walkamongus / realmd

Puppet module for setting up realmd, SSSD, and a Kerberos client config
Apache License 2.0

realmd::krb_config unable to set multiple kdc + nesting does not work correctly... #54

Open kratan opened 5 years ago

kratan commented 5 years ago

Hi,

realmd::krb_config:
  logging:
    default: FILE:/var/log/krb5libs.log
  libdefaults:
    dns_lookup_realm: true
    dns_lookup_kdc: true
    kdc_timesync: 1
    rdns: false
    ccache_type: 4
    ticket_lifetime: '24h'
    forwardable: 'true'
    proxiable: 'true'
    default_realm: "%{lookup('domain::krbname')}"
    #default_ccache_name: 'FILE:/tmp/krb5cc_%{euid}'
    default_ccache_name: "KEYRING:persistent:%{literal('%')}{uid}"
  domain_realm:
    .%{lookup('domain::krbname')}: "%{lookup('domain::krbname')}"
    "%{lookup('domain::name')}": "%{lookup('domain::krbname')}"
    .%{lookup('domain::name_at')}: "%{lookup('domain::krbname')}"
    "%{lookup('domain::name_at')}": "%{lookup('domain::krbname')}"
  realms:
    "%{lookup('domain::krbname')}":
      kdc: "%{lookup('domain::controllers.0')}"
      kdc: "%{lookup('domain::controllers.1')}"
      admin_server: "%{lookup('domain::controllers.0')}"
  appdefaults:
    pam:
      "%{lookup('domain::krbname')}":
        cache: "KEYRING:persistent:%{literal('%')}{uid}"
        ignore_k5login: true

renders to:

[appdefaults]
 pam = {
  EXAMPLE.LOCALDOMAIN = {"cache"=>"KEYRING:persistent:%{uid}", "ignore_k5login"=>true}
 }
----> see here, nesting is not rendered correctly

[domain_realm]
 .EXAMPLE.LOCALDOMAIN = EXAMPLE.LOCALDOMAIN
 .localdomain = EXAMPLE.LOCALDOMAIN
 example.localdomain = EXAMPLE.LOCALDOMAIN
 localdomain = EXAMPLE.LOCALDOMAIN

[libdefaults]
 ccache_type = 4
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = EXAMPLE.LOCALDOMAIN
 dns_lookup_kdc = true
 dns_lookup_realm = true
 forwardable = true
 kdc_timesync = 1
 proxiable = true
 rdns = false
 ticket_lifetime = 24h

[logging]
 default = FILE:/var/log/krb5libs.log

[realms]
 EXAMPLE.LOCALDOMAIN = {
  admin_server = dc1.example.localdomain
  kdc = dc2.example.localdomain
 }
----> second kdc entry is missing

greets
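An added example, not code from the realmd module, showing the two behaviours in the report above: Ruby's YAML parser keeps only the last of two identical `kdc:` keys (so the second KDC has to be given as a list under one key), and a small renderer that writes list values as repeated `key = value` lines and nested hashes as `{ ... }` blocks rather than Ruby's Hash#inspect text. Written in Ruby because the module's templates are ERB; the hostnames and the shortened config are constructed.

```ruby
require 'yaml'
# Constructed sample: the reporter's `realms` block as posted, with `kdc:` twice.
DUPLICATE_KEY_YAML = <<~YAML
  realms:
    EXAMPLE.LOCALDOMAIN:
      kdc: dc1.example.localdomain
      kdc: dc2.example.localdomain
      admin_server: dc1.example.localdomain
YAML

# Constructed sample: the same data with a single `kdc` key holding a list.
ARRAY_KEY_YAML = <<~YAML
  realms:
    EXAMPLE.LOCALDOMAIN:
      kdc:
        - dc1.example.localdomain
        - dc2.example.localdomain
      admin_server: dc1.example.localdomain
  appdefaults:
    pam:
      EXAMPLE.LOCALDOMAIN:
        cache: KEYRING:persistent:%{uid}
        ignore_k5login: true
YAML

# KDC value(s) that survive parsing. A YAML mapping cannot hold the same key
# twice, so Psych silently keeps only the last `kdc:` from DUPLICATE_KEY_YAML.
def kdc_values(yaml_text)
  Array(YAML.safe_load(yaml_text)['realms']['EXAMPLE.LOCALDOMAIN']['kdc'])
end

# Render one entry. Arrays become repeated `key = value` lines (how krb5.conf
# lists several KDCs); nested hashes become `key = { ... }` blocks, recursively.
def render_entry(key, value, indent)
  pad = ' ' * indent
  case value
  when Hash
    inner = value.map { |k, v| render_entry(k, v, indent + 1) }.join
    "#{pad}#{key} = {\n#{inner}#{pad}}\n"
  when Array
    value.map { |v| render_entry(key, v, indent) }.join
  else
    "#{pad}#{key} = #{value}\n"
  end
end

# Top-level keys of the config hash become [section] headers.
def render_krb5_conf(config)
  config.map { |s, e| "[#{s}]\n" + e.map { |k, v| render_entry(k, v, 1) }.join }.join("\n")
end
```

`puts render_krb5_conf(YAML.safe_load(ARRAY_KEY_YAML))` prints both `kdc =` lines and a properly nested `[appdefaults]` block.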