Merge pull request #30014 from eqyiel/krb5-fixes

nixos/krb5: complete rewrite

authored by

Jörg Thalheim and committed by
GitHub
0b18fa4f 5562181d

+527 -207
-206
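--- a/nixos/modules/config/krb5.nix
+++ /dev/null
@@ -1,206 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  cfg = config.krb5;
-
-in
-
-{
-  ###### interface
-
-  options = {
-
-    krb5 = {
-
-      enable = mkOption {
-        default = false;
-        description = "Whether to enable Kerberos V.";
-      };
-
-      defaultRealm = mkOption {
-        default = "ATENA.MIT.EDU";
-        description = "Default realm.";
-      };
-
-      domainRealm = mkOption {
-        default = "atena.mit.edu";
-        description = "Default domain realm.";
-      };
-
-      kdc = mkOption {
-        default = "kerberos.mit.edu";
-        description = "Key Distribution Center";
-      };
-
-      kerberosAdminServer = mkOption {
-        default = "kerberos.mit.edu";
-        description = "Kerberos Admin Server.";
-      };
-
-    };
-
-  };
-
-  ###### implementation
-
-  config = mkIf config.krb5.enable {
-
-    environment.systemPackages = [ pkgs.krb5Full ];
-
-    environment.etc."krb5.conf".text =
-      ''
-        [libdefaults]
-            default_realm = ${cfg.defaultRealm}
-            encrypt = true
-
-            # The following krb5.conf variables are only for MIT Kerberos.
-            krb4_config = /etc/krb.conf
-            krb4_realms = /etc/krb.realms
-            kdc_timesync = 1
-            ccache_type = 4
-            forwardable = true
-            proxiable = true
-
-            # The following encryption type specification will be used by MIT Kerberos
-            # if uncommented. In general, the defaults in the MIT Kerberos code are
-            # correct and overriding these specifications only serves to disable new
-            # encryption types as they are added, creating interoperability problems.
-
-            # default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-            # default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-            # permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-
-            # The following libdefaults parameters are only for Heimdal Kerberos.
-            v4_instance_resolve = false
-            v4_name_convert = {
-                host = {
-                    rcmd = host
-                    ftp = ftp
-                }
-                plain = {
-                    something = something-else
-                }
-            }
-            fcc-mit-ticketflags = true
-
-        [realms]
-            ${cfg.defaultRealm} = {
-                kdc = ${cfg.kdc}
-                admin_server = ${cfg.kerberosAdminServer}
-                #kpasswd_server = ${cfg.kerberosAdminServer}
-            }
-            ATHENA.MIT.EDU = {
-                kdc = kerberos.mit.edu:88
-                kdc = kerberos-1.mit.edu:88
-                kdc = kerberos-2.mit.edu:88
-                admin_server = kerberos.mit.edu
-                default_domain = mit.edu
-            }
-            MEDIA-LAB.MIT.EDU = {
-                kdc = kerberos.media.mit.edu
-                admin_server = kerberos.media.mit.edu
-            }
-            ZONE.MIT.EDU = {
-                kdc = casio.mit.edu
-                kdc = seiko.mit.edu
-                admin_server = casio.mit.edu
-            }
-            MOOF.MIT.EDU = {
-                kdc = three-headed-dogcow.mit.edu:88
-                kdc = three-headed-dogcow-1.mit.edu:88
-                admin_server = three-headed-dogcow.mit.edu
-            }
-            CSAIL.MIT.EDU = {
-                kdc = kerberos-1.csail.mit.edu
-                kdc = kerberos-2.csail.mit.edu
-                admin_server = kerberos.csail.mit.edu
-                default_domain = csail.mit.edu
-                krb524_server = krb524.csail.mit.edu
-            }
-            IHTFP.ORG = {
-                kdc = kerberos.ihtfp.org
-                admin_server = kerberos.ihtfp.org
-            }
-            GNU.ORG = {
-                kdc = kerberos.gnu.org
-                kdc = kerberos-2.gnu.org
-                kdc = kerberos-3.gnu.org
-                admin_server = kerberos.gnu.org
-            }
-            1TS.ORG = {
-                kdc = kerberos.1ts.org
-                admin_server = kerberos.1ts.org
-            }
-            GRATUITOUS.ORG = {
-                kdc = kerberos.gratuitous.org
-                admin_server = kerberos.gratuitous.org
-            }
-            DOOMCOM.ORG = {
-                kdc = kerberos.doomcom.org
-                admin_server = kerberos.doomcom.org
-            }
-            ANDREW.CMU.EDU = {
-                kdc = vice28.fs.andrew.cmu.edu
-                kdc = vice2.fs.andrew.cmu.edu
-                kdc = vice11.fs.andrew.cmu.edu
-                kdc = vice12.fs.andrew.cmu.edu
-                admin_server = vice28.fs.andrew.cmu.edu
-                default_domain = andrew.cmu.edu
-            }
-            CS.CMU.EDU = {
-                kdc = kerberos.cs.cmu.edu
-                kdc = kerberos-2.srv.cs.cmu.edu
-                admin_server = kerberos.cs.cmu.edu
-            }
-            DEMENTIA.ORG = {
-                kdc = kerberos.dementia.org
-                kdc = kerberos2.dementia.org
-                admin_server = kerberos.dementia.org
-            }
-            stanford.edu = {
-                kdc = krb5auth1.stanford.edu
-                kdc = krb5auth2.stanford.edu
-                kdc = krb5auth3.stanford.edu
-                admin_server = krb5-admin.stanford.edu
-                default_domain = stanford.edu
-            }
-
-        [domain_realm]
-            .${cfg.domainRealm} = ${cfg.defaultRealm}
-            ${cfg.domainRealm} = ${cfg.defaultRealm}
-            .mit.edu = ATHENA.MIT.EDU
-            mit.edu = ATHENA.MIT.EDU
-            .exchange.mit.edu = EXCHANGE.MIT.EDU
-            exchange.mit.edu = EXCHANGE.MIT.EDU
-            .media.mit.edu = MEDIA-LAB.MIT.EDU
-            media.mit.edu = MEDIA-LAB.MIT.EDU
-            .csail.mit.edu = CSAIL.MIT.EDU
-            csail.mit.edu = CSAIL.MIT.EDU
-            .whoi.edu = ATHENA.MIT.EDU
-            whoi.edu = ATHENA.MIT.EDU
-            .stanford.edu = stanford.edu
-
-        [logging]
-            kdc = SYSLOG:INFO:DAEMON
-            admin_server = SYSLOG:INFO:DAEMON
-            default = SYSLOG:INFO:DAEMON
-            krb4_convert = true
-            krb4_get_tickets = false
-
-        [appdefaults]
-            pam = {
-                debug = false
-                ticket_lifetime = 36000
-                renew_lifetime = 36000
-                max_timeout = 30
-                timeout_shift = 2
-                initial_timeout = 1
-            }
-      '';
-
-    };
-
-}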
+367
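--- /dev/null
+++ b/nixos/modules/config/krb5/default.nix
@@ -0,0 +1,367 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.krb5;
+
+  # This is to provide support for old configuration options (as much as is
+  # reasonable). This can be removed after 18.03 was released.
+  defaultConfig = {
+    libdefaults = optionalAttrs (cfg.defaultRealm != null)
+      { default_realm = cfg.defaultRealm; };
+
+    realms = optionalAttrs (lib.all (value: value != null) [
+      cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer
+    ]) {
+      "${cfg.defaultRealm}" = {
+        kdc = cfg.kdc;
+        admin_server = cfg.kerberosAdminServer;
+      };
+    };
+
+    domain_realm = optionalAttrs (lib.all (value: value != null) [
+      cfg.domainRealm cfg.defaultRealm
+    ]) {
+      ".${cfg.domainRealm}" = cfg.defaultRealm;
+      "${cfg.domainRealm}" = cfg.defaultRealm;
+    };
+  };
+
+  mergedConfig = (recursiveUpdate defaultConfig {
+    inherit (config.krb5)
+      kerberos libdefaults realms domain_realm capaths appdefaults plugins
+      extraConfig config;
+  });
+
+  filterEmbeddedMetadata = value: if isAttrs value then
+    (filterAttrs
+      (attrName: attrValue: attrName != "_module" && attrValue != null)
+      value)
+    else value;
+
+  mkIndent = depth: concatStrings (builtins.genList (_: " ") (2 * depth));
+
+  mkRelation = name: value: "${name} = ${mkVal { inherit value; }}";
+
+  mkVal = { value, depth ? 0 }:
+    if (value == true) then "true"
+    else if (value == false) then "false"
+    else if (isInt value) then (toString value)
+    else if (isList value) then
+      concatMapStringsSep " " mkVal { inherit value depth; }
+    else if (isAttrs value) then
+      (concatStringsSep "\n${mkIndent (depth + 1)}"
+        ([ "{" ] ++ (mapAttrsToList
+          (attrName: attrValue: let
+            mappedAttrValue = mkVal {
+              value = attrValue;
+              depth = depth + 1;
+            };
+          in "${attrName} = ${mappedAttrValue}")
+          value))) + "\n${mkIndent depth}}"
+    else value;
+
+  mkMappedAttrsOrString = value: concatMapStringsSep "\n"
+    (line: if builtins.stringLength line > 0
+      then "${mkIndent 1}${line}"
+      else line)
+    (splitString "\n"
+      (if isAttrs value then
+        concatStringsSep "\n"
+          (mapAttrsToList mkRelation value)
+        else value));
+
+in {
+
+  ###### interface
+
+  options = {
+    krb5 = {
+      enable = mkEnableOption "Whether to enable Kerberos V.";
+
+      kerberos = mkOption {
+        type = types.package;
+        default = pkgs.krb5Full;
+        defaultText = "pkgs.krb5Full";
+        example = literalExample "pkgs.heimdalFull";
+        description = ''
+          The Kerberos implementation that will be present in
+          <literal>environment.systemPackages</literal> after enabling this
+          service.
+        '';
+      };
+
+      libdefaults = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        apply = attrs: filterEmbeddedMetadata attrs;
+        example = literalExample ''
+          {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+        '';
+        description = ''
+          Settings used by the Kerberos V5 library.
+        '';
+      };
+
+      realms = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = "athena.mit.edu";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = "Realm-specific contact information and settings.";
+      };
+
+      domain_realm = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "example.com" = "EXAMPLE.COM";
+            ".example.com" = "EXAMPLE.COM";
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Map of server hostnames to Kerberos realms.
+        '';
+      };
+
+      capaths = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "ATHENA.MIT.EDU" = {
+              "EXAMPLE.COM" = ".";
+            };
+            "EXAMPLE.COM" = {
+              "ATHENA.MIT.EDU" = ".";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Authentication paths for non-hierarchical cross-realm authentication.
+        '';
+      };
+
+      appdefaults = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            pam = {
+              debug = false;
+              ticket_lifetime = 36000;
+              renew_lifetime = 36000;
+              max_timeout = 30;
+              timeout_shift = 2;
+              initial_timeout = 1;
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Settings used by some Kerberos V5 applications.
+        '';
+      };
+
+      plugins = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            ccselect = {
+              disable = "k5identity";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Controls plugin module registration.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = with types; nullOr lines;
+        default = null;
+        example = ''
+          [logging]
+            kdc = SYSLOG:NOTICE
+            admin_server = SYSLOG:NOTICE
+            default = SYSLOG:NOTICE
+        '';
+        description = ''
+          These lines go to the end of <literal>krb5.conf</literal> verbatim.
+          <literal>krb5.conf</literal> may include any of the relations that are
+          valid for <literal>kdc.conf</literal> (see <literal>man
+          kdc.conf</literal>), but it is not a recommended practice.
+        '';
+      };
+
+      config = mkOption {
+        type = with types; nullOr lines;
+        default = null;
+        example = ''
+          [libdefaults]
+            default_realm = EXAMPLE.COM
+
+          [realms]
+            EXAMPLE.COM = {
+              admin_server = kerberos.example.com
+              kdc = kerberos.example.com
+              default_principal_flags = +preauth
+            }
+
+          [domain_realm]
+            example.com = EXAMPLE.COM
+            .example.com = EXAMPLE.COM
+
+          [logging]
+            kdc = SYSLOG:NOTICE
+            admin_server = SYSLOG:NOTICE
+            default = SYSLOG:NOTICE
+        '';
+        description = ''
+          Verbatim <literal>krb5.conf</literal> configuration. Note that this
+          is mutually exclusive with configuration via
+          <literal>libdefaults</literal>, <literal>realms</literal>,
+          <literal>domain_realm</literal>, <literal>capaths</literal>,
+          <literal>appdefaults</literal>, <literal>plugins</literal> and
+          <literal>extraConfig</literal> configuration options. Consult
+          <literal>man krb5.conf</literal> for documentation.
+        '';
+      };
+
+      defaultRealm = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "ATHENA.MIT.EDU";
+        description = ''
+          DEPRECATED, please use
+          <literal>krb5.libdefaults.default_realm</literal>.
+        '';
+      };
+
+      domainRealm = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "athena.mit.edu";
+        description = ''
+          DEPRECATED, please create a map of server hostnames to Kerberos realms
+          in <literal>krb5.domain_realm</literal>.
+        '';
+      };
+
+      kdc = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "kerberos.mit.edu";
+        description = ''
+          DEPRECATED, please pass a <literal>kdc</literal> attribute to a realm
+          in <literal>krb5.realms</literal>.
+        '';
+      };
+
+      kerberosAdminServer = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "kerberos.mit.edu";
+        description = ''
+          DEPRECATED, please pass an <literal>admin_server</literal> attribute
+          to a realm in <literal>krb5.realms</literal>.
+        '';
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ cfg.kerberos ];
+
+    environment.etc."krb5.conf".text = if isString cfg.config
+      then cfg.config
+      else (''
+        [libdefaults]
+        ${mkMappedAttrsOrString mergedConfig.libdefaults}
+
+        [realms]
+        ${mkMappedAttrsOrString mergedConfig.realms}
+
+        [domain_realm]
+        ${mkMappedAttrsOrString mergedConfig.domain_realm}
+
+        [capaths]
+        ${mkMappedAttrsOrString mergedConfig.capaths}
+
+        [appdefaults]
+        ${mkMappedAttrsOrString mergedConfig.appdefaults}
+
+        [plugins]
+        ${mkMappedAttrsOrString mergedConfig.plugins}
+      '' + optionalString (mergedConfig.extraConfig != null)
+        ("\n" + mergedConfig.extraConfig));
+
+    warnings = flatten [
+      (optional (cfg.defaultRealm != null) ''
+        The option krb5.defaultRealm is deprecated, please use
+        krb5.libdefaults.default_realm.
+      '')
+      (optional (cfg.domainRealm != null) ''
+        The option krb5.domainRealm is deprecated, please use krb5.domain_realm.
+      '')
+      (optional (cfg.kdc != null) ''
+        The option krb5.kdc is deprecated, please pass a kdc attribute to a
+        realm in krb5.realms.
+      '')
+      (optional (cfg.kerberosAdminServer != null) ''
+        The option krb5.kerberosAdminServer is deprecated, please pass an
+        admin_server attribute to a realm in krb5.realms.
+      '')
+    ];
+
+    assertions = [
+      { assertion = !((builtins.any (value: value != null) [
+          cfg.defaultRealm cfg.domainRealm cfg.kdc cfg.kerberosAdminServer
+        ]) && ((builtins.any (value: value != {}) [
+          cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
+          cfg.appdefaults cfg.plugins
+        ]) || (builtins.any (value: value != null) [
+          cfg.config cfg.extraConfig
+        ])));
+        message = ''
+          Configuration of krb5.conf by deprecated options is mutually exclusive
+          with configuration by section. Please migrate your config using the
+          attributes suggested in the warnings.
+        '';
+      }
+      { assertion = !(cfg.config != null
+          && ((builtins.any (value: value != {}) [
+            cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
+            cfg.appdefaults cfg.plugins
+          ]) || (builtins.any (value: value != null) [
+            cfg.extraConfig cfg.defaultRealm cfg.domainRealm cfg.kdc
+            cfg.kerberosAdminServer
+          ])));
+        message = ''
+          Configuration of krb5.conf using krb.config is mutually exclusive with
+          configuration by section. If you want to mix the two, you can pass
+          lines to any configuration section or lines to krb5.extraConfig.
+        '';
+      }
+    ];
+  };
+}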
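Review bot: The list branch of `mkVal` at line 53 cannot evaluate: `concatMapStringsSep " " mkVal { inherit value depth; }` passes `mkVal` each raw element as its argument and hands the attrset `{ inherit value depth; }` to `map` as the list, so any list-valued relation (an enctype list under `libdefaults`, say) aborts evaluation instead of rendering space-separated; it should read `concatMapStringsSep " " (v: mkVal { value = v; inherit depth; }) value`. Neither new test sets a list value, so nothing exercises that path. The second assertion's message at line 360 names the option `krb.config`; it should read `krb5.config`. The deprecated-option shim at lines 15-17 only emits a realm when all three of `defaultRealm`, `kdc` and `kerberosAdminServer` are set, so a configuration that sets only two of them gets an empty `[realms]` section and nothing beyond the generic deprecation warnings; either a dedicated warning for that case or emitting the realm with whichever attributes are non-null would make the migration path less surprising.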
+1 -1
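--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -9,7 +9,7 @@
   ./config/fonts/ghostscript.nix
   ./config/gnu.nix
   ./config/i18n.nix
-  ./config/krb5.nix
+  ./config/krb5/default.nix
   ./config/ldap.nix
   ./config/networking.nix
   ./config/no-x-libs.nix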
+5
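--- /dev/null
+++ b/nixos/tests/krb5/default.nix
@@ -0,0 +1,5 @@
+{ system ? builtins.currentSystem }:
+{
+  example-config = import ./example-config.nix { inherit system; };
+  deprecated-config = import ./deprecated-config.nix { inherit system; };
+}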
+48
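--- /dev/null
+++ b/nixos/tests/krb5/deprecated-config.nix
@@ -0,0 +1,48 @@
+# Verifies that the configuration suggested in deprecated example values
+# will result in the expected output.
+
+import ../make-test.nix ({ pkgs, ...} : {
+  name = "krb5-with-deprecated-config";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ eqyiel ];
+  };
+
+  machine =
+    { config, pkgs, ... }: {
+      krb5 = {
+        enable = true;
+        defaultRealm = "ATHENA.MIT.EDU";
+        domainRealm = "athena.mit.edu";
+        kdc = "kerberos.mit.edu";
+        kerberosAdminServer = "kerberos.mit.edu";
+      };
+    };
+
+  testScript =
+    let snapshot = pkgs.writeText "krb5-with-deprecated-config.conf" ''
+      [libdefaults]
+        default_realm = ATHENA.MIT.EDU
+
+      [realms]
+        ATHENA.MIT.EDU = {
+          admin_server = kerberos.mit.edu
+          kdc = kerberos.mit.edu
+        }
+
+      [domain_realm]
+        .athena.mit.edu = ATHENA.MIT.EDU
+        athena.mit.edu = ATHENA.MIT.EDU
+
+      [capaths]
+
+
+      [appdefaults]
+
+
+      [plugins]
+
+    '';
+    in ''
+      $machine->succeed("diff /etc/krb5.conf ${snapshot}");
+    '';
+})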
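Review bot: The deprecated-config test only covers the case where all four deprecated options are set together (lines 14-17), which is the single combination the module's compatibility shim handles completely; the partial case of `defaultRealm` plus `kdc` without `kerberosAdminServer`, where the shim emits no realm at all, has no snapshot. A second machine or variant with `kerberosAdminServer` omitted would pin whatever behaviour is intended there. The snapshot also bakes in the two blank lines after each empty section header (lines 36-43), so a pure whitespace change in the renderer fails this test with no functional regression; diffing after collapsing blank lines would make it less brittle.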
+106
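--- /dev/null
+++ b/nixos/tests/krb5/example-config.nix
@@ -0,0 +1,106 @@
+# Verifies that the configuration suggested in (non-deprecated) example values
+# will result in the expected output.
+
+import ../make-test.nix ({ pkgs, ...} : {
+  name = "krb5-with-example-config";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ eqyiel ];
+  };
+
+  machine =
+    { config, pkgs, ... }: {
+      krb5 = {
+        enable = true;
+        kerberos = pkgs.krb5Full;
+        libdefaults = {
+          default_realm = "ATHENA.MIT.EDU";
+        };
+        realms = {
+          "ATHENA.MIT.EDU" = {
+            admin_server = "athena.mit.edu";
+            kdc = "athena.mit.edu";
+          };
+        };
+        domain_realm = {
+          "example.com" = "EXAMPLE.COM";
+          ".example.com" = "EXAMPLE.COM";
+        };
+        capaths = {
+          "ATHENA.MIT.EDU" = {
+            "EXAMPLE.COM" = ".";
+          };
+          "EXAMPLE.COM" = {
+            "ATHENA.MIT.EDU" = ".";
+          };
+        };
+        appdefaults = {
+          pam = {
+            debug = false;
+            ticket_lifetime = 36000;
+            renew_lifetime = 36000;
+            max_timeout = 30;
+            timeout_shift = 2;
+            initial_timeout = 1;
+          };
+        };
+        plugins = {
+          ccselect = {
+            disable = "k5identity";
+          };
+        };
+        extraConfig = ''
+          [logging]
+            kdc = SYSLOG:NOTICE
+            admin_server = SYSLOG:NOTICE
+            default = SYSLOG:NOTICE
+        '';
+      };
+    };
+
+  testScript =
+    let snapshot = pkgs.writeText "krb5-with-example-config.conf" ''
+      [libdefaults]
+        default_realm = ATHENA.MIT.EDU
+
+      [realms]
+        ATHENA.MIT.EDU = {
+          admin_server = athena.mit.edu
+          kdc = athena.mit.edu
+        }
+
+      [domain_realm]
+        .example.com = EXAMPLE.COM
+        example.com = EXAMPLE.COM
+
+      [capaths]
+        ATHENA.MIT.EDU = {
+          EXAMPLE.COM = .
+        }
+        EXAMPLE.COM = {
+          ATHENA.MIT.EDU = .
+        }
+
+      [appdefaults]
+        pam = {
+          debug = false
+          initial_timeout = 1
+          max_timeout = 30
+          renew_lifetime = 36000
+          ticket_lifetime = 36000
+          timeout_shift = 2
+        }
+
+      [plugins]
+        ccselect = {
+          disable = k5identity
+        }
+
+      [logging]
+        kdc = SYSLOG:NOTICE
+        admin_server = SYSLOG:NOTICE
+        default = SYSLOG:NOTICE
+    '';
+    in ''
+      $machine->succeed("diff /etc/krb5.conf ${snapshot}");
+    '';
+})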