GNU bug report logs - #67555
[PATCH 0/2] Add Heimdal Kerberos system services.


Package: guix-patches; Reported by: Felix Lechner <felix.lechner@HIDDEN>; Keywords: patch; dated Fri, 1 Dec 2023 00:44:01 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 67555 <at> debbugs.gnu.org:


Message-ID: <938be86c-3269-4bb1-b6f9-6e4732d6515d@HIDDEN>
Date: Sat, 16 Dec 2023 21:35:16 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [bug#67555] [PATCH 2/2] services: kerberos/heimdal.scm: New file, 
 add Heimdal Kerberos services.
Content-Language: en-US
To: Felix Lechner <felix.lechner@HIDDEN>
References: <cover.1701390969.git.felix.lechner@HIDDEN>
 <b0b0e3ebe07b86a83295bce34a81a71daba2fd89.1701390970.git.felix.lechner@HIDDEN>
From: Bruno Victal <mirai@HIDDEN>
In-Reply-To: <b0b0e3ebe07b86a83295bce34a81a71daba2fd89.1701390970.git.felix.lechner@HIDDEN>

Hi Felix,

On 2023-12-01 00:45, Felix Lechner wrote:
> +  (ports
> +   (list-of-strings '())
> +   "Ports to listen on.")

I'd prefer to use a list of exact-integers. (*)
Hint: you can use the procedures in (gnu services configuration)
to define this predicate with (list-of exact-integer?).

> +  (disable-des?
> +   (boolean #f)
> +   "Disable all DES encryption types."))

I'd avoid the double negative here, i.e. by naming this enable-des?.
Another note, how about defaulting to disabled DES support
to discourage its use?

> +     (start #~(make-forkexec-constructor
> +               (list #$(file-append heimdal "/libexec/kdc")
> +                     #$@(if (maybe-value-set? config-file)
> +                            `(,(string-append "--config-file=3D" (mayb=
e-value config-file)))
> +                            '())

Simply do:
`(,(string-append "--config-file=" config-file))

You don't need to use 'maybe-value' to extract the value if
you've already tested it with 'maybe-value-set?'.
> +               #:log-file "/var/log/kdc-shepherd"))

I'd make this configurable in <heimdal-kdc-configuration>.

> +  (ports
> +   (list-of-strings '())
> +   "Ports to listen on."))

See (*).

> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright =C2=A9 2017 Peter Mikkelsen <petermikkelsen10@HIDDEN>=

> +;;; Copyright =C2=A9 2022 Bruno Victal <mirai@HIDDEN>

Copy-paste leftovers perhaps? 😅

> new file mode 100644
> index 0000000000..b6424ace9e
> --- /dev/null
> +++ b/gnu/tests/heimdal-kdc.scm

How about merging these tests under a single gnu/tests/krb-heimdal.scm
instead of splitting them as gnu/tests/heimdal-kadmind.scm and
gnu/tests/heimdal-kadmind.scm?

If you're up for it I'd love to see one more test (might
involve multiple VMs) that actually tests the kerberos integration.
(i.e. performs an actual kerberos test)
That way we could be at least sure that there's a working kerberos
setup that we can use as a reference point for documentation/cookbooks.

My 2¢!

-- 
Furthermore, I consider that nonfree software must be eradicated.

Cheers,
Bruno.






Information forwarded to guix-patches@HIDDEN:
bug#67555; Package guix-patches. Full text available.

Message received at 67555 <at> debbugs.gnu.org:


Message-ID: <4fb9c9ae-5079-29f5-0e14-cecfb14c9428@HIDDEN>
Date: Fri, 15 Dec 2023 18:01:00 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.15.0
To: 67555 <at> debbugs.gnu.org
Content-Language: de-DE, en-US
From: Jonathan Brielmaier <jonathan.brielmaier@HIDDEN>
Subject: [PATCH 0/2] Add Heimdal Kerberos system services.
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi Felix,

you could do the commit message like the following.

```
[PATCH 2/2] services: Add Heimdal Kerberos services.

* gnu/services/kerberos.scm: Define deprecation variables for previous
krb5 configuration.
* gnu/services/kerberos/heimdal.scm: New file.
* gnu/tests/heimdal-kadmind.scm: New file.
* gnu/tests/heimdal-kdc.scm: New file.
* doc/guix.texi (Kerberos Services): Adapt documentation and add
sub-sections for Heimdal key distribution service and Heimdal admin service.
* gnu/local.mk (GNU_SYSTEM_MODULES): register new files.
```

Thumbs-up for providing tests :)

~Jonathan





Message received at 67555 <at> debbugs.gnu.org:


From: Felix Lechner <felix.lechner@HIDDEN>
To: 67555 <at> debbugs.gnu.org
Subject: [PATCH 2/2] services: kerberos/heimdal.scm: New file,
 add Heimdal Kerberos services.
Date: Thu, 30 Nov 2023 16:45:12 -0800
Message-ID: <b0b0e3ebe07b86a83295bce34a81a71daba2fd89.1701390970.git.felix.lechner@HIDDEN>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <cover.1701390969.git.felix.lechner@HIDDEN>
References: <cover.1701390969.git.felix.lechner@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Includes detailed documentation and two system tests.

Change-Id: I7b3a9da1340b559f1db8a8156581e73b918cfb78
---
 doc/guix.texi                     | 101 +++++++++++++++-
 gnu/local.mk                      |   3 +
 gnu/services/kerberos.scm         | 120 ++++++++++++++++++-
 gnu/services/kerberos/heimdal.scm | 189 ++++++++++++++++++++++++++++++
 gnu/tests/heimdal-kadmind.scm     |  71 +++++++++++
 gnu/tests/heimdal-kdc.scm         |  71 +++++++++++
 6 files changed, 551 insertions(+), 4 deletions(-)
 create mode 100644 gnu/services/kerberos/heimdal.scm
 create mode 100644 gnu/tests/heimdal-kadmind.scm
 create mode 100644 gnu/tests/heimdal-kdc.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a5119d2058..ecb85771ad 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -29979,7 +29979,8 @@ Kerberos Services
 Other implementations have not been tested.
 
 @defvar krb5-association-service-type
-A service type for Kerberos 5 clients.
+A service type for Kerberos 5 clients. This service type was previously
+named @code{krb5-service-type}.
 @end defvar
 
 @noindent
@@ -30037,6 +30038,8 @@ Kerberos Services
 
 @deftp {Data Type} krb5-association-configuration
 
+This configuration record was previously named @code{krb5-configuration}.
+
 @table @asis
 @item @code{allow-weak-crypto?} (default: @code{#f})
 If this flag is @code{#t} then services which only offer encryption algorithms
@@ -30059,6 +30062,102 @@ Kerberos Services
 @end deftp
 
 
+@subsubheading Heimdal Key Distribution (Kdc) Service
+
+The @code{(gnu services kerberos heimdal)} module provides services
+related to the @dfn{Heimdal} implementation for the authentication
+protocol @dfn{Kerberos}.
+
+This service starts the @dfn{Kerberos Key Distribution Center}
+server. The server will remain running.
+
+Kerberos client programs can obtain the location of this server from a
+configuration file at @file{/etc/krb5.conf}. You may wish to create that
+file separately via the @code{krb5-association-service-type}.
+
+@c %start of fragment
+@deftp {Data Type} heimdal-kdc-configuration
+Available @code{heimdal-kdc-configuration} fields are:
+
+@table @asis
+@item @code{heimdal} (default: @code{heimdal}) (type: file-like)
+The heimdal package to use.
+
+@item @code{config-file} (type: maybe-string)
+Configuration file for Heimdal KDC server.
+
+@item @code{require-preauth?} (default: @code{#t}) (type: boolean)
+Require pre-authentication in the initial AS-REQ for all principals.
+
+@item @code{max-request-size} (type: maybe-non-negative-integer)
+Maximum size of requests the server is willing to handle.
+
+@item @code{enable-http?} (default: @code{#f}) (type: boolean)
+Listen on port 80 and handle requests encapsulated in HTTP.
+
+@item @code{v4-realm} (type: maybe-string)
+Realm for version 4 requests.
+
+@item @code{ports} (default: @code{()}) (type: list-of-strings)
+Ports to listen on.
+
+@item @code{addresses} (default: @code{()}) (type: list-of-strings)
+Addresses to listen on.
+
+@item @code{disable-des?} (default: @code{#f}) (type: boolean)
+Disable all DES encryption types.
+
+@end table
+
+@end deftp
+@c %end of fragment
+
+
+@subsubheading Heimdal Admin (Kadmind) Service
+
+The @code{(gnu services kerberos heimdal)} module provides services
+related to the @dfn{Heimdal} implementation for the authentication
+protocol @dfn{Kerberos}.
+
+This service starts the @dfn{Kerberos Administration} server. The server
+will remain running.
+
+Kerberos client programs can obtain the location of the server from a
+configuration file at @file{/etc/krb5.conf}. You may wish to create that
+file separately via the @code{krb5-association-service-type}.
+
+@c %start of fragment
+@deftp {Data Type} heimdal-kadmind-configuration
+Available @code{heimdal-kadmind-configuration} fields are:
+
+@table @asis
+@item @code{heimdal} (default: @code{heimdal}) (type: file-like)
+The heimdal package to use.
+
+@item @code{config-file} (type: maybe-string)
+Configuration file for Heimdal Kadmind server.
+
+@item @code{key-file} (type: maybe-string)
+Location of master key file.
+
+@item @code{keytab} (type: maybe-string)
+Kerberos keytab to use.
+
+@item @code{realm} (type: maybe-string)
+Kerberos realm to serve.
+
+@item @code{debug?} (default: @code{#f}) (type: boolean)
+Enable debugging.
+
+@item @code{ports} (default: @code{()}) (type: list-of-strings)
+Ports to listen on.
+
+@end table
+
+@end deftp
+@c %end of fragment
+
+
 @subsubheading PAM krb5 Service
 @cindex pam-krb5
 
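Review bot: The `ports` and `addresses` entries in both new tables do not say what a list element looks like (a bare number, a number with a protocol suffix, a service name) or what the daemon listens on when the list is left at its default of `()`; please document the expected format and the effective default. The `disable-des?` entry should also say plainly that, with its default of `#f`, this option does not turn DES off. Two smaller points: the KDC and kadmind subsections repeat the same introductory paragraph about the `(gnu services kerberos heimdal)` module, which could be stated once, and the heading writes "Kdc" while the field text writes "KDC".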
diff --git a/gnu/local.mk b/gnu/local.mk
index a82372527e..64cda5b8b6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -695,6 +695,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/services/guix.scm			\
   %D%/services/hurd.scm				\
   %D%/services/kerberos.scm			\
+  %D%/services/kerberos/heimdal.scm		\
   %D%/services/ldap.scm		      		\
   %D%/services/lightdm.scm      		\
   %D%/services/linux.scm			\
@@ -790,6 +791,8 @@ GNU_SYSTEM_MODULES =				\
   %D%/tests/ganeti.scm				\
   %D%/tests/gdm.scm				\
   %D%/tests/guix.scm				\
+  %D%/tests/heimdal-kadmind.scm			\
+  %D%/tests/heimdal-kdc.scm			\
   %D%/tests/monitoring.scm                      \
   %D%/tests/nfs.scm				\
   %D%/tests/image.scm				\
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index ec9b6c10b5..432f205904 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -421,9 +421,123 @@ (define krb5-association-service-type
 normally expect a configuration file in @file{/etc/krb5.conf}.  This service
 generates such a file.  It does not cause any daemon to be started.")))
 
-(define-deprecated krb-configuration krb5-association-configuration)
-(define-deprecated krb-configuration? krb5-association-configuration?)
-(define-deprecated krb-service-type krb5-association-service-type)
+(define-deprecated krb5-service-type krb5-association-service-type)
+
+(define-deprecated/public-alias
+  krb5-configuration
+  krb5-association-configuration)
+(define-deprecated/public-alias
+  krb5-configuration?
+  krb5-association-configuration?)
+
+(define-deprecated/public-alias
+  krb5-configuration-allow-weak-crypto?
+  krb5-association-configuration-allow-weak-crypto?)
+(define-deprecated/public-alias
+  krb5-configuration-ap-req-checksum-type
+  krb5-association-configuration-ap-req-checksum-type)
+(define-deprecated/public-alias
+  krb5-configuration-canonicalize?
+  krb5-association-configuration-canonicalize?)
+(define-deprecated/public-alias
+  krb5-configuration-ccache-type
+  krb5-association-configuration-ccache-type)
+(define-deprecated/public-alias
+  krb5-configuration-clockskew
+  krb5-association-configuration-clockskew)
+(define-deprecated/public-alias
+  krb5-configuration-default-ccache-name
+  krb5-association-configuration-default-ccache-name)
+(define-deprecated/public-alias
+  krb5-configuration-default-client-keytab-name
+  krb5-association-configuration-default-client-keytab-name)
+(define-deprecated/public-alias
+  krb5-configuration-default-keytab-name
+  krb5-association-configuration-default-keytab-name)
+(define-deprecated/public-alias
+  krb5-configuration-default-realm
+  krb5-association-configuration-default-realm)
+(define-deprecated/public-alias
+  krb5-configuration-default-tgs-enctypes
+  krb5-association-configuration-default-tgs-enctypes)
+(define-deprecated/public-alias
+  krb5-configuration-default-tkt-enctypes
+  krb5-association-configuration-default-tkt-enctypes)
+(define-deprecated/public-alias
+  krb5-configuration-dns-canonicalize-hostname?
+  krb5-association-configuration-dns-canonicalize-hostname?)
+(define-deprecated/public-alias
+  krb5-configuration-dns-lookup-kdc?
+  krb5-association-configuration-dns-lookup-kdc?)
+(define-deprecated/public-alias
+  krb5-configuration-err-fmt
+  krb5-association-configuration-err-fmt)
+(define-deprecated/public-alias
+  krb5-configuration-forwardable?
+  krb5-association-configuration-forwardable?)
+(define-deprecated/public-alias
+  krb5-configuration-ignore-acceptor-hostname?
+  krb5-association-configuration-ignore-acceptor-hostname?)
+(define-deprecated/public-alias
+  krb5-configuration-k5login-authoritative?
+  krb5-association-configuration-k5login-authoritative?)
+(define-deprecated/public-alias
+  krb5-configuration-k5login-directory
+  krb5-association-configuration-k5login-directory)
+(define-deprecated/public-alias
+  krb5-configuration-kcm-mach-service
+  krb5-association-configuration-kcm-mach-service)
+(define-deprecated/public-alias
+  krb5-configuration-kcm-socket
+  krb5-association-configuration-kcm-socket)
+(define-deprecated/public-alias
+  krb5-configuration-kdc-default-options
+  krb5-association-configuration-kdc-default-options)
+(define-deprecated/public-alias
+  krb5-configuration-kdc-timesync
+  krb5-association-configuration-kdc-timesync)
+(define-deprecated/public-alias
+  krb5-configuration-kdc-req-checksum-type
+  krb5-association-configuration-kdc-req-checksum-type)
+(define-deprecated/public-alias
+  krb5-configuration-noaddresses?
+  krb5-association-configuration-noaddresses?)
+(define-deprecated/public-alias
+  krb5-configuration-permitted-enctypes
+  krb5-association-configuration-permitted-enctypes)
+(define-deprecated/public-alias
+  krb5-configuration-plugin-base-dir
+  krb5-association-configuration-plugin-base-dir)
+(define-deprecated/public-alias
+  krb5-configuration-preferred-preauth-types
+  krb5-association-configuration-preferred-preauth-types)
+(define-deprecated/public-alias
+  krb5-configuration-proxiable?
+  krb5-association-configuration-proxiable?)
+(define-deprecated/public-alias
+  krb5-configuration-rdns?
+  krb5-association-configuration-rdns?)
+(define-deprecated/public-alias
+  krb5-configuration-realm-try-domains
+  krb5-association-configuration-realm-try-domains)
+(define-deprecated/public-alias
+  krb5-configuration-renew-lifetime
+  krb5-association-configuration-renew-lifetime)
+(define-deprecated/public-alias
+  krb5-configuration-safe-checksum-type
+  krb5-association-configuration-safe-checksum-type)
+(define-deprecated/public-alias
+  krb5-configuration-ticket-lifetime
+  krb5-association-configuration-ticket-lifetime)
+(define-deprecated/public-alias
+  krb5-configuration-udp-preference-limit
+  krb5-association-configuration-udp-preference-limit)
+(define-deprecated/public-alias
+  krb5-configuration-verify-ap-rereq-nofail?
+  krb5-association-configuration-verify-ap-rereq-nofail?)
+(define-deprecated/public-alias
+  krb5-configuration-realms
+  krb5-association-configuration-realms)
 
 
 
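Review bot: The three removed lines define `krb-configuration`, `krb-configuration?` and `krb-service-type`, while the replacements are all spelled `krb5-…`, so the `krb-` names disappear with no deprecation path. If they were typos from the earlier patch, the commit message should say so; otherwise they should stay as aliases next to the new ones. Also, `krb5-service-type` is declared with `define-deprecated` while every other old name uses `define-deprecated/public-alias`; please check that the old service-type name is still exported, or use the same form for it so existing configurations keep loading with a warning.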
diff --git a/gnu/services/kerberos/heimdal.scm b/gnu/services/kerberos/heimdal.scm
new file mode 100644
index 0000000000..0dc17f6315
--- /dev/null
+++ b/gnu/services/kerberos/heimdal.scm
@@ -0,0 +1,189 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2023 Felix Lechner <felix.lechner@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services kerberos heimdal)
+  #:use-module (gnu packages kerberos)
+  #:use-module (gnu services)
+  #:use-module (gnu services configuration)
+  #:use-module (gnu services shepherd)
+  #:use-module (guix gexp)
+  #:use-module (guix records)
+  #:use-module (ice-9 match)
+  #:export (heimdal-kdc-configuration
+            heimdal-kdc-service-type
+            heimdal-kadmind-configuration
+            heimdal-kadmind-service-type))
+
+
+;;;
+;;; Heimdal Kdc
+;;;
+
+(define-maybe/no-serialization string)
+
+(define (non-negative-integer? val)
+  (and (exact-integer? val) (not (negative? val))))
+
+(define-maybe/no-serialization non-negative-integer)
+
+(define-configuration/no-serialization heimdal-kdc-configuration
+  (heimdal
+   (file-like heimdal)
+   "The heimdal package to use.")
+  (config-file
+   maybe-string
+   "Configuration file for Heimdal KDC server.")
+  (require-preauth?
+   (boolean #t)
+   "Require pre-authentication in the initial AS-REQ for all principals.")
+  (max-request-size
+   maybe-non-negative-integer
+   "Maximum size of requests the server is willing to handle.")
+  (enable-http?
+   (boolean #f)
+   "Listen on port 80 and handle requests encapsulated in HTTP.")
+  (v4-realm
+   maybe-string
+   "Realm for version 4 requests.")
+  (ports
+   (list-of-strings '())
+   "Ports to listen on.")
+  (addresses
+   (list-of-strings '())
+   "Addresses to listen on.")
+  (disable-des?
+   (boolean #f)
+   "Disable all DES encryption types."))
+
+(define (heimdal-kdc-shepherd-service config)
+  "Return a <shepherd-service> for Heimdal's kdc for CONFIG."
+  (match-record config
+      <heimdal-kdc-configuration> (heimdal config-file require-preauth?
+                                           max-request-size enable-http?
+                                           v4-realm ports addresses
+                                           disable-des?)
+    (shepherd-service
+     (documentation "Run the Heimdal Kerberos KDC daemon (heimdal-kdc).")
+     (provision '(heimdal-kdc))
+     (requirement '(networking))
+     (start #~(make-forkexec-constructor
+               (list #$(file-append heimdal "/libexec/kdc")
+                     #$@(if (maybe-value-set? config-file)
+                            `(,(string-append "--config-file=" (maybe-value config-file)))
+                            '())
+                     #$@(if require-preauth? '() '("--no-require-preauth"))
+                     #$@(if (maybe-value-set? max-request-size)
+                            `(,(string-append
+                                "--max-request-size="
+                                (number->string (maybe-value max-request-size))))
+                            '())
+                     #$@(if enable-http? '("--enable-http") '())
+                     #$@(if (maybe-value-set? v4-realm)
+                            `(,(string-append "--v4-realm=" (maybe-value v4-realm)))
+                            '())
+                     ;; ports parameter is white-space separated
+                     #$@(if (null? ports)
+                            '()
+                            `(,(string-append "--ports=" (string-join ports))))
+                     ;; addresses parameter is white-space separated
+                     #$@(if (null? addresses)
+                            '()
+                            `(,(string-append "--addresses=" (string-join addresses))))
+                     #$@(if disable-des? '("--disable-des") '()))
+               #:log-file "/var/log/kdc-shepherd"))
+     (stop #~(make-kill-destructor)))))
+
+(define heimdal-kdc-service-type
+  (service-type
+   (name 'heimdal-kdc)
+   (description
+    "Run the Heimdal @command{kdc} daemon.")
+   (extensions
+    (list
+     (service-extension shepherd-root-service-type
+                        (compose list heimdal-kdc-shepherd-service))))
+   (default-value (heimdal-kdc-configuration))))
+
+
+;;;
+;;; Heimdal Kadmind
+;;;
+
+(define-configuration/no-serialization heimdal-kadmind-configuration
+  (heimdal
+   (file-like heimdal)
+   "The heimdal package to use.")
+  (config-file
+   maybe-string
+   "Configuration file for Heimdal Kadmind server.")
+  (key-file
+   maybe-string
+   "Location of master key file.")
+  (keytab
+   maybe-string
+   "Kerberos keytab to use.")
+  (realm
+   maybe-string
+   "Kerberos realm to serve.")
+  (debug?
+   (boolean #f)
+   "Enable debugging.")
+  (ports
+   (list-of-strings '())
+   "Ports to listen on."))
+
+(define (heimdal-kadmind-shepherd-service config)
+  "Return a <shepherd-service> for Heimdal's kadmind for CONFIG."
+  (match-record config
+      <heimdal-kadmind-configuration> (heimdal config-file key-file keytab
+                                               realm debug? ports)
+    (shepherd-service
+     (documentation "Run the Heimdal Kerberos admin daemon (heimdal-kadmind).")
+     (provision '(heimdal-kadmind))
+     (requirement '(networking))
+     (start #~(make-forkexec-constructor
+               (list #$(file-append heimdal "/libexec/kadmind")
+                     #$@(if (maybe-value-set? config-file)
+                            `(,(string-append "--config-file=" (maybe-value config-file)))
+                            '())
+                     #$@(if (maybe-value-set? key-file)
+                            `(,(string-append "--key-file=" (maybe-value key-file)))
+                            '())
+                     #$@(if (maybe-value-set? keytab)
+                            `(,(string-append "--keytab=" (maybe-value keytab)))
+                            '())
+                     #$@(if (maybe-value-set? realm)
+                            `(,(string-append "--realm=" (maybe-value realm)))
+                            '())
+                     #$@(if debug? '("--debug") '())
+                     ;; ports parameter is white-space separated
+                     #$@(if (null? ports)
+                            '()
+                            `(,(string-append "--ports=" (string-join ports)))))))
+     (stop #~(make-kill-destructor)))))
+
+(define heimdal-kadmind-service-type
+  (service-type
+   (name 'heimdal-kadmind)
+   (description
+    "Run the Heimdal @command{kadmind} daemon.")
+   (extensions
+    (list
+     (service-extension shepherd-root-service-type
+                        (compose list heimdal-kadmind-shepherd-service))))
+   (default-value (heimdal-kadmind-configuration))))
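Review bot: the `key-file` and `keytab` docstrings in `heimdal-kadmind-configuration` ("Location of master key file.", "Kerberos keytab to use.") do not say where these files are expected to live or who may read them. Both fields are `maybe-string`, so the value is passed verbatim to `--key-file=` and `--keytab=`, and nothing in `heimdal-kadmind-shepherd-service` checks that the path exists or is readable by root only. Please document that these are paths to secret material kept outside the world-readable store. Separately, the four `(if (maybe-value-set? ...) ...)` forms differ only in the flag name and field, so a small helper would shorten the `start` gexp.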
diff --git a/gnu/tests/heimdal-kadmind.scm b/gnu/tests/heimdal-kadmind.scm
new file mode 100644
index 0000000000..b340017c69
--- /dev/null
+++ b/gnu/tests/heimdal-kadmind.scm
@@ -0,0 +1,71 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 Peter Mikkelsen <petermikkelsen10@HIDDEN>
+;;; Copyright © 2022 Bruno Victal <mirai@HIDDEN>
+;;; Copyright © 2023 Felix Lechner <felix.lechner@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu tests heimdal-kadmind)
+  #:use-module (gnu tests)
+  #:use-module (gnu system)
+  #:use-module (gnu system vm)
+  #:use-module (gnu services)
+  #:use-module (gnu services kerberos heimdal)
+  #:use-module (gnu services networking)
+  #:use-module (guix gexp)
+  #:export (%test-heimdal-kadmind))
+
+(define %heimdal-kadmind-os
+  (simple-operating-system
+   (service dhcp-client-service-type)
+   (service heimdal-kadmind-service-type)))
+
+(define (run-heimdal-kadmind-test)
+  "Run tests in %heimdal-kadmind-os, which has heimdal-kadmind running."
+  (define os
+    (marionette-operating-system
+     %heimdal-kadmind-os
+     #:imported-modules '((gnu services herd))))
+
+  (define vm
+    (virtual-machine os))
+
+  (define test
+    (with-imported-modules '((gnu build marionette))
+      #~(begin
+          (use-modules (srfi srfi-64)
+                       (gnu build marionette))
+          (define marionette
+            (make-marionette (list #$vm)))
+
+          (test-runner-current (system-test-runner #$output))
+          (test-begin "heimdal-kadmind")
+
+          (test-assert "service is running"
+            (marionette-eval
+             '(begin
+                (use-modules (gnu services herd))
+                (start-service 'heimdal-kadmind))
+             marionette))
+
+          (test-end))))
+  (gexp->derivation "heimdal-kadmind-test" test))
+
+(define %test-heimdal-kadmind
+  (system-test
+   (name "heimdal-kadmind")
+   (description "Test that the heimdal-kadmind runs when started.")
+   (value (run-heimdal-kadmind-test))))
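Review bot: the only assertion, `test-assert "service is running"`, checks nothing beyond `start-service 'heimdal-kadmind` returning a true value, and `%heimdal-kadmind-os` uses the default configuration with no realm, keytab or key file set. Since the service's `start` uses `make-forkexec-constructor` without a PID file, the test can pass even if kadmind exits right after being spawned. Consider configuring at least a realm and adding an assertion that the daemon is still up, for example by waiting on its listening port with `wait-for-tcp-port` from `(gnu build marionette)`.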
diff --git a/gnu/tests/heimdal-kdc.scm b/gnu/tests/heimdal-kdc.scm
new file mode 100644
index 0000000000..b6424ace9e
--- /dev/null
+++ b/gnu/tests/heimdal-kdc.scm
@@ -0,0 +1,71 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 Peter Mikkelsen <petermikkelsen10@HIDDEN>
+;;; Copyright © 2022 Bruno Victal <mirai@HIDDEN>
+;;; Copyright © 2023 Felix Lechner <felix.lechner@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu tests heimdal-kdc)
+  #:use-module (gnu tests)
+  #:use-module (gnu system)
+  #:use-module (gnu system vm)
+  #:use-module (gnu services)
+  #:use-module (gnu services kerberos heimdal)
+  #:use-module (gnu services networking)
+  #:use-module (guix gexp)
+  #:export (%test-heimdal-kdc))
+
+(define %heimdal-kdc-os
+  (simple-operating-system
+   (service dhcp-client-service-type)
+   (service heimdal-kdc-service-type)))
+
+(define (run-heimdal-kdc-test)
+  "Run tests in %heimdal-kdc-os, which has heimdal-kdc running."
+  (define os
+    (marionette-operating-system
+     %heimdal-kdc-os
+     #:imported-modules '((gnu services herd))))
+
+  (define vm
+    (virtual-machine os))
+
+  (define test
+    (with-imported-modules '((gnu build marionette))
+      #~(begin
+          (use-modules (srfi srfi-64)
+                       (gnu build marionette))
+          (define marionette
+            (make-marionette (list #$vm)))
+
+          (test-runner-current (system-test-runner #$output))
+          (test-begin "heimdal-kdc")
+
+          (test-assert "service is running"
+            (marionette-eval
+             '(begin
+                (use-modules (gnu services herd))
+                (start-service 'heimdal-kdc))
+             marionette))
+
+          (test-end))))
+  (gexp->derivation "heimdal-kdc-test" test))
+
+(define %test-heimdal-kdc
+  (system-test
+   (name "heimdal-kdc")
+   (description "Test that the heimdal-kdc runs when started.")
+   (value (run-heimdal-kdc-test))))
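Review bot: this file repeats gnu/tests/heimdal-kadmind.scm with only the service name changed (`heimdal-kdc` for `heimdal-kadmind`), including the module imports and the whole marionette body. A single test module with one procedure that takes the service type and the Shepherd service name, exporting both `%test-heimdal-kdc` and `%test-heimdal-kadmind`, would avoid keeping two 71-line copies in sync. The assertion here has the same limitation as in the kadmind test: it only checks that `start-service 'heimdal-kdc` returns.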
-- 
2.41.0





Information forwarded to guix-patches@HIDDEN:
bug#67555; Package guix-patches. Full text available.

Message received at 67555 <at> debbugs.gnu.org:


From: Felix Lechner <felix.lechner@HIDDEN>
To: 67555 <at> debbugs.gnu.org
Subject: [PATCH 1/2] services: kerberos.scm: Rename krb5-service-type and
 krb5-configuration.
Date: Thu, 30 Nov 2023 16:45:11 -0800
Message-ID: <7f5ebe249e930c046dafdfc3fb31985d5b820b07.1701390969.git.felix.lechner@HIDDEN>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <cover.1701390969.git.felix.lechner@HIDDEN>
References: <cover.1701390969.git.felix.lechner@HIDDEN>

In preparation for a nearby commit that will add actual Kerberos services to
Guix, the older names were made more specific. The original names were
misleading and too generic. The krb5-service-type provided no service at all
but merely created a file at /etc/krb5.conf that is needed to associate
equipment with a Kerberos realm.

The original names further suggested that at least some of the needed servers
might be started, making it necessary to clarify otherwise in the
documentation.

Change-Id: I951c16aedcf1141d7d947f984cf89c22d3cc96ce
---
 doc/guix.texi             | 16 ++++++++--------
 gnu/services/kerberos.scm | 19 ++++++++++++++-----
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 1fd2e21608..a5119d2058 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -29963,10 +29963,10 @@ Kerberos Services
 @subsection Kerberos Services
 @cindex Kerberos
 
-The @code{(gnu services kerberos)} module provides services relating to
-the authentication protocol @dfn{Kerberos}.
+@subsubheading Krb5 Association Service
 
-@subsubheading Krb5 Service
+The @code{(gnu services kerberos)} module provides miscellaneous
+services relating to the authentication protocol @dfn{Kerberos}.
 
 Programs using a Kerberos client library normally
 expect a configuration file in @file{/etc/krb5.conf}.
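Review bot: moving `@subsubheading Krb5 Association Service` above the sentence "The @code{(gnu services kerberos)} module provides miscellaneous services ..." puts the module-level introduction inside the first subsubsection. That sentence introduces the whole "Kerberos Services" subsection, so it reads better left directly under `@subsection Kerberos Services`, with the new subsubheading after it as before.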
@@ -29978,15 +29978,15 @@ Kerberos Services
 This service is known to work with the MIT client library, @code{mit-krb5}.
 Other implementations have not been tested.
 
-@defvar krb5-service-type
+@defvar krb5-association-service-type
 A service type for Kerberos 5 clients.
 @end defvar
 
 @noindent
 Here is an example of its use:
 @lisp
-(service krb5-service-type
-         (krb5-configuration
+(service krb5-association-service-type
+         (krb5-association-configuration
           (default-realm "EXAMPLE.COM")
           (allow-weak-crypto? #t)
           (realms (list
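Review bot: the `@defvar krb5-association-service-type` entry keeps the old description, "A service type for Kerberos 5 clients.", which is the wording the commit message calls misleading. Say here that the service only generates @file{/etc/krb5.conf} and starts no daemon, and mention that `krb5-service-type` and `krb5-configuration` are the deprecated former names so that readers of existing configurations can find the new ones.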
@@ -30010,7 +30010,7 @@ Kerberos Services
 @item Accepts services which only support encryption types known to be weak.
 @end itemize
 
-The @code{krb5-realm} and @code{krb5-configuration} types have many fields.
+The @code{krb5-realm} and @code{krb5-association-configuration} types have many fields.
 Only the most commonly used ones are described here.
 For a full list, and more detailed explanation of each, see the MIT
 @uref{https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html,,krb5.conf}
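Review bot: style only, the replaced line "The @code{krb5-realm} and @code{krb5-association-configuration} types have many fields." is now well past the fill width used by the surrounding paragraph. Please refill the paragraph.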
@@ -30035,7 +30035,7 @@ Kerberos Services
 @end table
 @end deftp
 
-@deftp {Data Type} krb5-configuration
+@deftp {Data Type} krb5-association-configuration
 
 @table @asis
 @item @code{allow-weak-crypto?} (default: @code{#f})
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index a6f540a9b6..ec9b6c10b5 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -20,6 +20,7 @@ (define-module (gnu services kerberos)
   #:use-module (gnu services)
   #:use-module (gnu services configuration)
   #:use-module (gnu system pam)
+  #:use-module (guix deprecation)
   #:use-module (guix gexp)
   #:use-module (guix records)
   #:use-module (srfi srfi-1)
@@ -33,6 +34,10 @@ (define-module (gnu services kerberos)
             krb5-realm
             krb5-realm?
 
+            krb5-association-configuration
+            krb5-association-configuration?
+            krb5-association-service-type
+
             krb5-configuration
             krb5-configuration?
             krb5-service-type))
@@ -228,7 +233,7 @@ (define-configuration krb5-realm
 
 
 ;; For a more detailed explanation of these fields see man 5 krb5.conf
-(define-configuration krb5-configuration
+(define-configuration krb5-association-configuration
   (allow-weak-crypto?
    (boolean/unset unset-field)
    "If true, permits access to services which only offer weak encryption.")
@@ -394,20 +399,20 @@ (define-configuration krb5-configuration
    "The list of realms which clients may access."))
 
 
-(define (krb5-configuration-file config)
+(define (krb5-association-configuration-file config)
   "Create a Kerberos 5 configuration file based on CONFIG"
   (mixed-text-file "krb5.conf"
                    "[libdefaults]\n\n"
                    (with-output-to-string
                      (lambda ()
                        (serialize-configuration config
-                                                krb5-configuration-fields)))))
+                                                krb5-association-configuration-fields)))))
 
 (define (krb5-etc-service config)
-  (list `("krb5.conf" ,(krb5-configuration-file config))))
+  (list `("krb5.conf" ,(krb5-association-configuration-file config))))
 
 
-(define krb5-service-type
+(define krb5-association-service-type
   (service-type (name 'krb5)
                 (extensions
                  (list (service-extension etc-service-type
@@ -416,6 +421,10 @@ (define krb5-service-type
 normally expect a configuration file in @file{/etc/krb5.conf}.  This service
 generates such a file.  It does not cause any daemon to be started.")))
 
+(define-deprecated krb-configuration krb5-association-configuration)
+(define-deprecated krb-configuration? krb5-association-configuration?)
+(define-deprecated krb-service-type krb5-association-service-type)
+
 
 
 (define-record-type* <pam-krb5-configuration>
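Review bot: the three `define-deprecated` forms define `krb-configuration`, `krb-configuration?` and `krb-service-type`, without the "5", while the export list earlier in this patch still exports `krb5-configuration`, `krb5-configuration?` and `krb5-service-type`. As written the old names are exported but never defined, so existing configurations that use `krb5-service-type` would break instead of getting a deprecation warning. The aliases should be spelled `krb5-...`. Also worth checking: `krb5-association-configuration` comes from `define-configuration` and is used as a record-constructor macro, so the alias for it has to work for a macro; `define-deprecated/alias` from `(guix deprecation)` may be the form needed there.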
-- 
2.41.0





Information forwarded to guix-patches@HIDDEN:
bug#67555; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Felix Lechner <felix.lechner@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 0/2] Add Heimdal Kerberos system services.
Date: Thu, 30 Nov 2023 16:42:20 -0800
Message-ID: <cover.1701390969.git.felix.lechner@HIDDEN>
X-Mailer: git-send-email 2.41.0

Hi,

This patch series offers system services for Heimdal Kerberos. I have been
using them in production. The patch includes the documentation and system
tests for each service.

As always, I struggled with the commit messages in the official GNU ChangeLog
format. Please take what you like and adjust as needed.

Kind regards
Felix

Felix Lechner (2):
  services: kerberos.scm: Rename krb5-service-type and
    krb5-configuration.
  services: kerberos/heimdal.scm: New file, add Heimdal Kerberos
    services.

 doc/guix.texi                     | 117 ++++++++++++++++--
 gnu/local.mk                      |   3 +
 gnu/services/kerberos.scm         | 133 ++++++++++++++++++++-
 gnu/services/kerberos/heimdal.scm | 189 ++++++++++++++++++++++++++++++
 gnu/tests/heimdal-kadmind.scm     |  71 +++++++++++
 gnu/tests/heimdal-kdc.scm         |  71 +++++++++++
 6 files changed, 570 insertions(+), 14 deletions(-)
 create mode 100644 gnu/services/kerberos/heimdal.scm
 create mode 100644 gnu/tests/heimdal-kadmind.scm
 create mode 100644 gnu/tests/heimdal-kdc.scm


base-commit: 2b782f67266b42bb40015bd23ce2443be2f9b01f
-- 
2.41.0





Acknowledgement sent to Felix Lechner <felix.lechner@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#67555; Package guix-patches. Full text available.
Last modified: Sat, 20 Jan 2024 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.