kerberos keytab #4

Supports: xenial bionic

Description

Given a flat tarball of keytab files, each named $(hostname).keytab, this charm
extracts the keytab and uses kinit to generate a credentials cache for
authentication against a remote KDC or Kerberos-enabled AD server.


Overview

Provides basic functionality to join an Ubuntu server to a Kerberos domain using
a pregenerated keytab file.

Usage

From an existing KDC or Kerberos-enabled AD server, create one or more principals
for the units you wish to add to your domain.

  • For each host create $HOSTNAME.keytab
  • Tar the resulting files into keytab.tar

It is important to have this file created before deploying the charm. This file
can then be used during application deployment:

  • juju deploy kerberos-keytab --resource keytab_bundle=.tar
  • juju add-relation kerberos-keytab
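
As an added example (not part of the charm or its documentation), the shell function below builds the flat keytab.tar from a staging directory and refuses any file that lacks a keytab header or is readable beyond its owner. The function name bundle_keytabs and the staging-directory layout are assumptions; stat -c is the GNU form found on Ubuntu.

```shell
#!/bin/sh
# Added example: build the flat keytab.tar from a staging directory.
# Assumption: keytabs were exported beforehand as <hostname>.keytab.

# bundle_keytabs SRC_DIR OUT_TAR
# Exits 0 and writes OUT_TAR, or non-zero if any file fails a check.
# The body runs in a subshell, so "exit" and "umask" stay local to the call.
bundle_keytabs() (
    src=$1
    out=$2
    set --    # positional parameters collect the validated member names

    for f in "$src"/*.keytab; do
        name=${f##*/}
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "no *.keytab files in $src" >&2; exit 1
        fi
        # Regular files only: a symlink could pull an unrelated file into the bundle.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "$name: not a regular file" >&2; exit 1
        fi
        # A keytab starts with byte 0x05 followed by format version 0x01 or 0x02.
        magic=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
        case $magic in
            0501|0502) ;;
            *) echo "$name: no keytab header (got '$magic')" >&2; exit 1 ;;
        esac
        # Keytabs hold long-term keys, so insist on owner-only permissions.
        mode=$(stat -c '%a' "$f")    # GNU stat, as on Ubuntu
        case $mode in
            600|400) ;;
            *) echo "$name: mode $mode, expected 600 or 400" >&2; exit 1 ;;
        esac
        set -- "$@" "$name"
    done

    # The tarball is as sensitive as its contents: create it owner-only.
    umask 077
    # -C makes every member a bare file name, which keeps the archive flat.
    tar -cf "$out" -C "$src" "$@"
)
```

Listing the result with tar -tf should show only bare <hostname>.keytab names, with no directory components.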

Configuration

This charm assumes the Kerberos domain and realm to be EXAMPLE.COM, which is
likely incorrect for your environment. Change both before relating the charm
to any other units.

Contact Information

Michael Skalka
michael.skalka@canonical.com


Configuration

admin-server-address
(string) IP Address or hostname of the remote admin server.
domain
(string) Kerberos domain. Currently only supports a single entry.
Default: EXAMPLE.COM
kdc-address
(string) IP Address or hostname of the remote KDC or Kerberos enabled AD server.
principal
(string) principal to use when adding the server, e.g. "host/HOSTNAME.example.com". This variable is templated. You can use the following variable substitutions:
  • {hostname} - the output of 'hostname -f' with no additional casing
  • {fqdn} - lower-cased FQDN of the node
  • {FQDN} - upper-cased FQDN of the node
  • {short} - lower-cased short name of the node
  • {SHORT} - upper-cased short name of the node
Default: host/{hostname}
realm
(string) Kerberos Realm. Currently only supports a single entry.
Default: EXAMPLE.COM
user
(string) Local user to perform domain join under, defaults to ubuntu.
Default: ubuntu