From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: [PATCH] gnu: Add kerberos service.
Date: Mon, 21 Nov 2016 09:59:03 +0100
Message-ID: <87ziktyzs8.fsf@gnu.org>
References: <1478721522-312-1-git-send-email-jmd@gnu.org> <87a8cw5rmj.fsf@gnu.org> <20161119065728.GA13099@jocasta.intra>
In-Reply-To: <20161119065728.GA13099@jocasta.intra> (John Darrington's message of "Sat, 19 Nov 2016 07:57:28 +0100")
To: John Darrington
Cc: guix-devel@gnu.org, John Darrington

Hi!

John Darrington skribis:

> On Fri, Nov 18, 2016 at 11:51:16PM +0100, Ludovic Courtès wrote:
>      Hello!
>      
>      John Darrington skribis:
>      
>      > * gnu/services/kerberos.scm (krb5-realm, krb5-configuration,
>      > krb5-service-type): New variables.
>      
>      Could you add documentation in guix.texi, along with an example of how
>      to use it?
>
> I can make an attempt to do that.  Kerberos however is a complicated thing
> with a large number of options - not all of which I pretend to understand.
> I think it is better to have something undocumented rather than documented
> wrong. - and I can give an example of how *I* use it - but that should
> not be regarded as a canonical example of how everyone should use it.

Maybe just give a rough overview in a couple of sentences, then an
example that makes sense to you, and then cross-references to the
upstream manual or documentation.

BTW, is this config file honored by any Kerberos implementation, or just
mit-krb5?

>      I very strongly encourage you to write a system test for this as well.
>      Essentially, it’s just about writing down in a file a test that you’ve
>      already run anyway.  I’m happy to help if needed.  The main ideas are
>      described in
>      .
>
> You are right.  Tests for things like this are needed.  But we have a chicken
> and egg situation.  We can't really write a test for the client without a server.
> And we can't write a test for the server without a client. ... something has
> to come first.  Of course I could wait until I have absolutely everything
> done before I commit, but then I a) run the risk of losing everything, if I
> have a disk crash; and b) rule out all possibility of getting any contribution
> from others.

No you’re right, we can’t delay the contribution endlessly, so we have
to be flexible.  What I want to avoid is simply having big chunks of
code that we don’t really know how to use and can’t tell if it works.

> > +(define-record-type*
> > +  krb5-realm make-krb5-realm
> > +  krb5-realm?
> > +  (name krb5-realm-name)
> > +
> > +  (admin-server krb5-realm-admin-server)
> > +  (kdc krb5-realm-kdc)
> > +  (auth-to-local krb5-realm-auth-to-local (default '()))
> > +  (auth-to-local-names krb5-realm-auth-to-local-names (default '()))
> > +  (http-anchors krb5-realm-http-anchors (default '()))
> > +  (default-domain krb5-realm-default-domain (default #f))
> > +  (kpasswd-server krb5-realm-kpasswd-server (default #f))
> > +  (master-kdc krb5-realm-master-kdc (default #f))
> > +  (v4-instance-convert krb5-realm-v4-instance-convert (default '()))
> > +  (v4-realm krb5-realm-v4-realm (default #f)))
>      
>      I find it helpful to add a one- or two-line comment above stating what
>      this is, and margin comments next to the fields to give an idea of what
>      their type is.
>      
>      Could you try something along these lines?
>
> Again most of the info would be copied from the manpage krb5.conf(5).  I can
> do that if you think it would be useful.

Just one or two lines, whatever makes sense.

> > +(define (krb5-etc-service config)
> > +  (list `("krb5.conf" ,(krb5-configuration-file config))))
> > +
> > +
> > +(define krb5-service-type
> > +  (service-type (name 'krb5)
> > +                (extensions
> > +                 (list (service-extension etc-service-type
> > +                                          krb5-etc-service)))))
>      
>      So this service doesn’t do anything by itself.  Perhaps it should also
>      create a Shepherd service for the Kerberos daemon, or something like
>      that?
>
> Kerberos is a three headed dog.  There is the client, the "key distribution center",
> the admin server, the ticket granting server, and the application server.
> Ooops! that's 5 heads.
>
> But this service is sufficient to get a client machine up and running and ready to
> make requests and receive services from an external KDC and application server.
>
> As you say, once we have a KDC and some simple kerberos enabled service in Guix, then
> we can write some end to end tests.  It would be really great if someone can help with
> those things.  In the meantime, this is a start.

Heh, OK.

So client libraries of Kerberos implementations read that file?  IOW, is
it useful on its own already?

If the answer is “yes”, then it’s obviously OK to commit, and if it’s
client functionality, we cannot write tests yet, so that’s fine.

Thank you,
Ludo’.
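Review bot: in the krb5-realm record hunk, the record has no comment saying what it models and none of the fields say which krb5.conf(5) `[realms]` key they map to or what type they hold, so a reader cannot tell from the hunk that `kdc` and `admin-server` are server addresses while `auth-to-local`, `auth-to-local-names` and `http-anchors` are lists. A one-line comment above `define-record-type*` plus a margin comment per field naming the krb5.conf key (e.g. `;; "admin_server"`) would cover that; `v4-instance-convert` and `v4-realm` especially deserve a comment saying they are Kerberos version 4 compatibility settings that should stay at their empty/`#f` defaults unless a legacy realm is involved, and the stray blank line after `(name krb5-realm-name)` should be dropped.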
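Review bot: in the krb5-service-type hunk, `krb5-etc-service` calls `krb5-configuration-file`, which is not in the quoted lines, so the part that most needs review is missing: the code that turns the record fields into krb5.conf syntax. That serializer decides whether a realm name, KDC address or `auth-to-local` rule containing spaces, brackets or newlines ends up as a malformed or differently-parsed /etc/krb5.conf, and since that file tells every Kerberos client on the machine which KDCs to trust, it is worth quoting and checking alongside this hunk. The hunk also confirms that the service only installs /etc/krb5.conf through `etc-service-type`; a docstring on `krb5-service-type` stating that it configures the client side only and starts no KDC or admin server would make that explicit to users.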