


noah metz 99adf5a794 Added kadmind 2023-11-30 13:55:25 -07:00
noah metz 049425aad0 Got kdc working 2023-11-30 13:52:13 -07:00
2 changed files with 67 additions and 23 deletions

@ -21,7 +21,7 @@
#:use-module (gnu packages perl)
#:use-module (gnu packages tcl)
#:use-module (gnu packages readline)
#:use-module (gnu packages openldap)
#:use-module (gnu packages slapd)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu services configuration)
@ -45,7 +45,7 @@
(base32
"0bz16sh0vgzlpy2kx5acmpyy181hl83a1alz7wbk06457kfjn0ky"))))
(build-system gnu-build-system)
(native-inputs (list bison perl tcl openldap)) ;required for some tests
(native-inputs (list bison perl tcl openldap-slapd)) ;required for some tests
(inputs (list openssl readline))
(arguments
`( ;XXX: On 32-bit systems, 'kdb5_util' hangs on an fcntl/F_SETLKW call
@ -64,7 +64,7 @@
"ac_cv_file__etc_environment=yes"
"ac_cv_file__etc_TIMEZONE=no")
#:make-flags (list "CFLAGS+=-DDESTRUCTOR_ATTR_WORKS=1" ))
'(#:configure-flags (list "--with-readline" "--with-ldap" "--localstatedir=/var")))
'(#:configure-flags (list "--with-tls-impl=openssl" "--with-readline" "--with-ldap" "--localstatedir=/var")))
#:phases (modify-phases %standard-phases
(add-after 'unpack 'enter-source-directory
(lambda _
@ -129,7 +129,7 @@ cryptography.")
(name (string "EXAMPLE.COM") "realm name" serialize-none)
(database_module maybe-string "database module")
(acl_file maybe-file-like "acl file")
(key_stash_file maybe-string "key stash file")
(key_stash_file (string "/var/lib/kerberos/stash") "key stash file")
(kdc_ports (list-of-ports '(750 88))
"list of ports to listen on"
realm-serialize-list-of-ports)
@ -223,6 +223,10 @@ cryptography.")
(define-configuration kdc-configuration
(krb5 (file-like mit-krb5-ldap) "krb5 package to use"
serialize-none)
(pkinit_anchors
(string "DIR:/run/current-system/profile/etc/ssl/certs/")
"CA certificate directory/file"
(serialize-field (lambda (x) x) " "))
(kdc_ports (list-of-ports '(750 88))
"list of ports to listen on")
(realms (list-of-kdc-realm-configuration '())
@ -249,14 +253,14 @@ cryptography.")
(group "kerberos")
(system? #t)
(comment "kdc service account")
(home-directory "/var/lib/krb5kdc/")
(home-directory "/var/lib/kerberos/")
(shell #~(string-append #$shadow "/sbin/nologin")))))
(define (kdc-activation configuration)
#~(begin
(let ((user (getpw "kerberos"))
(group (getgr "kerberos")))
(mkdir-p/perms "/var/lib/krb5kdc" user 488))))
(mkdir-p/perms "/var/lib/kerberos" user 488))))
(define (kdc-etc configuration)
`(("kdc.conf" ,(serialize-kdc-configuration configuration))))
@ -265,7 +269,7 @@ cryptography.")
; TODO: have to stash the KDC master key with `KRB5_KDC_PROFILE=/etc/kdc.conf kdb5_util stash` on first boot
(define (kdc-shepherd configuration)
(list (shepherd-service (documentation "")
(provision '(krb5kdc))
(provision '(kdc))
(requirement '(networking user-processes))
(start #~(make-forkexec-constructor (list #$(file-append
(kdc-configuration-krb5
@ -279,6 +283,27 @@ cryptography.")
#$(kdc-configuration-krb5
configuration)
"/lib/krb5/plugins/kdb")
"SSL_CERT_DIR=/etc/ssl/certs"
"KRB5_KDC_PROFILE=/etc/kdc.conf")
#:user "root"
#:group "root"))
(stop #~(make-kill-destructor)))
(shepherd-service (documentation "")
(provision '(kadmind))
(requirement '(networking user-processes))
(start #~(make-forkexec-constructor (list #$(file-append
(kdc-configuration-krb5
configuration)
"/sbin/kadmind")
"-nofork" "-P"
"/run/kadmind.pid")
#:environment-variables
(list (string-append
"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:"
#$(kdc-configuration-krb5
configuration)
"/lib/krb5/plugins/kdb")
"SSL_CERT_DIR=/etc/ssl/certs"
"KRB5_KDC_PROFILE=/etc/kdc.conf")
#:user "root"
#:group "root"))
@ -311,7 +336,7 @@ cryptography.")
(kldap-configuration
(ldap_kdc_dn %kerberos-dn)
(ldap_kadmind_dn %kerberos-dn)
(ldap_servers "ldap://ldap.metznet.ca")
(ldap_servers "ldaps://ldap.metznet.ca")
(ldap_service_password_file
(plain-file
"service.keyfile"
@ -320,8 +345,6 @@ cryptography.")
(name "METZNET.CA")
(database_module
"openldap_ldapconf")
(key_stash_file
"/var/lib/krb5kdc/stash")
(default_principal_flags
"+preauth")
(acl_file (plain-file
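Review bot: The new kadmind shepherd-service runs as root (`#:user "root"` / `#:group "root"` at the end of its start form) even though the commit creates a dedicated `kerberos` system account and, in kdc-activation, hands `/var/lib/kerberos` to it; kadmind is a network-facing daemon that only needs the profile, the stash under `/var/lib/kerberos` and the LDAP service password file, so `#:user "kerberos"` and `#:group "kerberos"` (with the stash and key file readable by that account) would avoid a needless root daemon, and the same applies to the kdc service above it. Separately, the environment entry is built from the literal string `"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:"`; make-forkexec-constructor execs the program without a shell, so as far as I can tell `${LD_LIBRARY_PATH}` is never expanded and ends up as a relative library search path resolved against the daemon's working directory — `(string-append "LD_LIBRARY_PATH=" #$(kdc-configuration-krb5 configuration) "/lib/krb5/plugins/kdb")` is sufficient. The kadmind `requirement` names only `networking` and `user-processes`; since the realm's database_module is openldap_ldapconf, it should also list the LDAP server's provision if slapd runs on the same system, otherwise kadmind starts before its database is reachable. The kadmind service form and the enclosing kdc-shepherd definition continue past the end of the hunk.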

@ -9,6 +9,7 @@
#:use-module (gnu system accounts)
#:use-module (gnu system shadow)
#:use-module (gnu system setuid)
#:use-module (gnu services configuration)
#:use-module (gnu system file-systems)
#:use-module (gnu system)
#:use-module (gnu system nss)
@ -24,6 +25,10 @@
#:use-module (gnu services dbus)
#:use-module (gnu system keyboard)
#:use-module (gnu packages admin)
#:use-module (gnu packages slapd)
#:use-module (gnu packages linux)
#:use-module (gnu packages shells)
#:use-module (gnu packages gnome)
#:use-module (gnu packages ssh)
@ -71,7 +76,7 @@
(name "root")
(group "root")
(uid 0)
(password (crypt "root" "$6$salt"))
(password (crypt (or (getenv "GUIX_ROOT_PW")"root") "$6$salt"))
(shell (file-append zsh "/bin/zsh")))) %base-user-accounts))
(define %metznet-base-groups
@ -84,6 +89,10 @@
(define %metznet-base-packages
(append (list openssh
openldap-slapd
strace
git
neovim
zsh
@ -136,35 +145,47 @@
(shadow services)
(group services))))
(define (pam-mkhomedir-service config)
(define list-of-strings? (list-of string?))
(define-configuration/no-serialization
metznet-system-configuration
(certs (file-like le-certs) "certificate package")
(pam-services (list-of-strings (list "su" "gdm-password" "login" "sshd" "passwd")) "list of pam services to configure"))
(define (pam-mkhomedir-service configuration)
(lambda (pam)
(if (member (pam-service-name pam) config)
(if (member (pam-service-name pam) (metznet-system-configuration-pam-services configuration))
(let ((required (pam-entry (control "required")
(module "pam_mkhomedir.so"))))
(pam-service (inherit pam)
(session (cons required
(pam-service-account pam))))) pam)))
(define (pam-mkhomedir-services config)
(list (pam-mkhomedir-service config)))
(define (pam-mkhomedir-services configuration)
(list (pam-mkhomedir-service configuration)))
(define (metznet-activation config)
(define (metznet-activation configuration)
#~(if (access? "/bin/zsh" F_OK)
(display "zsh already linked")
(begin
(display "linking zsh")
(symlink (string-append #$zsh "/bin/zsh") "/bin/zsh"))))
(define (metznet-etc-service configuration)
'())
(define metznet-service-type
(service-type (name 'metznet-service)
(description "MetzNet Services")
(extensions (list (service-extension activation-service-type
metznet-activation)
(service-extension profile-service-type
(compose list metznet-system-configuration-certs))
(service-extension etc-service-type
metznet-etc-service)
(service-extension pam-root-service-type
pam-mkhomedir-services)))
(default-value '())))
(define pam-service-list
(list "su" "gdm-password" "login" "sshd" "passwd"))
(default-value (metznet-system-configuration))))
(define %metznet-services
(list (service openssh-service-type
@ -175,8 +196,8 @@
(pam-krb5-configuration (pam-krb5 pam-krb5)
(minimum-uid 1000)))
(service sssd-service-type
(sssd-configuration (pam-services pam-service-list)))
(service metznet-service-type pam-service-list)))
(sssd-configuration (pam-services (list "su" "gdm-password" "login" "sshd" "passwd"))))
(service metznet-service-type)))
(define %metznet-nscd-configuration
(nscd-configuration (caches (append (list (nscd-cache (database 'passwd)