Open eqyiel opened 6 years ago
I wonder if it would be useful to have something like this so that people can select a Kerberos implementation for the whole system? https://github.com/NixOS/nixpkgs/blob/bd545892332ede39cd5c1c0ba26e7101b0d2c971/nixos/modules/config/no-x-libs.nix
Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
I can confirm this was indeed fixed by the linked PRs. If you configure both Kerberos client and KDC, you will get MIT for both out of the box (I have this on my systems) and can switch them both to Heimdal if desired.
Issue description
Setting krb5.enable puts pkgs.krb5Full into environment.systemPackages, and setting services.kerberos_server.enable = true puts pkgs.heimdalFull into environment.systemPackages. I don't know if they can cooperate at all, but in my experience so far this is a bit of a mess because their tools (ktutil and friends) are not able to use binary keytabs created using different Kerberos implementations.
I can see what is going on and why nfs-utils can't use my keytab file but I don't think it's intuitive for people just trying to set up a Kerberos server and client using NixOS.
At the very least, the implementation used by the krb5 module should be configurable.
Right now it's not enough to just add an option for it because there are some configuration keys that are not valid for Heimdal and probably vice versa:
(Also what's the deal with the krb5 module? Is this how services used to be specified in NixOS? Why not services.krb5?)
Steps to reproduce
On the client:
On the server:
Observe that:
ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host
Technical details