guix-devel

Re: [PATCH] gnu: Add kerberos service.


From: Ludovic Courtès
Subject: Re: [PATCH] gnu: Add kerberos service.
Date: Fri, 18 Nov 2016 23:51:16 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hello!

John Darrington <address@hidden> writes:

> * gnu/services/kerberos.scm (krb5-realm, krb5-configuration,
> krb5-service-type): New variables.

Could you add documentation in guix.texi, along with an example of how
to use it?

I very strongly encourage you to write a system test for this as well.
Essentially, it’s just about writing down in a file a test that you’ve
already run anyway.  I’m happy to help if needed.  The main ideas are
described in
<https://www.gnu.org/software/guix/news/guixsd-system-tests.html>.

(I think this will become a requirement for future patches.  :-))

> +(define-record-type* <krb5-realm>
> +  krb5-realm      make-krb5-realm
> +  krb5-realm?
> +  (name                krb5-realm-name)
> +
> +  (admin-server        krb5-realm-admin-server)
> +  (kdc                 krb5-realm-kdc)
> +  (auth-to-local       krb5-realm-auth-to-local (default '()))
> +  (auth-to-local-names krb5-realm-auth-to-local-names (default '()))
> +  (http-anchors        krb5-realm-http-anchors (default '()))
> +  (default-domain      krb5-realm-default-domain (default #f))
> +  (kpasswd-server      krb5-realm-kpasswd-server (default #f))
> +  (master-kdc          krb5-realm-master-kdc (default #f))
> +  (v4-instance-convert krb5-realm-v4-instance-convert (default '()))
> +  (v4-realm            krb5-realm-v4-realm (default #f)))
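
Review bot: `v4-instance-convert` and `v4-realm` at the end of `<krb5-realm>` are compatibility settings for the obsolete Kerberos 4; unless someone needs them, I would drop both rather than carry them in a new service. Separately, `name`, `admin-server` and `kdc` have no default and are therefore mandatory, which deserves a comment, and the empty line after `(name krb5-realm-name)` looks accidental.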

I find it helpful to add a one- or two-line comment above stating what
this is, and margin comments next to the fields to give an idea of what
their type is.

Could you try something along these lines?

> +(define-syntax  guile->krb-cfg
> +  (syntax-rules ()
> +    ((guile->krb-cfg accessor what)
> +     (string-map
> +      (lambda (c) (if (eq? c #\-) #\_ c))
> +      (string-drop (symbol->string accessor)
> +                   (string-length what))))))
> +
> +(define-syntax cfg-opt-string
> +  (syntax-rules ()
> +    ((cfg-opt-string accessor realm)
> +     (if (accessor realm)
> +         (format #f "\n\t~a = ~a"
> +                        (guile->krb-cfg 'accessor "krb5-realm-")
> +                        (accessor realm))
> +         ""))))
> +
> +
> +;; Generates one line of text per list item
> +(define-syntax cfg-opt-list
> +  (syntax-rules ()
> +    ((cfg-opt-list accessor realm)
> +     (if (not (null? (accessor realm)))
> +         (string-concatenate
> +          (map (lambda (item)
> +                 (format #f "\n\t~a = ~a"
> +                         (guile->krb-cfg 'accessor "krb5-realm-")
> +                         item))
> +              (accessor realm)))
> +     ""))))
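
Review bot: both `cfg-opt-string` and `cfg-opt-list` write the field value into the file with `(format #f "\n\t~a = ~a" ...)` and no check on its type or content, so a string that contains a newline would silently add extra directives to the generated krb5.conf; validating the value before formatting would make such mistakes fail at build time instead. In `guile->krb-cfg`, `(eq? c #\-)` should be `char=?`, since `eq?` on characters is not guaranteed by the standard, and that macro can be an ordinary procedure because it only receives a symbol and a string.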

Would Andy’s ‘define-configuration’ (in mail.scm and cups.scm) be usable
here, possibly with some adjustments?  It has the advantage that
configuration fields, their types, and their docstring all appear at the
same place.  I think we should consolidate it into a single API.

If not, please mind the naming convention (info "(guix) Formatting
Code"), and use ‘define-syntax-rule’ for macros with a single pattern.

Perhaps pass the whole file through M-x indent-region to fix
inconsistencies.

> +;; For explanation of these fields see man 5 krb5.conf
> +(define-record-type* <krb5-configuration>
> +  krb5-configuration    make-krb5-configuration
> +  krb5-configuration?
> +
> +  ;; [libdefaults]
> +  (allow-weak-crypto          krb5-configuration-allow-weak-crypto (default 
> #f))
> +  (ap-req-checksum-type       krb5-configuration-ap-req-checksum-type 
> (default #f))
> +  (canonicalize               krb5-configuration-canonicalize (default #f))
> +  (ccache-type                krb5-configuration-ccache-type (default #f))
> +  (clockskew                  krb5-configuration-clockskew (default #f))
> +  (default-ccache-name        krb5-configuration-default-ccache-name 
> (default #f))
> +  (default-client-keytab-name krb5-configuration-default-client-keytab-name
> +                                                                     
> (default #f))
> +  (default-keytab-name        krb5-configuration-default-keytab-name 
> (default #f))
> +  (default-realm              krb5-configuration-default-realm (default #f))
> +  (default-tgs-enctypes       krb5-configuration-default-tgs-enctypes 
> (default #f))
> +  (default-tkt-enctypes       krb5-configuration-default-tkt-enctypes 
> (default #f))
> +  (dns-canonicalize-hostname  krb5-configuration-dns-canonicalize-hostname
> +                              (default #t))
> +  (dns-lookup-kdc             krb5-configuration-dns-lookup-kdc
> +                              (default #f))
> +  (err-fmt                    krb5-configuration-err-fmt (default #f))
> +  (extra-addresses            krb5-configuration-extra-addresses
> +                              (default #f))
> +  (forwardable                krb5-configuration-forwardable (default #t))
> +  (ignore-acceptor-hostname   krb5-configuration-ignore-acceptor-hostname
> +                              (default #f))
> +  (k5login-authoritative      krb5-configuration-k5login-authoritative 
> (default #t))
> +  (k5login-directory          krb5-configuration-k5login-directory (default 
> #f))
> +  (kcm-mach-service           krb5-configuration-kcm-mach-service
> +                                (default "org.h5l.kcm"))
> +  (kcm-socket                 krb5-configuration-kcm-socket
> +                                (default 
> "/var/run/.heim_org.h5l.kcm-socket"))
> +  (kdc-default-options        krb5-configuration-kdc-default-options
> +                                (default #f))
> +  (kdc-timesync               krb5-configuration-kdc-timesync (default #t))
> +  (kdc-req-checksum-type      krb5-configuration-kdc-req-checksum-type 
> (default #f))
> +  (noaddresses                krb5-configuration-noaddresses
> +                               (default #f))
> +  (permitted-enctypes         krb5-configuration-permitted-enctypes
> +                              (default #f))
> +  (plugin-base-dir            krb5-configuration-plugin-base-dir
> +                                (default #f))
> +  (preferred-preauth-types    krb5-configuration-preferred-preauth-types
> +                              (default #f))
> +  (proxiable                  krb5-configuration-proxiable (default #f))
> +  (rdns                       krb5-configuration-rdns (default #t))
> +  (realm-try-domains          krb5-configuration-realm-try-domains
> +                               (default #f))
> +  (renew-lifetime             krb5-configuration-renew-lifetime
> +                              (default #f))
> +  (safe-checksum-type         krb5-configuration-safe-checksum-type
> +                              (default #f))
> +  (ticket-lifetime            krb5-configuration-ticket-lifetime
> +                              (default #f))
> +  (udp-preference-limit       krb5-configuration-udp-preference-limit
> +                              (default #f))
> +  (verify-ap-req-nofail       krb5-configuration-verify-ap-req-nofail
> +                              (default #f))
> +
> +  ;;[realms]
> +  (realms                     krb5-configuration-realms)
> +
> +  ;;[domain_realm]
> +  (domain-realm-map           krb5-configuration-domain-realm-map (default 
> '())))
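
Review bot: the Boolean fields mix `(default #t)` (`forwardable`, `rdns`, `kdc-timesync`, `dns-canonicalize-hostname`, `k5login-authoritative`) with `(default #f)`, and if they are serialized with the same convention as `cfg-opt-string` above, where `#f` means "emit nothing", there is no way to ask for an explicit `rdns = false` or `forwardable = false`. A distinct "unset" default would fix that and keep `#t`/`#f` for what the user actually requests. Under that same convention the string defaults of `kcm-mach-service` and `kcm-socket` would be written into every generated file, and `kcm-mach-service` is a macOS-only setting, so `(default #f)` seems the better choice for both.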

Woow!  :-)  Please use full separate words; use question marks for
Boolean fields.

> +(define (krb5-etc-service config)
> +  (list `("krb5.conf" ,(krb5-configuration-file config))))
> +
> +
> +(define krb5-service-type
> +  (service-type (name 'krb5)
> +                (extensions
> +                 (list (service-extension etc-service-type
> +                                          krb5-etc-service)))))
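
Review bot: in `krb5-etc-service`, whatever `krb5-configuration-file` returns is handed to `etc-service-type`, so the file lives in the store and is readable by every user. A comment above `krb5-service-type` should state that the configuration record must hold only non-secret settings (paths to keytabs, never key material), and the two consecutive blank lines before `krb5-service-type` can be reduced to one.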

So this service doesn’t do anything by itself.  Perhaps it should also
create a Shepherd service for the Kerberos daemon, or something like
that?

Thank you!

Ludo’.


