Skip to content
Chef cookbook for Kerberos 5 authentication
Find file
Latest commit 3161d29 Jun 9, 2015 @wolf31o2 wolf31o2 Version bump to 2.0.1
Failed to load latest commit information.
attributes Install build-essential at compile time Jun 8, 2015
libraries CHANGELOG updates Jun 8, 2015
recipes Install build-essential at compile time Jun 9, 2015
resources Require principals for krb5_keytab Dec 20, 2014
spec Remove deprecated attributes in favor of long attributes Apr 28, 2015
templates/default Check for empty, not nil, attribute Jun 7, 2014
.kitchen.yml Update metadata and kitchen Jun 8, 2015
.rubocop.yml Ignore vendor-supplied gems for rubocop Jan 6, 2015
.travis.yml Switch to new container-based Travis CI infrastructure Dec 19, 2014
Berksfile Version bump to 2.0.1 Jun 9, 2015
Gemfile Relax constraint on rubocop Sep 25, 2014
Rakefile Rubocop / Update Chefspec Jul 14, 2014
Vagrantfile Switch to CentOS 6.5 in tests/Vagrant Sep 25, 2014
metadata.rb Version bump to 2.0.1 Jun 10, 2015

krb5 Cookbook

Cookbook Version Build Status


Installs and configures Kerberos version 5 authentication modules on RedHat and Debian family systems.


Requires some PAM configuration script such as pam-auth-update on Debian family systems, or authconfig on Redhat family systems. Best effort is made to use one of these two tools based on detected platform.

You can override krb5['authconfig'] with an execute command, as a string. Which should configure PAM to use Kerberos on other systems.

You really need to have time synchronized within 5 minutes of your domain controllers, or key distribution centers. Therefore the recipe depends on the Opscode NTP cookbook. If you have another method of keeping accurate clocks, change the metadata according to your needs.


This cookbook has changed the attribute format and is no longer compatible with older versions. If you wish to use the older syntax, pin your version to < 2.0 or switch to the new syntax.

The new format used for template variables consists of krb5[file][section][key] = 'value' where file is one of krb5_conf, kadm5_acl, or kdc_conf.

Client / Libs

  • krb5['client']['packages'] - Packages and libraries needed for Kerberos v5 authentication, detected for Redhat/Debian family systems.
  • krb5['client']['authconfig'] - Configuration script for PAM, detected for RedHat and Debian family systems.

Section: logging

  • krb5['krb5_conf']['logging']['default'] - Default log location. Default, 'FILE:/var/log/krb5libs.log'

Section: libdefaults

  • krb5['krb5_conf']['libdefaults']['default_realm'] - The default realm, defaults to OHAI's domain attribute.
  • krb5['krb5_conf']['libdefaults']['dns_lookup_kdc'] - Set to true if you have SRV records for KDC discovery. Default is true.
  • krb5['krb5_conf']['libdefaults']['dns_lookup_realm'] - Set to true if you have TXT records for realm discovery. Default is false.
  • krb5['krb5_conf']['libdefaults']['forwardable'] - Set to true to make initial credentials forwardable. Default is true.
  • krb5['krb5_conf']['libdefaults']['renew_lifetime'] - Default renewable ticket lifetime. Default is 24h.
  • krb5['krb5_conf']['libdefaults']['ticket_lifetime'] - Default ticket lifetime. Default is 24h.

Section: realms

  • krb5['krb5_conf']['realms']['default_realm'] - The default realm, defaults to krb5['krb5_conf']['libdefaults']['default_realm']
  • krb5['krb5_conf']['realms']['default_realm_kdcs'] - Array of Kerberos servers for default realm. Default is empty.
  • krb5['krb5_conf']['realms']['default_realm_admin_server'] - Address of Kerberos admin server. Defaults to empty.
  • krb5['krb5_conf']['realms']['realms'] - Array of all realms, including the default. Defaults to OHAI's domain attribute.

Section: appdefaults

  • krb5['krb5_conf']['appdefaults']['pam']['debug'] = Set to true to enable PAM/Kerberos debugging. Defaults to false.
  • krb5['krb5_conf']['appdefaults']['pam']['forwardable'] - Instruct PAM to create forwardable tickets. Defaults to krb5['krb5_conf']['libdefaults']['forwardable']
  • krb5['krb5_conf']['appdefaults']['pam']['renew_lifetime'] - Defaults to krb5['krb5_conf']['libdefaults']['renew_lifetime']
  • krb5['krb5_conf']['appdefaults']['pam']['ticket_lifetime'] - Defaults to krb5['krb5_conf']['libdefaults']['ticket_lifetime']
  • krb5['krb5_conf']['appdefaults']['pam']['krb4_convert'] - Set to true to use the Kerberos conversion daemon to get V4 tickets. Default is false.

Kerberos Admin Server (kadmind)

  • krb5['kadmin']['packages'] - Packages for Kerberos Admin Server, detected on Redhat/Debian family systems.
  • krb5['master_password'] - Master password for Kerberos database. Default is password. (Please, change this!)
  • krb5['admin_principal'] - Principal to create for administration. Default is admin/admin.
  • krb5['admin_password'] - Password for admin principal. Default is password. (Please, change this!)

Section: logging

  • krb5['krb5_conf']['logging']['admin_server'] - Kerberos Admin Server log location. Default, 'FILE:/var/log/kadmind.log'


  • krb5['kadm5_acl'][principal] - Sets up ACLs for principal. Default is "*/admin@#{node['krb5']['krb5_conf']['libdefaults']['default_realm'].upcase}" => ['*']

KDC and kdc.conf

  • krb5['kdc']['packages'] - Packages needed for a KDC, detected for Redhat/Debian family systems.

Section: logging

  • krb5['krb5_conf']['logging']['kdc'] - KDC log location. Default, 'FILE:/var/log/krb5kdc.log'

Section: kdcdefaults

  • krb5['kdc_conf']['kdcdefaults']['kdc_ports'] - Set KDC listen ports. Default is 88.

Section: realms

  • krb5['kdc_conf']['realms'][realm]['acl_file'] - Location of kadmind ACL file for realm. Defaults to default_realm.
  • krb5['kdc_conf']['realms'][realm]['admin_keytab'] - Location of admin keytab file for realm. Defaults to default_realm.


Here are two example roles to be used with this recipe. The first, is a single realm configuration, using the OHAI domain attribute for the realm.

name "krb5_domain"
description "Configures Kerberos 5 Authentication for domain realm"
override_attributes "krb5" => {
   "krb5_conf" => {
    "realms" => {
      "default_realm_kdcs" => [
run_list "recipe[krb5]"

The second example is a role for multiple Kerberos realms.

name "krb5_multirealm"
description "Configures Kerberos 5 Authentication for and realm"
override_attributes "krb5" => {
  "krb5_conf" => {
    "libdefaults" => {
      "default_realm" => "",
      "dns_lookup_kdc" => "true"
   "realms" => {
      "realms" => [ 
      "default_realm_kdcs" => [
run_list "recipe[krb5]"

License and Authors

Author:: Eric G. Wolfe

Author:: Chris Gianelloni

Copyright:: © 2012-2014 Eric G. Wolfe

Copyright:: © 2014-2015 Cask Data, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License

Something went wrong with that request. Please try again.