#
# @summary Configures admin user
#
# @example
#   include freeipa::config::admin_user
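class freeipa::config::admin_user {

  # NOTE(review): idstart is used here as both the uid and the gid of the
  # admin account -- confirm this matches what the server install assigns.
  $uid_number        = $freeipa::idstart
  $home_dir_path     = '/home/admin'
  $admin_keytab_path = "${home_dir_path}/admin.keytab"
  $k5login_path      = "${home_dir_path}/.k5login"

  # Ensure admin homedir and keytab files. The directory is private to
  # admin because the keytab inside it carries admin credentials; it must
  # never be readable by anyone else. Ordering after the server install
  # makes sure the admin principal exists before the keytab is exported.
  file { $home_dir_path:
    ensure  => directory,
    mode    => '0700',
    owner   => $uid_number,
    group   => $uid_number,
    recurse => true,
    notify  => Exec['configure_admin_keytab'],
    require => Exec["server_install_${freeipa::ipa_server_fqdn}"],
  }

  # .k5login is owned by admin and labelled so the Kerberos login path can
  # read it under SELinux.
  file { $k5login_path:
    owner    => $uid_number,
    group    => $uid_number,
    require  => File[$home_dir_path],
    seluser  => 'user_u',
    selrole  => 'object_r',
    seltype  => 'krb5_home_t',
    selrange => 's0',
  }

  # Owner-only mode on the keytab: anyone who can read it can act as admin.
  file { $admin_keytab_path:
    owner   => $uid_number,
    group   => $uid_number,
    mode    => '0600',
    require => File[$home_dir_path],
    notify  => Exec['configure_admin_keytab'],
  }

  # Gives admin user the host/fqdn principal.
  k5login { $k5login_path:
    principals => $freeipa::master_principals,
    notify     => File[$k5login_path],
    require    => File[$home_dir_path],
  }

  # Set keytab for admin user. -norandkey exports the current key instead
  # of rekeying the principal, so the admin password keeps working after
  # the export. kadmin.local writes the file as root, hence the chown exec
  # that is notified afterwards.
  $configure_admin_keytab_cmd = "/usr/sbin/kadmin.local -q \"ktadd -norandkey -k ${admin_keytab_path} admin\" "
  exec { 'configure_admin_keytab':
    command     => $configure_admin_keytab_cmd,
    cwd         => $home_dir_path,
    # Skip the export when kvno can already verify admin against the keytab.
    unless      => shellquote('/usr/bin/kvno', '-k', $admin_keytab_path, "admin@${freeipa::realm}"),
    notify      => Exec['chown_admin_keytab'],
    refreshonly => true,
    require     => Cron['k5start_admin'],
  }

  # Hand the freshly exported keytab to admin. The check compares the exact
  # uid:gid of the file; the previous substring grep over ls output also
  # matched other numbers that merely contained the uid.
  $chown_admin_keytab_cmd = "chown ${uid_number}:${uid_number} ${admin_keytab_path}"
  $chown_admin_keytab_cmd_unless = "test \"\$(stat -c '%u:%g' ${admin_keytab_path})\" = '${uid_number}:${uid_number}'"
  exec { 'chown_admin_keytab':
    command  => $chown_admin_keytab_cmd,
    cwd      => $home_dir_path,
    unless   => $chown_admin_keytab_cmd_unless,
    provider => shell,
  }

  # Start a ticket cache for admin from the keytab. The check looks for an
  # existing TGT of this realm; grep -F treats the realm as a literal string
  # so the dots in it do not match arbitrary characters.
  $k5start_admin_keytab_cmd = "/sbin/runuser -l admin -c \"/usr/bin/k5start -f ${admin_keytab_path} -U\""
  $k5start_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c /usr/bin/klist | grep -iF \"krbtgt/${freeipa::realm}@\""
  exec { 'k5start_admin_keytab':
    command => $k5start_admin_keytab_cmd,
    cwd     => $home_dir_path,
    unless  => $k5start_admin_keytab_cmd_unless,
    require => [
      Cron['k5start_admin'],
      Exec['chown_admin_keytab'],
    ],
  }

  # Keeps the admin ticket cache fresh from the keytab (runs every minute).
  # The keytab itself is not rewritten here; that happens in
  # Exec['configure_admin_keytab'].
  cron { 'k5start_admin':
    command => "/usr/bin/k5start -f ${admin_keytab_path} -U > /dev/null 2>&1",
    user    => 'admin',
    minute  => '*/1',
    notify  => Exec['chown_admin_keytab'],
    require => [
      Package[$freeipa::kstart_package_name],
      K5login[$k5login_path],
      File[$home_dir_path],
    ],
  }

}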