Next: LDAP Services, Previous: Monitoring Services, Up: Services [Contents][Index]
The (gnu services kerberos) module provides services relating to the authentication protocol Kerberos.
Programs using a Kerberos client library normally expect a configuration file in /etc/krb5.conf. This service generates such a file from a definition provided in the operating system declaration. It does not cause any daemon to be started.
No “keytab” files are provided by this service—you must explicitly create them.
This service is known to work with the MIT client library, mit-krb5. Other implementations have not been tested.
krb5-service-type
A service type for Kerberos 5 clients. Here is an example of its use:
(service krb5-service-type
         (krb5-configuration
          (default-realm "EXAMPLE.COM")
          (allow-weak-crypto? #t)
          (realms (list
                   (krb5-realm
                    (name "EXAMPLE.COM")
                    (admin-server "groucho.example.com")
                    (kdc "karl.example.com"))
                   (krb5-realm
                    (name "ARGRX.EDU")
                    (admin-server "kerb-admin.argrx.edu")
                    (kdc "keys.argrx.edu"))))))
This example provides a Kerberos 5 client configuration which:
The krb5-realm and krb5-configuration types have many fields. Only the most commonly used ones are described here. For a full list, and a more detailed explanation of each, see the MIT krb5.conf documentation.

Fields of krb5-realm:
name
This field is a string identifying the name of the realm. A common convention is to use the fully qualified DNS name of your organization, converted to upper case.
admin-server
This field is a string identifying the host where the administration server is running.
kdc
This field is a string identifying the key distribution center for the realm.
Fields of krb5-configuration:

allow-weak-crypto? (default: #f)
If this flag is #t then services which only offer encryption algorithms known to be weak will be accepted.
default-realm (default: #f)
This field should be a string identifying the default Kerberos realm for the client. You should set this field to the name of your Kerberos realm. If this value is #f then a realm must be specified with every Kerberos principal when invoking programs such as kinit.
realms
This should be a non-empty list of krb5-realm objects, which clients may access. Normally, one of them will have a name field matching the default-realm field.
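As an added example (not code from Guix or the page), the following Python models how the krb5-realm and krb5-configuration fields described above map onto the sections of an MIT-style /etc/krb5.conf, and checks the constraints the text states: realms must be non-empty, default-realm should name one of the listed realms, and allow-weak-crypto? is worth flagging whenever it is #t. The dataclass names, the check/render functions and the exact output layout are this example's own assumptions; Guix's actual serializer is not reproduced here.

```python
# Added example: a model of the krb5-configuration -> krb5.conf mapping,
# not Guix's own serializer. Names below are this example's assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Krb5Realm:
    """Mirrors the krb5-realm fields described above."""
    name: str          # realm name, conventionally the upper-cased DNS domain
    admin_server: str  # host running the administration server
    kdc: str           # key distribution center for the realm


@dataclass
class Krb5Configuration:
    """Mirrors the krb5-configuration fields described above."""
    realms: List[Krb5Realm]
    default_realm: Optional[str] = None  # None stands for Scheme's #f
    allow_weak_crypto: bool = False      # allow-weak-crypto? defaults to #f


def check(conf: Krb5Configuration) -> Dict[str, List[str]]:
    """Apply the constraints the text states; return errors and warnings."""
    errors: List[str] = []
    warnings: List[str] = []
    if not conf.realms:
        errors.append("realms must be a non-empty list of realms")
    names = [r.name for r in conf.realms]
    if len(set(names)) != len(names):
        errors.append("duplicate realm names")
    if conf.default_realm is None:
        warnings.append("no default-realm: a realm must be given with every "
                        "principal (e.g. for kinit)")
    elif conf.default_realm not in names:
        errors.append(f"default-realm {conf.default_realm!r} matches no realm name")
    for name in names:
        if name != name.upper():
            warnings.append(f"realm {name!r} is not upper case")
    if conf.allow_weak_crypto:
        warnings.append("allow-weak-crypto? is #t: services offering only weak "
                        "encryption types will be accepted")
    return {"errors": errors, "warnings": warnings}


def render_krb5_conf(conf: Krb5Configuration) -> str:
    """Render the declaration in MIT krb5.conf syntax ([libdefaults] + [realms])."""
    lines = ["[libdefaults]"]
    if conf.default_realm is not None:
        lines.append(f"    default_realm = {conf.default_realm}")
    if conf.allow_weak_crypto:
        lines.append("    allow_weak_crypto = true")
    lines += ["", "[realms]"]
    for r in conf.realms:
        lines += [
            f"    {r.name} = {{",
            f"        kdc = {r.kdc}",
            f"        admin_server = {r.admin_server}",
            "    }",
        ]
    return "\n".join(lines) + "\n"


# Constructed from the example declaration shown earlier on this page.
EXAMPLE = Krb5Configuration(
    default_realm="EXAMPLE.COM",
    allow_weak_crypto=True,
    realms=[
        Krb5Realm("EXAMPLE.COM", "groucho.example.com", "karl.example.com"),
        Krb5Realm("ARGRX.EDU", "kerb-admin.argrx.edu", "keys.argrx.edu"),
    ],
)

if __name__ == "__main__":
    report = check(EXAMPLE)
    for w in report["warnings"]:
        print("warning:", w)
    for e in report["errors"]:
        print("error:", e)
    print(render_krb5_conf(EXAMPLE))
```

Run as a script it prints one warning (the weak-crypto flag from the page's example is enabled) and the rendered krb5.conf for both realms; the check function is the part worth keeping in a deployment pipeline, since a default-realm that matches no realm entry or an empty realm list is a mistake the generated file will not reject on its own.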
The pam-krb5 service allows for login authentication and password management via Kerberos. You will need this service if you want PAM enabled applications to authenticate users using Kerberos.
pam-krb5-service-type
A service type for the Kerberos 5 PAM module.

pam-krb5-configuration
Data type representing the configuration of the Kerberos 5 PAM module. This type has the following parameters:
pam-krb5 (default: pam-krb5)
The pam-krb5 package to use.
minimum-uid (default: 1000)
The smallest user ID for which Kerberos authentications should be attempted. Local accounts with lower values will silently fail to authenticate.