nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-26 07:34:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
0f73a33f7e
nixpkgs/nixos/modules/services/system/kerberos/kerberos-server.md
h7x4 195d155a1c
nixos/kerberos_server: use krb format generator, plus misc cleanup 
- Introduce more possible options by using the krb format generator.
- Enforce package choice is using a correct package.
- Use meta attribute to decide implementation, allows for overriding the
  package.
- Make necessary changes to the format, to allow for multiple ACL files in
  heimdal.
- Add systemd target and slice for both implementations.
- Move state to `/var/lib`
- Add documentation
2024-06-08 23:29:53 +02:00

2.3 KiB
Raw Blame History

kerberos_server

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

This module provides both the MIT and Heimdal implementations of the a Kerberos server.

Usage

To enable a Kerberos server:

{
  security.krb5 = {
    # Here you can choose between the MIT and Heimdal implementations.
    package = pkgs.krb5;
    # package = pkgs.heimdal;

    # Optionally set up a client on the same machine as the server
    enable = true;
    settings = {
      libdefaults.default_realm = "EXAMPLE.COM";
      realms."EXAMPLE.COM" = {
        kdc = "kerberos.example.com";
        admin_server = "kerberos.example.com";
      };
    };
  }

  services.kerberos-server = {
    enable = true;
    settings = {
      realms."EXAMPLE.COM" = {
        acl = [{ principal = "adminuser"; access=  ["add" "cpw"]; }];
      };
    };
  };
}

Notes

  • The Heimdal documentation will sometimes assume that state is stored in /var/heimdal, but this module uses /var/lib/heimdal instead.
  • Due to the heimdal implementation being chosen through security.krb5.package, it is not possible to have a system with one implementation of the client and another of the server.
  • While services.kerberos_server.settings has a common freeform type between the two implementations, the actual settings that can be set can vary between the two implementations. To figure out what settings are available, you should consult the upstream documentation for the implementation you are using.

Upstream Documentation

Note the version number in the URLs, it may be different for the latest version.