
Re: [PATCH] gnu: Add kerberos service.


From: John Darrington
Subject: Re: [PATCH] gnu: Add kerberos service.
Date: Sat, 19 Nov 2016 07:57:28 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Fri, Nov 18, 2016 at 11:51:16PM +0100, Ludovic Courtès wrote:
     Hello!
     
     John Darrington <address@hidden> skribis:
     
     > * gnu/services/kerberos.scm (krb5-realm, krb5-configuration,
     > krb5-service-type): New variables.
     
     Could you add documentation in guix.texi, along with an example of how
     to use it?

I can make an attempt to do that.  Kerberos however is a complicated thing
with a large number of options - not all of which I pretend to understand.
I think it is better to have something undocumented rather than documented
wrong - and I can give an example of how *I* use it, but that should
not be regarded as a canonical example of how everyone should use it.
     
     I very strongly encourage you to write a system test for this as well.
     Essentially, it's just about writing down in a file a test that you've
     already run anyway.  I'm happy to help if needed.  The main ideas are
     described in
     <https://www.gnu.org/software/guix/news/guixsd-system-tests.html>.
     
You are right.  Tests for things like this are needed.  But we have a
chicken-and-egg situation.  We can't really write a test for the client without
a server, and we can't write a test for the server without a client ... something
has to come first.  Of course I could wait until I have absolutely everything
done before I commit, but then I a) run the risk of losing everything if I
have a disk crash; and b) rule out all possibility of getting any contribution
from others.

     > +(define-record-type* <krb5-realm>
     > +  krb5-realm      make-krb5-realm
     > +  krb5-realm?
     > +  (name                krb5-realm-name)
     > +
     > +  (admin-server        krb5-realm-admin-server)
     > +  (kdc                 krb5-realm-kdc)
     > +  (auth-to-local       krb5-realm-auth-to-local (default '()))
     > +  (auth-to-local-names krb5-realm-auth-to-local-names (default '()))
     > +  (http-anchors        krb5-realm-http-anchors (default '()))
     > +  (default-domain      krb5-realm-default-domain (default #f))
     > +  (kpasswd-server      krb5-realm-kpasswd-server (default #f))
     > +  (master-kdc          krb5-realm-master-kdc (default #f))
     > +  (v4-instance-convert krb5-realm-v4-instance-convert (default '()))
     > +  (v4-realm            krb5-realm-v4-realm (default #f)))
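Review bot: The fields without a default (name, admin-server, kdc) are effectively mandatory, but nothing in the record says what they hold: whether kdc takes one host or a list is not stated, and the list-valued fields are only recognisable by their '() default. A one-line header comment plus a type hint next to each field (string, list of strings, or #f when unset) would settle that, and for the fields that are later emitted one line per item, a check that rejects a bare string would catch the obvious misuse.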
     
     I find it helpful to add a one- or two-line comment above stating what
     this is, and margin comments next to the fields to give an idea of what
     their type is.
     
     Could you try something along these lines?

Again most of the info would be copied from the manpage krb5.conf(5).  I can 
do that if you think it would be useful.
     
     > +(define-syntax  guile->krb-cfg
     > +  (syntax-rules ()
     > +    ((guile->krb-cfg accessor what)
     > +     (string-map
     > +      (lambda (c) (if (eq? c #\-) #\_ c))
     > +      (string-drop (symbol->string accessor)
     > +                   (string-length what))))))
     > +
     > +(define-syntax cfg-opt-string
     > +  (syntax-rules ()
     > +    ((cfg-opt-string accessor realm)
     > +     (if (accessor realm)
     > +         (format #f "\n\t~a = ~a"
     > +                        (guile->krb-cfg 'accessor "krb5-realm-")
     > +                        (accessor realm))
     > +         ""))))
     > +
     > +
     > +;; Generates one line of text per list item
     > +(define-syntax cfg-opt-list
     > +  (syntax-rules ()
     > +    ((cfg-opt-list accessor realm)
     > +     (if (not (null? (accessor realm)))
     > +         (string-concatenate
     > +          (map (lambda (item)
     > +                 (format #f "\n\t~a = ~a"
     > +                         (guile->krb-cfg 'accessor "krb5-realm-")
     > +                         item))
     > +              (accessor realm)))
     > +     ""))))
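Review bot: guile->krb-cfg drops (string-length what) characters from the accessor name without checking that the name actually starts with what, so an accessor lacking the krb5-realm- prefix silently yields a truncated option key; a string-prefix? check that raises an error would be safer. cfg-opt-string also passes (accessor realm) through ~a unchanged, so if it is ever used for a boolean field a #t value prints as "#t" rather than "true", and a string containing a newline becomes extra lines in krb5.conf; convert booleans explicitly and reject values containing newlines or brackets before formatting. Finally, the "krb5-realm-" prefix is hard-wired at the call sites, so these macros cannot serve the [libdefaults] fields of <krb5-configuration> without duplication, which is one more argument for a single configuration API.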
     
     Would Andy's ‘define-configuration’ (in mail.scm and cups.scm) be usable
     here, possibly with some adjustments?  It has the advantage that
     configuration fields, their types, and their docstring all appear at the
     same place.  I think we should consolidate it into a single API.

I will have a look to see if I can a) understand it; and b) use it in any way.
     
     
     > +;; For explanation of these fields see man 5 krb5.conf
     > +(define-record-type* <krb5-configuration>
     > +  krb5-configuration    make-krb5-configuration
     > +  krb5-configuration?
     > +
     > +  ;; [libdefaults]
     > +  (allow-weak-crypto          krb5-configuration-allow-weak-crypto 
(default #f))
     > +  (ap-req-checksum-type       krb5-configuration-ap-req-checksum-type 
(default #f))
     > +  (canonicalize               krb5-configuration-canonicalize (default 
#f))
     > +  (ccache-type                krb5-configuration-ccache-type (default 
#f))
     > +  (clockskew                  krb5-configuration-clockskew (default #f))
     > +  (default-ccache-name        krb5-configuration-default-ccache-name 
(default #f))
     > +  (default-client-keytab-name 
krb5-configuration-default-client-keytab-name
     > +                                                                     
(default #f))
     > +  (default-keytab-name        krb5-configuration-default-keytab-name 
(default #f))
     > +  (default-realm              krb5-configuration-default-realm (default 
#f))
     > +  (default-tgs-enctypes       krb5-configuration-default-tgs-enctypes 
(default #f))
     > +  (default-tkt-enctypes       krb5-configuration-default-tkt-enctypes 
(default #f))
     > +  (dns-canonicalize-hostname  
krb5-configuration-dns-canonicalize-hostname
     > +                              (default #t))
     > +  (dns-lookup-kdc             krb5-configuration-dns-lookup-kdc
     > +                              (default #f))
     > +  (err-fmt                    krb5-configuration-err-fmt (default #f))
     > +  (extra-addresses            krb5-configuration-extra-addresses
     > +                              (default #f))
     > +  (forwardable                krb5-configuration-forwardable (default 
#t))
     > +  (ignore-acceptor-hostname   
krb5-configuration-ignore-acceptor-hostname
     > +                              (default #f))
     > +  (k5login-authoritative      krb5-configuration-k5login-authoritative 
(default #t))
     > +  (k5login-directory          krb5-configuration-k5login-directory 
(default #f))
     > +  (kcm-mach-service           krb5-configuration-kcm-mach-service
     > +                                (default "org.h5l.kcm"))
     > +  (kcm-socket                 krb5-configuration-kcm-socket
     > +                                (default 
"/var/run/.heim_org.h5l.kcm-socket"))
     > +  (kdc-default-options        krb5-configuration-kdc-default-options
     > +                                (default #f))
     > +  (kdc-timesync               krb5-configuration-kdc-timesync (default 
#t))
     > +  (kdc-req-checksum-type      krb5-configuration-kdc-req-checksum-type 
(default #f))
     > +  (noaddresses                krb5-configuration-noaddresses
     > +                               (default #f))
     > +  (permitted-enctypes         krb5-configuration-permitted-enctypes
     > +                              (default #f))
     > +  (plugin-base-dir            krb5-configuration-plugin-base-dir
     > +                                (default #f))
     > +  (preferred-preauth-types    krb5-configuration-preferred-preauth-types
     > +                              (default #f))
     > +  (proxiable                  krb5-configuration-proxiable (default #f))
     > +  (rdns                       krb5-configuration-rdns (default #t))
     > +  (realm-try-domains          krb5-configuration-realm-try-domains
     > +                               (default #f))
     > +  (renew-lifetime             krb5-configuration-renew-lifetime
     > +                              (default #f))
     > +  (safe-checksum-type         krb5-configuration-safe-checksum-type
     > +                              (default #f))
     > +  (ticket-lifetime            krb5-configuration-ticket-lifetime
     > +                              (default #f))
     > +  (udp-preference-limit       krb5-configuration-udp-preference-limit
     > +                              (default #f))
     > +  (verify-ap-req-nofail       krb5-configuration-verify-ap-req-nofail
     > +                              (default #f))
     > +
     > +  ;;[realms]
     > +  (realms                     krb5-configuration-realms)
     > +
     > +  ;;[domain_realm]
     > +  (domain-realm-map           krb5-configuration-domain-realm-map 
(default '())))
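Review bot: #f is used both as "not set" for string fields (default-realm, default-ccache-name) and as the false value of boolean fields (allow-weak-crypto, dns-lookup-kdc, proxiable), so a boolean can only be omitted or emitted as true; there is no way to write an explicit "rdns = false" or "forwardable = false" into krb5.conf to override whatever the library assumes when the key is absent. Either give the booleans a distinct "unset" marker or always emit them, and document which fields default to true here (dns-canonicalize-hostname, forwardable, k5login-authoritative, kdc-timesync, rdns), since those change the client's security behaviour. Also, the kcm-mach-service and kcm-socket defaults use h5l (Heimdal) names while the header comment points at krb5.conf(5); say which implementation this record targets.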
     
     Woow!  :-)  Please use full separate words; use question marks for
     Boolean fields.
ok.
     
     > +(define (krb5-etc-service config)
     > +  (list `("krb5.conf" ,(krb5-configuration-file config))))
     > +
     > +
     > +(define krb5-service-type
     > +  (service-type (name 'krb5)
     > +                (extensions
     > +                 (list (service-extension etc-service-type
     > +                                          krb5-etc-service)))))
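Review bot: krb5-configuration-file, which krb5-etc-service relies on, is not in the quoted hunks, so the patch as shown cannot be reviewed for what actually lands in /etc/krb5.conf; please include that definition. Since the service only extends etc-service-type, a system test of the kind suggested in this thread could simply boot the system and check that /etc/krb5.conf contains the configured default_realm and realm stanza, which needs no KDC and sidesteps the chicken-and-egg problem raised later in this mail.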
     
     So this service doesn't do anything by itself.  Perhaps it should also
     create a Shepherd service for the Kerberos daemon, or something like
     that?

Kerberos is a three-headed dog.  There is the client, the "key distribution
center", the admin server, the ticket granting server, and the application
server.  Ooops! That's 5 heads.

But this service is sufficient to get a client machine up and running and ready
to make requests and receive services from an external KDC and application server.

As you say, once we have a KDC and some simple Kerberos-enabled service in Guix,
then we can write some end-to-end tests.  It would be really great if someone
can help with those things.  In the meantime, this is a start.

J'


-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.
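An added usage example, written for this page and not taken from the patch or from John's own setup: a client-only configuration using the record types as posted. Field names follow the quoted hunks, the realm and host names are placeholders, and the module name (gnu services kerberos) is inferred from the gnu/services/kerberos.scm path in the ChangeLog entry.

```scheme
;; Added example, not from the patch: a client-only Kerberos configuration
;; for a machine that authenticates against an external KDC.  Field names
;; are those of the quoted hunks; realm and host names are placeholders.
(use-modules (gnu)                      ; service, %base-services
             (gnu services kerberos))   ; krb5-realm, krb5-configuration,
                                        ; krb5-service-type (module name
                                        ; inferred from the ChangeLog entry)

;; One realm.  The admin server and the KDC are assumed to live on the
;; same placeholder host; a real deployment would name its own servers.
(define example-realm
  (krb5-realm
   (name "EXAMPLE.ORG")
   (admin-server "kerberos.example.org")
   (kdc "kerberos.example.org")
   (default-domain "example.org")))

;; The client configuration: everything not listed keeps the defaults
;; from the posted <krb5-configuration> record, so only the realm and
;; the default realm are spelled out here.
(define krb5-client-service
  (service krb5-service-type
           (krb5-configuration
            (default-realm "EXAMPLE.ORG")
            (realms (list example-realm)))))

;; Add it to the services field of an operating-system declaration, e.g.
;;   (services (cons krb5-client-service %base-services))
;; which makes the service write /etc/krb5.conf via etc-service-type.
```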