Next: LDAP Services, Previous: Monitoring Services, Up: Services [Contents][Index]
The (gnu services kerberos)
module provides services relating to
the authentication protocol Kerberos.
Programs using a Kerberos client library normally expect a configuration file in /etc/krb5.conf. This service generates such a file from a definition provided in the operating system declaration. It does not cause any daemon to be started.
No “keytab” files are provided by this service—you must explicitly create them.
This service is known to work with the MIT client library, mit-krb5
.
Other implementations have not been tested.
A service type for Kerberos 5 clients.
Here is an example of its use:
(service krb5-service-type (krb5-configuration (default-realm "EXAMPLE.COM") (allow-weak-crypto? #t) (realms (list (krb5-realm (name "EXAMPLE.COM") (admin-server "groucho.example.com") (kdc "karl.example.com")) (krb5-realm (name "ARGRX.EDU") (admin-server "kerb-admin.argrx.edu") (kdc "keys.argrx.edu"))))))
This example provides a Kerberos 5 client configuration which:
The krb5-realm
and krb5-configuration
types have many fields.
Only the most commonly used ones are described here.
For a full list, and more detailed explanation of each, see the MIT
krb5.conf
documentation.
name
This field is a string identifying the name of the realm. A common convention is to use the fully qualified DNS name of your organization, converted to upper case.
admin-server
This field is a string identifying the host where the administration server is running.
kdc
This field is a string identifying the key distribution center for the realm.
allow-weak-crypto?
(default: #f
)If this flag is #t
then services which only offer encryption algorithms
known to be weak will be accepted.
default-realm
(default: #f
)This field should be a string identifying the default Kerberos
realm for the client.
You should set this field to the name of your Kerberos realm.
If this value is #f
then a realm must be specified with every Kerberos principal when invoking programs
such as kinit
.
realms
This should be a non-empty list of krb5-realm
objects, which clients may
access.
Normally, one of them will have a name
field matching the default-realm
field.
The pam-krb5
service allows for login authentication and password
management via Kerberos.
You will need this service if you want PAM enabled applications to authenticate
users using Kerberos.
A service type for the Kerberos 5 PAM module.
Data type representing the configuration of the Kerberos 5 PAM module. This type has the following parameters:
pam-krb5
(default: pam-krb5
)The pam-krb5 package to use.
minimum-uid
(default: 1000
)The smallest user ID for which Kerberos authentications should be attempted. Local accounts with lower values will silently fail to authenticate.
Next: LDAP Services, Previous: Monitoring Services, Up: Services [Contents][Index]