From 8b6a73f73d0227f539b2dbf172e18389de431922 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Wed, 26 Feb 2020 21:41:38 +0100
Subject: [PATCH] nix/os/devices/steveej-t480s-work: krb5 redhat setup
---
 nix/os/devices/steveej-t480s-work/system.nix | 41 ++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix
index 99ef011..c68cb26 100644
--- a/nix/os/devices/steveej-t480s-work/system.nix
+++ b/nix/os/devices/steveej-t480s-work/system.nix
@@ -94,4 +94,45 @@ in {
 services.xserver.videoDrivers = [ "modesetting" ];
 boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
+
+ krb5 = {
+ enable = true;
+ config = let
+ pkinit_crt = pkgs.fetchurl {
+ url = "https://password.corp.redhat.com/ipa.crt";
+ sha256 = "0cflhkb7szzlakjmz2rmw8l8j5jqsyy2rl7ciclmi5fdfjrrx1cd";
+ };
+ in ''
+ [libdefaults]
+ default_realm = IPA.REDHAT.COM
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
+ rdns = false
+ dns_canonicalize_hostname = true
+ ticket_lifetime = 24h
+ forwardable = true
+ udp_preference_limit = 0
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+ [realms]
+ REDHAT.COM = {
+ default_domain = redhat.com
+ dns_lookup_kdc = true
+ master_kdc = kerberos.corp.redhat.com
+ admin_server = kerberos.corp.redhat.com
+ }
+
+ #make sure to save the IPA CA cert
+ #mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt
+ IPA.REDHAT.COM = {
+ pkinit_anchors = FILE:${pkinit_crt}
+ pkinit_pool = FILE:${pkinit_crt}
+ default_domain = ipa.redhat.com
+ dns_lookup_kdc = true
+ # Trust tickets issued by legacy realm on this host
+ auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
+ auth_to_local = DEFAULT
+ }
+ '';
+ };
 }
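Review bot: The two comment lines `#make sure to save the IPA CA cert` and `#mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt` inside the generated krb5.conf describe a manual, unpinned download that this hunk already replaces with the sha256-pinned `pkgs.fetchurl` derivation referenced by `pkinit_anchors`/`pkinit_pool`; they should be dropped or replaced with `# CA cert for PKINIT is supplied by the pkinit_crt fetchurl above (sha256-pinned)` so nobody follows the stale instruction. Separately, `dns_lookup_realm = true` is set under `[libdefaults]` while the config has no `[domain_realm]` section, so host-to-realm mapping for anything not covered by `default_realm` falls back to unauthenticated DNS TXT records; adding a `[domain_realm]` block that maps `.redhat.com` and `.ipa.redhat.com` to their realms (the domains already given as `default_domain`) and setting `dns_lookup_realm = false` would keep the mapping under this file's control. The `auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//` line maps every REDHAT.COM principal to the local account of the same name, which presumably is intended for the user's own login but also covers any locally existing account name; if only one account is meant, the rule is narrower if it matches that principal explicitly rather than `.*`. The enclosing attribute set continues outside the hunk.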