author | Mario Rodas <marsam@users.noreply.github.com> | 2022-07-30 18:52:05 -0500 |
committer | GitHub <noreply@github.com> | 2022-07-30 18:52:05 -0500 |
commit | a255355f467ee02133df71e38d4cb1a3ea479165 (patch) | |
tree | 78d9feea173e2f345b5a97e5f1a9d0e0d66295b1 /nixos | |
parent | 4a2c16fc05e8ec6b39071f82556183d8e2d0d6db (diff) | |
parent | 133ebbe46a431374b7d2025444cfd0643ec28c5b (diff) |
Merge pull request #182520 from danc86/sssd-kcm
nixos/sssd: add an option to enable KCM support
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/misc/sssd.nix | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index 386281e2b7cca..873c3b7351934 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -38,6 +38,15 @@ in { For this to work, the <literal>ssh</literal> SSS service must be enabled in the sssd configuration. ''; }; + + kcm = mkOption { + type = types.bool; + default = false; + description = '' + Whether to use SSS as a Kerberos Cache Manager (KCM). + Kerberos will be configured to cache credentials in SSS. + ''; + }; }; }; config = mkMerge [ @@ -79,6 +88,28 @@ in { services.dbus.packages = [ pkgs.sssd ]; }) + (mkIf cfg.kcm { + systemd.services.sssd-kcm = { + description = "SSSD Kerberos Cache Manager"; + requires = [ "sssd-kcm.socket" ]; + serviceConfig = { + ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm"; + ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0"; + }; + restartTriggers = [ + config.environment.etc."sssd/sssd.conf".source + ]; + }; + systemd.sockets.sssd-kcm = { + description = "SSSD Kerberos Cache Manager responder socket"; + wantedBy = [ "sockets.target" ]; + # Matches the default in MIT krb5 and Heimdal: + # https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/include/kcm.h#L43 + listenStreams = [ "/var/run/.heim_org.h5l.kcm-socket" ]; + }; + krb5.libdefaults.default_ccache_name = "KCM:"; + }) + (mkIf cfg.sshAuthorizedKeysIntegration { # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable. # So indirect by a symlink. |
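Review bot: The new `(mkIf cfg.kcm {` branch in the second hunk is not gated on `cfg.enable`, yet its `restartTriggers` dereferences `config.environment.etc."sssd/sssd.conf".source`; if that attribute is only defined under the `cfg.enable` branch (which lies outside this hunk), setting `services.sssd.kcm = true` on its own would fail evaluation, and even if it did not, the KCM socket would be listening and `default_ccache_name = "KCM:"` applied system-wide with no sssd configuration behind it. Either tighten the condition to `(mkIf (cfg.enable && cfg.kcm) {` or add an assertion that `kcm` requires `enable`. Separately, `sssd_kcm` is started as root (`--uid 0 --gid 0`) and holds every local user's Kerberos tickets, but the unit carries no systemd sandboxing; `serviceConfig` options such as `ProtectSystem`, `PrivateTmp` and `NoNewPrivileges` are worth evaluating, with the caveat that which of them the daemon tolerates for its state directory needs testing rather than assumption. The `kcm` option description could also mention that the socket is activated unconditionally via `wantedBy = [ "sockets.target" ]` once the option is set.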