kerberos_server: allow choosing MIT or Heimdal #31832
@GrahamcOfBorg test kerberos.mit kerberos.heimdal |
Failure on aarch64-linux (full log) |
Failure on x86_64-linux (full log) |
@joachifm are there any specific changes you'd like me to make? Tests pass for me locally, and CI seems happy now. As of 13e6a5c all user binaries ( |
I think the point here was |
That makes sense - I will move the other programs back to the default output then unless there is an objection? Should there be separate 'bin' and 'lib' or 'out' and 'lib' outputs or should these go together? |
The |
@kwohlfahrt thanks for making an effort to fix this. I had some similar changes in mind that I never got around to finishing: eqyiel@4114381 I'll probably try to apply it on top of your changes at some point 😸 |
Looks okay to me. Any objections to merging? |
@GrahamcOfBorg test kerberos |
No attempt on aarch64-linux (full log) The following builds were skipped because they don't evaluate on aarch64-linux: tests.kerberos |
Looks good but we cannot test it until tests.kerberos is in release.nix
@peterhoeg this is building locally now, but Graham has an error that "target branch staging doesn't evaluate" - should I be targeting a different branch? EDIT: All I did was rebase onto the latest staging. That fixed the libdrm issue in a local build. |
Thanks for doing all this hard work! The staging part is probably due to the change to I will not be able to review this in detail in the near future - the arrival of our twins is imminent now so I'm hoping @vcunat or @FRidh (or others) will be able to dedicate the time this PR deserves. |
This is now rebased, and tests pass locally. @peterhoeg congratulations! |
e3143fe to 3c3e864
1140dae to 13e2cd3
tcpd doesn't have sbin anymore (so it was broken), and heimdal just symlinks to bin.
Don't use socket activation, as inetd is discouraged by heimdal documentation.
General cleanup before adding more options.
script causes problems for forking services like MIT Kerberos.
Allow switching out kerberos server implementation. Sharing config is probably sensible, but implementation is different enough to be worth splitting into two files. Not sure this is the correct way to split an implementation, but it works for now. Uses the switch from config.krb5 to select implementation.
Could also move kdc.conf, but this makes it inconvenient to use command line utilities with heimdal, as it would require specifying --config-file with every command.
Leave options for multiple realms for similarity to krb5, and future expansion. Currently not tested because I can't make it work and don't need it.
This contains all of the user binaries as of 13e6a5c.
The intention of the previous change was to move krb5-config to .dev (it gives the locations of headers), but it grabbed all of the user-facing binaries too. This puts them back.
This was open for too long. |
I think this closes #39424 as well. |
Motivation for this change
Allow using MIT Kerberos as a kerberos server, and add some initial configuration. Related to #29623.
This is my first PR, let me know if anything is not suitable.
As far as I can tell the upstream kerberos_server service was broken, as it expected binaries to be in sbin while they were in bin (see ab6c57e). There were previously no tests, this adds some basic smoke tests.
I'm happy to add more configurable options, I've so far just configured what I'm familiar with. In theory it should be possible to serve multiple realms from one server, but I don't need this and haven't been able to get it to work easily so it's not part of this PR.
Adding the usual set of plain-text configuration is difficult, as MIT and Heimdal take slightly different formats of options.