From 672583bd109f31f5e9c4257813aa45fe60b17819 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Thu, 21 Feb 2019 17:55:53 -0800
Subject: [PATCH] Workaround broken ubuntu packaging

Since ubuntu 16.04 or so the krb5-admin-server package is broken in the
postinst scripts. What happens is they try to set a debconf value if the
defaults file for this service sets RUN_KADMIND to false. Unfortunately
the key/question debconf is setting has no associated templates entry so
package install fails.

We work around this by not setting this value in the defaults file on
newer ubuntu and instead rely on our init system to manage that state.

Change-Id: I0ffe2a2acbe76acb0069df18253367ed2528241f
---
 manifests/server.pp                          | 28 +++++++++++++-------
 templates/krb5-admin-server.defaults.new.erb | 10 +++++++
 2 files changed, 29 insertions(+), 9 deletions(-)
 create mode 100644 templates/krb5-admin-server.defaults.new.erb

diff --git a/manifests/server.pp b/manifests/server.pp
index 795e35c..9a46400 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -63,15 +63,6 @@ class kerberos::server (
     $kprop_cron = present
   }
 
-  # krb5-admin-server generates this, so make sure this runs after we do
-  # things with krb5-admin-server
-  file { '/etc/default/krb5-admin-server':
-    ensure  => present,
-    replace => true,
-    content => template('kerberos/krb5-admin-server.defaults.erb'),
-    require => Package['krb5-admin-server'],
-  }
-
   cron { 'kprop':
     ensure      => $kprop_cron,
     user        => 'root',
@@ -81,6 +72,15 @@ class kerberos::server (
   }
 
   if ($::operatingsystem == 'Ubuntu') and ($::operatingsystemrelease >= '16.04') {
+    # krb5-admin-server generates this, so make sure this runs after we do
+    # things with krb5-admin-server
+    file { '/etc/default/krb5-admin-server':
+      ensure  => present,
+      replace => true,
+      content => template('kerberos/krb5-admin-server.defaults.new.erb'),
+      require => Package['krb5-admin-server'],
+    }
+
     file { '/etc/systemd/system/krb5-kpropd.service':
       ensure  => present,
       replace => true,
@@ -102,6 +102,15 @@ class kerberos::server (
       refreshonly => true,
     }
   } else {
+    # krb5-admin-server generates this, so make sure this runs after we do
+    # things with krb5-admin-server
+    file { '/etc/default/krb5-admin-server':
+      ensure  => present,
+      replace => true,
+      content => template('kerberos/krb5-admin-server.defaults.erb'),
+      require => Package['krb5-admin-server'],
+    }
+
     file { '/etc/init.d/krb5-kpropd':
       ensure  => present,
       replace => true,
@@ -119,6 +128,7 @@ class kerberos::server (
 
   service { 'krb5-admin-server':
     ensure    => $run_admin_server,
+    enable    => $run_kadmind,
     subscribe => File['/etc/krb5kdc/kadm5.acl'],
     require   => [
       File['/etc/krb5kdc/kadm5.acl'],
diff --git a/templates/krb5-admin-server.defaults.new.erb b/templates/krb5-admin-server.defaults.new.erb
new file mode 100644
index 0000000..db7ba3b
--- /dev/null
+++ b/templates/krb5-admin-server.defaults.new.erb
@@ -0,0 +1,10 @@
+# Managed by puppet
+# Don't set anything here.
+# We don't set RUN_KADMIND because newer debuntu packaging
+# postinst scripts are broken if RUN_KADMIND is set to false.
+# Long story short they try to set a debconf value based on
+# that value and there is no associated template with that
+# key/question so things break.
+#
+# Instead we manage whether or not slave nodes run kadmind
+# via the init system (via the puppet service resource).