(gnu services kerberos) module provides services relating to
the authentication protocol Kerberos.
Programs using a Kerberos client library normally expect a configuration file in /etc/krb5.conf. This service generates such a file from a definition provided in the operating system declaration. It does not cause any daemon to be started.
No “keytab” files are provided by this service—you must explicitly create them.
This service is known to work with the MIT client library,
Other implementations have not been tested.
A service type for Kerberos 5 clients.
Here is an example of its use:
(service krb5-service-type (krb5-configuration (default-realm "EXAMPLE.COM") (allow-weak-crypto? #t) (realms (list (krb5-realm (name "EXAMPLE.COM") (admin-server "groucho.example.com") (kdc "karl.example.com")) (krb5-realm (name "ARGRX.EDU") (admin-server "kerb-admin.argrx.edu") (kdc "keys.argrx.edu"))))))
This example provides a Kerberos 5 client configuration which:
krb5-configuration types have many fields.
Only the most commonly used ones are described here.
For a full list, and more detailed explanation of each, see the MIT
This field is a string identifying the name of the realm. A common convention is to use the fully qualified DNS name of your organization, converted to upper case.
This field is a string identifying the host where the administration server is running.
This field is a string identifying the key distribution center for the realm.
If this flag is
#t then services which only offer encryption algorithms
known to be weak will be accepted.
This field should be a string identifying the default Kerberos
realm for the client.
You should set this field to the name of your Kerberos realm.
If this value is
then a realm must be specified with every Kerberos principal when invoking programs
This should be a non-empty list of
krb5-realm objects, which clients may
Normally, one of them will have a
name field matching the
pam-krb5 service allows for login authentication and password
management via Kerberos.
You will need this service if you want PAM enabled applications to authenticate
users using Kerberos.
A service type for the Kerberos 5 PAM module.
Data type representing the configuration of the Kerberos 5 PAM module This type has the following parameters:
The pam-krb5 package to use.
The smallest user ID for which Kerberos authentications should be attempted. Local accounts with lower values will silently fail to authenticate.