Puppet Class: centrify::adjoin::keytab

Defined in:
manifests/adjoin/keytab.pp

Overview

Class centrify::adjoin::keytab

This class is called from the `centrify` class to perform a passwordless Active Directory join using a Kerberos keytab.

Parameters:

  • join_user (Any)
  • krb_keytab (Any)
  • krb_config (Any)
  • domain (Any)
  • server (Any)
  • container (Any)
  • zone (Any)
  • extra_args (Any)
  • precreate (Any)
  • initialize_krb_config (Any)
  • krb_config_file (Any)


# File 'manifests/adjoin/keytab.pp', line 6

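# Class: centrify::adjoin::keytab
#
# Performs a passwordless Active Directory join: obtains a Kerberos ticket
# for $join_user from a keytab, runs `adjoin` (optionally preceded by a
# pre-create step) and then flushes/reloads the Centrify agent.
#
# Parameters:
#   $join_user             - Kerberos principal passed to `kinit -kt`.
#   $krb_keytab            - Path of the keytab; ownership/mode are enforced
#                            here (root, 0400) but the file itself is not
#                            created by this class.
#   $krb_config            - Part of the caller-facing interface; not
#                            referenced by any resource in this class.
#   $domain                - AD domain to join.
#   $server                - Optional domain controller (`-s`).
#   $container             - Optional computer-object container (`-c`).
#   $zone                  - Optional Centrify zone (`-z`); undef selects
#                            workstation mode (`-w`).
#   $extra_args            - Additional `adjoin` arguments, appended as given.
#   $precreate             - When true, run `adjoin -P` before the join.
#   $initialize_krb_config - When true, remove a stock krb5.conf that still
#                            contains EXAMPLE.COM and install the template.
#   $krb_config_file       - Path of the krb5.conf to manage.
#
# Every parameter that is interpolated into a shell command line goes
# through shellquote(), so whitespace or quote characters in a value cannot
# change the structure of the command.
class centrify::adjoin::keytab (
  $join_user,
  $krb_keytab,
  $krb_config,
  $domain,
  $server,
  $container,
  $zone,
  $extra_args,
  $precreate,
  $initialize_krb_config,
  $krb_config_file,
){

  # Single idempotency guard shared by all join execs. -F matches $domain
  # literally (a '.' is not a regex wildcard), -i follows AD's
  # case-insensitive naming, -q suppresses output. NOTE(review): this is
  # still a substring test; add -x if `adinfo -d` prints only the bare
  # domain name — confirm against the installed agent.
  $_joined_check = "adinfo -d | grep -qiF ${shellquote($domain)}"

  # The keytab is the credential for the join; keep it readable by root
  # only. No content/source: the file is expected to be placed on the host
  # by other means.
  file { 'krb_keytab':
    path   => $krb_keytab,
    owner  => 'root',
    group  => 'root',
    mode   => '0400',
    before => Exec['run_kinit_with_keytab'],
  }

  if $initialize_krb_config {
    # A krb5.conf still carrying the EXAMPLE.COM placeholder is treated as
    # unconfigured and removed so the template below can take its place.
    # replace => false keeps any locally customised file afterwards.
    exec {'remove_default_krb_config_file':
      path    => '/usr/bin:/usr/sbin:/bin',
      command => "rm -f ${shellquote($krb_config_file)}",
      onlyif  => "grep -q EXAMPLE.COM ${shellquote($krb_config_file)}",
    }->
    file { 'krb_configuration':
      ensure  => file,
      replace => false,
      path    => $krb_config_file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template('centrify/krb5.conf.erb'),
      before  => Exec['run_kinit_with_keytab'],
    }
  }

  # Optional adjoin arguments; an empty string is dropped below.
  $_container_opt = $container ? {
    undef   => '',
    default => "-c ${shellquote($container)}",
  }

  $_server_opt = $server ? {
    undef   => '',
    default => "-s ${shellquote($server)}",
  }

  # No zone means a workstation-mode join.
  $_zone_opt = $zone ? {
    undef   => '-w',
    default => "-z ${shellquote($zone)}",
  }

  $_opts = [
    '-V',
    '--force',
    $_zone_opt,
    $_container_opt,
    $_server_opt,
  ]

  # Strip the placeholders left by unset options before building the line.
  $_join_opts = delete(concat($_opts, $extra_args), '')
  $_options   = join($_join_opts, ' ')
  $_command   = "adjoin ${_options} ${shellquote($domain)}"

  # Obtain the ticket used by adjoin; the Centrify kerberos bin dir comes
  # first so its kinit is preferred over a system one.
  exec { 'run_kinit_with_keytab':
    path    => '/usr/share/centrifydc/kerberos/bin:/usr/bin:/usr/sbin:/bin',
    command => "kinit -kt ${shellquote($krb_keytab, $join_user)}",
    unless  => $_joined_check,
  }

  if $precreate {
    exec { 'run_adjoin_precreate_with_keytab':
      path    => '/usr/bin:/usr/sbin:/bin',
      command => "${_command} -P",
      unless  => $_joined_check,
      require => Exec['run_kinit_with_keytab'],
      before  => Exec['run_adjoin_with_keytab'],
    }
  }

  exec { 'run_adjoin_with_keytab':
    path    => '/usr/bin:/usr/sbin:/bin',
    command => $_command,
    unless  => $_joined_check,
    require => Exec['run_kinit_with_keytab'],
    notify  => Exec['run_adflush_and_adreload'],
  }

  # Only runs when a join actually happened (refreshonly), so the agent
  # cache is rebuilt once rather than on every run.
  exec { 'run_adflush_and_adreload':
    path        => '/usr/bin:/usr/sbin:/bin',
    command     => 'adflush && adreload',
    refreshonly => true,
  }

}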