From ae23b68ee8bed66d29d0ed573e91d9afaaae1a7e Mon Sep 17 00:00:00 2001 From: Marco Maggesi Date: Fri, 6 Nov 2009 12:58:44 +0000 Subject: [PATCH] Add configurations for MIT kerberos. svn path=/nixos/trunk/; revision=18203 --- modules/config/krb5.nix | 185 ++++++++++++++++++++++++++++++++++++++++ modules/module-list.nix | 1 + 2 files changed, 186 insertions(+) create mode 100644 modules/config/krb5.nix
diff --git a/modules/config/krb5.nix b/modules/config/krb5.nix
new file mode 100644
index 000000000000..960ef8500840
--- /dev/null
+++ b/modules/config/krb5.nix
@@ -0,0 +1,185 @@
+{pkgs, config, ...}:
+
+###### interface
+let
+ inherit (pkgs.lib) mkOption mkIf;
+
+ cfg = config.krb5;
+
+ #myPkgs = import /home/nixer/nix/my-expr.nix { system = "x86_64-linux"; };
+
+ options = {
+ krb5 = {
+
+ enable = mkOption {
+ default = false;
+ description = "Whether to enable Kerberos V.";
+ };
+
+ defaultRealm = mkOption {
+ default = "ATENA.MIT.EDU";
+ description = "Default realm.";
+ };
+
+ kdc = mkOption {
+ default = "kerberos.mit.edu";
+ description = "Kerberos Domain Controller";
+ };
+
+ kerberosAdminServer = mkOption {
+ default = "kerberos.mit.edu";
+ description = "Kerberos Admin Server";
+ };
+
+ };
+ };
+in
+
+###### implementation
+
+mkIf config.krb5.enable {
+ require = [
+ options
+ ];
+
+ environment = {
+ systemPackages = [ pkgs.krb5 ];
+ etc = [
+ { source = pkgs.writeText "krb5.conf"
+ ''
+[libdefaults]
+ default_realm = ${cfg.defaultRealm}
+
+# The following krb5.conf variables are only for MIT Kerberos.
+ krb4_config = /etc/krb.conf
+ krb4_realms = /etc/krb.realms
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented. In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+
+# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
+# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
+# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+ v4_instance_resolve = false
+ v4_name_convert = {
+ host = {
+ rcmd = host
+ ftp = ftp
+ }
+ plain = {
+ something = something-else
+ }
+ }
+ fcc-mit-ticketflags = true
+
+[realms]
+ ${cfg.defaultRealm} = {
+ kdc = ${cfg.kdc}
+ admin_server = ${cfg.kerberosAdminServer}
+ }
+ ATHENA.MIT.EDU = {
+ kdc = kerberos.mit.edu:88
+ kdc = kerberos-1.mit.edu:88
+ kdc = kerberos-2.mit.edu:88
+ admin_server = kerberos.mit.edu
+ default_domain = mit.edu
+ }
+ MEDIA-LAB.MIT.EDU = {
+ kdc = kerberos.media.mit.edu
+ admin_server = kerberos.media.mit.edu
+ }
+ ZONE.MIT.EDU = {
+ kdc = casio.mit.edu
+ kdc = seiko.mit.edu
+ admin_server = casio.mit.edu
+ }
+ MOOF.MIT.EDU = {
+ kdc = three-headed-dogcow.mit.edu:88
+ kdc = three-headed-dogcow-1.mit.edu:88
+ admin_server = three-headed-dogcow.mit.edu
+ }
+ CSAIL.MIT.EDU = {
+ kdc = kerberos-1.csail.mit.edu
+ kdc = kerberos-2.csail.mit.edu
+ admin_server = kerberos.csail.mit.edu
+ default_domain = csail.mit.edu
+ krb524_server = krb524.csail.mit.edu
+ }
+ IHTFP.ORG = {
+ kdc = kerberos.ihtfp.org
+ admin_server = kerberos.ihtfp.org
+ }
+ GNU.ORG = {
+ kdc = kerberos.gnu.org
+ kdc = kerberos-2.gnu.org
+ kdc = kerberos-3.gnu.org
+ admin_server = kerberos.gnu.org
+ }
+ 1TS.ORG = {
+ kdc = kerberos.1ts.org
+ admin_server = kerberos.1ts.org
+ }
+ GRATUITOUS.ORG = {
+ kdc = kerberos.gratuitous.org
+ admin_server = kerberos.gratuitous.org
+ }
+ DOOMCOM.ORG = {
+ kdc = kerberos.doomcom.org
+ admin_server = kerberos.doomcom.org
+ }
+ ANDREW.CMU.EDU = {
+ kdc = vice28.fs.andrew.cmu.edu
+ kdc = vice2.fs.andrew.cmu.edu
+ kdc = vice11.fs.andrew.cmu.edu
+ kdc = vice12.fs.andrew.cmu.edu
+ admin_server = vice28.fs.andrew.cmu.edu
+ default_domain = andrew.cmu.edu
+ }
+ CS.CMU.EDU = {
+ kdc = kerberos.cs.cmu.edu
+ kdc = kerberos-2.srv.cs.cmu.edu
+ admin_server = kerberos.cs.cmu.edu
+ }
+ DEMENTIA.ORG = {
+ kdc = kerberos.dementia.org
+ kdc = kerberos2.dementia.org
+ admin_server = kerberos.dementia.org
+ }
+ stanford.edu = {
+ kdc = krb5auth1.stanford.edu
+ kdc = krb5auth2.stanford.edu
+ kdc = krb5auth3.stanford.edu
+ admin_server = krb5-admin.stanford.edu
+ default_domain = stanford.edu
+ }
+
+[domain_realm]
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+ .media.mit.edu = MEDIA-LAB.MIT.EDU
+ media.mit.edu = MEDIA-LAB.MIT.EDU
+ .csail.mit.edu = CSAIL.MIT.EDU
+ csail.mit.edu = CSAIL.MIT.EDU
+ .whoi.edu = ATHENA.MIT.EDU
+ whoi.edu = ATHENA.MIT.EDU
+ .stanford.edu = stanford.edu
+
+[login]
+ krb4_convert = true
+ krb4_get_tickets = false
+
+ '';
+ target = "krb5.conf";
+ }
+ ];
+ };
+
+}
diff --git a/modules/module-list.nix b/modules/module-list.nix
index 4addbda5760b..dc20fa605c4b 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -1,5 +1,6 @@ [ ./config/fonts.nix ./config/i18n.nix + ./config/krb5.nix ./config/ldap.nix ./config/networking.nix ./config/no-x-libs.nix
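Review bot: The `defaultRealm` default `"ATENA.MIT.EDU"` looks like a misspelling of ATHENA.MIT.EDU — the `[realms]` and `[domain_realm]` entries in the same file use ATHENA.MIT.EDU, and the default `kdc`/`kerberosAdminServer` value kerberos.mit.edu is that realm's server — so the generated `${cfg.defaultRealm} = { kdc = ${cfg.kdc} ... }` stanza defines a realm ATENA.MIT.EDU whose KDC presumably serves a different realm, and default-realm requests would fail; the fix is `default = "ATHENA.MIT.EDU";`. Relatedly, once defaultRealm names a realm that is already hard-coded in `[realms]` (ATHENA.MIT.EDU included, after the typo is fixed), krb5.conf ends up with two stanzas for the same realm; either skip the generated stanza in that case or trim the hard-coded list. None of the four options declares a `type`, so whatever value is given is interpolated unchecked into /etc/krb5.conf; a string type from `pkgs.lib.types` would at least reject non-string values. `forwardable = true` and `proxiable = true` are set unconditionally in `[libdefaults]`, which makes every ticket forwardable by default and widens what a compromised service host can do with a delegated TGT — worth a comment stating that this is intended, or exposing it as an option. The commented-out `#myPkgs = import /home/nixer/...` line is a leftover from local testing and should be removed.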