From: John Darrington
Subject: Re: [PATCH] gnu: Add kerberos service.
Date: Sat, 19 Nov 2016 07:57:28 +0100
Message-ID: <20161119065728.GA13099@jocasta.intra>
In-Reply-To: <87a8cw5rmj.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org, John Darrington

On Fri, Nov 18, 2016 at 11:51:16PM +0100, Ludovic Courtès wrote:
    Hello!

    John Darrington skribis:

    > * gnu/services/kerberos.scm (krb5-realm, krb5-configuration,
    > krb5-service-type): New variables.

    Could you add documentation in guix.texi, along with an example of how
    to use it?

I can make an attempt to do that. Kerberos however is a complicated thing
with a large number of options - not all of which I pretend to understand.
I think it is better to have something undocumented rather than documented
wrong. - and I can give an example of how *I* use it - but that should not
be regarded as a canonical example of how everyone should use it.
    I very strongly encourage you to write a system test for this as well.
    Essentially, it's just about writing down in a file a test that you've
    already run anyway. I'm happy to help if needed. The main ideas are
    described in .

You are right. Tests for things like this are needed. But we have a chicken
and egg situation. We can't really write a test for the client without a
server. And we can't write a test for the server without a client. ...
something has to come first. Of course I could wait until I have absolutely
everything done before I commit, but then I a) run the risk of losing
everything, if I have a disk crash; and b) rule out all possibility of
getting any contribution from others.

    > +(define-record-type*
    > +  krb5-realm make-krb5-realm
    > +  krb5-realm?
    > +  (name                 krb5-realm-name)
    > +
    > +  (admin-server         krb5-realm-admin-server)
    > +  (kdc                  krb5-realm-kdc)
    > +  (auth-to-local        krb5-realm-auth-to-local        (default '()))
    > +  (auth-to-local-names  krb5-realm-auth-to-local-names  (default '()))
    > +  (http-anchors         krb5-realm-http-anchors         (default '()))
    > +  (default-domain       krb5-realm-default-domain       (default #f))
    > +  (kpasswd-server       krb5-realm-kpasswd-server       (default #f))
    > +  (master-kdc           krb5-realm-master-kdc           (default #f))
    > +  (v4-instance-convert  krb5-realm-v4-instance-convert  (default '()))
    > +  (v4-realm             krb5-realm-v4-realm             (default #f)))

    I find it helpful to add a one- or two-line comment above stating what
    this is, and margin comments next to the fields to give an idea of what
    their type is.

    Could you try something along these lines?

Again most of the info would be copied from the manpage krb5.conf(5). I can
do that if you think it would be useful.

    > +(define-syntax guile->krb-cfg
    > +  (syntax-rules ()
    > +    ((guile->krb-cfg accessor what)
    > +     (string-map
    > +      (lambda (c) (if (eq? c #\-) #\_ c))
    > +      (string-drop (symbol->string accessor)
    > +                   (string-length what))))))
    > +
    > +(define-syntax cfg-opt-string
    > +  (syntax-rules ()
    > +    ((cfg-opt-string accessor realm)
    > +     (if (accessor realm)
    > +         (format #f "\n\t~a = ~a"
    > +                 (guile->krb-cfg 'accessor "krb5-realm-")
    > +                 (accessor realm))
    > +         ""))))
    > +
    > +
    > +;; Generates one line of text per list item
    > +(define-syntax cfg-opt-list
    > +  (syntax-rules ()
    > +    ((cfg-opt-list accessor realm)
    > +     (if (not (null? (accessor realm)))
    > +         (string-concatenate
    > +          (map (lambda (item)
    > +                 (format #f "\n\t~a = ~a"
    > +                         (guile->krb-cfg 'accessor "krb5-realm-")
    > +                         item))
    > +               (accessor realm)))
    > +         ""))))

    Would Andy's 'define-configuration' (in mail.scm and cups.scm) be
    usable here, possibly with some adjustments? It has the advantage that
    configuration fields, their types, and their docstring all appear at the
    same place. I think we should consolidate it into a single API.

I will have a look to see if I can a) understand it; and b) use it in any
way.

    > +;; For explanation of these fields see man 5 krb5.conf
    > +(define-record-type*
    > +  krb5-configuration make-krb5-configuration
    > +  krb5-configuration?
    > +
    > +  ;; [libdefaults]
    > +  (allow-weak-crypto           krb5-configuration-allow-weak-crypto (default #f))
    > +  (ap-req-checksum-type        krb5-configuration-ap-req-checksum-type (default #f))
    > +  (canonicalize                krb5-configuration-canonicalize (default #f))
    > +  (ccache-type                 krb5-configuration-ccache-type (default #f))
    > +  (clockskew                   krb5-configuration-clockskew (default #f))
    > +  (default-ccache-name         krb5-configuration-default-ccache-name (default #f))
    > +  (default-client-keytab-name  krb5-configuration-default-client-keytab-name
    > +                               (default #f))
    > +  (default-keytab-name         krb5-configuration-default-keytab-name (default #f))
    > +  (default-realm               krb5-configuration-default-realm (default #f))
    > +  (default-tgs-enctypes        krb5-configuration-default-tgs-enctypes (default #f))
    > +  (default-tkt-enctypes        krb5-configuration-default-tkt-enctypes (default #f))
    > +  (dns-canonicalize-hostname   krb5-configuration-dns-canonicalize-hostname
    > +                               (default #t))
    > +  (dns-lookup-kdc              krb5-configuration-dns-lookup-kdc
    > +                               (default #f))
    > +  (err-fmt                     krb5-configuration-err-fmt (default #f))
    > +  (extra-addresses             krb5-configuration-extra-addresses
    > +                               (default #f))
    > +  (forwardable                 krb5-configuration-forwardable (default #t))
    > +  (ignore-acceptor-hostname    krb5-configuration-ignore-acceptor-hostname
    > +                               (default #f))
    > +  (k5login-authoritative       krb5-configuration-k5login-authoritative (default #t))
    > +  (k5login-directory           krb5-configuration-k5login-directory (default #f))
    > +  (kcm-mach-service            krb5-configuration-kcm-mach-service
    > +                               (default "org.h5l.kcm"))
    > +  (kcm-socket                  krb5-configuration-kcm-socket
    > +                               (default "/var/run/.heim_org.h5l.kcm-socket"))
    > +  (kdc-default-options         krb5-configuration-kdc-default-options
    > +                               (default #f))
    > +  (kdc-timesync                krb5-configuration-kdc-timesync (default #t))
    > +  (kdc-req-checksum-type       krb5-configuration-kdc-req-checksum-type (default #f))
    > +  (noaddresses                 krb5-configuration-noaddresses
    > +                               (default #f))
    > +  (permitted-enctypes          krb5-configuration-permitted-enctypes
    > +                               (default #f))
    > +  (plugin-base-dir             krb5-configuration-plugin-base-dir
    > +                               (default #f))
    > +  (preferred-preauth-types     krb5-configuration-preferred-preauth-types
    > +                               (default #f))
    > +  (proxiable                   krb5-configuration-proxiable (default #f))
    > +  (rdns                        krb5-configuration-rdns (default #t))
    > +  (realm-try-domains           krb5-configuration-realm-try-domains
    > +                               (default #f))
    > +  (renew-lifetime              krb5-configuration-renew-lifetime
    > +                               (default #f))
    > +  (safe-checksum-type          krb5-configuration-safe-checksum-type
    > +                               (default #f))
    > +  (ticket-lifetime             krb5-configuration-ticket-lifetime
    > +                               (default #f))
    > +  (udp-preference-limit        krb5-configuration-udp-preference-limit
    > +                               (default #f))
    > +  (verify-ap-req-nofail        krb5-configuration-verify-ap-req-nofail
    > +                               (default #f))
    > +
    > +  ;;[realms]
    > +  (realms                      krb5-configuration-realms)
    > +
    > +  ;;[domain_realm]
    > +  (domain-realm-map            krb5-configuration-domain-realm-map (default '())))

    Woow! :-)

    Please use full separate words; use question marks for Boolean fields.

ok.

    > +(define (krb5-etc-service config)
    > +  (list `("krb5.conf" ,(krb5-configuration-file config))))
    > +
    > +
    > +(define krb5-service-type
    > +  (service-type (name 'krb5)
    > +                (extensions
    > +                 (list (service-extension etc-service-type
    > +                                          krb5-etc-service)))))

    So this service doesn't do anything by itself. Perhaps it should also
    create a Shepherd service for the Kerberos daemon, or something like
    that?

Kerberos is a three-headed dog. There is the client, the "key distribution
center", the admin server, the ticket granting server, and the application
server. Ooops! That's 5 heads.

But this service is sufficient to get a client machine up and running and
ready to make requests and receive services from an external KDC and
application server. As you say, once we have a KDC and some simple kerberos
enabled service in Guix, then we can write some end to end tests.
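Review bot: the `krb5-realm` record gives no indication whether `kdc` and `admin-server` hold one host string or a list, yet the same patch defines both `cfg-opt-string` (one `~a` value) and `cfg-opt-list` (one line per item), and a realm commonly lists more than one `kdc` line in `[realms]`. A margin comment stating the type of each field (as requested above) would settle this; if `kdc` is a single string, consider accepting a list so a second KDC can be named.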
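Review bot: `guile->krb-cfg` calls `string-drop` with `(string-length what)` without checking that the accessor name actually begins with `what`, so applying it with the wrong prefix silently produces a mangled key rather than an error; guard it with `string-prefix?` and raise otherwise. Two smaller points in the same hunk: `(eq? c #\-)` should be `(char=? c #\-)`, and `cfg-opt-string`/`cfg-opt-list` interpolate field values into `"\n\t~a = ~a"` unescaped, so a value containing a newline would start a new line (or, with a leading `[`, a new section) of the generated /etc/krb5.conf; validate that realm values contain no newline before writing them out.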
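Review bot: in `krb5-configuration`, Boolean fields such as `allow-weak-crypto`, `proxiable` and `dns-lookup-kdc` default to `#f`, the same value the string fields use to mean "not set". If the `(if (accessor realm) ...)` idiom from `cfg-opt-string` is reused for `[libdefaults]`, an explicit `false` can never be emitted (and `~a` would print `#t` rather than the `true` the file expects), so a user who sets `(rdns #f)` would get the library default instead of the hardened value. Use a distinct unset marker for optional fields and a dedicated `true`/`false` formatter for the Boolean ones; this goes with the request above to name them with question marks.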
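Review bot: `krb5-etc-service` calls `krb5-configuration-file`, which is not in the quoted excerpt, so how the file is rendered cannot be reviewed here. Separately, `krb5-service-type` declares no `compose`/`extend`, so no other service can contribute realms or `[domain_realm]` entries to /etc/krb5.conf; since the stated aim is a client that is later joined by a KDC and application services, consider making the realm list extensible now.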
It would be really great if someone can help with those things. In the
meantime, this is a start.

J'

--
Avoid eavesdropping. Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
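An example of the client-only use John describes, configured against an external KDC with the records from this patch; this is added here and is neither John's code nor part of the patch. It assumes the records are built with the usual `define-record-type*` keyword syntax, that `kdc` and `admin-server` take one host string each, that `domain-realm-map` is an alist of domain to realm, and that Booleans are rendered as `true`/`false`; the realm name and hostnames are constructed.

```scheme
;; Added example (not from the patch): a Guix client configuration for an
;; external Kerberos realm, built from krb5-realm, krb5-configuration and
;; krb5-service-type.  The realm and hostnames below are made up; the
;; field types are assumptions, see the lead-in.
(use-modules (gnu)
             (gnu services kerberos))   ; module path from the patch

(define example-realm
  (krb5-realm
   (name "EXAMPLE.ORG")                 ; realm names are upper-case by convention
   (kdc "kdc.example.org")              ; -> kdc = kdc.example.org
   (admin-server "kdc.example.org")))   ; -> admin_server = kdc.example.org
   ;; kpasswd-server and master-kdc keep their #f default and are omitted.

(define client-krb5-configuration
  (krb5-configuration
   (default-realm "EXAMPLE.ORG")        ; default_realm = EXAMPLE.ORG
   (realms (list example-realm))        ; [realms]
   ;; [domain_realm]: map hosts to the realm explicitly rather than
   ;; leaving the mapping to DNS.  Assumed alist shape.
   (domain-realm-map '((".example.org" . "EXAMPLE.ORG")
                       ("example.org"  . "EXAMPLE.ORG")))
   ;; Client hardening: the realm above names its KDC, so do not discover
   ;; KDCs through DNS; do not canonicalise service principals through
   ;; reverse DNS; and do not request forwardable tickets by default, since
   ;; a forwardable TGT lets any service you talk to act as you.
   ;; Whether an explicit #f is written as "false" or simply omitted depends
   ;; on krb5-configuration-file, which the quoted hunk does not show.
   (dns-lookup-kdc #f)
   (rdns #f)
   (forwardable #f)
   ;; allow-weak-crypto and proxiable keep their #f defaults.
   (ticket-lifetime "10h")              ; ticket_lifetime = 10h
   (renew-lifetime "7d")))              ; renew_lifetime = 7d

;; Add this to the `services' field of an operating-system declaration,
;; e.g. (cons krb5-client-service %base-services).
(define krb5-client-service
  (service krb5-service-type client-krb5-configuration))
```

With this in place the machine only writes /etc/krb5.conf; `kinit` and Kerberised clients work against the external KDC, and no daemon runs locally, which matches the scope John sets out above.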