(gnu services kerberos) module provides services relating to the
authentication protocol Kerberos.
Programs using a Kerberos client library normally expect a configuration file in /etc/krb5.conf. This service generates such a file from a definition provided in the operating system declaration. It does not cause any daemon to be started.
No “keytab” files are provided by this service—you must explicitly
create them. This service is known to work with the MIT client library,
mit-krb5. Other implementations have not been tested.
A service type for Kerberos 5 clients.
Here is an example of its use:
(service krb5-service-type (krb5-configuration (default-realm "EXAMPLE.COM") (allow-weak-crypto? #t) (realms (list (krb5-realm (name "EXAMPLE.COM") (admin-server "groucho.example.com") (kdc "karl.example.com")) (krb5-realm (name "ARGRX.EDU") (admin-server "kerb-admin.argrx.edu") (kdc "keys.argrx.edu"))))))
This example provides a Kerberos 5 client configuration which:
krb5-configuration types have many fields.
Only the most commonly used ones are described here. For a full list, and
more detailed explanation of each, see the MIT
This field is a string identifying the name of the realm. A common convention is to use the fully qualified DNS name of your organization, converted to upper case.
This field is a string identifying the host where the administration server is running.
This field is a string identifying the key distribution center for the realm.
If this flag is
#t then services which only offer encryption
algorithms known to be weak will be accepted.
This field should be a string identifying the default Kerberos realm for the
client. You should set this field to the name of your Kerberos realm. If
this value is
#f then a realm must be specified with every Kerberos
principal when invoking programs such as
This should be a non-empty list of
krb5-realm objects, which clients
may access. Normally, one of them will have a
name field matching
pam-krb5 service allows for login authentication and password
management via Kerberos. You will need this service if you want PAM enabled
applications to authenticate users using Kerberos.
A service type for the Kerberos 5 PAM module.
Data type representing the configuration of the Kerberos 5 PAM module. This type has the following parameters:
The pam-krb5 package to use.
The smallest user ID for which Kerberos authentications should be attempted. Local accounts with lower values will silently fail to authenticate.