nixos: authenticate through kerberos

config.krb5.enable needs to be set as true.
Also use pam_ccreds to cache Kerberos credentials for offline logins.

svn path=/nixos/trunk/; revision=22986

modules/config/krb5.nix

@@ -6,8 +6,6 @@ let
 
   cfg = config.krb5;
 
-  #myPkgs = import /home/nixer/nix/my-expr.nix { system = "x86_64-linux"; };
-
   options = {
     krb5 = {
 
@@ -21,6 +19,11 @@ let
         description = "Default realm.";
       };
 
+      domainRealm = mkOption {
+        default = "atena.mit.edu";
+        description = "Default domain realm.";
+      };
+
       kdc = mkOption {
         default = "kerberos.mit.edu";
         description = "Kerberos Domain Controller";
@@ -49,6 +52,7 @@ mkIf config.krb5.enable {
           ''
 [libdefaults]
     default_realm = ${cfg.defaultRealm}
+    encrypt = true
 
 # The following krb5.conf variables are only for MIT Kerberos.
     krb4_config = /etc/krb.conf
@@ -84,6 +88,7 @@ mkIf config.krb5.enable {
     ${cfg.defaultRealm} = {
         kdc = ${cfg.kdc}
         admin_server = ${cfg.kerberosAdminServer}
+#        kpasswd_server = ${cfg.kerberosAdminServer}
     }
     ATHENA.MIT.EDU = {
         kdc = kerberos.mit.edu:88
@@ -162,6 +167,8 @@ mkIf config.krb5.enable {
     }
 
 [domain_realm]
+    .${cfg.domainRealm} = ${cfg.defaultRealm}
+    ${cfg.domainRealm} = ${cfg.defaultRealm}
     .mit.edu = ATHENA.MIT.EDU
     mit.edu = ATHENA.MIT.EDU
     .media.mit.edu = MEDIA-LAB.MIT.EDU
@@ -172,10 +179,23 @@ mkIf config.krb5.enable {
     whoi.edu = ATHENA.MIT.EDU
     .stanford.edu = stanford.edu
 
-[login]
+[logging]
+    kdc = SYSLOG:INFO:DAEMON
+    admin_server = SYSLOG:INFO:DAEMON
+    default = SYSLOG:INFO:DAEMON
     krb4_convert = true
     krb4_get_tickets = false
 
+
+[appdefaults]
+    pam = {
+        debug = false
+        ticket_lifetime = 36000
+        renew_lifetime = 36000
+        max_timeout = 30
+        timeout_shift = 2
+        initial_timeout = 1
+    }
           '';
         target = "krb5.conf";
       }

modules/security/pam.nix

@@ -7,7 +7,7 @@ with pkgs.lib;
 
 let
 
-  inherit (pkgs) pam_usb pam_ldap;
+  inherit (pkgs) pam_usb pam_ldap pam_krb5 pam_ccreds;
 
   otherService = pkgs.writeText "other.pam"
     ''
@@ -63,6 +63,8 @@ let
           # Account management.
           ${optionalString config.users.ldap.enable
               "account optional ${pam_ldap}/lib/security/pam_ldap.so"}
+          ${optionalString config.krb5.enable
+              "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
           account required pam_unix.so
 
           # Authentication management.
@@ -74,11 +76,18 @@ let
               "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
           auth sufficient pam_unix.so ${
             optionalString allowNullPassword "nullok"}
+          ${optionalString config.krb5.enable
+''auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
+auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
+auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
+          ''}
           auth required   pam_deny.so
 
           # Password management.
           ${optionalString config.users.ldap.enable
               "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
+          ${optionalString config.krb5.enable
+              "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
           password requisite pam_unix.so nullok sha512
           ${optionalString config.services.samba.syncPasswordsByPam
               "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
@@ -86,6 +95,8 @@ let
           # Session management.
           ${optionalString config.users.ldap.enable
               "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
+          ${optionalString config.krb5.enable
+              "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
           session required pam_unix.so
           ${optionalString ownDevices
               "session optional ${pkgs.consolekit}/lib/security/pam_ck_connector.so"}
@@ -184,7 +195,8 @@ in
     environment.systemPackages =
       # Include the PAM modules in the system path mostly for the manpages.
       [ pkgs.pam ]
-      ++ optional config.users.ldap.enable pam_ldap;
+      ++ optional config.users.ldap.enable pam_ldap
+      ++ optional config.krb5.enable [pam_krb5 pam_ccreds];
 
     environment.etc =
       map makePAMService config.security.pam.services