Keytab join runs on every Puppet refresh #36
Comments
Bump - Is this just semantics? Most modules I've seen simply apply and then are good unless they have to fix something. This module applies and refreshes this on every Puppet run. If this is acceptable behavior, please let me know but it seems to me like @Socob pointed out, a necessary check in place could forego this repetitive action.
@carceneaux @Socob I think you are both correct and will revert this check to the previous version.
fix pushed up
2.2.0 pushed to forge
Awesome! Thanks!
The two Execs `run_kinit_with_keytab` and `realm_join_with_keytab` have an `unless` clause specifying that they should only run if the command `kinit -k host/$(hostname -f)` does not run successfully. However, this test doesn’t work on our setup (Ubuntu 17.04 machine in an Active Directory domain):

Consequently, the keytab join to the domain is executed every time Puppet runs, which is not desirable.

This test was added in fd73597. Before, the `unless` clause was `unless => "klist -k /etc/krb5.keytab | grep -i '${::hostname[0,15]}@${_domain}'"`, which worked for us (see the output of `klist -k /etc/krb5.keytab` below). Unfortunately, I don’t know enough about Kerberos to understand why this change was made or what the pros and cons of each version are, but the way it is right now isn’t working for us.

This is the output of `klist -k /etc/krb5.keytab`, in case it helps:
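
Added example, not part of the original issue or the module's code: the older `klist`-based guard quoted above, written as a standalone shell check that can be exercised offline. The function names, hostname, realm and keytab listing are constructed for illustration, and it uses a literal match (`grep -F`) where the quoted clause used a regex.

```shell
#!/bin/sh
# Idempotency guard for a keytab join: succeed (exit 0) only when the keytab
# listing already holds a principal for this host, so the join can be skipped.
# Reads `klist -k`-style output on stdin so it can be tested without a keytab.
# Hypothetical wiring:
#   klist -k /etc/krb5.keytab | keytab_has_host_principal "$(hostname -s)" EXAMPLE.COM

keytab_has_host_principal() {
    short_host=$1
    realm=$2
    # Refuse to guess: missing arguments are an error, not "already joined".
    [ -n "$short_host" ] && [ -n "$realm" ] || return 2
    # Same truncation as the ${::hostname[0,15]} slice in the old unless clause.
    name=$(printf '%s' "$short_host" | cut -c1-15)
    # -i: keytab entries may be upper-case while the hostname fact is lower-case.
    # -F: literal match, so dots in the realm are not treated as regex wildcards.
    grep -qiF -- "${name}@${realm}"
}

# Constructed sample listing (not output from the reporter's machine).
sample_keytab_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 WORKSTATION-LON$@EXAMPLE.COM
   2 host/WORKSTATION-LON@EXAMPLE.COM
   2 host/workstation-longname01.example.com@EXAMPLE.COM
EOF
}

# A 22-character hostname is cut to 15 characters before matching.
if sample_keytab_listing | keytab_has_host_principal workstation-longname01 EXAMPLE.COM
then
    echo "principal present: skip keytab join"
else
    echo "principal missing: run keytab join"
fi
```

An empty or missing keytab produces no match, so the guard fails and the join runs, which is the behaviour a first-time join needs.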