kerberos::createhostkeytab: null
 profile_system_auth::kerberos::createhostuser: null
-
 profile_system_auth::kerberos::crons:
   "key_cleanup":
     command: "k5srvutil delold >/tmp/k5srvutil_delold.$$ 2>&1 || cat /tmp/k5srvutil_delold.$$ && rm -f /tmp/k5srvutil_delold.$$"
@@ -91,6 +90,7 @@ profile_system_auth::kerberos::crons:
     minute: 30
     monthday: 1
     user: "root"
+profile_system_auth::kerberos::domain: "NCSA.EDU"
 profile_system_auth::kerberos::enable: true
 
 profile_system_auth::kerberos::root_k5login_principals: null

manifests/kerberos.pp

@@ -26,6 +26,9 @@
 # @param crons
 #   Hash of cron resource parameters for any CRON entries related to kerberos keytab cleanup
 #
+# @param domain
+#   Optional String of the Kerberos domain that the computer should join
+#
 # @param enable
 #   Used to enable or disable kerberos
 #
@@ -46,10 +49,11 @@
   Optional[String] $ad_createhostkeytab,  # BASE64 ENCODING OF KRB5 CREATEHOST KEYTAB FILE
   Optional[String] $ad_createhostuser,    # AD CREATEHOST USER
   Optional[String] $ad_domain,            # AD DOMAIN
-  Hash             $cfg_file_settings, # cfg files and their contents
-  Optional[String] $createhostkeytab,  # BASE64 ENCODING OF KRB5 CREATEHOST KEYTAB FILE
-  Optional[String] $createhostuser,    # CREATEHOST USER
+  Hash             $cfg_file_settings,    # cfg files and their contents
+  Optional[String] $createhostkeytab,     # BASE64 ENCODING OF KRB5 CREATEHOST KEYTAB FILE
+  Optional[String] $createhostuser,       # CREATEHOST USER
   Hash             $crons,
+  Optional[String] $domain,               # KERBEROS DOMAIN
   Boolean          $enable,
   Hash             $files_remove_setuid,
   Array[String[1]] $required_pkgs,     # DEFAULT SET VIA MODULE DATA
@@ -98,20 +102,31 @@
 
     # KERBEROS HOST PRINCIPAL CREATION
     if ( $createhostkeytab and $createhostuser ) {
-      # CREATE KEYS AND SETUP RENEWAL
-      file { '/root/createhostkeytab.sh':
-        ensure => file,
-        mode   => '0500',
-        source => "puppet:///modules/${module_name}/root/createhostkeytab.sh",
+      $kerberos_domains = split($facts['kerberos_keytab_domains'], ',')
+      if ( $domain in $kerberos_domains ) {
+        $ensure_parm = 'absent'
+      } else {
+        $ensure_parm = 'present'
+
+        exec { 'run_create_host_keytab_script':
+          path    => ['/usr/bin', '/usr/sbin', '/usr/lib/mit/bin'],
+          command => Sensitive(
+            "/root/createhostkeytab.sh '${createhostkeytab}' '${createhostuser}' '${domain}'"
+          ),
+          require => File['/root/createhostkeytab.sh'],
+        }
+
+        # FOLLOWING IS JUST IN CASE THE run_create_host_keytab_script TIMES OUT, WHICH IT HAS
+        file { '/root/createhost.keytab':
+          ensure  => absent,
+          require => Exec['run_create_host_keytab_script'],
+        }
       }
-      ## THIS MIGHT NEED TO BE SMARTER TO ALLOW FOR MULTIPLE HOSTNAMES ON ONE SERVER
-      exec { 'create_host_keytab':
-        path    => ['/usr/bin', '/usr/sbin', '/usr/lib/mit/bin'],
-        command => "/root/createhostkeytab.sh ${createhostkeytab} ${createhostuser}",
-        unless  => 'klist -kt /etc/krb5.keytab 2>&1 | grep "host/`hostname -f`@NCSA.EDU"',
-        require => [
-          File['/root/createhostkeytab.sh'],
-        ],
+
+      file { '/root/createhostkeytab.sh':
+        ensure  => $ensure_parm,
+        mode    => '0500',
+        content => template("${module_name}/createhostkeytab.sh.erb"),
       }
 
       Cron {
@@ -146,7 +161,6 @@
           command => Sensitive(
             "/root/ad_createhostkeytab.sh '${ad_domain}' '${ad_computers_ou}' '${ad_createhostuser}' '${ad_createhostkeytab}' "
           ),
-          #refreshonly => true,
           require => File['/root/ad_createhostkeytab.sh'],
         }
 

templates/createhostkeytab.sh.erb

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+# Enable debugging mode
+set -x
+
+# ASSIGN ARGUMENTS FROM COMMAND LINE ARGUMENTS
+CREATEHOST_USER=$2  # User with permissions to create host in AD
+DOMAIN=$3           # KERBEROS DOMAIN
+KEYTAB_BASE64=$1    # Base64 encoded keytab for creating host
+
+# ASSIGN STATIC VARIABLES
+HOST_FQDN="<%= @fqdn %>"  # Fully Qualified Domain Name of the host
+KEYTAB_FILE="/root/createhost.keytab"  # Path to store the decoded keytab file
+
+RANDSTRING=`head -c 16 /dev/random  | base64 | grep -o . | sort -R | tr -d "\n" | head -c 14`
+REQCLASS1=`date | base64 | tr -dc A-Z | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCLASS2=`date | base64 | tr -dc a-z | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCLASS3=`date | tr -dc 0-9 | grep -o . | sort -R | tr -d "\n" | head -c2`
+REQCHARS=`echo $REQCLASS1$REQCLASS2$REQCLASS3`
+TEMPPASS=`echo "$RANDSTRING$REQCHARS" | grep -o . | sort -R | tr -d "\n"`
+
+# Decode the base64 encoded keytab and save it to a file
+echo "${KEYTAB_BASE64}" | base64 --decode > $KEYTAB_FILE
+
+echo -e "$TEMPPASS\n$TEMPPASS" | kadmin -kt /root/createhost.keytab -p ${CREATEHOST_USER}/createhost@${DOMAIN} -q "addprinc host/${HOST_FQDN}@${DOMAIN}"
+echo -e "$TEMPPASS" | kadmin -p host/${HOST_FQDN}@${DOMAIN} -q "ktadd host/${HOST_FQDN}@${DOMAIN}"
+
+# Optionally, list the contents of the keytab file (uncomment for debugging)
+# klist -kte
+
+# Remove the keytab file for security reasons
+rm -f $KEYTAB_FILE