Compare commits

...

2 Commits

Author SHA1 Message Date
noah metz 99adf5a794 Added kadmind 2023-11-30 13:55:25 -07:00
noah metz 049425aad0 Got kdc working 2023-11-30 13:52:13 -07:00
2 changed files with 67 additions and 23 deletions

@ -21,7 +21,7 @@
#:use-module (gnu packages perl) #:use-module (gnu packages perl)
#:use-module (gnu packages tcl) #:use-module (gnu packages tcl)
#:use-module (gnu packages readline) #:use-module (gnu packages readline)
#:use-module (gnu packages openldap) #:use-module (gnu packages slapd)
#:use-module (gnu services) #:use-module (gnu services)
#:use-module (gnu services shepherd) #:use-module (gnu services shepherd)
#:use-module (gnu services configuration) #:use-module (gnu services configuration)
@ -45,7 +45,7 @@
(base32 (base32
"0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky")))) "0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(native-inputs (list bison perl tcl openldap)) ;required for some tests (native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests
(inputs (list openssl readline)) (inputs (list openssl readline))
(arguments (arguments
`( ;XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call `( ;XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call
@ -63,8 +63,8 @@
"ac_cv_printf_positional=yes" "ac_cv_printf_positional=yes"
"ac_cv_file__etc_environment=yes" "ac_cv_file__etc_environment=yes"
"ac_cv_file__etc_TIMEZONE=no") "ac_cv_file__etc_TIMEZONE=no")
#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1")) #:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1" ))
'(#:configure-flags (list "--with-readline" "--with-ldap" "--localstatedir=/var"))) '(#:configure-flags (list "--with-tls-impl=openssl" "--with-readline" "--with-ldap" "--localstatedir=/var")))
#:phases (modify-phases %standard-phases #:phases (modify-phases %standard-phases
(add-after 'unpack 'enter-source-directory (add-after 'unpack 'enter-source-directory
(lambda _ (lambda _
@ -129,7 +129,7 @@ cryptography.")
(name (string "EXAMPLE.COM") "realm name" serialize-none) (name (string "EXAMPLE.COM") "realm name" serialize-none)
(database_module maybe-string "database module") (database_module maybe-string "database module")
(acl_file maybe-file-like "acl file") (acl_file maybe-file-like "acl file")
(key_stash_file maybe-string "key stash file") (key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
(kdc_ports (list-of-ports '(750 88)) (kdc_ports (list-of-ports '(750 88))
"list of ports to listen on" "list of ports to listen on"
realm-serialize-list-of-ports) realm-serialize-list-of-ports)
@ -223,6 +223,10 @@ cryptography.")
(define-configuration kdc-configuration (define-configuration kdc-configuration
(krb5 (file-like mit-krb5-ldap) "krb5 package to use" (krb5 (file-like mit-krb5-ldap) "krb5 package to use"
serialize-none) serialize-none)
(pkinit_anchors
(string "DIR:/run/current-system/profile/etc/ssl/certs/")
"CA certificate directory/file"
(serialize-field (lambda (x) x) " "))
(kdc_ports (list-of-ports '(750 88)) (kdc_ports (list-of-ports '(750 88))
"list of ports to listen on") "list of ports to listen on")
(realms (list-of-kdc-realm-configuration '()) (realms (list-of-kdc-realm-configuration '())
@ -249,14 +253,14 @@ cryptography.")
(group "kerberos") (group "kerberos")
(system? #t) (system? #t)
(comment "kdc service account") (comment "kdc service account")
(home-directory "/var/lib/krb5kdc/") (home-directory "/var/lib/kerberos/")
(shell #~(string-append #$shadow "/sbin/nologin"))))) (shell #~(string-append #$shadow "/sbin/nologin")))))
(define (kdc-activation configuration) (define (kdc-activation configuration)
#~(begin #~(begin
(let ((user (getpw "kerberos")) (let ((user (getpw "kerberos"))
(group (getgr "kerberos"))) (group (getgr "kerberos")))
(mkdir-p/perms "/var/lib/krb5kdc" user 488)))) (mkdir-p/perms "/var/lib/kerberos" user 488))))
(define (kdc-etc configuration) (define (kdc-etc configuration)
`(("kdc.conf" ,(serialize-kdc-configuration configuration)))) `(("kdc.conf" ,(serialize-kdc-configuration configuration))))
@ -265,7 +269,7 @@ cryptography.")
; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot ; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
(define (kdc-shepherd configuration) (define (kdc-shepherd configuration)
(list (shepherd-service (documentation "") (list (shepherd-service (documentation "")
(provision '(krb5kdc)) (provision '(kdc))
(requirement '(networking user-processes)) (requirement '(networking user-processes))
(start #~(make-forkexec-constructor (list #$(file-append (start #~(make-forkexec-constructor (list #$(file-append
(kdc-configuration-krb5 (kdc-configuration-krb5
@ -279,6 +283,27 @@ cryptography.")
#$(kdc-configuration-krb5 #$(kdc-configuration-krb5
configuration) configuration)
"/lib/krb5/plugins/kdb") "/lib/krb5/plugins/kdb")
"SSL_CERT_DIR=/etc/ssl/certs"
"KRB5_KDC_PROFILE=/etc/kdc.conf")
#:user "root"
#:group "root"))
(stop #~(make-kill-destructor)))
(shepherd-service (documentation "")
(provision '(kadmind))
(requirement '(networking user-processes))
(start #~(make-forkexec-constructor (list #$(file-append
(kdc-configuration-krb5
configuration)
"/sbin/kadmind")
"-nofork" "-P"
"/run/kadmind.pid")
#:environment-variables
(list (string-append
"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:"
#$(kdc-configuration-krb5
configuration)
"/lib/krb5/plugins/kdb")
"SSL_CERT_DIR=/etc/ssl/certs"
"KRB5_KDC_PROFILE=/etc/kdc.conf") "KRB5_KDC_PROFILE=/etc/kdc.conf")
#:user "root" #:user "root"
#:group "root")) #:group "root"))
@ -311,7 +336,7 @@ cryptography.")
(kldap-configuration (kldap-configuration
(ldap_kdc_dn %kerberos-dn) (ldap_kdc_dn %kerberos-dn)
(ldap_kadmind_dn %kerberos-dn) (ldap_kadmind_dn %kerberos-dn)
(ldap_servers "ldap://ldap.metznet.ca") (ldap_servers "ldaps://ldap.metznet.ca")
(ldap_service_password_file (ldap_service_password_file
(plain-file (plain-file
"service.keyfile" "service.keyfile"
@ -320,8 +345,6 @@ cryptography.")
(name "METZNET.CA") (name "METZNET.CA")
(database_module (database_module
"openldap_ldapconf") "openldap_ldapconf")
(key_stash_file
"/var/lib/krb5kdc/stash")
(default_principal_flags (default_principal_flags
"+preauth") "+preauth")
(acl_file (plain-file (acl_file (plain-file

@ -9,6 +9,7 @@
#:use-module (gnu system accounts) #:use-module (gnu system accounts)
#:use-module (gnu system shadow) #:use-module (gnu system shadow)
#:use-module (gnu system setuid) #:use-module (gnu system setuid)
#:use-module (gnu services configuration)
#:use-module (gnu system file-systems) #:use-module (gnu system file-systems)
#:use-module (gnu system) #:use-module (gnu system)
#:use-module (gnu system nss) #:use-module (gnu system nss)
@ -24,6 +25,10 @@
#:use-module (gnu services dbus) #:use-module (gnu services dbus)
#:use-module (gnu system keyboard) #:use-module (gnu system keyboard)
#:use-module (gnu packages admin) #:use-module (gnu packages admin)
#:use-module (gnu packages slapd)
#:use-module (gnu packages linux)
#:use-module (gnu packages shells) #:use-module (gnu packages shells)
#:use-module (gnu packages gnome) #:use-module (gnu packages gnome)
#:use-module (gnu packages ssh) #:use-module (gnu packages ssh)
@ -71,7 +76,7 @@
(name "root") (name "root")
(group "root") (group "root")
(uid 0) (uid 0)
(password (crypt "root" "$6$salt")) (password (crypt (or (getenv "GUIX_ROOT_PW")"root") "$6$salt"))
(shell (file-append zsh "/bin/zsh")))) %base-user-accounts)) (shell (file-append zsh "/bin/zsh")))) %base-user-accounts))
(define %metznet-base-groups (define %metznet-base-groups
@ -84,6 +89,10 @@
(define %metznet-base-packages (define %metznet-base-packages
(append (list openssh (append (list openssh
openldap-slapd
strace
git git
neovim neovim
zsh zsh
@ -136,35 +145,47 @@
(shadow services) (shadow services)
(group services)))) (group services))))
(define (pam-mkhomedir-service config) (define list-of-strings? (list-of string?))
(define-configuration/no-serialization
metznet-system-configuration
(certs (file-like le-certs) "certificate package")
(pam-services (list-of-strings (list "su" "gdm-password" "login" "sshd" "passwd")) "list of pam services to configure"))
(define (pam-mkhomedir-service configuration)
(lambda (pam) (lambda (pam)
(if (member (pam-service-name pam) config) (if (member (pam-service-name pam) (metznet-system-configuration-pam-services configuration))
(let ((required (pam-entry (control "required") (let ((required (pam-entry (control "required")
(module "pam_mkhomedir.so")))) (module "pam_mkhomedir.so"))))
(pam-service (inherit pam) (pam-service (inherit pam)
(session (cons required (session (cons required
(pam-service-account pam))))) pam))) (pam-service-account pam))))) pam)))
(define (pam-mkhomedir-services config) (define (pam-mkhomedir-services configuration)
(list (pam-mkhomedir-service config))) (list (pam-mkhomedir-service configuration)))
(define (metznet-activation config) (define (metznet-activation configuration)
#~(if (access? "/bin/zsh" F_OK) #~(if (access? "/bin/zsh" F_OK)
(display "zsh already linked") (display "zsh already linked")
(begin (begin
(display "linking zsh") (display "linking zsh")
(symlink (string-append #$zsh "/bin/zsh") "/bin/zsh")))) (symlink (string-append #$zsh "/bin/zsh") "/bin/zsh"))))
(define (metznet-etc-service configuration)
'())
(define metznet-service-type (define metznet-service-type
(service-type (name 'metznet-service) (service-type (name 'metznet-service)
(description "MetzNet Services") (description "MetzNet Services")
(extensions (list (service-extension activation-service-type (extensions (list (service-extension activation-service-type
metznet-activation) metznet-activation)
(service-extension profile-service-type
(compose list metznet-system-configuration-certs))
(service-extension etc-service-type
metznet-etc-service)
(service-extension pam-root-service-type (service-extension pam-root-service-type
pam-mkhomedir-services))) pam-mkhomedir-services)))
(default-value '()))) (default-value (metznet-system-configuration))))
(define pam-service-list
(list "su" "gdm-password" "login" "sshd" "passwd"))
(define %metznet-services (define %metznet-services
(list (service openssh-service-type (list (service openssh-service-type
@ -175,8 +196,8 @@
(pam-krb5-configuration (pam-krb5 pam-krb5) (pam-krb5-configuration (pam-krb5 pam-krb5)
(minimum-uid 1000))) (minimum-uid 1000)))
(service sssd-service-type (service sssd-service-type
(sssd-configuration (pam-services pam-service-list))) (sssd-configuration (pam-services (list "su" "gdm-password" "login" "sshd" "passwd"))))
(service metznet-service-type pam-service-list))) (service metznet-service-type)))
(define %metznet-nscd-configuration (define %metznet-nscd-configuration
(nscd-configuration (caches (append (list (nscd-cache (database 'passwd) (nscd-configuration (caches (append (list (nscd-cache (database 'passwd)