Skip to content

This is a general Kerberos ansible role which installs and configure Kerberos KDC and Kerberos Master Server, including plugins (PKINIT, OTP, SASL and LDAP support)

Notifications You must be signed in to change notification settings

rnd42/ansible-krb5-server

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ansible-krb5

This is a general Kerberos ansible role which installs and configure Kerberos KDC and Kerberos Admin Server and extra modules (PKINIT, OTP, SASL and LDAP support)

The templates are based on krbkdc 1.15 so if you're using a newer version of Kerberos and settings are missing, pull request.

The role will install the requirements for OTP, TLS and PKINIT by default (pass false to the plugin variable if not desired).

Requirements

Tested on Ubuntu 14.x and 16.x and MIT Kerberos 1.15.

Role Variables

The variables have nomenclature kr5_kdc_[tag], where [tag] is the bracketless value of tags in the official MIT Kerberos documentation

Note empty defaults here means MIT Kerberos defaults will apply. Check the documentation for MIT Kerberos defaults.

  • KDC and Admin Server

  • krb5-kdc: [default value: true]: install the MIT Kerberos Key Server (KDC)

  • krb5-admin-server: [default value: true]: install the MIT Kerberos Admin Server

  • Plugins

  • krb5-ldap-plugin: [default value: true]: install the MIT Kerberos key server (KDC) LDAP plugin

  • krb5-pkinit: [default value: true]: install the PKINIT plugin for MIT Kerberos

  • krb5-otp: [default value: true]: install the OTP plugin for MIT Kerberos

  • krb5-k5tls: [default value: true]: install TLS plugin for MIT Kerberos

  • Extras

  • krb5-sals-support: [default value: false]: install support for SALS with Kerberos

  • kdc.conf

  • krb5kdc_kdcdefaults.: maps to MIT Kerberos [kdcdefaults] tag (kdc.conf)

    • acl_file: [default value: ""]
    • database_module: [default value: ""]
    • database_name: [default value: ""]
    • default_principal_expiration: [default value: ""]
    • default_principal_flags: [default value: [""]]
    • dict_file: [default value: ""]
    • host_based_services: [default value: [""]]
    • iprop_enable: [default value: ""]
    • iprop_master_ulogsize: [default value: ""]
    • iprop_slave_poll: [default value: ""]
    • iprop_port: [default value: ""]
    • iprop_resync_timeout: [default value: ""]
    • iprop_logfile: [default value: ""]
    • kadmind_port: [default value: ""]
    • key_stash_file: [default value: ""]
    • kdc_max_dgram_reply_size: [default value: ""]
    • kdc_ports: [default value: number[]:
    • kdc_tcp_ports: [default value: number[]:
    • master_key_name: [default value: ""]
    • master_key_type: [default value: "aes256-cts-hmac-sha1-96"]
    • max_life: [default value: ""]
    • max_renewable_life: [default value: ""]
    • no_host_referral: [default value: ""]
    • des_crc_session_supported: [default value: false]
    • reject_bad_transit: [default value: ""]
    • restrict_anonymous_to_tgt: [default value: true]
    • supported_enctypes: [default value: ["aes256-cts-hmac-sha1-96", "normal camellia256-cts-cmac", "normal aes128-cts-hmac-sha1-96", "normal camellia128-cts-cmac", "normal" ]]
  • krb5kdc_realms. (dictionary): maps to MIT Kerberos [realms] tag (kdc.conf)

    • {n}. - supports multiple realms
      • name (required) [default value: "REALM.COM"]: A REALM name.
      • acl_file: [default value: ""]
      • database_module: [default value: ""]
      • database_name: [default value: ""]
      • default_principal_flags: [default value: [""]]
      • dict_file: [default value: ""]
      • host_based_services: [default value: [""]]
      • iprop_enable: [default value: ""]
      • iprop_master_ulogsize: [default value: ""]
      • iprop_slave_poll: [default value: ""]
      • iprop_port: [default value: ""]
      • iprop_resync_timeout: [default value: ""]
      • iprop_logfile: [default value: ""]
      • kadmind_port: [default value: ""]
      • key_stash_file: [default value: ""]
      • kdc_ports: [default value: [""]]
      • kdc_tcp_ports: [default value: [""]]
      • master_key_name: [default value: ""]
      • master_key_type: [default value: "aes256-cts-hmac-sha1-96"]
      • max_life: [default value: ""]
      • max_renewable_life: [default value: ""]
      • no_host_referral: [default value: [""]]
      • des_crc_session_supported: [default value: ""]
      • reject_bad_transit: [default value: ""]
      • restrict_anonymous_to_tgt: [default value: "true"]
      • supported_enctypes: [default value: [""]]
      • pkinit_allow_upn: [default value: ""]
      • pkinit_anchors: [default value: [""]]
      • pkinit_dh_min_bits: [default value: ""]
      • pkinit_eku_checking: [default value: ""]
      • pkinit_identity: [default value: ""]
      • pkinit_kdc_ocsp: [default value: ""]
      • pkinit_pool: [default value: ""]
      • pkinit_require_crl_checking: [default value: ""]
      • pkinit_revoke: [default value: ""]
  • krb5kdc_dbdefaults.: maps to MIT Kerberos [dbdefaults] tag (kdc.conf)

    • ldap_kerberos_container_dn: [default value: ""]

    • ldap_kdc_dn: [default value: ""]

    • ldap_kdc_sasl_authcid: [default value: ""]

    • ldap_kdc_sasl_authzid: [default value: ""]

    • ldap_kdc_sasl_mech: [default value: ""]

    • ldap_kdc_sasl_realm: [default value: ""]

    • ldap_kadmind_dn: [default value: ""]

    • ldap_kadmind_sasl_authcid: [default value: ""]

    • ldap_kadmind_sasl_authzid: [default value: ""]

    • ldap_kadmind_sasl_mech: [default value: ""]

    • ldap_kadmind_sasl_realm: [default value: ""]

    • ldap_service_password_file: [default value: ""]

    • ldap_servers: [default value: ""]

    • ldap_conns_per_server: [default value: ""]

    • krb5kdc_dbmodules. (dictionary): maps to MIT Kerberos [dbmodules] tag (kdc.conf)

      • {n}. - supports multiple dbmodules
        • name (required) [default value: "REALM.COM"]
        • database_name: [default value: ""]
        • db_library: [default value: ""]
        • db_module_dir: [default value: ""]
        • disable_last_success: [default value: ""]
        • disable_lockout: [default value: ""]
        • ldap_conns_per_server: [default value: ""]
        • ldap_kadmind_dn: [default value: ""]
        • ldap_kadmind_sasl_authcid: [default value: ""]
        • ldap_kadmind_sasl_authzid: [default value: ""]
        • ldap_kadmind_sasl_mech: [default value: ""]
        • ldap_kadmind_sasl_realm: [default value: ""]
        • ldap_kdc_dn: [default value: ""]
        • ldap_kdc_sasl_authcid: [default value: ""]
        • ldap_kdc_sasl_authzid: [default value: ""]
        • ldap_kdc_sasl_mech: [default value: ""]
        • ldap_kdc_sasl_realm: [default value: ""]
        • ldap_kerberos_container_dn: [default value: ""]
        • ldap_servers: [default value: ""]
        • ldap_service_password_file: [default value: ""]
        • unlockiter: [default value: ""]
    • krb5kdc_otp. (dictionary): maps to MIT Kerberos [otp] tag (kdc.conf)

      • {n}. - supports multiple otp token types
        • retries: [default value: ""]
        • secret: [default value: ""]
        • server: [default value: ""]
        • strip_realm: [default value: ""]
        • timeout: [default value: ""]

Dependencies

none

Example Playbook

Note the usage of two realms (REALM.COM and REALM2.COM) and how REALM2.COM uses the database_module value "REALM.COM". The realm "REALM.COM" doesn't require explicit value for database_value because the MIT kerberos defaults the value to the realm name (check the MIT Kerberos documentation for details). Also, this playbook doesn't install the Master Server (Admin Server)

- hosts: kdc-slave
  become: yes
  vars:
    krb5-admin-server: false
    krb5kdc_kdcdefaults:
      - kdc_max_dgram_reply_size: 4096
        default_principal_flags:
            - flags:
                - "+proxy"
                - "+preauth"
                - "-renewable"
                - "+postdateable"
                - "+forwardable"
                - "+tgt-based"
                - "+proxiable"
                - "+dup-skey"
                - "+allow-tickets"
                - "+service"
        host_based_services:
            - services:
                - '*'
        kadmind_port: 749
        kdc_ports: 
            - number: 
                - 88
        kdc_tcp_ports: 
            - number: 
                - 88
        master_key_type: "aes256-cts-hmac-sha1-96"
        max_life: "24h"
        no_host_referral: 
            - hosts: 
                - hostA
                - hostnameB
        des_crc_session_supported: false
        restrict_anonymous_to_tgt: true
        supported_enctypes: 
            - types: 
                - "aes256-cts-hmac-sha1-96"
                - "normal camellia256-cts-cmac"
                - "normal aes128-cts-hmac-sha1-96"
                - "normal camellia128-cts-cmac"
                - "normal"

    krb5kdc_dbdefaults:
      - ldap_kerberos_container_dn: "cn=krbContainer,dc=example,dc=com"

    krb5kdc_dbmodules:
      - name: "REALM.COM"
        db_library: "kldap"
        ldap_kdc_dn: "cn=admin,dc=example,dc=com"
        ldap_kadmind_dn: "cn=admin,dc=example,dc=com"
        ldap_service_password_file: /etc/krb5kdc/service.keyfile
        ldap_servers:
          - hostname:
              - "ldaps://ldap01.example.com"
              - "ldaps://ldap02.example.com"
        ldap_conns_per_server: 5

    krb5kdc_realms:
    - name: "REALM.COM"
      database_name: "/var/lib/krb5kdc/principal"
      admin_keytab: "FILE:/etc/krb5kdc/kadm5.keytab"
      acl_file: "/etc/krb5kdc/kadm5.acl"
      key_stash_file: "/etc/krb5kdc/stash"
      kdc_ports:
          - number:
              - 88
      kdc_tcp_ports:
          - number:
              - 88
      master_key_type: "aes256-cts-hmac-sha1-96"
      restrict_anonymous_to_tgt: true

      - name: "REALM2.COM"
        database_name: "/var/lib/krb5kdc/principal"
        admin_keytab: "FILE:/etc/krb5kdc/kadm5.keytab"
        acl_file: "/etc/krb5kdc/kadm5.acl"
        key_stash_file: "/etc/krb5kdc/stash"
        kdc_ports:
            - number:
                - 88
        kdc_tcp_ports:
            - number:
                - 88
        default_principal_flags:
            - flags:
                - '-proxy'
                - "+preauth"
                - "-renewable"
                - "+postdateable"
                - "+forwardable"
                - "+tgt-based"
                - "+proxiable"
                - "+dup-skey"
                - "+allow-tickets"
                - "+service"   
        max_life: "10h 0m 0s"
        database_module: "REALM.COM"
        max_renewable_life: "7d 0h 0m 0s"
        master_key_type: "aes256-cts-hmac-sha1-96"
        restrict_anonymous_to_tgt: true
        pkinit_identity: "PKCS11:/usr/local/lib/libetpkcs11.so"
        pkinit_anchors: 
            - location:
              - "FILE:/etc/ssl/certs/ca-certificates.crt"

    krb5kdc_otp:
        - name: "DEFAULT"
          server: "10.10.10.200:1812"
          secret: /etc/krb5kdc/radius.secret
          strip_realm: true
          timeout: 5

  roles:
      - { role:  ansible-krb5-kdc, tags: ["ansible-krb5-kdc "] }

License

BSD

Author Information

Diogenes Santos de Jesus

About

This is a general Kerberos ansible role which installs and configure Kerberos KDC and Kerberos Master Server, including plugins (PKINIT, OTP, SASL and LDAP support)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published