community.general.krb_ticket module – Kerberos utils for managing tickets

Note

This module is part of the community.general collection (version 10.0.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.general.krb_ticket.

New in community.general 10.0.0

Synopsis

Requirements

The below requirements are needed on the host that executes this module.

  • krb5-user and krb5-config packages

Parameters

Parameter

Comments

address_restricted

boolean

Request tickets restricted to the host’s local address (true) or unrestricted (false).

Choices:

  • false

  • true

anonymous

boolean

Requests anonymous processing.

Choices:

  • false

  • true

cache_name

string

Use cache_name as the ticket cache name and location.

If this option is not used, the default cache name and location are used.

The default credentials cache may vary between systems.

If not set, the value of the KRB5CCNAME environment variable is used instead; its value names the default ticket cache.

canonicalization

boolean

Requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested.

Choices:

  • false

  • true

enterprise

boolean

Treats the principal name as an enterprise name (implies the canonicalization option).

Choices:

  • false

  • true

forwardable

boolean

Request forwardable or non-forwardable tickets.

Choices:

  • false

  • true

kdestroy_all

boolean

When state=absent, destroys all credential caches in the collection.

Equivalent of running kdestroy -A.

Choices:

  • false

  • true

keytab

boolean

Requests a ticket, obtained from a key in the local host’s keytab.

If keytab_path is not specified, the default client keytab is used (the -i option of kinit).

Choices:

  • false

  • true

keytab_path

path

Use when keytab=true to specify path to a keytab file.

It is required to specify password or keytab_path.

lifetime

string

Requests a ticket with the given lifetime; if the lifetime is not specified, the default ticket lifetime is used.

Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime.

The value for lifetime must be followed by one of the following suffixes: s - seconds, m - minutes, h - hours, d - days.

You cannot mix units; a value of 3h30m will result in an error.

See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html for reference.

password

string

Principal password.

It is required to specify password or keytab_path.

principal

string

The principal name.

If not set, the user running this module will be used.

proxiable

boolean

Request proxiable or non-proxiable tickets.

Choices:

  • false

  • true

renewable

string

Requests renewable tickets, with a total lifetime equal to renewable.

The value for renewable must be followed by one of the following suffixes: s - seconds, m - minutes, h - hours, d - days.

You cannot mix units; a value of 3h30m will result in an error.

See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html for reference.

renewal

boolean

Requests renewal of the ticket-granting ticket.

Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.

Choices:

  • false

  • true

start_time

string

Requests a postdated ticket.

Postdated tickets are issued with the invalid flag set, and need to be resubmitted to the KDC for validation before use.

start_time specifies the duration of the delay before the ticket can become valid.

You can use absolute time formats; for example, for July 27, 2012 at 20:30 you would set start_time=20120727203000.

You can also use time duration format similar to lifetime or renewable.

See https://web.mit.edu/kerberos/krb5-1.12/doc/basic/date_format.html for reference.

state

string

The state of the Kerberos ticket.

present is the equivalent of the kinit command.

absent is the equivalent of the kdestroy command.

Choices:

  • "present" ← (default)

  • "absent"

validate

boolean

Requests that the ticket-granting ticket in the cache (with the invalid flag set) be passed to the KDC for validation.

If the ticket is within its requested time range, the cache is replaced with the validated ticket.

Choices:

  • false

  • true

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Examples

- name: Get Kerberos ticket using default principal
  community.general.krb_ticket:
    password: some_password

- name: Get Kerberos ticket using keytab
  community.general.krb_ticket:
    keytab: true
    keytab_path: /etc/ipa/file.keytab

- name: Get Kerberos ticket with a lifetime of 7 days
  community.general.krb_ticket:
    password: some_password
    lifetime: 7d

- name: Get Kerberos ticket with a starting time of July 2, 2024, 1:35:30 p.m.
  community.general.krb_ticket:
    password: some_password
    start_time: "240702133530"

- name: Get Kerberos ticket using principal name
  community.general.krb_ticket:
    password: some_password
    principal: admin

- name: Get Kerberos ticket using principal with realm
  community.general.krb_ticket:
    password: some_password
    principal: admin@IPA.TEST

- name: Check for existence by ticket cache
  community.general.krb_ticket:
    cache_name: KEYRING:persistent:0:0

- name: Make sure default ticket is destroyed
  community.general.krb_ticket:
    state: absent

- name: Make sure specific ticket destroyed by principal
  community.general.krb_ticket:
    state: absent
    principal: admin@IPA.TEST

- name: Make sure specific ticket destroyed by cache_name
  community.general.krb_ticket:
    state: absent
    cache_name: KEYRING:persistent:0:0

- name: Make sure all tickets are destroyed
  community.general.krb_ticket:
    state: absent
    kdestroy_all: true
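The following playbook is an added example and is not part of the module documentation or the collection's own examples. It ties together the lifetime format rule (a single unit suffix, no mixing such as 3h30m), a dedicated cache_name so the ticket does not land in the user's default cache, and a block/always pair so the cache is destroyed whether or not the task using it succeeds. The inventory group ipa_clients, the vault-supplied variable krb_password, and the cache path under /tmp are assumptions; ansible_facts['user_uid'] requires the default fact gathering.

```yaml
---
# Added example, not from the krb_ticket module docs.
# Assumes: inventory group "ipa_clients", a vaulted vars file that defines
# krb_password, and default fact gathering (for ansible_facts['user_uid']).
- name: Run a task with a short-lived Kerberos ticket in a dedicated cache
  hosts: ipa_clients
  vars:
    krb_principal: admin@IPA.TEST
    krb_lifetime: 1h
    # kinit creates FILE caches readable only by the owning user
    krb_cache: "FILE:/tmp/krb5cc_ansible_{{ ansible_facts['user_uid'] }}"
  tasks:
    - name: Reject lifetimes the module would pass to kinit as an error (e.g. 3h30m)
      ansible.builtin.assert:
        that:
          - krb_lifetime is match('^[0-9]+[smhd]$')
        fail_msg: "lifetime must be a number followed by exactly one of s, m, h or d"

    - name: Obtain the ticket, use it, and always destroy it afterwards
      block:
        - name: Get a non-forwardable ticket for the principal in the dedicated cache
          community.general.krb_ticket:
            principal: "{{ krb_principal }}"
            password: "{{ krb_password }}"
            cache_name: "{{ krb_cache }}"
            lifetime: "{{ krb_lifetime }}"
            forwardable: false
          # keep the password out of task output and logs
          no_log: true

        - name: Show the ticket from the dedicated cache (klist ships with krb5-user)
          ansible.builtin.command: klist
          environment:
            KRB5CCNAME: "{{ krb_cache }}"
          changed_when: false
      always:
        - name: Destroy the dedicated cache even if the previous tasks failed
          community.general.krb_ticket:
            state: absent
            cache_name: "{{ krb_cache }}"
```

Running kinit and the consuming task under the same KRB5CCNAME is what makes the dedicated cache useful: the module honours cache_name, but any later command only sees that ticket if the same cache is selected through the task environment.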

Authors

  • Alexander Bakanovskii (@abakanovskii)