From: John Darrington <john@darrington.wattle.id.au>
To: Ludovic Court??s <ludo@gnu.org>
Cc: guix-devel@gnu.org, John Darrington <jmd@gnu.org>
Subject: Re: [PATCH] gnu: Add kerberos service.
Date: Sat, 19 Nov 2016 07:57:28 +0100 [thread overview]
Message-ID: <20161119065728.GA13099@jocasta.intra> (raw)
In-Reply-To: <87a8cw5rmj.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 10337 bytes --]
On Fri, Nov 18, 2016 at 11:51:16PM +0100, Ludovic Court??s wrote:
Hello!
John Darrington <jmd@gnu.org> skribis:
> * gnu/services/kerberos.scm (krb5-realm, krb5-configuration,
> krb5-service-type): New variables.
Could you add documentation in guix.texi, along with an example of how
to use it?
I can make an attempt to do that. Kerberos however is a complicated thing
with a large number of options - not all of which I pretend to understand.
I think it is better to have something undocumented rather than documented
wrong. - and I can give an example of how *I* use it - but that should
not be regarded as a canonical example of how everyone should use it.
I very strongly encourage you to write a system test for this as well.
Essentially, it???s just about writing down in a file a test that you???ve
already run anyway. I???m happy to help if needed. The main ideas are
described in
<https://www.gnu.org/software/guix/news/guixsd-system-tests.html>.
You are right. Tests for things like this are needed. But we have a chicken
and egg situation. We can't really write a test for the client without a server.
And we can't write a test for the server without a client. ... something has
to come first. Of course I could, wait until I have absolutely everything
done before I commit, but then I a) run the risk of losing everything, if I
have a disk crash; and b) rule out all possibility of getting any contribution
from others.
> +(define-record-type* <krb5-realm>
> + krb5-realm make-krb5-realm
> + krb5-realm?
> + (name krb5-realm-name)
> +
> + (admin-server krb5-realm-admin-server)
> + (kdc krb5-realm-kdc)
> + (auth-to-local krb5-realm-auth-to-local (default '()))
> + (auth-to-local-names krb5-realm-auth-to-local-names (default '()))
> + (http-anchors krb5-realm-http-anchors (default '()))
> + (default-domain krb5-realm-default-domain (default #f))
> + (kpasswd-server krb5-realm-kpasswd-server (default #f))
> + (master-kdc krb5-realm-master-kdc (default #f))
> + (v4-instance-convert krb5-realm-v4-instance-convert (default '()))
> + (v4-realm krb5-realm-v4-realm (default #f)))
I find it helpful to add a one- or two-line comment above stating what
this is, and margin comments next to the fields to give an idea of what
their type is.
Could you try something along these lines?
Again most of the info would be copied from the manpage krb5.conf(5). I can
do that if you think it would be useful.
> +(define-syntax guile->krb-cfg
> + (syntax-rules ()
> + ((guile->krb-cfg accessor what)
> + (string-map
> + (lambda (c) (if (eq? c #\-) #\_ c))
> + (string-drop (symbol->string accessor)
> + (string-length what))))))
> +
> +(define-syntax cfg-opt-string
> + (syntax-rules ()
> + ((cfg-opt-string accessor realm)
> + (if (accessor realm)
> + (format #f "\n\t~a = ~a"
> + (guile->krb-cfg 'accessor "krb5-realm-")
> + (accessor realm))
> + ""))))
> +
> +
> +;; Generates one line of text per list item
> +(define-syntax cfg-opt-list
> + (syntax-rules ()
> + ((cfg-opt-list accessor realm)
> + (if (not (null? (accessor realm)))
> + (string-concatenate
> + (map (lambda (item)
> + (format #f "\n\t~a = ~a"
> + (guile->krb-cfg 'accessor "krb5-realm-")
> + item))
> + (accessor realm)))
> + ""))))
Would Andy???s ???define-configuration??? (in mail.scm and cups.scm) be usable
here, possibly with some adjustments? It has the advantage that
configuration fields, their types, and their docstring all appear at the
same place. I think we should consolidate it into a single API.
I will have a look to see if I can a) understand it; and b) use it in any way.
> +;; For explanation of these fields see man 5 krb5.conf
> +(define-record-type* <krb5-configuration>
> + krb5-configuration make-krb5-configuration
> + krb5-configuration?
> +
> + ;; [libdefaults]
> + (allow-weak-crypto krb5-configuration-allow-weak-crypto (default #f))
> + (ap-req-checksum-type krb5-configuration-ap-req-checksum-type (default #f))
> + (canonicalize krb5-configuration-canonicalize (default #f))
> + (ccache-type krb5-configuration-ccache-type (default #f))
> + (clockskew krb5-configuration-clockskew (default #f))
> + (default-ccache-name krb5-configuration-default-ccache-name (default #f))
> + (default-client-keytab-name krb5-configuration-default-client-keytab-name
> + (default #f))
> + (default-keytab-name krb5-configuration-default-keytab-name (default #f))
> + (default-realm krb5-configuration-default-realm (default #f))
> + (default-tgs-enctypes krb5-configuration-default-tgs-enctypes (default #f))
> + (default-tkt-enctypes krb5-configuration-default-tkt-enctypes (default #f))
> + (dns-canonicalize-hostname krb5-configuration-dns-canonicalize-hostname
> + (default #t))
> + (dns-lookup-kdc krb5-configuration-dns-lookup-kdc
> + (default #f))
> + (err-fmt krb5-configuration-err-fmt (default #f))
> + (extra-addresses krb5-configuration-extra-addresses
> + (default #f))
> + (forwardable krb5-configuration-forwardable (default #t))
> + (ignore-acceptor-hostname krb5-configuration-ignore-acceptor-hostname
> + (default #f))
> + (k5login-authoritative krb5-configuration-k5login-authoritative (default #t))
> + (k5login-directory krb5-configuration-k5login-directory (default #f))
> + (kcm-mach-service krb5-configuration-kcm-mach-service
> + (default "org.h5l.kcm"))
> + (kcm-socket krb5-configuration-kcm-socket
> + (default "/var/run/.heim_org.h5l.kcm-socket"))
> + (kdc-default-options krb5-configuration-kdc-default-options
> + (default #f))
> + (kdc-timesync krb5-configuration-kdc-timesync (default #t))
> + (kdc-req-checksum-type krb5-configuration-kdc-req-checksum-type (default #f))
> + (noaddresses krb5-configuration-noaddresses
> + (default #f))
> + (permitted-enctypes krb5-configuration-permitted-enctypes
> + (default #f))
> + (plugin-base-dir krb5-configuration-plugin-base-dir
> + (default #f))
> + (preferred-preauth-types krb5-configuration-preferred-preauth-types
> + (default #f))
> + (proxiable krb5-configuration-proxiable (default #f))
> + (rdns krb5-configuration-rdns (default #t))
> + (realm-try-domains krb5-configuration-realm-try-domains
> + (default #f))
> + (renew-lifetime krb5-configuration-renew-lifetime
> + (default #f))
> + (safe-checksum-type krb5-configuration-safe-checksum-type
> + (default #f))
> + (ticket-lifetime krb5-configuration-ticket-lifetime
> + (default #f))
> + (udp-preference-limit krb5-configuration-udp-preference-limit
> + (default #f))
> + (verify-ap-req-nofail krb5-configuration-verify-ap-req-nofail
> + (default #f))
> +
> + ;;[realms]
> + (realms krb5-configuration-realms)
> +
> + ;;[domain_realm]
> + (domain-realm-map krb5-configuration-domain-realm-map (default '())))
Woow! :-) Please use full separate words; use question marks for
Boolean fields.
ok.
> +(define (krb5-etc-service config)
> + (list `("krb5.conf" ,(krb5-configuration-file config))))
> +
> +
> +(define krb5-service-type
> + (service-type (name 'krb5)
> + (extensions
> + (list (service-extension etc-service-type
> + krb5-etc-service)))))
So this service doesn???t do anything by itself. Perhaps it should also
create a Shepherd service for the Kerberos daemon, or something like
that?
Kerberos is three headed dog. There is the client, the "key distribution center",
the admin server, the ticket granting server, and the application server.
Ooops! that's 5 heads.
But this service is sufficient to get a client machine up and running and ready to
make requests and receive services from an external KDC and application server.
As you say, once we have a KDC and some simple kerberos enabled service in Guix, then
we can write some end to end tests. It would be really great if someone can help with
those things. In the meantime, this is a start.
J'
--
Avoid eavesdropping. Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2016-11-19 6:57 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-09 19:58 [PATCH] gnu: Add kerberos service John Darrington
2016-11-18 15:23 ` John Darrington
2016-11-18 22:51 ` Ludovic Courtès
2016-11-19 6:57 ` John Darrington [this message]
2016-11-21 8:59 ` Ludovic Courtès
2016-11-22 17:52 ` [PATCH] gnu: Add Kerberos client service John Darrington
2016-11-23 22:01 ` Ludovic Courtès
2016-11-29 18:39 ` John Darrington
2016-11-29 18:39 ` John Darrington
2016-11-30 13:09 ` Ludovic Courtès
2016-11-30 13:44 ` John Darrington
2016-11-30 13:52 ` Andy Wingo
2016-12-03 12:27 ` John Darrington
2016-12-03 15:13 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161119065728.GA13099@jocasta.intra \
--to=john@darrington.wattle.id.au \
--cc=guix-devel@gnu.org \
--cc=jmd@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.