[PATCH 0/8] Improve Kerberos support

  • Open
Details
2 participants
  • Maxim Cournoyer
  • Tomas Volf
Owner
unassigned
Submitted by
Tomas Volf
Severity
normal

Debbugs page

Tomas Volf wrote on 13 Mar 15:17 -0700
(address . guix-patches@gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
cover.1741904210.git.~@wolfsden.cz
A couple of style fixes and feature additions for krb5-service-type.

Tomas Volf (8):
services: krb5-realm: Delete trailing whitespace.
services: krb5-realm: Unify style of documentation strings.
services: krb5-realm: Add default-principal-flags field.
services: krb5-configuration: Fix indentation.
services: krb5-configuration: Unify style of documentation strings.
services: krb5-configuration: Add dns-lookup-realm? field.
services: kerberos: Fix order of definitions.
services: krb5-service-type: Support launching KDC daemon.

doc/guix.texi | 12 +--
gnu/services/kerberos.scm | 168 ++++++++++++++++++++++++++------------
2 files changed, 122 insertions(+), 58 deletions(-)

--
2.48.1
Tomas Volf wrote on 13 Mar 15:19 -0700
[PATCH 3/8] services: krb5-realm: Add default-principal-flags field.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
1c2db6ae3e19e1be60e3f6b3dcc5a460aeee9166.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Add default-principal-flags field.
(serialize-comma-separated-string-list/unset, comma-separated-string-list?)
(comma-separated-string-list/unset?): New procedures.

Change-Id: Ie5f787ca0745dd6234ea4577b39a58d71e4fa6d2
---
gnu/services/kerberos.scm | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index d3ac7ca8b9..61d3a323fb 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -106,6 +106,19 @@ (define (space-separated-string-list? val)
(define space-separated-string-list/unset?
(predicate/unset space-separated-string-list?))
+(define (serialize-comma-separated-string-list/unset field-name val)
+ (unless (eq? val unset-field)
+ (serialize-field* field-name (string-join val ","))))
+
+(define (comma-separated-string-list? val)
+ (and (list? val)
+ (and-map (lambda (x)
+ (and (string? x) (not (string-index x #\,))))
+ val)))
+
+(define comma-separated-string-list/unset?
+ (predicate/unset comma-separated-string-list?))
+
(define comma-separated-integer-list/unset?
(predicate/unset (lambda (val)
(and (list? val)
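Review bot: `serialize-comma-separated-string-list/unset` (first added definition in this hunk) emits a relation with an empty value when `val` is `'()`, because `(string-join '() ",")` is `""`; either treat the empty list like `unset-field` in the serializer or have `comma-separated-string-list?` reject it. The predicate could also reject empty strings, which would otherwise serialize as `a,,b`.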
@@ -198,6 +211,13 @@ (define-configuration krb5-realm
(string/unset unset-field)
"The server where password changes are performed.")
+ (default-principal-flags
+ (comma-separated-string-list/unset unset-field)
+ "Specifies the default attributes of principals created in this realm. The
+format for this string is a list of strings, with '+' before each flag that
+should be enabled and '-' before each flag that should be disabled. See the
+manual page for details on available flags.")
+
(auth-to-local
(free-form-fields '())
"Rules to map between principals and local users.")
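Review bot: the docstring for `default-principal-flags` says "The format for this string is a list of strings"; the value is a list, so "for this string" should go. Since `comma-separated-string-list?` only rejects embedded commas, a flag given without its `+`/`-` prefix is passed through unchecked; either check the prefix in the predicate or say in the docstring that values are written verbatim. It would also help to note that this relation is only read on the KDC side (krb5kdc/kadmin); client-only configurations ignore it.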
--
2.48.1
Tomas Volf wrote on 13 Mar 15:19 -0700
[PATCH 1/8] services: krb5-realm: Delete trailing whitespace.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
eb10d6b54c3d9035e44a4775b3827476e386fceb.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Delete trailing whitespace.

Change-Id: I3e92d53b0910660aeed318015841ec0ca8892430
---
gnu/services/kerberos.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index a6f540a9b6..fd12b518e6 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -191,7 +191,7 @@ (define-configuration krb5-realm
(master-kdc
(string/unset unset-field)
- "If an attempt to get credentials fails because of an invalid password,
+ "If an attempt to get credentials fails because of an invalid password,
the client software will attempt to contact the master KDC.")
(kpasswd-server
--
2.48.1
Tomas Volf wrote on 13 Mar 15:19 -0700
[PATCH 2/8] services: krb5-realm: Unify style of documentation strings.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
552ab3e529a9c560bba7760e6a7e933c42eefc1f.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Add trailing periods where missing.
Remove double space.

Change-Id: I5dc47326c598548075f13a5ec48c24a0886a9a69
---
gnu/services/kerberos.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index fd12b518e6..d3ac7ca8b9 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -214,7 +214,7 @@ (define-configuration krb5-realm
(default-domain
(string/unset unset-field)
"The domain used to expand host names when translating Kerberos 4 service
-principals to Kerberos 5 principals")
+principals to Kerberos 5 principals.")
(v4-instance-convert
(free-form-fields '())
@@ -222,8 +222,8 @@ (define-configuration krb5-realm
(v4-realm
(string/unset unset-field)
- "Used when the V4 realm name and the V5 realm name are not the same, but
-still share the same principal names and passwords"))
+ "Used when the V4 realm name and the V5 realm name are not the same, but
+still share the same principal names and passwords."))
--
2.48.1
Tomas Volf wrote on 13 Mar 15:19 -0700
[PATCH 5/8] services: krb5-configuration: Unify style of documentation strings.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
33ae228456c08bffcd4e224332fab5d530b6247d.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add trailing periods where
missing. Add double space. Add @file.

Change-Id: Id2d985df1e55566cb62f7355c2e4f0ca7d9924f2
---
gnu/services/kerberos.scm | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 8d08a27365..f2f2adda88 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -301,11 +301,11 @@ (define-configuration krb5-configuration
(dns-lookup-kdc?
(boolean/unset unset-field)
"Should DNS SRV records should be used to locate the KDCs and other servers
-not appearing in the realm specification")
+not appearing in the realm specification.")
(err-fmt
(string/unset unset-field)
- "Custom error message formatting. If not #f error messages will be
+ "Custom error message formatting. If not #f error messages will be
formatted by substituting a normal error message for %M and an error code for
%C in the value.")
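Review bot: the `dns-lookup-kdc?` docstring still reads "Should DNS SRV records should be used" after this hunk; since the string is being edited for the trailing period anyway, drop the second "should" here rather than in a follow-up patch.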
@@ -323,7 +323,7 @@ (define-configuration krb5-configuration
(k5login-authoritative?
(boolean/unset unset-field)
"If this flag is true, principals must be listed in a local user's k5login
-file to be granted login access, if a ~/.k5login file exists.")
+file to be granted login access, if a @file{~/.k5login} file exists.")
(k5login-directory
(string/unset unset-field)
@@ -352,8 +352,8 @@ (define-configuration krb5-configuration
(kdc-req-checksum-type
(non-negative-integer/unset unset-field)
- "The type of checksum to use for the KDC requests. Relevant only for DES
-keys")
+ "The type of checksum to use for the KDC requests. Relevant only for DES
+keys.")
(noaddresses?
(boolean/unset unset-field)
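Review bot: while the `kdc-req-checksum-type` docstring is being touched, it would help readers to say that single-DES encryption types have been removed from recent MIT krb5 releases, so this option is only relevant to legacy deployments and can normally be left unset.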
--
2.48.1
Tomas Volf wrote on 13 Mar 15:19 -0700
[PATCH 6/8] services: krb5-configuration: Add dns-lookup-realm? field.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
cbd528ac3479d744305e7c13c4303b5b0bde4cb6.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add dns-lookup-realm? field.

Change-Id: Ibb92da1d4330b62225bdd9fd2a8573035f15f590
---
gnu/services/kerberos.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index f2f2adda88..b423534ec2 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -298,6 +298,10 @@ (define-configuration krb5-configuration
"Whether name lookups will be used to canonicalize host names for use in
service principal names.")
+ (dns-lookup-realm?
+ (boolean/unset unset-field)
+ "Should the Kerberos realm of a host be determined by DNS TXT records?")
+
(dns-lookup-kdc?
(boolean/unset unset-field)
"Should DNS SRV records should be used to locate the KDCs and other servers
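Review bot: the `dns-lookup-realm?` docstring should state the default and the reason for it: MIT krb5 leaves `dns_lookup_realm` off because a DNS TXT answer is not authenticated unless DNSSEC is deployed, so enabling it lets the realm a client talks to depend on untrusted DNS data. Suggested wording: "Should the Kerberos realm of a host be determined by DNS TXT records? Disabled by default in MIT krb5 because DNS answers are not authenticated." Ending the string with a period would also match the neighbouring fields.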
--
2.48.1
Tomas Volf wrote on 13 Mar 15:19 -0700
[PATCH 7/8] services: kerberos: Fix order of definitions.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
90601b4b93e99be93b8ba0dde7fcb99c5ad10add.1741904210.git.~@wolfsden.cz
Generating the configuration file would error out with an error stating:

Wrong type to apply: #<syntax-transformer krb5-realm?>

Moving the procedures below the respective define-configuration fixes that.

* gnu/services/kerberos.scm (realm-list?, serialize-realm-list): Move below
define-configuration for krb5-realm.

Change-Id: I6a520a92cdc3c42d3916cdf33d427dadc531e7d1
---
gnu/services/kerberos.scm | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index b423534ec2..1e826a1455 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -169,23 +169,6 @@ (define (serialize-free-form-fields field-name val)
(define non-negative-integer/unset? (predicate/unset non-negative-integer?))
-(define (realm-list? val)
- (and (list? val)
- (and-map (lambda (x) (krb5-realm? x)) val)))
-
-(define (serialize-realm-list field-name val)
- (format #t "\n[~a]\n" field-name)
- (for-each (lambda (realm)
- (format #t "\n~a = {\n" (krb5-realm-name realm))
- (for-each (lambda (field)
- (unless (eq? 'name (configuration-field-name field))
- ((configuration-field-serializer field)
- (configuration-field-name field)
- ((configuration-field-getter field)
- realm)))) krb5-realm-fields)
-
- (format #t "}\n")) val))
-
;; For a more detailed explanation of these fields see man 5 krb5.conf
@@ -245,6 +228,23 @@ (define-configuration krb5-realm
"Used when the V4 realm name and the V5 realm name are not the same, but
still share the same principal names and passwords."))
+(define (realm-list? val)
+ (and (list? val)
+ (and-map (lambda (x) (krb5-realm? x)) val)))
+
+(define (serialize-realm-list field-name val)
+ (format #t "\n[~a]\n" field-name)
+ (for-each (lambda (realm)
+ (format #t "\n~a = {\n" (krb5-realm-name realm))
+ (for-each (lambda (field)
+ (unless (eq? 'name (configuration-field-name field))
+ ((configuration-field-serializer field)
+ (configuration-field-name field)
+ ((configuration-field-getter field)
+ realm)))) krb5-realm-fields)
+
+ (format #t "}\n")) val))
+
;; For a more detailed explanation of these fields see man 5 krb5.conf
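Review bot: moving `realm-list?` and `serialize-realm-list` below the `define-configuration` fixes the forward reference, but nothing prevents it from recurring the next time a helper is added above the record definition; a small test that builds a `krb5-configuration` with one `krb5-realm` and serializes it would catch this class of failure at build time instead of at system reconfigure.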
--
2.48.1
Tomas Volf wrote on 13 Mar 15:19 -0700
[PATCH 4/8] services: krb5-configuration: Fix indentation.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
8ffc6bb37a477651fdd7011a69ad7cd90a50fb73.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Adjust indentation and word
wrapping.

Change-Id: I629c106867e1d4d935b4bc33ae3489f4b0ee0bf5
---
gnu/services/kerberos.scm | 53 ++++++++++++++++++++-------------------
1 file changed, 27 insertions(+), 26 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 61d3a323fb..8d08a27365 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -295,19 +295,19 @@ (define-configuration krb5-configuration
(dns-canonicalize-hostname?
(boolean/unset unset-field)
- "Whether name lookups will be used to canonicalize host names for use in
+ "Whether name lookups will be used to canonicalize host names for use in
service principal names.")
(dns-lookup-kdc?
(boolean/unset unset-field)
- "Should DNS SRV records should be used to locate the KDCs and other servers
+ "Should DNS SRV records should be used to locate the KDCs and other servers
not appearing in the realm specification")
(err-fmt
(string/unset unset-field)
- "Custom error message formatting. If not #f error messages will be formatted
-by substituting a normal error message for %M and an error code for %C in the
-value.")
+ "Custom error message formatting. If not #f error messages will be
+formatted by substituting a normal error message for %M and an error code for
+%C in the value.")
(forwardable?
(boolean/unset unset-field)
@@ -315,9 +315,9 @@ (define-configuration krb5-configuration
(ignore-acceptor-hostname?
(boolean/unset unset-field)
- "When accepting GSSAPI or krb5 security contexts for host-based service
-principals, ignore any hostname passed by the calling application, and allow
-clients to authenticate to any service principal in the keytab matching the
+ "When accepting GSSAPI or krb5 security contexts for host-based service
+principals, ignore any hostname passed by the calling application, and allow
+clients to authenticate to any service principal in the keytab matching the
service name and realm name.")
(k5login-authoritative?
@@ -327,23 +327,23 @@ (define-configuration krb5-configuration
(k5login-directory
(string/unset unset-field)
- "If not #f, the library will look for a local user's @file{k5login} file
-within the named directory (instead of the user's home directory), with a
-file name corresponding to the local user name.")
+ "If not #f, the library will look for a local user's @file{k5login} file
+within the named directory (instead of the user's home directory), with a file
+name corresponding to the local user name.")
(kcm-mach-service
(string/unset unset-field)
- "The name of the bootstrap service used to contact the KCM daemon for the
+ "The name of the bootstrap service used to contact the KCM daemon for the
KCM credential cache type.")
(kcm-socket
(file-name unset-field)
- "Path to the Unix domain socket used to access the KCM daemon for the KCM
+ "Path to the Unix domain socket used to access the KCM daemon for the KCM
credential cache type.")
(kdc-default-options
(non-negative-integer/unset unset-field)
- "Default KDC options (logored for multiple values) when requesting initial
+ "Default KDC options (logored for multiple values) when requesting initial
tickets.")
(kdc-timesync
@@ -352,17 +352,18 @@ (define-configuration krb5-configuration
(kdc-req-checksum-type
(non-negative-integer/unset unset-field)
- "The type of checksum to use for the KDC requests. Relevant only for DES
+ "The type of checksum to use for the KDC requests. Relevant only for DES
keys")
(noaddresses?
(boolean/unset unset-field)
- "If true, initial ticket requests will not be made with address restrictions.
-This enables their use across NATs.")
+ "If true, initial ticket requests will not be made with address
+restrictions. This enables their use across NATs.")
(permitted-enctypes
(space-separated-string-list/unset unset-field)
- "All encryption types that are permitted for use in session key encryption.")
+ "All encryption types that are permitted for use in session key
+encryption.")
(plugin-base-dir
(file-name unset-field)
@@ -370,8 +371,8 @@ (define-configuration krb5-configuration
(preferred-preauth-types
(comma-separated-integer-list/unset unset-field)
- "The preferred pre-authentication types which the client will attempt before
-others.")
+ "The preferred pre-authentication types which the client will attempt
+before others.")
(proxiable?
(boolean/unset unset-field)
@@ -379,12 +380,12 @@ (define-configuration krb5-configuration
(rdns?
(boolean/unset unset-field)
- "Should reverse DNS lookup be used in addition to forward name lookup to
+ "Should reverse DNS lookup be used in addition to forward name lookup to
canonicalize host names for use in service principal names.")
(realm-try-domains
(integer/unset unset-field)
- "Should a host's domain components should be used to determine the Kerberos
+ "Should a host's domain components should be used to determine the Kerberos
realm of the host.")
(renew-lifetime
@@ -401,13 +402,13 @@ (define-configuration krb5-configuration
(udp-preference-limit
(non-negative-integer/unset unset-field)
- "When sending messages to the KDC, the library will try using TCP
-before UDP if the size of the message greater than this limit.")
+ "When sending messages to the KDC, the library will try using TCP before
+UDP if the size of the message greater than this limit.")
(verify-ap-rereq-nofail?
(boolean/unset unset-field)
- "If true, then attempts to verify initial credentials will fail if the client
-machine does not have a keytab.")
+ "If true, then attempts to verify initial credentials will fail if the
+client machine does not have a keytab.")
(realms
(realm-list '())
--
2.48.1
Tomas Volf wrote on 13 Mar 15:19 -0700
[PATCH 8/8] services: krb5-service-type: Support launching KDC daemon.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
152c7158621d0b623dfa36365a80370f69b2e06a.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add krb5,
kdc-shepherd-service? fields.
(krb5-activation, krb5-shepherd-services): New procedures.
(krb5-service-type): Use them.

Change-Id: I091ae2a6ef25f5ce95123c29588749483954c2ac
---
doc/guix.texi | 12 ++++++-----
gnu/services/kerberos.scm | 43 ++++++++++++++++++++++++++++++++++++---
2 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 05c855c5ea..a58cf40b63 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32125,11 +32125,13 @@ Kerberos Services
@subsubheading Krb5 Service
-Programs using a Kerberos client library normally
-expect a configuration file in @file{/etc/krb5.conf}.
-This service generates such a file from a definition provided in the
-operating system declaration.
-It does not cause any daemon to be started.
+Programs using a Kerberos client library normally expect a configuration
+file in @file{/etc/krb5.conf}. This service generates such a file from
+a definition provided in the operating system declaration.
+
+When @code{kdc-shepherd-service?} is set to @code{#t}, a shepherd
+service for @acronym{KDC, Key Distribution Center} is created.
+Otherwise no daemons are started.
No ``keytab'' files are provided by this service---you must explicitly create them.
This service is known to work with the MIT client library, @code{mit-krb5}.
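Review bot: the new paragraph says a KDC shepherd service is created but not what the administrator still has to do: the service does not initialize the realm database or the master-key stash, so `krb5kdc` will not start until `kdb5_util create` has been run for the realm. A sentence to that effect, next to the existing note that keytabs are not provided, would save users a failed first boot of the service.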
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 1e826a1455..3d1ab01cb8 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -17,10 +17,13 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services kerberos)
+ #:use-module (gnu packages kerberos)
#:use-module (gnu services)
#:use-module (gnu services configuration)
+ #:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (guix gexp)
+ #:use-module (guix packages)
#:use-module (guix records)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-34)
@@ -416,7 +419,16 @@ (define-configuration krb5-configuration
(realms
(realm-list '())
- "The list of realms which clients may access."))
+ "The list of realms which clients may access.")
+
+ (krb5
+ (package mit-krb5)
+ "The package to use for @command{krb5kdc}.")
+
+ (kdc-shepherd-service?
+ (boolean #f)
+ "Whether to generate a shepherd service for the @acronym{KDC, Key
+Distribution Center} daemon." empty-serializer))
(define (krb5-configuration-file config)
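Review bot: `kdc-shepherd-service?` is marked `empty-serializer` but the new `krb5` field is not, so `krb5-configuration-file` will pass it to whatever serializer `define-configuration` picks for the `package` type; please confirm nothing is written into `krb5.conf` for it, or mark it `empty-serializer` as well for consistency.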
@@ -431,15 +443,40 @@ (define (krb5-configuration-file config)
(define (krb5-etc-service config)
(list `("krb5.conf" ,(krb5-configuration-file config))))
+(define (krb5-activation config)
+ (if (krb5-configuration-kdc-shepherd-service? config)
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/krb5kdc"))
+ #~#t))
+
+(define (krb5-shepherd-services config)
+ (match-record config <krb5-configuration>
+ (krb5 kdc-shepherd-service?)
+ (if kdc-shepherd-service?
+ (list
+ (shepherd-service
+ (documentation "Run a krb5kdc daemon.")
+ (provision '(krb5kdc))
+ (requirement '(user-processes))
+ (start #~(make-forkexec-constructor
+ '(#$(file-append krb5 "/sbin/krb5kdc") "-n")))
+ (stop #~(make-kill-destructor))))
+ '())))
+
(define krb5-service-type
(service-type (name 'krb5)
(extensions
(list (service-extension etc-service-type
- krb5-etc-service)))
+ krb5-etc-service)
+ (service-extension activation-service-type
+ krb5-activation)
+ (service-extension shepherd-root-service-type
+ krb5-shepherd-services)))
(description "Programs using a Kerberos client library
normally expect a configuration file in @file{/etc/krb5.conf}. This service
-generates such a file. It does not cause any daemon to be started.")))
+generates such a file and (optionally) a shepherd service to run a daemon.")))
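Review bot: `krb5-activation` creates `/var/krb5kdc` with `mkdir-p` and therefore with the default umask, but that directory will hold the principal database and the master-key stash file and should be readable by root only; follow the `mkdir-p` with `(chmod "/var/krb5kdc" #o700)` so an existing world-readable directory is tightened too. In `krb5-shepherd-services`, consider passing `#:log-file` to `make-forkexec-constructor` so the KDC's output is kept, and adding `networking` to `requirement` since the daemon binds its listeners on start.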
--
2.48.1
Tomas Volf wrote on 19 Mar 09:24 -0700
[PATCH v2 2/8] services: krb5-realm: Unify style of documentation strings.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
485a3d103e71d81c4502053bbe393042a91d4f02.1742401473.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Add trailing periods where missing.
Remove double space.

Change-Id: I5dc47326c598548075f13a5ec48c24a0886a9a69
---
gnu/services/kerberos.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index e93f4bc648..ee0deec2e4 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -215,7 +215,7 @@ (define-configuration krb5-realm
(default-domain
(string/unset unset-field)
"The domain used to expand host names when translating Kerberos 4 service
-principals to Kerberos 5 principals")
+principals to Kerberos 5 principals.")
(v4-instance-convert
(free-form-fields '())
@@ -223,8 +223,8 @@ (define-configuration krb5-realm
(v4-realm
(string/unset unset-field)
- "Used when the V4 realm name and the V5 realm name are not the same, but
-still share the same principal names and passwords"))
+ "Used when the V4 realm name and the V5 realm name are not the same, but
+still share the same principal names and passwords."))
--
2.48.1
Tomas Volf wrote on 19 Mar 09:24 -0700
[PATCH v2 3/8] services: krb5-realm: Add default-principal-flags field.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
369678163bb94b49a39ca88319e3292dd5498626.1742401473.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Add default-principal-flags field.
(serialize-comma-separated-string-list/unset, comma-separated-string-list?)
(comma-separated-string-list/unset?): New procedures.

Change-Id: Ie5f787ca0745dd6234ea4577b39a58d71e4fa6d2
---
gnu/services/kerberos.scm | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index ee0deec2e4..1a7cc5774a 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -107,6 +107,19 @@ (define (space-separated-string-list? val)
(define space-separated-string-list/unset?
(predicate/unset space-separated-string-list?))
+(define (serialize-comma-separated-string-list/unset field-name val)
+ (unless (eq? val unset-field)
+ (serialize-field* field-name (string-join val ","))))
+
+(define (comma-separated-string-list? val)
+ (and (list? val)
+ (and-map (lambda (x)
+ (and (string? x) (not (string-index x #\,))))
+ val)))
+
+(define comma-separated-string-list/unset?
+ (predicate/unset comma-separated-string-list?))
+
(define comma-separated-integer-list/unset?
(predicate/unset (lambda (val)
(and (list? val)
@@ -199,6 +212,13 @@ (define-configuration krb5-realm
(string/unset unset-field)
"The server where password changes are performed.")
+ (default-principal-flags
+ (comma-separated-string-list/unset unset-field)
+ "Specifies the default attributes of principals created in this realm. The
+format for this string is a list of strings, with '+' before each flag that
+should be enabled and '-' before each flag that should be disabled. See the
+manual page for details on available flags.")
+
(auth-to-local
(free-form-fields '())
"Rules to map between principals and local users.")
--
2.48.1
Tomas Volf wrote on 19 Mar 09:24 -0700
[PATCH v2 5/8] services: krb5-configuration: Unify style of documentation strings.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
61be58313ebc960e5aa3f87963668473fa4f1c52.1742401473.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add trailing periods where
missing. Add double space. Add @file.

Change-Id: Id2d985df1e55566cb62f7355c2e4f0ca7d9924f2
---
gnu/services/kerberos.scm | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 8ebcec3291..5ac3cd1830 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -302,11 +302,11 @@ (define-configuration krb5-configuration
(dns-lookup-kdc?
(boolean/unset unset-field)
"Should DNS SRV records should be used to locate the KDCs and other servers
-not appearing in the realm specification")
+not appearing in the realm specification.")
(err-fmt
(string/unset unset-field)
- "Custom error message formatting. If not #f error messages will be
+ "Custom error message formatting. If not #f error messages will be
formatted by substituting a normal error message for %M and an error code for
%C in the value.")
@@ -324,7 +324,7 @@ (define-configuration krb5-configuration
(k5login-authoritative?
(boolean/unset unset-field)
"If this flag is true, principals must be listed in a local user's k5login
-file to be granted login access, if a ~/.k5login file exists.")
+file to be granted login access, if a @file{~/.k5login} file exists.")
(k5login-directory
(string/unset unset-field)
@@ -353,8 +353,8 @@ (define-configuration krb5-configuration
(kdc-req-checksum-type
(non-negative-integer/unset unset-field)
- "The type of checksum to use for the KDC requests. Relevant only for DES
-keys")
+ "The type of checksum to use for the KDC requests. Relevant only for DES
+keys.")
(noaddresses?
(boolean/unset unset-field)
--
2.48.1
Tomas Volf wrote on 19 Mar 09:24 -0700
[PATCH v2 1/8] services: krb5-realm: Delete trailing whitespace.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
43cc10a6e9e4f8359465adcd73ba59e9404012ba.1742401473.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Delete trailing whitespace.

Change-Id: I3e92d53b0910660aeed318015841ec0ca8892430
---
v2: Add copyright.

gnu/services/kerberos.scm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index a6f540a9b6..e93f4bc648 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016 John Darrington <jmd@gnu.org>
+;;; Copyright © 2025 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -191,7 +192,7 @@ (define-configuration krb5-realm

(master-kdc
(string/unset unset-field)
- "If an attempt to get credentials fails because of an invalid password,
+ "If an attempt to get credentials fails because of an invalid password,
the client software will attempt to contact the master KDC.")

(kpasswd-server
--
2.48.1
Tomas Volf wrote on 19 Mar 09:24 -0700
[PATCH v2 6/8] services: krb5-configuration: Add dns-lookup-realm? field.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
eb5277c29df1aea4e5f5930452720dcfc7006210.1742401473.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add dns-lookup-realm? field.

Change-Id: Ibb92da1d4330b62225bdd9fd2a8573035f15f590
---
gnu/services/kerberos.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 5ac3cd1830..de85b43223 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -299,6 +299,10 @@ (define-configuration krb5-configuration
"Whether name lookups will be used to canonicalize host names for use in
service principal names.")
+ (dns-lookup-realm?
+ (boolean/unset unset-field)
+ "Should the Kerberos realm of a host be determined by DNS TXT records?")
+
(dns-lookup-kdc?
(boolean/unset unset-field)
"Should DNS SRV records should be used to locate the KDCs and other servers
--
2.48.1
Tomas Volf wrote on 19 Mar 09:24 -0700
[PATCH v2 7/8] services: kerberos: Fix order of definitions.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
0933aa1105d60f052915f78a2b5ae5e50966de41.1742401473.git.~@wolfsden.cz
Generating the configuration file would error out with an error stating:

Wrong type to apply: #<syntax-transformer krb5-realm?>

Moving the procedures below the respective define-configuration fixes that.

* gnu/services/kerberos.scm (realm-list?, serialize-realm-list): Move below
define-configuration for krb5-realm.

Change-Id: I6a520a92cdc3c42d3916cdf33d427dadc531e7d1
---
gnu/services/kerberos.scm | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index de85b43223..fcb0ac1ab4 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -170,23 +170,6 @@ (define (serialize-free-form-fields field-name val)
(define non-negative-integer/unset? (predicate/unset non-negative-integer?))
-(define (realm-list? val)
- (and (list? val)
- (and-map (lambda (x) (krb5-realm? x)) val)))
-
-(define (serialize-realm-list field-name val)
- (format #t "\n[~a]\n" field-name)
- (for-each (lambda (realm)
- (format #t "\n~a = {\n" (krb5-realm-name realm))
- (for-each (lambda (field)
- (unless (eq? 'name (configuration-field-name field))
- ((configuration-field-serializer field)
- (configuration-field-name field)
- ((configuration-field-getter field)
- realm)))) krb5-realm-fields)
-
- (format #t "}\n")) val))
-
;; For a more detailed explanation of these fields see man 5 krb5.conf
@@ -246,6 +229,23 @@ (define-configuration krb5-realm
"Used when the V4 realm name and the V5 realm name are not the same, but
still share the same principal names and passwords."))
+(define (realm-list? val)
+ (and (list? val)
+ (and-map (lambda (x) (krb5-realm? x)) val)))
+
+(define (serialize-realm-list field-name val)
+ (format #t "\n[~a]\n" field-name)
+ (for-each (lambda (realm)
+ (format #t "\n~a = {\n" (krb5-realm-name realm))
+ (for-each (lambda (field)
+ (unless (eq? 'name (configuration-field-name field))
+ ((configuration-field-serializer field)
+ (configuration-field-name field)
+ ((configuration-field-getter field)
+ realm)))) krb5-realm-fields)
+
+ (format #t "}\n")) val))
+
;; For a more detailed explanation of these fields see man 5 krb5.conf
--
2.48.1
Tomas Volf wrote on 19 Mar 09:24 -0700
[PATCH v2 4/8] services: krb5-configuration: Fix indentation.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
efea69894030077810410ceb39a4eb65113ba603.1742401473.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Adjust indentation and word
wrapping.

Change-Id: I629c106867e1d4d935b4bc33ae3489f4b0ee0bf5
---
gnu/services/kerberos.scm | 53 ++++++++++++++++++++-------------------
1 file changed, 27 insertions(+), 26 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 1a7cc5774a..8ebcec3291 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -296,19 +296,19 @@ (define-configuration krb5-configuration
(dns-canonicalize-hostname?
(boolean/unset unset-field)
- "Whether name lookups will be used to canonicalize host names for use in
+ "Whether name lookups will be used to canonicalize host names for use in
service principal names.")
(dns-lookup-kdc?
(boolean/unset unset-field)
- "Should DNS SRV records should be used to locate the KDCs and other servers
+ "Should DNS SRV records should be used to locate the KDCs and other servers
not appearing in the realm specification")
(err-fmt
(string/unset unset-field)
- "Custom error message formatting. If not #f error messages will be formatted
-by substituting a normal error message for %M and an error code for %C in the
-value.")
+ "Custom error message formatting. If not #f error messages will be
+formatted by substituting a normal error message for %M and an error code for
+%C in the value.")
(forwardable?
(boolean/unset unset-field)
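Review bot: the doubled "should" in `+ "Should DNS SRV records should be used to locate the KDCs and other servers` is carried over unchanged, and the string still ends without a full stop after "realm specification". This commit is limited to indentation and wrapping, so leaving them here is consistent with its scope; the wording fixes belong in the docstring-style commit of this series.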
@@ -316,9 +316,9 @@ (define-configuration krb5-configuration
(ignore-acceptor-hostname?
(boolean/unset unset-field)
- "When accepting GSSAPI or krb5 security contexts for host-based service
-principals, ignore any hostname passed by the calling application, and allow
-clients to authenticate to any service principal in the keytab matching the
+ "When accepting GSSAPI or krb5 security contexts for host-based service
+principals, ignore any hostname passed by the calling application, and allow
+clients to authenticate to any service principal in the keytab matching the
service name and realm name.")
(k5login-authoritative?
@@ -328,23 +328,23 @@ (define-configuration krb5-configuration
(k5login-directory
(string/unset unset-field)
- "If not #f, the library will look for a local user's @file{k5login} file
-within the named directory (instead of the user's home directory), with a
-file name corresponding to the local user name.")
+ "If not #f, the library will look for a local user's @file{k5login} file
+within the named directory (instead of the user's home directory), with a file
+name corresponding to the local user name.")
(kcm-mach-service
(string/unset unset-field)
- "The name of the bootstrap service used to contact the KCM daemon for the
+ "The name of the bootstrap service used to contact the KCM daemon for the
KCM credential cache type.")
(kcm-socket
(file-name unset-field)
- "Path to the Unix domain socket used to access the KCM daemon for the KCM
+ "Path to the Unix domain socket used to access the KCM daemon for the KCM
credential cache type.")
(kdc-default-options
(non-negative-integer/unset unset-field)
- "Default KDC options (logored for multiple values) when requesting initial
+ "Default KDC options (logored for multiple values) when requesting initial
tickets.")
(kdc-timesync
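Review bot: `+ "Default KDC options (logored for multiple values) when requesting initial` keeps "logored", which is not a word; the intent is that several option flags are bitwise ORed together. Suggest "(ORed together for multiple values)" when the docstrings are next reworded, since this commit only reflows text.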
@@ -353,17 +353,18 @@ (define-configuration krb5-configuration
(kdc-req-checksum-type
(non-negative-integer/unset unset-field)
- "The type of checksum to use for the KDC requests. Relevant only for DES
+ "The type of checksum to use for the KDC requests. Relevant only for DES
keys")
(noaddresses?
(boolean/unset unset-field)
- "If true, initial ticket requests will not be made with address restrictions.
-This enables their use across NATs.")
+ "If true, initial ticket requests will not be made with address
+restrictions. This enables their use across NATs.")
(permitted-enctypes
(space-separated-string-list/unset unset-field)
- "All encryption types that are permitted for use in session key encryption.")
+ "All encryption types that are permitted for use in session key
+encryption.")
(plugin-base-dir
(file-name unset-field)
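Review bot: the context line `keys")` leaves the `kdc-req-checksum-type` docstring without a terminating period, unlike the surrounding strings that this hunk reflows; a one-character fix in the docstring-style commit would keep them uniform.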
@@ -371,8 +372,8 @@ (define-configuration krb5-configuration
(preferred-preauth-types
(comma-separated-integer-list/unset unset-field)
- "The preferred pre-authentication types which the client will attempt before
-others.")
+ "The preferred pre-authentication types which the client will attempt
+before others.")
(proxiable?
(boolean/unset unset-field)
@@ -380,12 +381,12 @@ (define-configuration krb5-configuration
(rdns?
(boolean/unset unset-field)
- "Should reverse DNS lookup be used in addition to forward name lookup to
+ "Should reverse DNS lookup be used in addition to forward name lookup to
canonicalize host names for use in service principal names.")
(realm-try-domains
(integer/unset unset-field)
- "Should a host's domain components should be used to determine the Kerberos
+ "Should a host's domain components should be used to determine the Kerberos
realm of the host.")
(renew-lifetime
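Review bot: besides the doubled "should" in `+ "Should a host's domain components should be used to determine the Kerberos`, the docstring is phrased as a yes/no question while the field type on the line above is `integer/unset`. The value is a count of domain components to try, not a boolean, so the text should say so (for instance "Number of domain components of the host name to try when determining the Kerberos realm of the host"); a wording change, so for the docstring-style commit rather than this reflow.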
@@ -402,13 +403,13 @@ (define-configuration krb5-configuration
(udp-preference-limit
(non-negative-integer/unset unset-field)
- "When sending messages to the KDC, the library will try using TCP
-before UDP if the size of the message greater than this limit.")
+ "When sending messages to the KDC, the library will try using TCP before
+UDP if the size of the message greater than this limit.")
(verify-ap-rereq-nofail?
(boolean/unset unset-field)
- "If true, then attempts to verify initial credentials will fail if the client
-machine does not have a keytab.")
+ "If true, then attempts to verify initial credentials will fail if the
+client machine does not have a keytab.")
(realms
(realm-list '())
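Review bot: `+UDP if the size of the message greater than this limit.")` is missing "is" before "greater"; pre-existing, and outside the scope of a reflow-only commit, but worth picking up in the docstring-style commit.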
--
2.48.1
Tomas Volf wrote on 19 Mar 09:24 -0700
[PATCH v2 8/8] services: krb5-service-type: Support launching KDC daemon.
(address . 77001@debbugs.gnu.org)(name . Tomas Volf)(address . ~@wolfsden.cz)
518d2488c89ccaf12e0cb1d491b6d66c1bdde925.1742401473.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add krb5,
kdc-shepherd-service? fields.
(krb5-activation, krb5-shepherd-services): New procedures.
(krb5-service-type): Use them.

Change-Id: I091ae2a6ef25f5ce95123c29588749483954c2ac
---
doc/guix.texi | 12 ++++++-----
gnu/services/kerberos.scm | 43 ++++++++++++++++++++++++++++++++++++---
2 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index fe43ed2504..939683277b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32135,11 +32135,13 @@ Kerberos Services
@subsubheading Krb5 Service
-Programs using a Kerberos client library normally
-expect a configuration file in @file{/etc/krb5.conf}.
-This service generates such a file from a definition provided in the
-operating system declaration.
-It does not cause any daemon to be started.
+Programs using a Kerberos client library normally expect a configuration
+file in @file{/etc/krb5.conf}. This service generates such a file from
+a definition provided in the operating system declaration.
+
+When @code{kdc-shepherd-service?} is set to @code{#t}, a shepherd
+service for @acronym{KDC, Key Distribution Center} is created.
+Otherwise no daemons are started.
No ``keytab'' files are provided by this service---you must explicitly create them.
This service is known to work with the MIT client library, @code{mit-krb5}.
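Review bot: the new paragraph says a KDC service is created when `kdc-shepherd-service?` is `#t`, but it does not say what the KDC needs before it can run. The activation code in this patch only creates the `/var/krb5kdc` directory; it does not initialise the KDC principal database or master-key stash that `krb5kdc` reads from that directory, so the daemon will not be usable out of the box. Suggest extending the existing caveat, for example: "No ``keytab'' files are provided by this service, nor is the KDC database initialised---you must explicitly create them."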
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index fcb0ac1ab4..a721cf3be5 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -18,10 +18,13 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services kerberos)
+ #:use-module (gnu packages kerberos)
#:use-module (gnu services)
#:use-module (gnu services configuration)
+ #:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (guix gexp)
+ #:use-module (guix packages)
#:use-module (guix records)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-34)
@@ -417,7 +420,16 @@ (define-configuration krb5-configuration
(realms
(realm-list '())
- "The list of realms which clients may access."))
+ "The list of realms which clients may access.")
+
+ (krb5
+ (package mit-krb5)
+ "The package to use for @command{krb5kdc}.")
+
+ (kdc-shepherd-service?
+ (boolean #f)
+ "Whether to generate a shepherd service for the @acronym{KDC, Key
+Distribution Center} daemon." empty-serializer))
(define (krb5-configuration-file config)
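Review bot: the new `krb5` field has no `empty-serializer`, while the neighbouring `kdc-shepherd-service?` field does. Unless `(gnu services configuration)` guarantees a no-op serializer for the `package` type, the package would be written into the generated `krb5.conf`; either way, adding `empty-serializer` after `"The package to use for @command{krb5kdc}."` makes the intent explicit and keeps the two daemon-only fields consistent.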
@@ -432,15 +444,40 @@ (define (krb5-configuration-file config)
(define (krb5-etc-service config)
(list `("krb5.conf" ,(krb5-configuration-file config))))
+(define (krb5-activation config)
+ (if (krb5-configuration-kdc-shepherd-service? config)
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/krb5kdc"))
+ #~#t))
+
+(define (krb5-shepherd-services config)
+ (match-record config <krb5-configuration>
+ (krb5 kdc-shepherd-service?)
+ (if kdc-shepherd-service?
+ (list
+ (shepherd-service
+ (documentation "Run a krb5kdc daemon.")
+ (provision '(krb5kdc))
+ (requirement '(user-processes))
+ (start #~(make-forkexec-constructor
+ '(#$(file-append krb5 "/sbin/krb5kdc") "-n")))
+ (stop #~(make-kill-destructor))))
+ '())))
+
(define krb5-service-type
(service-type (name 'krb5)
(extensions
(list (service-extension etc-service-type
- krb5-etc-service)))
+ krb5-etc-service)
+ (service-extension activation-service-type
+ krb5-activation)
+ (service-extension shepherd-root-service-type
+ krb5-shepherd-services)))
(description "Programs using a Kerberos client library
normally expect a configuration file in @file{/etc/krb5.conf}. This service
-generates such a file. It does not cause any daemon to be started.")))
+generates such a file and (optionally) a shepherd service to run a daemon.")))
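Review bot: `(mkdir-p "/var/krb5kdc")` in `krb5-activation` creates the directory with whatever the activation umask allows, typically mode 755. That directory is where `krb5kdc` keeps the principal database and the master-key stash file, neither of which should be readable by other local users, so the activation should tighten it explicitly, e.g. `(mkdir-p "/var/krb5kdc")` followed by `(chmod "/var/krb5kdc" #o700)`. The `#~#t` fallback when the service is disabled is fine.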
--
2.48.1
Maxim Cournoyer wrote on 19 Mar 23:27 -0700
(name . Tomas Volf)(address . ~@wolfsden.cz)
877c4kp68b.fsf@gmail.com
Hi,

I'm reviewing mostly just the doc part, which is the team I'm subscribed
to.

Tomas Volf <~@wolfsden.cz> writes:

[...]

> +++ b/doc/guix.texi
> @@ -32135,11 +32135,13 @@ Kerberos Services
>
> @subsubheading Krb5 Service
>
> -Programs using a Kerberos client library normally
> -expect a configuration file in @file{/etc/krb5.conf}.
> -This service generates such a file from a definition provided in the
> -operating system declaration.
> -It does not cause any daemon to be started.
> +Programs using a Kerberos client library normally expect a configuration
> +file in @file{/etc/krb5.conf}. This service generates such a file from
> +a definition provided in the operating system declaration.
> +
> +When @code{kdc-shepherd-service?} is set to @code{#t}, a shepherd
> +service for @acronym{KDC, Key Distribution Center} is created.
> +Otherwise no daemons are started.

I'd reword to more simply: "Whether a Shepherd service for @acronym{KDC,
Key Distribution Center} should be created." I'd find it also more
useful if the option was named: 'key-distribution-center?'. That it is
implemented as a service is an abstraction detail that is less important
for the user than the feature provided, in my opinion.

> No ``keytab'' files are provided by this service---you must explicitly create them.
> This service is known to work with the MIT client library, @code{mit-krb5}.
> diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
> index fcb0ac1ab4..a721cf3be5 100644
> --- a/gnu/services/kerberos.scm
> +++ b/gnu/services/kerberos.scm
> @@ -18,10 +18,13 @@
> ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
>
> (define-module (gnu services kerberos)
> + #:use-module (gnu packages kerberos)
> #:use-module (gnu services)
> #:use-module (gnu services configuration)
> + #:use-module (gnu services shepherd)
> #:use-module (gnu system pam)
> #:use-module (guix gexp)
> + #:use-module (guix packages)
> #:use-module (guix records)
> #:use-module (srfi srfi-1)
> #:use-module (srfi srfi-34)
> @@ -417,7 +420,16 @@ (define-configuration krb5-configuration
>
> (realms
> (realm-list '())
> - "The list of realms which clients may access."))
> + "The list of realms which clients may access.")
> +
> + (krb5
> + (package mit-krb5)
> + "The package to use for @command{krb5kdc}.")

Maybe, "The package providing the @command{krb5kdc} command."

> +
> + (kdc-shepherd-service?
> + (boolean #f)
> + "Whether to generate a shepherd service for the @acronym{KDC, Key
> +Distribution Center} daemon." empty-serializer))
>
>
> (define (krb5-configuration-file config)
> @@ -432,15 +444,40 @@ (define (krb5-configuration-file config)
> (define (krb5-etc-service config)
> (list `("krb5.conf" ,(krb5-configuration-file config))))
>
> +(define (krb5-activation config)
> + (if (krb5-configuration-kdc-shepherd-service? config)
> + #~(begin
> + (use-modules (guix build utils))
> + (mkdir-p "/var/krb5kdc"))
> + #~#t))
> +
> +(define (krb5-shepherd-services config)
> + (match-record config <krb5-configuration>
> + (krb5 kdc-shepherd-service?)
> + (if kdc-shepherd-service?
> + (list
> + (shepherd-service
> + (documentation "Run a krb5kdc daemon.")
> + (provision '(krb5kdc))
> + (requirement '(user-processes))
> + (start #~(make-forkexec-constructor
> + '(#$(file-append krb5 "/sbin/krb5kdc") "-n")))
> + (stop #~(make-kill-destructor))))
> + '())))
> +
>
> (define krb5-service-type
> (service-type (name 'krb5)
> (extensions
> (list (service-extension etc-service-type
> - krb5-etc-service)))
> + krb5-etc-service)
> + (service-extension activation-service-type
> + krb5-activation)
> + (service-extension shepherd-root-service-type
> + krb5-shepherd-services)))
> (description "Programs using a Kerberos client library
> normally expect a configuration file in @file{/etc/krb5.conf}. This service
> -generates such a file. It does not cause any daemon to be started.")))
> +generates such a file and (optionally) a shepherd service to run a daemon.")))

s/shepherd/Shepherd/

Otherwise, LGTM for this 8/8 commit only.

Reviewed-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>

--
Thanks,
Maxim