[PATCH 0/8] Improve Kerberos support

Status: Open
Participants: Tomas Volf
Owner: unassigned
Submitted by: Tomas Volf
Severity: normal

Tomas Volf wrote 15 hours ago
To: guix-patches@gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: cover.1741904210.git.~@wolfsden.cz
Couple of style fixes and feature additions for krb5-service-type.

Tomas Volf (8):
services: krb5-realm: Delete trailing whitespace.
services: krb5-realm: Unify style of documentation strings.
services: krb5-realm: Add default-principal-flags field.
services: krb5-configuration: Fix indentation.
services: krb5-configuration: Unify style of documentation strings.
services: krb5-configuration: Add dns-lookup-realm? field.
services: kerberos: Fix order of definitions.
services: krb5-service-type: Support launching KDC daemon.

doc/guix.texi | 12 +--
gnu/services/kerberos.scm | 168 ++++++++++++++++++++++++++------------
2 files changed, 122 insertions(+), 58 deletions(-)

--
2.48.1
Tomas Volf wrote 15 hours ago
[PATCH 3/8] services: krb5-realm: Add default-principal-flags field.
To: 77001@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: 1c2db6ae3e19e1be60e3f6b3dcc5a460aeee9166.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Add default-principal-flags field.
(serialize-comma-separated-string-list/unset, comma-separated-string-list?)
(comma-separated-string-list/unset?): New procedures.

Change-Id: Ie5f787ca0745dd6234ea4577b39a58d71e4fa6d2
---
gnu/services/kerberos.scm | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index d3ac7ca8b9..61d3a323fb 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -106,6 +106,19 @@ (define (space-separated-string-list? val)
(define space-separated-string-list/unset?
(predicate/unset space-separated-string-list?))
+(define (serialize-comma-separated-string-list/unset field-name val)
+ (unless (eq? val unset-field)
+ (serialize-field* field-name (string-join val ","))))
+
+(define (comma-separated-string-list? val)
+ (and (list? val)
+ (and-map (lambda (x)
+ (and (string? x) (not (string-index x #\,))))
+ val)))
+
+(define comma-separated-string-list/unset?
+ (predicate/unset comma-separated-string-list?))
+
(define comma-separated-integer-list/unset?
(predicate/unset (lambda (val)
(and (list? val)
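Review bot: `comma-separated-string-list?` only rejects elements that contain a comma; it does not check for the `+`/`-` prefix that the `default-principal-flags` docstring in the next hunk says each flag must carry, so a value like `'("preauth")` passes validation and any mistake surfaces only when the KDC reads the generated file instead of at configuration time. Consider also requiring `(or (string-prefix? "+" x) (string-prefix? "-" x))` per element, and deciding what `'()` means: as written, `serialize-comma-separated-string-list/unset` would hand `serialize-field*` an empty string for it, so either treat the empty list as unset or reject it in the predicate.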
@@ -198,6 +211,13 @@ (define-configuration krb5-realm
(string/unset unset-field)
"The server where password changes are performed.")
+ (default-principal-flags
+ (comma-separated-string-list/unset unset-field)
+ "Specifies the default attributes of principals created in this realm. The
+format for this string is a list of strings, with '+' before each flag that
+should be enabled and '-' before each flag that should be disabled. See the
+manual page for details on available flags.")
+
(auth-to-local
(free-form-fields '())
"Rules to map between principals and local users.")
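Review bot: "See the manual page for details" should name the page. `default_principal_flags` is a `[realms]` relation of the KDC, documented in kdc.conf(5), while the comment heading this section points readers at krb5.conf(5). It is also worth saying that the setting is consumed by `krb5kdc`/`kadmind` when principals are created, not by the client library, so on a client-only host it is inert, and giving the value shape in the docstring, e.g. `'("+preauth" "-forwardable")`, because "a list of strings" is easy to misread as one comma-separated string.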
--
2.48.1
Tomas Volf wrote 15 hours ago
[PATCH 1/8] services: krb5-realm: Delete trailing whitespace.
To: 77001@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: eb10d6b54c3d9035e44a4775b3827476e386fceb.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Delete trailing whitespace.

Change-Id: I3e92d53b0910660aeed318015841ec0ca8892430
---
gnu/services/kerberos.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index a6f540a9b6..fd12b518e6 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -191,7 +191,7 @@ (define-configuration krb5-realm
(master-kdc
(string/unset unset-field)
- "If an attempt to get credentials fails because of an invalid password,
+ "If an attempt to get credentials fails because of an invalid password,
the client software will attempt to contact the master KDC.")
(kpasswd-server
--
2.48.1
Tomas Volf wrote 15 hours ago
[PATCH 2/8] services: krb5-realm: Unify style of documentation strings.
To: 77001@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: 552ab3e529a9c560bba7760e6a7e933c42eefc1f.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-realm): Add trailing periods where missing.
Remove double space.

Change-Id: I5dc47326c598548075f13a5ec48c24a0886a9a69
---
gnu/services/kerberos.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index fd12b518e6..d3ac7ca8b9 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -214,7 +214,7 @@ (define-configuration krb5-realm
(default-domain
(string/unset unset-field)
"The domain used to expand host names when translating Kerberos 4 service
-principals to Kerberos 5 principals")
+principals to Kerberos 5 principals.")
(v4-instance-convert
(free-form-fields '())
@@ -222,8 +222,8 @@ (define-configuration krb5-realm
(v4-realm
(string/unset unset-field)
- "Used when the V4 realm name and the V5 realm name are not the same, but
-still share the same principal names and passwords"))
+ "Used when the V4 realm name and the V5 realm name are not the same, but
+still share the same principal names and passwords."))
--
2.48.1
Tomas Volf wrote 15 hours ago
[PATCH 5/8] services: krb5-configuration: Unify style of documentation strings.
To: 77001@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: 33ae228456c08bffcd4e224332fab5d530b6247d.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add trailing periods where
missing. Add double space. Add @file.

Change-Id: Id2d985df1e55566cb62f7355c2e4f0ca7d9924f2
---
gnu/services/kerberos.scm | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 8d08a27365..f2f2adda88 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -301,11 +301,11 @@ (define-configuration krb5-configuration
(dns-lookup-kdc?
(boolean/unset unset-field)
"Should DNS SRV records should be used to locate the KDCs and other servers
-not appearing in the realm specification")
+not appearing in the realm specification.")
(err-fmt
(string/unset unset-field)
- "Custom error message formatting. If not #f error messages will be
+ "Custom error message formatting. If not #f error messages will be
formatted by substituting a normal error message for %M and an error code for
%C in the value.")
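Review bot: the doubled "should" in the `dns-lookup-kdc?` docstring ("Should DNS SRV records should be used") survives this rewrite; since the line is already being touched for the trailing period, drop the second "should". In the same hunk, `err-fmt` says "If not #f", but the field is `string/unset` and its default is `unset-field`, not `#f`, so "If set, error messages will be formatted ..." describes what the type actually does.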
@@ -323,7 +323,7 @@ (define-configuration krb5-configuration
(k5login-authoritative?
(boolean/unset unset-field)
"If this flag is true, principals must be listed in a local user's k5login
-file to be granted login access, if a ~/.k5login file exists.")
+file to be granted login access, if a @file{~/.k5login} file exists.")
(k5login-directory
(string/unset unset-field)
@@ -352,8 +352,8 @@ (define-configuration krb5-configuration
(kdc-req-checksum-type
(non-negative-integer/unset unset-field)
- "The type of checksum to use for the KDC requests. Relevant only for DES
-keys")
+ "The type of checksum to use for the KDC requests. Relevant only for DES
+keys.")
(noaddresses?
(boolean/unset unset-field)
--
2.48.1
Tomas Volf wrote 15 hours ago
[PATCH 6/8] services: krb5-configuration: Add dns-lookup-realm? field.
To: 77001@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: cbd528ac3479d744305e7c13c4303b5b0bde4cb6.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add dns-lookup-realm? field.

Change-Id: Ibb92da1d4330b62225bdd9fd2a8573035f15f590
---
gnu/services/kerberos.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index f2f2adda88..b423534ec2 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -298,6 +298,10 @@ (define-configuration krb5-configuration
"Whether name lookups will be used to canonicalize host names for use in
service principal names.")
+ (dns-lookup-realm?
+ (boolean/unset unset-field)
+ "Should the Kerberos realm of a host be determined by DNS TXT records?")
+
(dns-lookup-kdc?
(boolean/unset unset-field)
"Should DNS SRV records should be used to locate the KDCs and other servers
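Review bot: the `dns-lookup-realm?` docstring should carry a security caveat, not just a question. With this enabled the client takes the realm for a host from DNS TXT records, which are not authenticated unless the resolver validates DNSSEC, so whoever controls or spoofs DNS can steer the client to a realm (and KDC) of their choosing. Upstream MIT defaults `dns_lookup_realm` to false for that reason; saying so here, and phrasing the field like its neighbour ("Whether the Kerberos realm of a host should be determined by DNS TXT records. ..."), lets users make that trade-off deliberately instead of copying it from an example.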
--
2.48.1
Tomas Volf wrote 15 hours ago
[PATCH 7/8] services: kerberos: Fix order of definitions.
To: 77001@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: 90601b4b93e99be93b8ba0dde7fcb99c5ad10add.1741904210.git.~@wolfsden.cz
Generating the configuration file would error out with an error stating:

Wrong type to apply: #<syntax-transformer krb5-realm?>

Moving the procedures below the respective define-configuration fixes that.

* gnu/services/kerberos.scm (realm-list?, serialize-realm-list): Move below
define-configuration for krb5-realm.

Change-Id: I6a520a92cdc3c42d3916cdf33d427dadc531e7d1
---
gnu/services/kerberos.scm | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index b423534ec2..1e826a1455 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -169,23 +169,6 @@ (define (serialize-free-form-fields field-name val)
(define non-negative-integer/unset? (predicate/unset non-negative-integer?))
-(define (realm-list? val)
- (and (list? val)
- (and-map (lambda (x) (krb5-realm? x)) val)))
-
-(define (serialize-realm-list field-name val)
- (format #t "\n[~a]\n" field-name)
- (for-each (lambda (realm)
- (format #t "\n~a = {\n" (krb5-realm-name realm))
- (for-each (lambda (field)
- (unless (eq? 'name (configuration-field-name field))
- ((configuration-field-serializer field)
- (configuration-field-name field)
- ((configuration-field-getter field)
- realm)))) krb5-realm-fields)
-
- (format #t "}\n")) val))
-
;; For a more detailed explanation of these fields see man 5 krb5.conf
@@ -245,6 +228,23 @@ (define-configuration krb5-realm
"Used when the V4 realm name and the V5 realm name are not the same, but
still share the same principal names and passwords."))
+(define (realm-list? val)
+ (and (list? val)
+ (and-map (lambda (x) (krb5-realm? x)) val)))
+
+(define (serialize-realm-list field-name val)
+ (format #t "\n[~a]\n" field-name)
+ (for-each (lambda (realm)
+ (format #t "\n~a = {\n" (krb5-realm-name realm))
+ (for-each (lambda (field)
+ (unless (eq? 'name (configuration-field-name field))
+ ((configuration-field-serializer field)
+ (configuration-field-name field)
+ ((configuration-field-getter field)
+ realm)))) krb5-realm-fields)
+
+ (format #t "}\n")) val))
+
;; For a more detailed explanation of these fields see man 5 krb5.conf
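Review bot: the commit message could state why the wrapper `(lambda (x) (krb5-realm? x))` is kept rather than passing `krb5-realm?` to `and-map` directly: the error quoted in the message (`#<syntax-transformer krb5-realm?>`) shows the predicate is bound as syntax by the `define-configuration` form right above, so it only works in operator position after its definition, and a later cleanup may otherwise "simplify" the lambda away and reintroduce a failure. Minor: the blank line inside the `for-each` body, before `(format #t "}\n")`, is carried over from the old location and could be dropped while moving.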
--
2.48.1
Tomas Volf wrote 15 hours ago
[PATCH 4/8] services: krb5-configuration: Fix indentation.
To: 77001@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: 8ffc6bb37a477651fdd7011a69ad7cd90a50fb73.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Adjust indentation and word
wrapping.

Change-Id: I629c106867e1d4d935b4bc33ae3489f4b0ee0bf5
---
gnu/services/kerberos.scm | 53 ++++++++++++++++++++-------------------
1 file changed, 27 insertions(+), 26 deletions(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 61d3a323fb..8d08a27365 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -295,19 +295,19 @@ (define-configuration krb5-configuration
(dns-canonicalize-hostname?
(boolean/unset unset-field)
- "Whether name lookups will be used to canonicalize host names for use in
+ "Whether name lookups will be used to canonicalize host names for use in
service principal names.")
(dns-lookup-kdc?
(boolean/unset unset-field)
- "Should DNS SRV records should be used to locate the KDCs and other servers
+ "Should DNS SRV records should be used to locate the KDCs and other servers
not appearing in the realm specification")
(err-fmt
(string/unset unset-field)
- "Custom error message formatting. If not #f error messages will be formatted
-by substituting a normal error message for %M and an error code for %C in the
-value.")
+ "Custom error message formatting. If not #f error messages will be
+formatted by substituting a normal error message for %M and an error code for
+%C in the value.")
(forwardable?
(boolean/unset unset-field)
@@ -315,9 +315,9 @@ (define-configuration krb5-configuration
(ignore-acceptor-hostname?
(boolean/unset unset-field)
- "When accepting GSSAPI or krb5 security contexts for host-based service
-principals, ignore any hostname passed by the calling application, and allow
-clients to authenticate to any service principal in the keytab matching the
+ "When accepting GSSAPI or krb5 security contexts for host-based service
+principals, ignore any hostname passed by the calling application, and allow
+clients to authenticate to any service principal in the keytab matching the
service name and realm name.")
(k5login-authoritative?
@@ -327,23 +327,23 @@ (define-configuration krb5-configuration
(k5login-directory
(string/unset unset-field)
- "If not #f, the library will look for a local user's @file{k5login} file
-within the named directory (instead of the user's home directory), with a
-file name corresponding to the local user name.")
+ "If not #f, the library will look for a local user's @file{k5login} file
+within the named directory (instead of the user's home directory), with a file
+name corresponding to the local user name.")
(kcm-mach-service
(string/unset unset-field)
- "The name of the bootstrap service used to contact the KCM daemon for the
+ "The name of the bootstrap service used to contact the KCM daemon for the
KCM credential cache type.")
(kcm-socket
(file-name unset-field)
- "Path to the Unix domain socket used to access the KCM daemon for the KCM
+ "Path to the Unix domain socket used to access the KCM daemon for the KCM
credential cache type.")
(kdc-default-options
(non-negative-integer/unset unset-field)
- "Default KDC options (logored for multiple values) when requesting initial
+ "Default KDC options (logored for multiple values) when requesting initial
tickets.")
(kdc-timesync
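Review bot: `k5login-directory` says "If not #f, the library will look ..." but the field is `string/unset` defaulting to `unset-field`; `#f` is not a value the type accepts, so "If set, ..." (and the same fix for `err-fmt` in the first hunk of this patch) would describe the behaviour correctly. While these lines are being rewrapped, "logored" in the `kdc-default-options` docstring should read "bitwise OR-ed".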
@@ -352,17 +352,18 @@ (define-configuration krb5-configuration
(kdc-req-checksum-type
(non-negative-integer/unset unset-field)
- "The type of checksum to use for the KDC requests. Relevant only for DES
+ "The type of checksum to use for the KDC requests. Relevant only for DES
keys")
(noaddresses?
(boolean/unset unset-field)
- "If true, initial ticket requests will not be made with address restrictions.
-This enables their use across NATs.")
+ "If true, initial ticket requests will not be made with address
+restrictions. This enables their use across NATs.")
(permitted-enctypes
(space-separated-string-list/unset unset-field)
- "All encryption types that are permitted for use in session key encryption.")
+ "All encryption types that are permitted for use in session key
+encryption.")
(plugin-base-dir
(file-name unset-field)
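Review bot: `kdc-req-checksum-type` is documented as "Relevant only for DES keys"; upstream MIT removed single-DES support in release 1.18, so with the `mit-krb5` package this service targets the option is effectively dead. Rather than only rewrapping the sentence, consider saying so in the docstring, or dropping the field, so nobody reads it as a hint that DES keys are a supported configuration.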
@@ -370,8 +371,8 @@ (define-configuration krb5-configuration
(preferred-preauth-types
(comma-separated-integer-list/unset unset-field)
- "The preferred pre-authentication types which the client will attempt before
-others.")
+ "The preferred pre-authentication types which the client will attempt
+before others.")
(proxiable?
(boolean/unset unset-field)
@@ -379,12 +380,12 @@ (define-configuration krb5-configuration
(rdns?
(boolean/unset unset-field)
- "Should reverse DNS lookup be used in addition to forward name lookup to
+ "Should reverse DNS lookup be used in addition to forward name lookup to
canonicalize host names for use in service principal names.")
(realm-try-domains
(integer/unset unset-field)
- "Should a host's domain components should be used to determine the Kerberos
+ "Should a host's domain components should be used to determine the Kerberos
realm of the host.")
(renew-lifetime
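Review bot: `realm-try-domains` keeps the doubled "should" ("Should a host's domain components should be used") through the rewrap, and the docstring reads as a yes/no question although the field type is `integer/unset`. It is worth stating what the integer means, as the upstream page does: -1 never searches, 0 tries the host's own domain, 1 also tries the parent domain, and so on. A user who reads "should ... be used" will reach for `#t` and get a type error.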
@@ -401,13 +402,13 @@ (define-configuration krb5-configuration
(udp-preference-limit
(non-negative-integer/unset unset-field)
- "When sending messages to the KDC, the library will try using TCP
-before UDP if the size of the message greater than this limit.")
+ "When sending messages to the KDC, the library will try using TCP before
+UDP if the size of the message greater than this limit.")
(verify-ap-rereq-nofail?
(boolean/unset unset-field)
- "If true, then attempts to verify initial credentials will fail if the client
-machine does not have a keytab.")
+ "If true, then attempts to verify initial credentials will fail if the
+client machine does not have a keytab.")
(realms
(realm-list '())
--
2.48.1
Tomas Volf wrote 15 hours ago
[PATCH 8/8] services: krb5-service-type: Support launching KDC daemon.
To: 77001@debbugs.gnu.org
From: Tomas Volf <~@wolfsden.cz>
Message-ID: 152c7158621d0b623dfa36365a80370f69b2e06a.1741904210.git.~@wolfsden.cz
* gnu/services/kerberos.scm (krb5-configuration): Add krb5,
kdc-shepherd-service? fields.
(krb5-activation, krb5-shepherd-services): New procedures.
(krb5-service-type): Use them.

Change-Id: I091ae2a6ef25f5ce95123c29588749483954c2ac
---
doc/guix.texi | 12 ++++++-----
gnu/services/kerberos.scm | 43 ++++++++++++++++++++++++++++++++++++---
2 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 05c855c5ea..a58cf40b63 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32125,11 +32125,13 @@ Kerberos Services
@subsubheading Krb5 Service
-Programs using a Kerberos client library normally
-expect a configuration file in @file{/etc/krb5.conf}.
-This service generates such a file from a definition provided in the
-operating system declaration.
-It does not cause any daemon to be started.
+Programs using a Kerberos client library normally expect a configuration
+file in @file{/etc/krb5.conf}. This service generates such a file from
+a definition provided in the operating system declaration.
+
+When @code{kdc-shepherd-service?} is set to @code{#t}, a shepherd
+service for @acronym{KDC, Key Distribution Center} is created.
+Otherwise no daemons are started.
No ``keytab'' files are provided by this service---you must explicitly create them.
This service is known to work with the MIT client library, @code{mit-krb5}.
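Review bot: the new paragraph says a shepherd service for the KDC is created but not what the KDC needs that this service does not provide. The activation hunk below only creates the `/var/krb5kdc` directory, so there is no principal database, master-key stash, `kdc.conf` or ACL file, and `krb5kdc` has nothing to serve until the administrator runs `kdb5_util create -s` (and sets up `kadmind` separately if wanted). A sentence next to the existing "No keytab files are provided" caveat would set expectations for anyone who flips `kdc-shepherd-service?` on and then watches the daemon fail.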
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 1e826a1455..3d1ab01cb8 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -17,10 +17,13 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services kerberos)
+ #:use-module (gnu packages kerberos)
#:use-module (gnu services)
#:use-module (gnu services configuration)
+ #:use-module (gnu services shepherd)
#:use-module (gnu system pam)
#:use-module (guix gexp)
+ #:use-module (guix packages)
#:use-module (guix records)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-34)
@@ -416,7 +419,16 @@ (define-configuration krb5-configuration
(realms
(realm-list '())
- "The list of realms which clients may access."))
+ "The list of realms which clients may access.")
+
+ (krb5
+ (package mit-krb5)
+ "The package to use for @command{krb5kdc}.")
+
+ (kdc-shepherd-service?
+ (boolean #f)
+ "Whether to generate a shepherd service for the @acronym{KDC, Key
+Distribution Center} daemon." empty-serializer))
(define (krb5-configuration-file config)
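Review bot: `krb5` is the only field in this record without an explicit serializer decision: `kdc-shepherd-service?` gets `empty-serializer`, but `krb5` does not, and `krb5-configuration-file` serializes every field into `/etc/krb5.conf`. Whether a package value stays out of the generated file then depends on a generic `serialize-package` provided by (gnu services configuration); marking this field `empty-serializer` as well makes the intent explicit and keeps the file format independent of that helper.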
@@ -431,15 +443,40 @@ (define (krb5-configuration-file config)
(define (krb5-etc-service config)
(list `("krb5.conf" ,(krb5-configuration-file config))))
+(define (krb5-activation config)
+ (if (krb5-configuration-kdc-shepherd-service? config)
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/krb5kdc"))
+ #~#t))
+
+(define (krb5-shepherd-services config)
+ (match-record config <krb5-configuration>
+ (krb5 kdc-shepherd-service?)
+ (if kdc-shepherd-service?
+ (list
+ (shepherd-service
+ (documentation "Run a krb5kdc daemon.")
+ (provision '(krb5kdc))
+ (requirement '(user-processes))
+ (start #~(make-forkexec-constructor
+ '(#$(file-append krb5 "/sbin/krb5kdc") "-n")))
+ (stop #~(make-kill-destructor))))
+ '())))
+
(define krb5-service-type
(service-type (name 'krb5)
(extensions
(list (service-extension etc-service-type
- krb5-etc-service)))
+ krb5-etc-service)
+ (service-extension activation-service-type
+ krb5-activation)
+ (service-extension shepherd-root-service-type
+ krb5-shepherd-services)))
(description "Programs using a Kerberos client library
normally expect a configuration file in @file{/etc/krb5.conf}. This service
-generates such a file. It does not cause any daemon to be started.")))
+generates such a file and (optionally) a shepherd service to run a daemon.")))
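Review bot: `krb5-activation` creates `/var/krb5kdc` with `mkdir-p` and the default mode, but that directory is where the principal database and the master-key stash end up, so it should be root-only: add `(chmod "/var/krb5kdc" #o700)` after the `mkdir-p`. Two smaller points on the shepherd service: `krb5kdc` listens on the network, so `(requirement '(user-processes))` should also include `networking` (or at least `loopback`), and passing `#:log-file` to `make-forkexec-constructor` would give the KDC its own log file, which is the thing an operator needs to audit. The `-n` flag is right for shepherd (run in the foreground, do not daemonize).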
--
2.48.1
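A configuration that exercises the fields this series adds (`default-principal-flags`, `dns-lookup-realm?`, `kdc-shepherd-service?`), as an added example that is not part of the patches or of Guix itself. `default-realm` and the realm's `name`, `admin-server` and `kdc` fields come from the existing Guix `krb5-configuration`/`krb5-realm` records and are not shown on this page; `EXAMPLE.ORG` and `kdc.example.org` are placeholders.

```scheme
;; Added example, not code from the patch series.  Fields not shown on the
;; page (default-realm, name, admin-server, kdc) come from the existing Guix
;; krb5-service-type; EXAMPLE.ORG and kdc.example.org are placeholders.
(use-modules (gnu)
             (gnu services kerberos))

(define %kerberos-service
  (service krb5-service-type
           (krb5-configuration
            (default-realm "EXAMPLE.ORG")
            ;; Realm discovery through DNS TXT records trusts whatever the
            ;; resolver returns.  Keep it off (the upstream default) and name
            ;; the realm explicitly below.  The risky variant would be:
            ;;   (dns-lookup-realm? #t)
            (dns-lookup-realm? #f)
            ;; Likewise for KDC discovery: list the KDC in the realm instead
            ;; of taking it from SRV records.
            (dns-lookup-kdc? #f)
            (realms
             (list (krb5-realm
                    (name "EXAMPLE.ORG")
                    (admin-server "kdc.example.org")
                    (kdc "kdc.example.org")
                    ;; Added by patch 3/8: principals created in this realm
                    ;; require pre-authentication by default, so an AS-REQ
                    ;; for a user no longer yields material for offline
                    ;; password guessing.
                    (default-principal-flags '("+preauth")))))
            ;; Added by patch 8/8: run krb5kdc on this host under shepherd.
            ;; The service creates only /var/krb5kdc; the principal database
            ;; and master-key stash must still be created by hand, e.g.
            ;;   kdb5_util create -s
            (kdc-shepherd-service? #t))))

;; Plug it into the operating-system declaration, e.g.
;;   (services (cons %kerberos-service %base-services))
```

The same declaration with `kdc-shepherd-service? #f` (the default) is a pure client configuration: the `[realms]` entry and `default-principal-flags` are still written to `/etc/krb5.conf`, but the flags only matter on the host that runs the KDC and creates principals.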