From: John Darrington
Subject: Re: [PATCH] gnu: Add kerberos service.
Date: Fri, 18 Nov 2016 16:23:12 +0100
Message-ID: <20161118152312.GA31249@jocasta.intra>
References: <1478721522-312-1-git-send-email-jmd@gnu.org>
In-Reply-To: <1478721522-312-1-git-send-email-jmd@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: John Darrington
Cc: guix-devel@gnu.org

Any comments on this before I push it??

On Wed, Nov 09, 2016 at 08:58:42PM +0100, John Darrington wrote:

* gnu/services/kerberos.scm (krb5-realm, krb5-configuration,
krb5-service-type): New variables.
---
 gnu/services/kerberos.scm | 230 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 229 insertions(+), 1 deletion(-)

diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
index 144c71b..2147dd8 100644
--- a/gnu/services/kerberos.scm
+++ b/gnu/services/kerberos.scm
@@ -22,9 +22,237 @@ #:use-module (gnu system pam) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (srfi srfi-1) #:export (pam-krb5-configuration pam-krb5-configuration? - pam-krb5-service-type)) + pam-krb5-service-type + + krb5-realm + krb5-realm? + + krb5-configuration + krb5-configuration? + krb5-service-type)) + +(define-record-type* + krb5-realm make-krb5-realm + krb5-realm? + (name krb5-realm-name) + + (admin-server krb5-realm-admin-server) + (kdc krb5-realm-kdc) + (auth-to-local krb5-realm-auth-to-local (default '())) + (auth-to-local-names krb5-realm-auth-to-local-names (default '())) + (http-anchors krb5-realm-http-anchors (default '())) + (default-domain krb5-realm-default-domain (default #f)) + (kpasswd-server krb5-realm-kpasswd-server (default #f)) + (master-kdc krb5-realm-master-kdc (default #f)) + (v4-instance-convert krb5-realm-v4-instance-convert (default '())) + (v4-realm krb5-realm-v4-realm (default #f))) + + +(define-syntax guile->krb-cfg + (syntax-rules () + ((guile->krb-cfg accessor what) + (string-map + (lambda (c) (if (eq? c #\-) #\_ c)) + (string-drop (symbol->string accessor) + (string-length what)))))) + +(define-syntax cfg-opt-string + (syntax-rules () + ((cfg-opt-string accessor realm) + (if (accessor realm) + (format #f "\n\t~a =3D ~a" + (guile->krb-cfg 'accessor "krb5-realm-") + (accessor realm)) + "")))) + + +;; Generates one line of text per list item +(define-syntax cfg-opt-list + (syntax-rules () + ((cfg-opt-list accessor realm) + (if (not (null? 
(accessor realm))) + (string-concatenate + (map (lambda (item) + (format #f "\n\t~a =3D ~a" + (guile->krb-cfg 'accessor "krb5-realm-") + item)) + (accessor realm))) + "")))) + +(define (krb5-realm->string realm) + "Return a string suitable for a krb5.conf fragment representing REA= LM" + (string-append "\n" (krb5-realm-name realm) " =3D {" + (cfg-opt-string krb5-realm-kdc realm) + (cfg-opt-string krb5-realm-admin-server realm) + (cfg-opt-string krb5-realm-default-domain realm) + (cfg-opt-list krb5-realm-auth-to-local realm) + (cfg-opt-list krb5-realm-http-anchors realm) + (cfg-opt-string krb5-realm-kpasswd-server realm) + (cfg-opt-string krb5-realm-master-kdc realm) + (cfg-opt-string krb5-realm-v4-realm realm) + "\n}")) + + +;; For explanation of these fields see man 5 krb5.conf +(define-record-type* + krb5-configuration make-krb5-configuration + krb5-configuration? + + ;; [libdefaults] + (allow-weak-crypto krb5-configuration-allow-weak-crypto (d= efault #f)) + (ap-req-checksum-type krb5-configuration-ap-req-checksum-type= (default #f)) + (canonicalize krb5-configuration-canonicalize (defaul= t #f)) + (ccache-type krb5-configuration-ccache-type (default= #f)) + (clockskew krb5-configuration-clockskew (default #= f)) + (default-ccache-name krb5-configuration-default-ccache-name = (default #f)) + (default-client-keytab-name krb5-configuration-default-client-keyta= b-name + = (default #f)) + (default-keytab-name krb5-configuration-default-keytab-name = (default #f)) + (default-realm krb5-configuration-default-realm (defau= lt #f)) + (default-tgs-enctypes krb5-configuration-default-tgs-enctypes= (default #f)) + (default-tkt-enctypes krb5-configuration-default-tkt-enctypes= (default #f)) + (dns-canonicalize-hostname krb5-configuration-dns-canonicalize-hos= tname + (default #t)) + (dns-lookup-kdc krb5-configuration-dns-lookup-kdc + (default #f)) + (err-fmt krb5-configuration-err-fmt (default #f)) + (extra-addresses krb5-configuration-extra-addresses + (default #f)) + 
(forwardable krb5-configuration-forwardable (default= #t)) + (ignore-acceptor-hostname krb5-configuration-ignore-acceptor-host= name + (default #f)) + (k5login-authoritative krb5-configuration-k5login-authoritativ= e (default #t)) + (k5login-directory krb5-configuration-k5login-directory (d= efault #f)) + (kcm-mach-service krb5-configuration-kcm-mach-service + (default "org.h5l.kcm")) + (kcm-socket krb5-configuration-kcm-socket + (default "/var/run/.heim_org.h5l.kcm-= socket")) + (kdc-default-options krb5-configuration-kdc-default-options + (default #f)) + (kdc-timesync krb5-configuration-kdc-timesync (defaul= t #t)) + (kdc-req-checksum-type krb5-configuration-kdc-req-checksum-typ= e (default #f)) + (noaddresses krb5-configuration-noaddresses + (default #f)) + (permitted-enctypes krb5-configuration-permitted-enctypes + (default #f)) + (plugin-base-dir krb5-configuration-plugin-base-dir + (default #f)) + (preferred-preauth-types krb5-configuration-preferred-preauth-ty= pes + (default #f)) + (proxiable krb5-configuration-proxiable (default #= f)) + (rdns krb5-configuration-rdns (default #t)) + (realm-try-domains krb5-configuration-realm-try-domains + (default #f)) + (renew-lifetime krb5-configuration-renew-lifetime + (default #f)) + (safe-checksum-type krb5-configuration-safe-checksum-type + (default #f)) + (ticket-lifetime krb5-configuration-ticket-lifetime + (default #f)) + (udp-preference-limit krb5-configuration-udp-preference-limit + (default #f)) + (verify-ap-req-nofail krb5-configuration-verify-ap-req-nofail + (default #f)) + + ;;[realms] + (realms krb5-configuration-realms) + + ;;[domain_realm] + (domain-realm-map krb5-configuration-domain-realm-map (de= fault '()))) + + +(define-syntax cfg-string + (syntax-rules () + ((cfg-string accessor config) + (if (accessor config) + (format #f "\n\t~a =3D ~a" + (guile->krb-cfg 'accessor "krb5-configuration-") + (accessor config)) + "")))) + +(define-syntax cfg-boolean + (syntax-rules () + ((cfg-string accessor config) 
+ (format #f "\n\t~a =3D ~a" + (guile->krb-cfg 'accessor "krb5-configuration-") + (if (accessor config) "true" "false"))))) + +;; Generates a comma separated list +(define-syntax cfg-list + (syntax-rules () + ((cfg-string accessor config) + (if (accessor config) + (format #f "\n\t~a =3D ~a" + (guile->krb-cfg 'accessor "krb5-configuration-") + (fold (lambda (i prev) + (string-append prev + (if (zero? (string-length pre= v)) + "" ", ") i)) "" + (accessor config))) "")))) + +(define (krb5-configuration-file config) + "Create a Kerberos 5 configuration file based on CONFIG" + (mixed-text-file "krb5.conf" + +"[libdefaults]" +(cfg-string krb5-configuration-default-realm config) +(cfg-boolean krb5-configuration-allow-weak-crypto config) +(cfg-string krb5-configuration-ap-req-checksum-type config) +(cfg-boolean krb5-configuration-canonicalize config) +(cfg-string krb5-configuration-ccache-type config) +(cfg-string krb5-configuration-clockskew config) +(cfg-string krb5-configuration-default-ccache-name config) +(cfg-string krb5-configuration-default-client-keytab-name config) +(cfg-string krb5-configuration-default-keytab-name config) +(cfg-string krb5-configuration-default-tgs-enctypes config) +(cfg-string krb5-configuration-default-tkt-enctypes config) +(cfg-boolean krb5-configuration-dns-canonicalize-hostname config) +(cfg-boolean krb5-configuration-dns-lookup-kdc config) +(cfg-string krb5-configuration-err-fmt config) +(cfg-list krb5-configuration-extra-addresses config) +(cfg-boolean krb5-configuration-ignore-acceptor-hostname config) +(cfg-boolean krb5-configuration-k5login-authoritative config) +(cfg-string krb5-configuration-k5login-directory config) +(cfg-boolean krb5-configuration-forwardable config) +(cfg-string krb5-configuration-kcm-mach-service config) +(cfg-string krb5-configuration-kcm-socket config) +(cfg-string krb5-configuration-kdc-default-options config) +(cfg-boolean krb5-configuration-kdc-timesync config) +(cfg-boolean krb5-configuration-proxiable 
config) +(cfg-string krb5-configuration-kdc-req-checksum-type config) +(cfg-boolean krb5-configuration-noaddresses config) +(cfg-list krb5-configuration-permitted-enctypes config) +(cfg-string krb5-configuration-plugin-base-dir config) +(cfg-list krb5-configuration-preferred-preauth-types config) +(cfg-boolean krb5-configuration-rdns config) +(cfg-string krb5-configuration-realm-try-domains config) +(cfg-string krb5-configuration-renew-lifetime config) +(cfg-string krb5-configuration-safe-checksum-type config) +(cfg-string krb5-configuration-ticket-lifetime config) +(cfg-string krb5-configuration-udp-preference-limit config) +(cfg-boolean krb5-configuration-verify-ap-req-nofail config) + +"\n\n[realms]" +(string-concatenate (map krb5-realm->string (krb5-configuration-realm= s config))) + +"\n")) + + +(define (krb5-etc-service config) + (list `("krb5.conf" ,(krb5-configuration-file config)))) + + +(define krb5-service-type + (service-type (name 'krb5) + (extensions + (list (service-extension etc-service-type + krb5-etc-service))))) + + +=0C =20 (define-record-type* pam-krb5-configuration make-pam-krb5-configuration
--
2.1.4

--
Avoid eavesdropping. Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
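Review bot: `krb5-configuration` accepts a `domain-realm-map` field (and `krb5-realm` accepts `auth-to-local-names` and `v4-instance-convert`), but `krb5-configuration-file` never emits a `[domain_realm]` section and `krb5-realm->string` never emits those two realm options, so anything a user puts in them is silently dropped from the generated krb5.conf; either emit them (a `cfg-opt-list` call per missing realm field, plus a `[domain_realm]` block built from the map) or remove the fields until they are wired up. Two smaller points in the same hunk: the record default `(forwardable krb5-configuration-forwardable (default #t))` differs from the krb5 library default (forwardable tickets are off unless configured), and because `cfg-boolean` always emits its line, every system using this service gets `forwardable = true` unless it opts out; that deserves a comment explaining the choice or a default of `#f`. The `syntax-rules` patterns for `cfg-boolean` and `cfg-list` are written as `((cfg-string accessor config) ...)`; the keyword position is ignored so they work, but they should read `cfg-boolean` / `cfg-list` (or `_`) to avoid confusing the next reader. Finally, the diffstat shows only the .scm file changed; the new service type needs documentation in doc/guix.texi before it is pushed.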