From 133ebbe46a431374b7d2025444cfd0643ec28c5b Mon Sep 17 00:00:00 2001
From: Dan Callaghan
Date: Mon, 25 Apr 2022 13:14:45 +1000
Subject: nixos/sssd: add an option to enable KCM support

---
 nixos/modules/services/misc/sssd.nix | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

(limited to 'nixos')

diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix
index 386281e2b7cca..873c3b7351934 100644
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -38,6 +38,15 @@ in {
           For this to work, the ssh SSS service must be enabled in the sssd configuration.
         '';
       };
+
+      kcm = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to use SSS as a Kerberos Cache Manager (KCM).
+          Kerberos will be configured to cache credentials in SSS.
+        '';
+      };
     };
   };
   config = mkMerge [
@@ -79,6 +88,28 @@ in {
       services.dbus.packages = [ pkgs.sssd ];
     })
 
+    (mkIf cfg.kcm {
+      systemd.services.sssd-kcm = {
+        description = "SSSD Kerberos Cache Manager";
+        requires = [ "sssd-kcm.socket" ];
+        serviceConfig = {
+          ExecStartPre = "-${pkgs.sssd}/bin/sssd --genconf-section=kcm";
+          ExecStart = "${pkgs.sssd}/libexec/sssd/sssd_kcm --uid 0 --gid 0";
+        };
+        restartTriggers = [
+          config.environment.etc."sssd/sssd.conf".source
+        ];
+      };
+      systemd.sockets.sssd-kcm = {
+        description = "SSSD Kerberos Cache Manager responder socket";
+        wantedBy = [ "sockets.target" ];
+        # Matches the default in MIT krb5 and Heimdal:
+        # https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/include/kcm.h#L43
+        listenStreams = [ "/var/run/.heim_org.h5l.kcm-socket" ];
+      };
+      krb5.libdefaults.default_ccache_name = "KCM:";
+    })
+
     (mkIf cfg.sshAuthorizedKeysIntegration {
       # Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
       # So indirect by a symlink.
-- 
cgit 1.4.1
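Review bot: The description of the new `kcm` option says Kerberos "will be configured" without naming what a `true` value actually touches, while the config half of this commit sets `krb5.libdefaults.default_ccache_name`, adds a system-wide socket unit and runs an extra responder; an operator reading only the option text cannot see that. I would reword it to: `Whether to run the SSSD Kerberos Cache Manager (KCM) responder on a system-wide socket. krb5.libdefaults.default_ccache_name is set to "KCM:" so that Kerberos credential caches are stored by SSSD instead of in files.` If the responder depends on services.sssd.enable (the service reads the generated sssd.conf, see the second hunk), say so here as well. The enclosing `services.sssd` option set continues outside the hunk.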
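Review bot: The `(mkIf cfg.kcm {` block is not gated on `cfg.enable`, yet its `restartTriggers` reads `config.environment.etc."sssd/sssd.conf".source`; if that etc entry is defined only under `mkIf cfg.enable` (as the rest of this module appears to do outside the hunk), `services.sssd.kcm = true` with `enable = false` fails at evaluation with an attribute-missing error rather than a clear message. Either change the guard to `(mkIf (cfg.enable && cfg.kcm) {` or add `assertions = [ { assertion = cfg.kcm -> cfg.enable; message = "services.sssd.kcm requires services.sssd.enable"; } ];` to the block. The `-` prefix on `ExecStartPre` means a failed `--genconf-section=kcm` is ignored and `sssd_kcm` starts anyway; a one-line comment such as `# "-" prefix: a failed genconf is tolerated, sssd_kcm then starts with whatever kcm section already exists` would keep the next reader from removing it or relying on it. `krb5.libdefaults.default_ccache_name = "KCM:"` is a hard definition, so any other module or host config setting a different cache name becomes a conflict; `mkDefault "KCM:"` would keep the responder running while letting an operator choose the client-side default. The enclosing `config = mkMerge [` list continues outside the hunk.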