From 38386c243323d1aa4737d4d82851b4fabc7c20ec Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 10 Sep 2010 17:20:04 +0200
Subject: [PATCH] add basic krb module
---
 manifests/site.pp | 5 +++
 modules/krb/manifests/init.pp | 10 +++++
 modules/krb/templates/krb5.conf.erb | 68 +++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100644 modules/krb/manifests/init.pp
 create mode 100644 modules/krb/templates/krb5.conf.erb
diff --git a/manifests/site.pp b/manifests/site.pp
index 89527a6e..cee95a29 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -107,7 +107,12 @@ node default {
 case $portforwarder_user_exists {
 "true": { include portforwarder }
 }
+ include samhain
+
+ case $hostname {
+ byrd,schuetz,draghi: { include krb }
+ }
 }
 # vim:set et:
diff --git a/modules/krb/manifests/init.pp b/modules/krb/manifests/init.pp
new file mode 100644
index 00000000..08e4107a
--- /dev/null
+++ b/modules/krb/manifests/init.pp
@@ -0,0 +1,10 @@
+class krb {
+ file {
+ "/etc/krb5.conf":
+ content => template("krb/krb5.conf.erb"),
+ ;
+ }
+}
+# vim:set et:
+# vim:set sts=4 ts=4:
+# vim:set shiftwidth=4:
diff --git a/modules/krb/templates/krb5.conf.erb b/modules/krb/templates/krb5.conf.erb
new file mode 100644
index 00000000..5f8a664a
--- /dev/null
+++ b/modules/krb/templates/krb5.conf.erb
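Review bot: The `case $hostname` block that includes `krb` keys node classification on a fact the agent reports about itself, and the template's `fqdn == "byrd.debian.org"` guard in the krb5.conf.erb hunk does the same; if that is not intended, `$clientcert` is the identity the master has actually verified rather than what the node claims. Fact-based selection is normal Puppet practice, so this is a design choice rather than a defect, but a comment such as `# host selection by fact; $clientcert is the verified name` would make the trade-off explicit. Separately, `include samhain` has nothing to do with the commit subject ("add basic krb module") and reads as a stray change that belongs in its own commit. The enclosing `node default` block starts outside the hunk.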
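Review bot: The `/etc/krb5.conf` file resource sets only `content`, so ownership and permissions stay whatever the file already has on the node; Kerberos client libraries need this file readable by every user, and pinning it avoids drift from an earlier hand-created copy: `owner => root,` `group => root,` `mode => 644,` next to the `content` line. The class also carries no documentation; a header such as `# krb: deploy the site-wide /etc/krb5.conf (clients and KDCs share one template)` would help. The trailing `;` inside the resource body is accepted syntax but is unusual with a single title and could be dropped.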
@@ -0,0 +1,68 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+[libdefaults]
+ default_realm = DEBIAN.ORG
+
+# The following krb5.conf variables are only for MIT Kerberos.
+ krb4_config = /etc/krb.conf
+ krb4_realms = /etc/krb.realms
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented. In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+#
+# Thie only time when you might need to uncomment these lines and change
+# the enctypes is if you have local software that will break on ticket
+# caches containing ticket encryption types it doesn't know about (such as
+# old versions of Sun Java).
+
+# default_tgs_enctypes = des3-hmac-sha1
+# default_tkt_enctypes = des3-hmac-sha1
+# permitted_enctypes = des3-hmac-sha1
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+ v4_instance_resolve = false
+ v4_name_convert = {
+ host = {
+ rcmd = host
+ ftp = ftp
+ }
+ plain = {
+ something = something-else
+ }
+ }
+ fcc-mit-ticketflags = true
+
+[realms]
+ DEBIAN.ORG = {
+ kdc = 82.195.75.92 # byrd
+ kdc = [2001:41b8:202:deb:216:36ff:fe40:3908] # byrd
+ kdc = 206.12.19.119 # schuetz
+ kdc = [2607:f8f0:610:4000:216:36ff:fe40:380a] # schuetz
+ master_kdc = 82.195.75.92 # byrd
+ master_kdc = [2001:41b8:202:deb:216:36ff:fe40:3908] # byrd
+ admin_server = 82.195.75.92 # byrd
+ admin_server = [2001:41b8:202:deb:216:36ff:fe40:3908] # byrd
+ }
+
+[domain_realm]
+ .debian.org = DEBIAN.ORG
+
+[login]
+ krb4_convert = true
+ krb4_get_tickets = false
+
+<% if fqdn == "byrd.debian.org" -%>
+[password_quality]
+ policies = builtin:minimum-length external-check
+ min_length = 8
+ external_program = /etc/heimdal-kdc/heimdal-password-quality-check
+<% end -%>
-- 
2.39.2
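Review bot: `forwardable = true` and `proxiable = true` in `[libdefaults]` make every ticket obtained on these hosts forwardable by default, so any service a user authenticates to with forwarding enabled can end up holding a usable copy of their TGT; if that is deliberate for the realm, a comment next to those lines saying so would save the next reader a question, otherwise consider enabling forwarding per application rather than globally. The `[password_quality]` block points `external_program` at `/etc/heimdal-kdc/heimdal-password-quality-check`, which nothing in this commit installs or manages, so the template presumably relies on it already existing on byrd; a note such as `# external_program is shipped outside puppet; verify it exists on the KDC` would make that dependency visible. The KDC addresses are literal IPs with the host names only as trailing comments, which is fine for a config file but means the file silently goes stale if a KDC is renumbered.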