NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nixos/krb5: krb5 and services.kerberos_server are at odds with each other #29623

Open eqyiel opened 6 years ago

eqyiel commented 6 years ago

Issue description

Setting krb5.enable puts pkgs.krb5Full into environment.systemPackages, and setting services.kerberos_server.enable = true puts pkgs.heimdalFull into environment.systemPackages. I don't know if they can cooperate at all, but in my experience so far this is a bit of a mess because their tools (ktutil and friends) are not able to use binary keytabs created using different Kerberos implementations.

I can see what is going on and why nfs-utils can't use my keytab file but I don't think it's intuitive for people just trying to set up a Kerberos server and client using NixOS.

At the very least, the implementation used by the krb5 module should be configurable.

Right now it's not enough to just add an option for it because there are some configuration keys that are not valid for Heimdal and probably vice versa:

eqyiel@ayanami ~ % /nix/store/bhv8mw2ivda5b7ihvbcamfv87i388nna-heimdal-7.4.0/bin/verify_krb5_conf --warn-mit-syntax
verify_krb5_conf: krb5_config_parse_file: open /home/eqyiel/.krb5/config: No such file or directory
verify_krb5_conf: /libdefaults/krb4_config: unknown entry
verify_krb5_conf: /libdefaults/krb4_realms: unknown entry
verify_krb5_conf: /libdefaults/ccache_type: unknown entry
verify_krb5_conf: /realms/HOSHIJIRO.MAHER.FYI/kdc: Name or service not known (hoshijiro.lan)
verify_krb5_conf: /realms/HOSHIJIRO.MAHER.FYI/admin_server: Name or service not known (hoshijiro.lan)
verify_krb5_conf: /realms/MEDIA-LAB.MIT.EDU/kdc: Name or service not known (kerberos.media.mit.edu)
verify_krb5_conf: /realms/MEDIA-LAB.MIT.EDU/admin_server: Name or service not known (kerberos.media.mit.edu)
verify_krb5_conf: /realms/MOOF.MIT.EDU/kdc: Name or service not known (three-headed-dogcow.mit.edu)
verify_krb5_conf: /realms/MOOF.MIT.EDU/kdc: Name or service not known (three-headed-dogcow-1.mit.edu)
verify_krb5_conf: /realms/MOOF.MIT.EDU/admin_server: Name or service not known (three-headed-dogcow.mit.edu)
verify_krb5_conf: /realms/GNU.ORG/kdc: Name or service not known (kerberos.gnu.org)
verify_krb5_conf: /realms/GNU.ORG/kdc: Name or service not known (kerberos-2.gnu.org)
verify_krb5_conf: /realms/GNU.ORG/kdc: Name or service not known (kerberos-3.gnu.org)
verify_krb5_conf: /realms/GNU.ORG/admin_server: Name or service not known (kerberos.gnu.org)
verify_krb5_conf: /realms/GRATUITOUS.ORG/kdc: Name or service not known (kerberos.gratuitous.org)
verify_krb5_conf: /realms/GRATUITOUS.ORG/admin_server: Name or service not known (kerberos.gratuitous.org)
verify_krb5_conf: /realms/DOOMCOM.ORG/kdc: Name or service not known (kerberos.doomcom.org)
verify_krb5_conf: /realms/DOOMCOM.ORG/admin_server: Name or service not known (kerberos.doomcom.org)
verify_krb5_conf: /realms/ANDREW.CMU.EDU/kdc: Name or service not known (vice12.fs.andrew.cmu.edu)
verify_krb5_conf: /realms/DEMENTIA.ORG/kdc: Name or service not known (kerberos.dementia.org)
verify_krb5_conf: /realms/DEMENTIA.ORG/kdc: Name or service not known (kerberos2.dementia.org)
verify_krb5_conf: /realms/DEMENTIA.ORG/admin_server: Name or service not known (kerberos.dementia.org)
verify_krb5_conf: /logging/krb4_convert: unknown log type: "true"
verify_krb5_conf: /logging/krb4_get_tickets: unknown log type: "false"
verify_krb5_conf: /appdefaults/pam/debug: unknown or wrong type
verify_krb5_conf: /appdefaults/pam/max_timeout: unknown or wrong type
verify_krb5_conf: /appdefaults/pam/timeout_shift: unknown or wrong type
verify_krb5_conf: /appdefaults/pam/initial_timeout: unknown or wrong type

(Also what's the deal with the krb5 module? Is this how services used to be specified in NixOS? Why not services.krb5?)

Steps to reproduce

On the client:

krb5 = {
  enable = true;
  defaultRealm = "SERVER.LAN";
  domainRealm = "SERVER.LAN";
  kdc = "server.lan";
  kerberosAdminServer = "server.lan";
};

networking.extraHosts = ''
   xxx.xxx.xxx.xxx server.lan
   127.0.0.1       client.lan
'';

On the server:

krb5 = {
  enable = true;
  defaultRealm = "SERVER.LAN";
  domainRealm = "SERVER.LAN";
  kdc = "server.lan";
  kerberosAdminServer = "server.lan";
};

networking.extraHosts = ''
   xxx.xxx.xxx.xxx client.lan
   127.0.0.1       server.lan
'';

services.kerberos_server.enable = true;

Observe that:

Technical details
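The report above hinges on the client and server tooling disagreeing about binary keytabs. When diagnosing that kind of mismatch it helps to look at what a keytab actually contains, independently of either implementation's ktutil. The following is an added example (not code from this issue or from nixpkgs): a small parser and writer for the version-2 (0x0502) keytab format that MIT-derived tools use, with a constructed sample entry for a hypothetical nfs/client.lan@SERVER.LAN principal. The dump deliberately prints the entry metadata (principal, kvno, enctype, key length) and never the key bytes, which is what you want from a diagnostic that may end up in a ticket or a log.

```python
"""Parse and write Kerberos keytab files (version 2, magic 0x0502).

Added example for diagnosing keytab interoperability problems; the
sample entry and key bytes below are constructed, not real credentials.
"""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"  # version-2 keytab; every integer is big-endian


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]   # e.g. ["nfs", "client.lan"]
    name_type: int          # 1 = KRB5_NT_PRINCIPAL
    timestamp: int          # seconds since epoch when the entry was written
    kvno: int               # key version number
    enctype: int            # e.g. 18 = aes256-cts-hmac-sha1-96
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _read_counted(buf: bytes, pos: int):
    """Read a uint16 length-prefixed byte string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry in a version-2 keytab, skipping deleted holes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError(f"unsupported keytab version {data[:2].hex()}")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a hole left by a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno extension overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry(realm.decode(), comps, name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Encode entries into a version-2 keytab, always emitting the 32-bit kvno."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        body = bytearray(struct.pack(">H", len(e.components)))
        body += struct.pack(">H", len(e.realm)) + e.realm.encode()
        for c in e.components:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def dump(entries: List[KeytabEntry]) -> str:
    """Render entries like `klist -k` would, without exposing key material."""
    lines = ["KVNO Principal"]
    for e in entries:
        lines.append(f"{e.kvno:4d} {e.principal} (enctype {e.enctype}, "
                     f"{len(e.key)}-byte key, timestamp {e.timestamp})")
    return "\n".join(lines)


# Constructed sample: a service key for the hypothetical NFS client from the report.
SAMPLE_ENTRY = KeytabEntry(realm="SERVER.LAN", components=["nfs", "client.lan"],
                           name_type=1, timestamp=1506000000, kvno=3,
                           enctype=18, key=bytes(range(32)))

if __name__ == "__main__":
    print(dump(parse_keytab(build_keytab([SAMPLE_ENTRY]))))
```

To inspect a real file, replace `build_keytab([SAMPLE_ENTRY])` with the bytes read from `/etc/krb5.keytab`; if the parser raises on the magic or the entries come out with nonsense sizes, the file is not in this format, which is the first thing to establish before blaming either Kerberos implementation.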

eqyiel commented 6 years ago

I wonder if it would be useful to have something like this so that people can select a Kerberos implementation for the whole system? https://github.com/NixOS/nixpkgs/blob/bd545892332ede39cd5c1c0ba26e7101b0d2c971/nixos/modules/config/no-x-libs.nix

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

danc86 commented 2 years ago

I can confirm this was indeed fixed by the linked PRs. If you configure both Kerberos client and KDC, you will get MIT for both out of the box (I have this on my systems) and can switch them both to Heimdal if desired.