openafs-krbserver - Kerberos Server Role

Description

Install and configure the MIT or Heimdal Kerberos master KDC on a single host, create the Kerberos database, the first administrator principal, and a keytab for that administrator.

Variables

afs_realm

The Kerberos realm name.

Default: EXAMPLE.COM

afs_realm_files

Path to realm related files on the controller. It is recommended to use ansible-vault to encrypt the files in this directory.

Default: $HOME/.ansible-openafs/realm/{{ afs_realm }}

afs_krb_master_password

The secret Kerberos database master password. If this host variable is not present, the password is read from the afs_krb_master_password file located in the {{ afs_realm_files }} directory on the controller. If this file does not exist, a random password is generated and written to the file.

Note: It is recommended to use ansible-vault to encrypt this secret.

Default: <random>

afs_krb_admin_principal

An administrator principal to be created by this role. A keytab is always created for this principal with a random key. The keytab is downloaded to the {{ afs_realm_files }}/{{ afs_krb_admin_principal }}.keytab file on the controller.

Default: root/admin

afs_kdc_servers

A comma separated list of KDC host names to be set in the krb5.conf file. If this variable is not defined, the host names of the hosts in the afs_kdcs inventory group are used. If that group is not defined either, no KDCs are set for the realm in the krb5.conf file, and they are assumed to be published as SRV records in DNS.

Default: hosts in the afs_kdcs group

afs_kadmin_server

The host name of the kadmin server to be set in the krb5.conf file. If this variable is not defined, the first host name in the afs_kdcs inventory group is used. If that group is not defined either, the kadmin server host name is not set in the krb5.conf file, and it is assumed to be published as an SRV record in DNS.

Default: undefined

afs_krb_dns_lookup_kdc

Set to true or false to enable or disable dns_lookup_kdc in the krb5.conf file. If this variable is not defined, no entry is written, which behaves the same as dns_lookup_kdc = true.

Default: undefined
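The fallback rules above for afs_kdc_servers, afs_kadmin_server and afs_krb_dns_lookup_kdc, together with the lookup order for afs_krb_master_password, are easy to get subtly wrong when reproduced by hand. The following is an added Python illustration, not code from the role itself; the inventory host names and the default_realm line are assumptions, and the password file is created with mode 0600 so that a plain-text secret is never world-readable before ansible-vault encrypts it.

```python
import os
import secrets
from typing import Optional, Sequence

# Constructed sample inventory for the afs_kdcs group (not part of the role).
SAMPLE_AFS_KDCS = ["kdc1.example.com", "kdc2.example.com"]


def resolve_master_password(realm_files: str, host_var: Optional[str] = None) -> str:
    """Lookup order for afs_krb_master_password: host variable, then the
    afs_krb_master_password file under afs_realm_files, else a freshly
    generated random password written to that file with mode 0600."""
    if host_var:
        return host_var
    path = os.path.join(realm_files, "afs_krb_master_password")
    if os.path.exists(path):
        with open(path) as f:
            return f.read().strip()
    os.makedirs(realm_files, mode=0o700, exist_ok=True)
    password = secrets.token_urlsafe(32)
    # O_EXCL: fail rather than overwrite a file that appeared concurrently.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")
    return password


def render_krb5_conf(realm: str, kdc_servers: Optional[str] = None,
                     kdcs_group: Sequence[str] = (), kadmin_server: Optional[str] = None,
                     dns_lookup_kdc: Optional[bool] = None) -> str:
    """Build [libdefaults] and [realms] following the fallback rules for
    afs_kdc_servers, afs_kadmin_server and afs_krb_dns_lookup_kdc."""
    if kdc_servers:
        kdcs = [h.strip() for h in kdc_servers.split(",") if h.strip()]
    else:
        kdcs = list(kdcs_group)          # may be empty: rely on DNS SRV records
    # kadmin falls back to the first afs_kdcs host, not to afs_kdc_servers.
    kadmin = kadmin_server or (kdcs_group[0] if kdcs_group else None)
    lines = ["[libdefaults]", f"    default_realm = {realm}"]
    if dns_lookup_kdc is not None:       # an omitted entry behaves like true
        lines.append(f"    dns_lookup_kdc = {'true' if dns_lookup_kdc else 'false'}")
    lines += ["", "[realms]", f"    {realm} = {{"]
    lines += [f"        kdc = {h}" for h in kdcs]
    if kadmin:
        lines.append(f"        admin_server = {kadmin}")
    lines.append("    }")
    return "\n".join(lines) + "\n"
```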

afs_krb_max_life

KDC max ticket life.

Default: 10h 0m 0s

afs_krb_max_renewable_life

KDC max renewable life.

Default: 7d 0h 0m 0s

afs_krb_supported_enctypes

KDC supported enctypes. Specify as a list of enctype:salt values.

Default: ['aes256-cts-hmac-sha1-96:normal', 'aes128-cts-hmac-sha1-96:normal']

afs_krb_default_principal_flags

KDC default principal flags.

Default: +preauth