author Marius Bakke <mbakke@fastmail.com> 2016-12-04 17:41:36 +0100
committer Marius Bakke <mbakke@fastmail.com> 2016-12-04 17:41:36 +0100
commit a351fc83694f436c3bff7cbdef09bd3cc91c74fc (patch)
tree 646145378742a6943d7c4dda995fc0fb67f9db32 /doc/guix.texi
parent 80b63e670ef4fe1fd40a903bcd4ee47a11415bd9 (diff)
parent d1a5b20081c30da7503201df260cf20b8d0ba633 (diff)
download guix-a351fc83694f436c3bff7cbdef09bd3cc91c74fc.tar.gz
Merge branch 'master' into staging
Diffstat (limited to 'doc/guix.texi')
-rw-r--r-- doc/guix.texi | 100
1 file changed, 96 insertions, 4 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 3b4ba487ad..47d0d7169a 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -7142,7 +7142,7 @@ entry (@pxref{Invoking guix system}).
 
 The normal way to change the system configuration is by updating this
 file and re-running @command{guix system reconfigure}.  One should never
-have to touch files in @command{/etc} or to run commands that modify the
+have to touch files in @file{/etc} or to run commands that modify the
 system state such as @command{useradd} or @command{grub-install}.  In
 fact, you must avoid that since that would not only void your warranty
 but also prevent you from rolling back to previous versions of your
@@ -10654,7 +10654,7 @@ Defaults to @samp{""}.
 
 @deftypevr {@code{dovecot-configuration} parameter} string auth-krb5-keytab
 Kerberos keytab to use for the GSSAPI mechanism.  Will use the
-system default (usually /etc/krb5.keytab) if not specified.  You may
+system default (usually @file{/etc/krb5.keytab}) if not specified.  You may
 need to change the auth service to run as root to be able to read this
 file.
 Defaults to @samp{""}.
@@ -11542,6 +11542,99 @@ remote servers.  Run @command{man smtpd.conf} for more information.
 The @code{(gnu services kerberos)} module provides services relating to
 the authentication protocol @dfn{Kerberos}.
 
+@subsubheading Krb5 Service
+
+Programs using a Kerberos client library normally
+expect a configuration file in @file{/etc/krb5.conf}.
+This service generates such a file from a definition provided in the
+operating system declaration.
+It does not cause any daemon to be started.
+
+No ``keytab'' files are provided by this service---you must explicitly create them.
+This service is known to work with the MIT client library, @code{mit-krb5}.
+Other implementations have not been tested.
+
+@defvr {Scheme Variable} krb5-service-type
+A service type for Kerberos 5 clients.
+@end defvr
+
+@noindent
+Here is an example of its use:
+@lisp
+(service krb5-service-type
+         (krb5-configuration
+          (default-realm "EXAMPLE.COM")
+          (allow-weak-crypto? #t)
+          (realms (list
+                   (krb5-realm
+                    (name "EXAMPLE.COM")
+                    (admin-server "groucho.example.com")
+                    (kdc "karl.example.com"))
+                   (krb5-realm
+                    (name "ARGRX.EDU")
+                    (admin-server "kerb-admin.argrx.edu")
+                    (kdc "keys.argrx.edu"))))))
+@end lisp
+
+@noindent
+This example provides a Kerberos@tie{}5 client configuration which:
+@itemize
+@item Recognizes two realms, @i{viz:} ``EXAMPLE.COM'' and ``ARGRX.EDU'', both
+of which have distinct administration servers and key distribution centers;
+@item Will default to the realm ``EXAMPLE.COM'' if the realm is not explicitly
+specified by clients;
+@item Accepts services which only support encryption types known to be weak.
+@end itemize
+
+The @code{krb5-realm} and @code{krb5-configuration} types have many fields.
+Only the most commonly used ones are described here.
+For a full list, and more detailed explanation of each, see the MIT
+@uref{http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html,,krb5.conf}
+documentation.
+
+
+@deftp {Data Type} krb5-realm
+@cindex realm, kerberos
+@table @asis
+@item @code{name}
+This field is a string identifying the name of the realm.
+A common convention is to use the fully qualified DNS name of your organization,
+converted to upper case.
+
+@item @code{admin-server}
+This field is a string identifying the host where the administration server is
+running.
+
+@item @code{kdc}
+This field is a string identifying the key distribution center
+for the realm.
+@end table
+@end deftp
+
+@deftp {Data Type} krb5-configuration
+
+@table @asis
+@item @code{allow-weak-crypto?} (default: @code{#f})
+If this flag is @code{#t} then services which only offer encryption algorithms
+known to be weak will be accepted.
+
+@item @code{default-realm} (default: @code{#f})
+This field should be a string identifying the default Kerberos
+realm for the client.
+You should set this field to the name of your Kerberos realm.
+If this value is @code{#f}
+then a realm must be specified with every Kerberos principal when invoking programs
+such as @command{kinit}.
+
+@item @code{realms}
+This should be a non-empty list of @code{krb5-realm} objects, which clients may
+access.
+Normally, one of them will have a @code{name} field matching the @code{default-realm}
+field.
+@end table
+@end deftp
+
+
 @subsubheading PAM krb5 Service
 @cindex pam-krb5
 
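Review bot: the only usage example in this hunk sets @code{(allow-weak-crypto? #t)}, while the @code{krb5-configuration} table below defines that flag as accepting services which only offer encryption algorithms known to be weak, with a default of @code{#f}. An example is what readers copy, so it would be better to drop that line from the @lisp block (and the third @itemize bullet that describes it), or to keep it and add one sentence saying the default @code{#f} should be retained unless a specific legacy service requires weak types. Smaller points in the same hunk: the @code{default-realm} entry states a default of @code{#f} and then says "You should set this field to the name of your Kerberos realm", which reads as a required field and could say so directly; the sentence "No ``keytab'' files are provided by this service---you must explicitly create them" could mention that the file is expected to be readable only by the account that needs it, matching the keytab advice in the dovecot hunk above; and there are doubled blank lines before @code{@@deftp @{Data Type@} krb5-realm} and after the final @code{@@end deftp}.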
@@ -12787,8 +12880,7 @@ host.
 @item -net user
 Enable the unprivileged user-mode network stack.  The guest OS can
 access the host but not vice versa.  This is the simplest way to get the
-guest OS online.  If you do not choose a network stack, the boot will
-fail.
+guest OS online.
 
 @item -net nic,model=virtio
 You must create a network interface of a given model.  If you do not
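Review bot: deleting "If you do not choose a network stack, the boot will fail." leaves the @code{-net user} entry silent about what happens when the option is omitted, and the merge commit message gives no reason for the removal. If the old claim was inaccurate, replace it with a sentence stating the actual behaviour without the option rather than saying nothing; the next entry still opens with "You must create a network interface of a given model", so a reader may still infer that networking is mandatory to boot.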