salt.modules.kerberos

Manage Kerberos KDC

configuration

In order to manage your KDC you will need to generate a keytab that can authenticate without requiring a password.

For MIT Kerberos:

# ktadd -k /root/secure.keytab kadmin/admin kadmin/changepw

For Heimdal Kerberos: .. code-block:: bash

# ext_keytab -k /root/secure.keytab kadmin/admin

On the KDC minion you will need to add the following to the minion configuration file so Salt knows what keytab to use and what principal to authenticate as. Optionally you can specify which kerberos flavor to use, the default is MIT Kerberos if left unspecified.

auth_keytab: /root/auth.keytab
auth_principal: kadmin/admin
krb_flavor: heimdal
salt.modules.kerberos.create_keytab(name, keytab, enctypes=None)

Create keytab

CLI Example:

salt 'kdc.example.com' kerberos.create_keytab host/host1.example.com host1.example.com.keytab
salt.modules.kerberos.create_principal(name, enctypes=None)

Create Principal

CLI Example:

salt 'kdc.example.com' kerberos.create_principal host/example.com
salt.modules.kerberos.delete_principal(name)

Delete Principal

CLI Example:

salt 'kdc.example.com' kerberos.delete_principal host/example.com@EXAMPLE.COM
salt.modules.kerberos.get_policy(name)

Get policy details. Not supported by Heimdal backend.

CLI Example:

salt 'kdc.example.com' kerberos.get_policy my_policy
salt.modules.kerberos.get_principal(name)

Get princial details

CLI Example:

salt 'kdc.example.com' kerberos.get_principal root/admin
salt.modules.kerberos.get_privs()

Current privileges

CLI Example:

salt 'kdc.example.com' kerberos.get_privs
salt.modules.kerberos.list_policies()

List policies. Not supported by Heimdal backend.

CLI Example:

salt 'kdc.example.com' kerberos.list_policies
salt.modules.kerberos.list_principals()

Get all principals

CLI Example:

salt 'kde.example.com' kerberos.list_principals