Next: LDAP Services, Previous: Monitoring Services, Up: Services [Contents][Index]
The (gnu services kerberos) module provides services relating to the authentication protocol Kerberos.
Programs using a Kerberos client library normally expect a configuration file in /etc/krb5.conf. This service generates such a file from a definition provided in the operating system declaration. It does not cause any daemon to be started.
No “keytab” files are provided by this service—you must explicitly create them. This service is known to work with the MIT client library, mit-krb5. Other implementations have not been tested.
krb5-service-type is a service type for Kerberos 5 clients.
Here is an example of its use:
(service krb5-service-type
         (krb5-configuration
          (default-realm "EXAMPLE.COM")
          (allow-weak-crypto? #t)
          (realms (list
                   (krb5-realm
                    (name "EXAMPLE.COM")
                    (admin-server "groucho.example.com")
                    (kdc "karl.example.com"))
                   (krb5-realm
                    (name "ARGRX.EDU")
                    (admin-server "kerb-admin.argrx.edu")
                    (kdc "keys.argrx.edu"))))))
This example provides a Kerberos 5 client configuration which:
The krb5-realm and krb5-configuration types have many fields. Only the most commonly used ones are described here. For a full list, and a more detailed explanation of each, see the MIT krb5.conf documentation.
name
This field is a string identifying the name of the realm. A common convention is to use the fully qualified DNS name of your organization, converted to upper case.
admin-server
This field is a string identifying the host where the administration server is running.
kdc
This field is a string identifying the key distribution center for the realm.
allow-weak-crypto? (default: #f)
If this flag is #t, then services which only offer encryption algorithms known to be weak will be accepted.
default-realm (default: #f)
This field should be a string identifying the default Kerberos realm for the client. You should set this field to the name of your Kerberos realm. If this value is #f, then a realm must be specified with every Kerberos principal when invoking programs such as kinit.
realms
This should be a non-empty list of krb5-realm objects, which clients may access. Normally, one of them will have a name field matching the default-realm field.
The pam-krb5 service allows for login authentication and password management via Kerberos. You will need this service if you want PAM-enabled applications to authenticate users using Kerberos.
A service type for the Kerberos 5 PAM module.
Data type representing the configuration of the Kerberos 5 PAM module. This type has the following parameters:
pam-krb5 (default: pam-krb5)
The pam-krb5 package to use.
minimum-uid (default: 1000)
The smallest user ID for which Kerberos authentications should be attempted. Local accounts with lower values will silently fail to authenticate.
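The following is an added example, not taken from the Guix manual, that puts the client configuration and the PAM module described above together in one operating-system services list. It keeps allow-weak-crypto? at its default of #f and sets minimum-uid explicitly so that system accounts below UID 1000 never go to the KDC. The identifiers krb5-service-type, krb5-configuration and krb5-realm are the ones shown on this page; pam-krb5-service-type and pam-krb5-configuration are the corresponding names exported by (gnu services kerberos) and are assumed here, as are the hostnames and the realm name.

```scheme
;; Added example (not part of the Guix manual).  Kerberos client
;; configuration plus the PAM module, as one list of services to be
;; spliced into an operating-system declaration.
(use-modules (gnu services)
             (gnu services base)      ; %base-services
             (gnu services kerberos)) ; krb5-* and pam-krb5-* definitions

;; The Kerberos 5 client: writes /etc/krb5.conf, starts no daemon.
;; Realm and hostnames are constructed placeholders.
(define %kerberos-client
  (service krb5-service-type
           (krb5-configuration
            (default-realm "EXAMPLE.COM")
            ;; Default value; kept explicit so a reviewer can see that
            ;; services offering only weak encryption types are refused.
            (allow-weak-crypto? #f)
            (realms (list
                     (krb5-realm
                      (name "EXAMPLE.COM")
                      (admin-server "kerberos-admin.example.com")
                      (kdc "kdc.example.com")))))))

;; The Kerberos 5 PAM module: lets PAM-enabled applications authenticate
;; users against the realm above.  Service-type and configuration names
;; are assumed from (gnu services kerberos); they are not on this page.
(define %kerberos-pam
  (service pam-krb5-service-type
           (pam-krb5-configuration
            ;; Accounts with a UID below 1000 (root, daemons) are never
            ;; sent to the KDC and keep authenticating locally.
            (minimum-uid 1000))))

;; Use in an operating-system declaration:
;;   (services (append (list %kerberos-client %kerberos-pam)
;;                     %base-services))
(define %kerberos-services
  (list %kerberos-client %kerberos-pam))
```

Because default-realm is set, a user can run kinit with a bare principal name after reconfiguring; the generated /etc/krb5.conf supplies the realm. Keytab files are still not created by either service and have to be provisioned separately, as the text above notes.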