nixpkgs/modules/config/krb5.nix

{pkgs, config, ...}:

###### interface
let
  inherit (pkgs.lib) mkOption mkIf;

  cfg = config.krb5;

  options = {
    krb5 = {

      enable = mkOption {
        default = false;
        description = "Whether to enable Kerberos V.";
      };

      defaultRealm = mkOption {
        default = "ATENA.MIT.EDU";
        description = "Default realm.";
      };

      domainRealm = mkOption {
        default = "atena.mit.edu";
        description = "Default domain realm.";
      };

      kdc = mkOption {
        default = "kerberos.mit.edu";
        description = "Kerberos Domain Controller";
      };

      kerberosAdminServer = mkOption {
        default = "kerberos.mit.edu";
        description = "Kerberos Admin Server";
      };

    };
  };
in

###### implementation

mkIf config.krb5.enable {
  require = [
    options
  ];

  environment = {
    systemPackages = [ pkgs.krb5 ];
    etc = [
      { source = pkgs.writeText "krb5.conf"
          ''
[libdefaults]
    default_realm = ${cfg.defaultRealm}
    encrypt = true

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

#   default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#   default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#   permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    ${cfg.defaultRealm} = {
        kdc = ${cfg.kdc}
        admin_server = ${cfg.kerberosAdminServer}
#        kpasswd_server = ${cfg.kerberosAdminServer}
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = vice28.fs.andrew.cmu.edu
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = vice12.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementia.org
        kdc = kerberos2.dementia.org
        admin_server = kerberos.dementia.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }

[domain_realm]
    .${cfg.domainRealm} = ${cfg.defaultRealm}
    ${cfg.domainRealm} = ${cfg.defaultRealm}
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu

[logging]
    kdc = SYSLOG:INFO:DAEMON
    admin_server = SYSLOG:INFO:DAEMON
    default = SYSLOG:INFO:DAEMON
    krb4_convert = true
    krb4_get_tickets = false


[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        max_timeout = 30
        timeout_shift = 2
        initial_timeout = 1
    }
          '';
        target = "krb5.conf";
      }
    ];
  };

}
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00			`{pkgs, config, ...}:`

			`###### interface`
			`let`
			`inherit (pkgs.lib) mkOption mkIf;`

			`cfg = config.krb5;`

			`options = {`
			`krb5 = {`

			`enable = mkOption {`
			`default = false;`
			`description = "Whether to enable Kerberos V.";`
			`};`

			`defaultRealm = mkOption {`
			`default = "ATENA.MIT.EDU";`
			`description = "Default realm.";`
			`};`

nixos: authenticate through kerberos config.krb5.enable needs to be set as true. Also use pam_ccreds to cache Kerberos credentials for offline logins. svn path=/nixos/trunk/; revision=22986 2010-08-06 08:50:48 +00:00			`domainRealm = mkOption {`
			`default = "atena.mit.edu";`
			`description = "Default domain realm.";`
			`};`

Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00			`kdc = mkOption {`
			`default = "kerberos.mit.edu";`
			`description = "Kerberos Domain Controller";`
			`};`

strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00			`kerberosAdminServer = mkOption {`
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00			`default = "kerberos.mit.edu";`
			`description = "Kerberos Admin Server";`
			`};`

			`};`
			`};`
			`in`

			`###### implementation`

			`mkIf config.krb5.enable {`
			`require = [`
			`options`
			`];`

			`environment = {`
			`systemPackages = [ pkgs.krb5 ];`
			`etc = [`
			`{ source = pkgs.writeText "krb5.conf"`
			`''`
			`[libdefaults]`
Remove tabs svn path=/nixos/trunk/; revision=21104 2010-04-15 15:47:26 +00:00			`default_realm = ${cfg.defaultRealm}`
nixos: authenticate through kerberos config.krb5.enable needs to be set as true. Also use pam_ccreds to cache Kerberos credentials for offline logins. svn path=/nixos/trunk/; revision=22986 2010-08-06 08:50:48 +00:00			`encrypt = true`
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00
			`# The following krb5.conf variables are only for MIT Kerberos.`
Remove tabs svn path=/nixos/trunk/; revision=21104 2010-04-15 15:47:26 +00:00			`krb4_config = /etc/krb.conf`
			`krb4_realms = /etc/krb.realms`
			`kdc_timesync = 1`
			`ccache_type = 4`
			`forwardable = true`
			`proxiable = true`
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00
			`# The following encryption type specification will be used by MIT Kerberos`
			`# if uncommented. In general, the defaults in the MIT Kerberos code are`
			`# correct and overriding these specifications only serves to disable new`
			`# encryption types as they are added, creating interoperability problems.`

Remove tabs svn path=/nixos/trunk/; revision=21104 2010-04-15 15:47:26 +00:00			`# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5`
			`# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5`
			`# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5`
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00
			`# The following libdefaults parameters are only for Heimdal Kerberos.`
Remove tabs svn path=/nixos/trunk/; revision=21104 2010-04-15 15:47:26 +00:00			`v4_instance_resolve = false`
			`v4_name_convert = {`
			`host = {`
			`rcmd = host`
			`ftp = ftp`
			`}`
			`plain = {`
			`something = something-else`
			`}`
			`}`
			`fcc-mit-ticketflags = true`
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00
			`[realms]`
Remove tabs svn path=/nixos/trunk/; revision=21104 2010-04-15 15:47:26 +00:00			`${cfg.defaultRealm} = {`
			`kdc = ${cfg.kdc}`
			`admin_server = ${cfg.kerberosAdminServer}`
nixos: authenticate through kerberos config.krb5.enable needs to be set as true. Also use pam_ccreds to cache Kerberos credentials for offline logins. svn path=/nixos/trunk/; revision=22986 2010-08-06 08:50:48 +00:00			`# kpasswd_server = ${cfg.kerberosAdminServer}`
Remove tabs svn path=/nixos/trunk/; revision=21104 2010-04-15 15:47:26 +00:00			`}`
			`ATHENA.MIT.EDU = {`
			`kdc = kerberos.mit.edu:88`
			`kdc = kerberos-1.mit.edu:88`
			`kdc = kerberos-2.mit.edu:88`
			`admin_server = kerberos.mit.edu`
			`default_domain = mit.edu`
			`}`
			`MEDIA-LAB.MIT.EDU = {`
			`kdc = kerberos.media.mit.edu`
			`admin_server = kerberos.media.mit.edu`
			`}`
			`ZONE.MIT.EDU = {`
			`kdc = casio.mit.edu`
			`kdc = seiko.mit.edu`
			`admin_server = casio.mit.edu`
			`}`
			`MOOF.MIT.EDU = {`
			`kdc = three-headed-dogcow.mit.edu:88`
			`kdc = three-headed-dogcow-1.mit.edu:88`
			`admin_server = three-headed-dogcow.mit.edu`
			`}`
			`CSAIL.MIT.EDU = {`
			`kdc = kerberos-1.csail.mit.edu`
			`kdc = kerberos-2.csail.mit.edu`
			`admin_server = kerberos.csail.mit.edu`
			`default_domain = csail.mit.edu`
			`krb524_server = krb524.csail.mit.edu`
			`}`
			`IHTFP.ORG = {`
			`kdc = kerberos.ihtfp.org`
			`admin_server = kerberos.ihtfp.org`
			`}`
			`GNU.ORG = {`
			`kdc = kerberos.gnu.org`
			`kdc = kerberos-2.gnu.org`
			`kdc = kerberos-3.gnu.org`
			`admin_server = kerberos.gnu.org`
			`}`
			`1TS.ORG = {`
			`kdc = kerberos.1ts.org`
			`admin_server = kerberos.1ts.org`
			`}`
			`GRATUITOUS.ORG = {`
			`kdc = kerberos.gratuitous.org`
			`admin_server = kerberos.gratuitous.org`
			`}`
			`DOOMCOM.ORG = {`
			`kdc = kerberos.doomcom.org`
			`admin_server = kerberos.doomcom.org`
			`}`
			`ANDREW.CMU.EDU = {`
			`kdc = vice28.fs.andrew.cmu.edu`
			`kdc = vice2.fs.andrew.cmu.edu`
			`kdc = vice11.fs.andrew.cmu.edu`
			`kdc = vice12.fs.andrew.cmu.edu`
			`admin_server = vice28.fs.andrew.cmu.edu`
			`default_domain = andrew.cmu.edu`
			`}`
			`CS.CMU.EDU = {`
			`kdc = kerberos.cs.cmu.edu`
			`kdc = kerberos-2.srv.cs.cmu.edu`
			`admin_server = kerberos.cs.cmu.edu`
			`}`
			`DEMENTIA.ORG = {`
			`kdc = kerberos.dementia.org`
			`kdc = kerberos2.dementia.org`
			`admin_server = kerberos.dementia.org`
			`}`
			`stanford.edu = {`
			`kdc = krb5auth1.stanford.edu`
			`kdc = krb5auth2.stanford.edu`
			`kdc = krb5auth3.stanford.edu`
			`admin_server = krb5-admin.stanford.edu`
			`default_domain = stanford.edu`
			`}`
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00
			`[domain_realm]`
nixos: authenticate through kerberos config.krb5.enable needs to be set as true. Also use pam_ccreds to cache Kerberos credentials for offline logins. svn path=/nixos/trunk/; revision=22986 2010-08-06 08:50:48 +00:00			`.${cfg.domainRealm} = ${cfg.defaultRealm}`
			`${cfg.domainRealm} = ${cfg.defaultRealm}`
Remove tabs svn path=/nixos/trunk/; revision=21104 2010-04-15 15:47:26 +00:00			`.mit.edu = ATHENA.MIT.EDU`
			`mit.edu = ATHENA.MIT.EDU`
			`.media.mit.edu = MEDIA-LAB.MIT.EDU`
			`media.mit.edu = MEDIA-LAB.MIT.EDU`
			`.csail.mit.edu = CSAIL.MIT.EDU`
			`csail.mit.edu = CSAIL.MIT.EDU`
			`.whoi.edu = ATHENA.MIT.EDU`
			`whoi.edu = ATHENA.MIT.EDU`
			`.stanford.edu = stanford.edu`
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00
nixos: authenticate through kerberos config.krb5.enable needs to be set as true. Also use pam_ccreds to cache Kerberos credentials for offline logins. svn path=/nixos/trunk/; revision=22986 2010-08-06 08:50:48 +00:00			`[logging]`
			`kdc = SYSLOG:INFO:DAEMON`
			`admin_server = SYSLOG:INFO:DAEMON`
			`default = SYSLOG:INFO:DAEMON`
Remove tabs svn path=/nixos/trunk/; revision=21104 2010-04-15 15:47:26 +00:00			`krb4_convert = true`
			`krb4_get_tickets = false`
nixos: authenticate through kerberos config.krb5.enable needs to be set as true. Also use pam_ccreds to cache Kerberos credentials for offline logins. svn path=/nixos/trunk/; revision=22986 2010-08-06 08:50:48 +00:00

			`[appdefaults]`
			`pam = {`
			`debug = false`
			`ticket_lifetime = 36000`
			`renew_lifetime = 36000`
			`max_timeout = 30`
			`timeout_shift = 2`
			`initial_timeout = 1`
			`}`
Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 2009-11-06 12:58:44 +00:00			`'';`
			`target = "krb5.conf";`
			`}`
			`];`
			`};`

			`}`