openafs-krbserver - Kerberos Server Role
========================================

Description
-----------

Install and configure the MIT or Heimdal Kerberos master KDC on a single
host, create the Kerberos database, the first administrator principal, and
a keytab for the first administrator.

Variables
---------

afs_realm
  The Kerberos realm name.

  Default: EXAMPLE.COM

afs_realm_files
  Path to realm related files on the controller. It is recommended to use
  ``ansible-vault`` to encrypt the files in this directory.

  Default: ``$HOME/.ansible-openafs/realm/{{ afs_realm }}``

afs_krb_master_password
  The secret Kerberos database master password. If this host variable is
  not present, the password is read from the ``afs_krb_master_password``
  file located in the ``{{ afs_realm_files }}`` directory on the
  controller. If this file does not exist, a random password is generated
  and written to the file.

  Note: It is recommended to use ``ansible-vault`` to encrypt this secret.

  Default:

afs_krb_admin_principal
  An administrator principal to be created by this role. A keytab is
  always created for this principal with a random key. The keytab is
  downloaded to the
  ``{{ afs_realm_files }}/{{ afs_krb_admin_principal }}.keytab`` file on
  the controller.

  Default: root/admin

afs_kdc_servers
  A comma separated list of KDC host names to be set in the krb5.conf
  file. If this variable is not defined, the host names of the hosts in
  the ``afs_kdcs`` inventory group are used. If that group is not defined
  either, no KDCs are listed for the realm in the krb5.conf file and they
  are assumed to be published as SRV records in DNS.

  Default: hosts in the ``afs_kdcs`` group

afs_kadmin_server
  The host name of the kadmin server to be set in the krb5.conf file. If
  this variable is not defined, the first host name in the ``afs_kdcs``
  inventory group is used. If that group is not defined either, the kadmin
  server host name is not set in the krb5.conf file and it is assumed to
  be published as an SRV record in DNS.

  Default: undefined

afs_krb_dns_lookup_kdc
  Set to true or false to enable or disable ``dns_lookup_kdc`` in the
  krb5.conf file. If this variable is not defined, no entry is written,
  which has the same effect as ``dns_lookup_kdc = true``.

  Default: undefined

afs_krb_max_life
  KDC maximum ticket life.

  Default: 10h 0m 0s

afs_krb_max_renewable_life
  KDC maximum renewable life.

  Default: 7d 0h 0m 0s

afs_krb_supported_enctypes
  KDC supported enctypes. Specify as a list of ``enctype:salt`` values.

  Default: ['aes256-cts-hmac-sha1-96:normal', 'aes128-cts-hmac-sha1-96:normal']

afs_krb_default_principal_flags
  KDC default principal flags.

  Default: +preauth
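The fallback rules above (host variable, then inventory group, then DNS SRV
records; and master password from host variable, then realm file, then a
generated secret) are easy to misread, so here they are modelled in plain
Python. This is an added illustration, not the role's own tasks or
templates: the function names, the ``hostvars``/``groups`` dictionaries and
the ``kdc1.example.com``-style host names are constructed for the example,
and the master-password file is written with owner-only permissions into a
scratch directory.

```python
"""Added example: model the variable-resolution rules documented for the
openafs-krbserver role. Not the role's own code; sample data is constructed."""
import os
import secrets
import tempfile
from typing import Mapping, Optional, Sequence


def resolve_kdcs(hostvars: Mapping[str, object],
                 groups: Mapping[str, Sequence[str]]) -> list:
    """KDC list: afs_kdc_servers if set, else the afs_kdcs group, else [] (DNS SRV)."""
    explicit = hostvars.get("afs_kdc_servers")
    if explicit:
        # Documented as a comma separated string; tolerate surrounding whitespace.
        return [h.strip() for h in str(explicit).split(",") if h.strip()]
    return list(groups.get("afs_kdcs", []))


def resolve_kadmin(hostvars: Mapping[str, object],
                   groups: Mapping[str, Sequence[str]]) -> Optional[str]:
    """kadmin host: afs_kadmin_server if set, else first afs_kdcs host, else None (DNS SRV)."""
    explicit = hostvars.get("afs_kadmin_server")
    if explicit:
        return str(explicit)
    kdcs = groups.get("afs_kdcs")
    return kdcs[0] if kdcs else None


def render_krb5_conf(realm: str, hostvars: Mapping[str, object],
                     groups: Mapping[str, Sequence[str]]) -> str:
    """Render the [libdefaults] and [realms] fragments the variables control."""
    lines = ["[libdefaults]", f"    default_realm = {realm}"]
    dns = hostvars.get("afs_krb_dns_lookup_kdc")
    if dns is not None:
        # Only written when defined; leaving it out keeps the library default (true).
        flag = str(dns).lower() in ("true", "yes", "1")
        lines.append(f"    dns_lookup_kdc = {'true' if flag else 'false'}")
    lines += ["", "[realms]", f"    {realm} = {{"]
    lines += [f"        kdc = {kdc}" for kdc in resolve_kdcs(hostvars, groups)]
    kadmin = resolve_kadmin(hostvars, groups)
    if kadmin:
        lines.append(f"        admin_server = {kadmin}")
    lines += ["    }", ""]
    return "\n".join(lines)


def resolve_master_password(hostvars: Mapping[str, object], realm_files: str) -> str:
    """Host variable wins; else read <realm_files>/afs_krb_master_password;
    else generate a random secret and store it readable by the owner only."""
    if hostvars.get("afs_krb_master_password"):
        return str(hostvars["afs_krb_master_password"])
    path = os.path.join(realm_files, "afs_krb_master_password")
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    os.makedirs(realm_files, mode=0o700, exist_ok=True)
    password = secrets.token_urlsafe(32)
    # O_EXCL refuses to clobber a file that appeared between the check and the write.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(password + "\n")
    return password


def demo_master_password_roundtrip() -> tuple:
    """Generate into a scratch dir, reread it, and show the host variable override.
    Returns (second_read_matches_first, override_value, file_mode_bits)."""
    with tempfile.TemporaryDirectory() as realm_files:
        first = resolve_master_password({}, realm_files)
        second = resolve_master_password({}, realm_files)
        override = resolve_master_password({"afs_krb_master_password": "from-vault"}, realm_files)
        mode = os.stat(os.path.join(realm_files, "afs_krb_master_password")).st_mode & 0o777
    return first == second, override, mode


if __name__ == "__main__":
    # Constructed inventory: two KDC hosts in the afs_kdcs group, nothing set explicitly.
    sample_groups = {"afs_kdcs": ["kdc1.example.com", "kdc2.example.com"]}
    print(render_krb5_conf("EXAMPLE.COM", {"afs_krb_dns_lookup_kdc": False}, sample_groups))
    print(demo_master_password_roundtrip())
```

Running the module prints a realm stanza listing both constructed KDCs with
``kdc1.example.com`` as ``admin_server``, and ``(True, 'from-vault', 384)``
for the password round trip (384 is ``0o600``). With an empty ``groups``
mapping the stanza carries no ``kdc`` or ``admin_server`` lines at all,
which is the DNS SRV case the documentation describes.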