Ask Your Question

How can I properly deploy keytabs to remote clients if the puppetmaster isn't the KDC?

asked 2012-12-18 09:23:25 -0600

jmslagle gravatar image

Basically I have a KDC, and many remote hosts. I need to distribute the keytabs to the remove hosts.

edit retag flag offensive close merge delete


I am not sure about the focus of your question. We are applying msktutil on our puppetserver for creating keytabs and using a file resource and a host restricted puppet ...(more)

Waldemar gravatar imageWaldemar ( 2012-12-20 08:56:07 -0600 )edit

Is there a particular module from the Puppet Forge that you're asking this question about or is this a general question on how to handle that scenario?

ryanycoleman gravatar imageryanycoleman ( 2013-01-17 19:06:02 -0600 )edit

i think it depends on your security requirements any kind of network filesystem can be used to distribute keytabs (f.e. sshfs, nfs, smb) do we talk about pre-exported kerberos ...(more)

Willi gravatar imageWilli ( 2013-08-31 17:33:47 -0600 )edit

3 Answers

Sort by ยป oldest newest most voted

answered 2014-02-04 13:51:50 -0600

Do you already have the keytab files generated? if so why can't you just push them to the machines via the puppet file...template option to push the .keytab files into /etc/krb5.keytab?

edit flag offensive delete link more

answered 2014-02-27 14:54:19 -0600

tfhartmann gravatar image

You could check this out... I haven't used it but I think it works ok for MIT Kerberos..

edit flag offensive delete link more


this module has a nice readme but that's basically it ;-) The classes are all empty.

Stefan gravatar imageStefan ( 2014-03-01 02:41:46 -0600 )edit

answered 2014-03-03 09:13:38 -0600

hakamadare gravatar image

my procedure is the following:

  1. i deploy a custom fact, krb5_kvno, which detects whether a host principal is loaded in the system keytab:

    # krb5_kvno.rb
    Facter.add("krb5_kvno") {
      confine :kernel => "Linux"
      setcode {
          require 'open3'
          stdin, stdout, stderr = Open3.popen3('klist -k 2>/dev/null')
          if $?.to_i != 0 then
            raise Puppet::ParseError, "Unable to execute '#{command}': #{$?.to_s}"
          stdout.readlines.detect {|line| %r{host/#{Facter.value("fqdn")}} =~ line}.to_s.chomp.split(' ', 2).shift
        rescue SystemCallError, NoMethodError => e
          raise Puppet::ParseError, "Unable to determine kvno: #{e.to_s}"
  2. i deploy a custom function, extract_keytab, which connects to the remote kadmin service ...

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2012-12-18 09:23:25 -0600

Seen: 1,710 times

Last updated: Mar 03 '14