From patchwork Fri Dec 1 00:45:11 2023
X-Patchwork-Submitter: Felix Lechner
X-Patchwork-Id: 57164
Subject: [bug#67555] [PATCH 1/2] services: kerberos.scm: Rename krb5-service-type and krb5-configuration.
To: 67555@debbugs.gnu.org
Date: Thu, 30 Nov 2023 16:45:11 -0800
Message-ID: <7f5ebe249e930c046dafdfc3fb31985d5b820b07.1701390969.git.felix.lechner@lease-up.com>
From: Felix Lechner

In preparation for a nearby commit that will add actual Kerberos services to Guix, the older names were made more specific.

The original names were misleading and too generic. The krb5-service-type provided no service at all but merely created a file at /etc/krb5.conf that is needed to associate equipment with a Kerberos realm. The original names further suggested that at least some of the needed servers might be started, making it necessary to clarify otherwise in the documentation.

Change-Id: I951c16aedcf1141d7d947f984cf89c22d3cc96ce
---
 doc/guix.texi | 16 ++++++++--------
 gnu/services/kerberos.scm | 19 ++++++++++++++-----
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index 1fd2e21608..a5119d2058 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -29963,10 +29963,10 @@ Kerberos Services @subsection Kerberos Services @cindex Kerberos -The @code{(gnu services kerberos)} module provides services relating to -the authentication protocol @dfn{Kerberos}. +@subsubheading Krb5 Association Service -@subsubheading Krb5 Service +The @code{(gnu services kerberos)} module provides miscellaneous +services relating to the authentication protocol @dfn{Kerberos}. Programs using a Kerberos client library normally expect a configuration file in @file{/etc/krb5.conf}. 
@@ -29978,15 +29978,15 @@ Kerberos Services This service is known to work with the MIT client library, @code{mit-krb5}. Other implementations have not been tested. -@defvar krb5-service-type +@defvar krb5-association-service-type A service type for Kerberos 5 clients. @end defvar @noindent Here is an example of its use: @lisp -(service krb5-service-type - (krb5-configuration +(service krb5-association-service-type + (krb5-association-configuration (default-realm "EXAMPLE.COM") (allow-weak-crypto? #t) (realms (list @@ -30010,7 +30010,7 @@ Kerberos Services @item Accepts services which only support encryption types known to be weak. @end itemize -The @code{krb5-realm} and @code{krb5-configuration} types have many fields. +The @code{krb5-realm} and @code{krb5-association-configuration} types have many fields. Only the most commonly used ones are described here. For a full list, and more detailed explanation of each, see the MIT @uref{https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html,,krb5.conf} @@ -30035,7 +30035,7 @@ Kerberos Services @end table @end deftp -@deftp {Data Type} krb5-configuration +@deftp {Data Type} krb5-association-configuration @table @asis @item @code{allow-weak-crypto?} (default: @code{#f}) diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index a6f540a9b6..ec9b6c10b5 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm @@ -20,6 +20,7 @@ (define-module (gnu services kerberos) #:use-module (gnu services) #:use-module (gnu services configuration) #:use-module (gnu system pam) + #:use-module (guix deprecation) #:use-module (guix gexp) #:use-module (guix records) #:use-module (srfi srfi-1) @@ -33,6 +34,10 @@ (define-module (gnu services kerberos) krb5-realm krb5-realm? + krb5-association-configuration + krb5-association-configuration? + krb5-association-service-type + krb5-configuration krb5-configuration? krb5-service-type)) 
@@ -228,7 +233,7 @@ (define-configuration krb5-realm ;; For a more detailed explanation of these fields see man 5 krb5.conf -(define-configuration krb5-configuration +(define-configuration krb5-association-configuration (allow-weak-crypto? (boolean/unset unset-field) "If true, permits access to services which only offer weak encryption.") @@ -394,20 +399,20 @@ (define-configuration krb5-configuration "The list of realms which clients may access.")) -(define (krb5-configuration-file config) +(define (krb5-association-configuration-file config) "Create a Kerberos 5 configuration file based on CONFIG" (mixed-text-file "krb5.conf" "[libdefaults]\n\n" (with-output-to-string (lambda () (serialize-configuration config - krb5-configuration-fields))))) + krb5-association-configuration-fields))))) (define (krb5-etc-service config) - (list `("krb5.conf" ,(krb5-configuration-file config)))) + (list `("krb5.conf" ,(krb5-association-configuration-file config)))) -(define krb5-service-type +(define krb5-association-service-type (service-type (name 'krb5) (extensions (list (service-extension etc-service-type 
@@ -416,6 +421,10 @@ (define krb5-service-type normally expect a configuration file in @file{/etc/krb5.conf}. This service generates such a file. It does not cause any daemon to be started."))) +(define-deprecated krb-configuration krb5-association-configuration) +(define-deprecated krb-configuration? krb5-association-configuration?) +(define-deprecated krb-service-type krb5-association-service-type) + (define-record-type*
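Review bot: In the doc/guix.texi hunk (@@ -29963) the `@subsubheading Krb5 Association Service` line is moved above the paragraph "The @code{(gnu services kerberos)} module provides miscellaneous services relating to the authentication protocol @dfn{Kerberos}.", so the module-level introduction now sits inside the first subsubheading instead of directly under `@subsection Kerberos Services`. Keep the introductory paragraph first and put the `@subsubheading` after it, so the later subsubheadings (PAM krb5, and the Heimdal services this series prepares for) share the same introduction.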
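Review bot: The export hunk in gnu/services/kerberos.scm (@@ -33,6 +34,10) keeps `krb5-configuration`, `krb5-configuration?` and `krb5-service-type` under `#:export`, but the later hunks rename every definition carrying those names, and the compatibility aliases added at the end of the patch are spelled `krb-configuration`, `krb-configuration?` and `krb-service-type`. Exporting a name that is never bound makes the module fail to load, so either the aliases must carry exactly the exported names, or the old names should leave the `#:export` list and be exported by the alias definitions instead.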
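Review bot: In the rename hunk (@@ -394,20 +399,20) `(service-type (name 'krb5) ...)` keeps the service name `krb5` while the variable becomes `krb5-association-service-type`. If that is deliberate, so that existing `operating-system` declarations and `guix system` output stay stable, a one-line comment next to `(name 'krb5)` would spare the next reader the question; if not, the name should follow the rename.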
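Review bot: The three `define-deprecated` forms in the last hunk (@@ -416,6 +421,10) spell the retired bindings `krb-configuration`, `krb-configuration?` and `krb-service-type`, but the names being retired, and still listed under `#:export`, are `krb5-configuration`, `krb5-configuration?` and `krb5-service-type`; as written, a user of the old names gets an unbound-variable error instead of a deprecation warning. Suggested: `(define-deprecated krb5-configuration krb5-association-configuration)`, `(define-deprecated krb5-configuration? krb5-association-configuration?)` and `(define-deprecated krb5-service-type krb5-association-service-type)`. The field accessors generated for the renamed record (`krb5-configuration-default-realm` and the rest, which `krb5-configuration-fields` enumerates) also lose their old names here and need aliases of their own for the deprecation to be complete.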
From patchwork Fri Dec 1 00:45:12 2023
X-Patchwork-Submitter: Felix Lechner
X-Patchwork-Id: 57165
Subject: [bug#67555] [PATCH 2/2] services: kerberos/heimdal.scm: New file, add Heimdal Kerberos services.
To: 67555@debbugs.gnu.org
Date: Thu, 30 Nov 2023 16:45:12 -0800
From: Felix Lechner

Includes detailed documentation and two system tests.

Change-Id: I7b3a9da1340b559f1db8a8156581e73b918cfb78
---
 doc/guix.texi | 101 +++++++++++++++-
 gnu/local.mk | 3 +
 gnu/services/kerberos.scm | 120 ++++++++++++++++++-
 gnu/services/kerberos/heimdal.scm | 189 ++++++++++++++++++++++++++++++
 gnu/tests/heimdal-kadmind.scm | 71 +++++++++++
 gnu/tests/heimdal-kdc.scm | 71 +++++++++++
 6 files changed, 551 insertions(+), 4 deletions(-)
 create mode 100644 gnu/services/kerberos/heimdal.scm
 create mode 100644 gnu/tests/heimdal-kadmind.scm
 create mode 100644 gnu/tests/heimdal-kdc.scm

diff --git a/doc/guix.texi b/doc/guix.texi index a5119d2058..ecb85771ad 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -29979,7 +29979,8 @@ Kerberos Services Other implementations have not been tested. @defvar krb5-association-service-type -A service type for Kerberos 5 clients. +A service type for Kerberos 5 clients. This service type was previously +named @code{krb5-service-type}. @end defvar @noindent @@ -30037,6 +30038,8 @@ Kerberos Services @deftp {Data Type} krb5-association-configuration +This configuration record was previously named @code{krb5-configuration}. + @table @asis @item @code{allow-weak-crypto?} (default: @code{#f}) If this flag is @code{#t} then services which only offer encryption algorithms 
@@ -30059,6 +30062,102 @@ Kerberos Services @end deftp +@subsubheading Heimdal Key Distribution (Kdc) Service + +The @code{(gnu services kerberos heimdal)} module provides services +related to the @dfn{Heimdal} implementation for the authentication +protocol @dfn{Kerberos}. + +This service starts the @dfn{Kerberos Key Distribution Center} +server. The server will remain running. + +Kerberos client programs can obtain the location of this server from a +configuration file at @file{/etc/krb5.conf}. You may wish to create that +file separately via the @code{krb5-association-service-type}. + +@c %start of fragment +@deftp {Data Type} heimdal-kdc-configuration +Available @code{heimdal-kdc-configuration} fields are: + +@table @asis +@item @code{heimdal} (default: @code{heimdal}) (type: file-like) +The heimdal package to use. + +@item @code{config-file} (type: maybe-string) +Configuration file for Heimdal KDC server. + +@item @code{require-preauth?} (default: @code{#t}) (type: boolean) +Require pre-authentication in the initial AS-REQ for all principals. + +@item @code{max-request-size} (type: maybe-non-negative-integer) +Maximum size of requests the server is willing to handle. + +@item @code{enable-http?} (default: @code{#f}) (type: boolean) +Listen on port 80 and handle requests encapsulated in HTTP. + +@item @code{v4-realm} (type: maybe-string) +Realm for version 4 requests. + +@item @code{ports} (default: @code{()}) (type: list-of-strings) +Ports to listen on. + +@item @code{addresses} (default: @code{()}) (type: list-of-strings) +Addresses to listen on. + +@item @code{disable-des?} (default: @code{#f}) (type: boolean) +Disable all DES encryption types. + +@end table + +@end deftp +@c %end of fragment + + +@subsubheading Heimdal Admin (Kadmind) Service + +The @code{(gnu services kerberos heimdal)} module provides services +related to the @dfn{Heimdal} implementation for the authentication +protocol @dfn{Kerberos}. 
+ +This service starts the @dfn{Kerberos Administration} server. The server +will remain running. + +Kerberos client programs can obtain the location of the server from a +configuration file at @file{/etc/krb5.conf}. You may wish to create that +file separately via the @code{krb5-association-service-type}. + +@c %start of fragment +@deftp {Data Type} heimdal-kadmind-configuration +Available @code{heimdal-kadmind-configuration} fields are: + +@table @asis +@item @code{heimdal} (default: @code{heimdal}) (type: file-like) +The heimdal package to use. + +@item @code{config-file} (type: maybe-string) +Configuration file for Heimdal Kadmind server. + +@item @code{key-file} (type: maybe-string) +Location of master key file. + +@item @code{keytab} (type: maybe-string) +Kerberos keytab to use. + +@item @code{realm} (type: maybe-string) +Kerberos realm to serve. + +@item @code{debug?} (default: @code{#f}) (type: boolean) +Enable debugging. + +@item @code{ports} (default: @code{()}) (type: list-of-strings) +Ports to listen on. + +@end table + +@end deftp +@c %end of fragment + + @subsubheading PAM krb5 Service @cindex pam-krb5 diff --git a/gnu/local.mk b/gnu/local.mk index a82372527e..64cda5b8b6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -695,6 +695,7 @@ GNU_SYSTEM_MODULES = \ %D%/services/guix.scm \ %D%/services/hurd.scm \ %D%/services/kerberos.scm \ + %D%/services/kerberos/heimdal.scm \ %D%/services/ldap.scm \ %D%/services/lightdm.scm \ %D%/services/linux.scm \ @@ -790,6 +791,8 @@ GNU_SYSTEM_MODULES = \ %D%/tests/ganeti.scm \ %D%/tests/gdm.scm \ %D%/tests/guix.scm \ + %D%/tests/heimdal-kadmind.scm \ + %D%/tests/heimdal-kdc.scm \ %D%/tests/monitoring.scm \ %D%/tests/nfs.scm \ %D%/tests/image.scm \ diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm index ec9b6c10b5..432f205904 100644 --- a/gnu/services/kerberos.scm +++ b/gnu/services/kerberos.scm 
@@ -421,9 +421,123 @@ (define krb5-association-service-type normally expect a configuration file in @file{/etc/krb5.conf}. This service generates such a file. It does not cause any daemon to be started."))) -(define-deprecated krb-configuration krb5-association-configuration) -(define-deprecated krb-configuration? krb5-association-configuration?) -(define-deprecated krb-service-type krb5-association-service-type) +(define-deprecated krb5-service-type krb5-association-service-type) + +(define-deprecated/public-alias + krb5-configuration + krb5-association-configuration) +(define-deprecated/public-alias + krb5-configuration? + krb5-association-configuration?) + +(define-deprecated/public-alias + krb5-configuration-allow-weak-crypto? + krb5-association-configuration-allow-weak-crypto?) +(define-deprecated/public-alias + krb5-configuration-ap-req-checksum-type + krb5-association-configuration-ap-req-checksum-type) +(define-deprecated/public-alias + krb5-configuration-canonicalize? + krb5-association-configuration-canonicalize?) 
+(define-deprecated/public-alias + krb5-configuration-ccache-type + krb5-association-configuration-ccache-type) +(define-deprecated/public-alias + krb5-configuration-clockskew + krb5-association-configuration-clockskew) +(define-deprecated/public-alias + krb5-configuration-default-ccache-name + krb5-association-configuration-default-ccache-name) +(define-deprecated/public-alias + krb5-configuration-default-client-keytab-name + krb5-association-configuration-default-client-keytab-name) +(define-deprecated/public-alias + krb5-configuration-default-keytab-name + krb5-association-configuration-default-keytab-name) +(define-deprecated/public-alias + krb5-configuration-default-realm + krb5-association-configuration-default-realm) +(define-deprecated/public-alias + krb5-configuration-default-tgs-enctypes + krb5-association-configuration-default-tgs-enctypes) +(define-deprecated/public-alias + krb5-configuration-default-tkt-enctypes + krb5-association-configuration-default-tkt-enctypes) +(define-deprecated/public-alias + krb5-configuration-dns-canonicalize-hostname? + krb5-association-configuration-dns-canonicalize-hostname?) +(define-deprecated/public-alias + krb5-configuration-dns-lookup-kdc? + krb5-association-configuration-dns-lookup-kdc?) +(define-deprecated/public-alias + krb5-configuration-err-fmt + krb5-association-configuration-err-fmt) +(define-deprecated/public-alias + krb5-configuration-forwardable? + krb5-association-configuration-forwardable?) +(define-deprecated/public-alias + krb5-configuration-ignore-acceptor-hostname? + krb5-association-configuration-ignore-acceptor-hostname?) +(define-deprecated/public-alias + krb5-configuration-k5login-authoritative? + krb5-association-configuration-k5login-authoritative?) 
+(define-deprecated/public-alias + krb5-configuration-k5login-directory + krb5-association-configuration-k5login-directory) +(define-deprecated/public-alias + krb5-configuration-kcm-mach-service + krb5-association-configuration-kcm-mach-service) +(define-deprecated/public-alias + krb5-configuration-kcm-socket + krb5-association-configuration-kcm-socket) +(define-deprecated/public-alias + krb5-configuration-kdc-default-options + krb5-association-configuration-kdc-default-options) +(define-deprecated/public-alias + krb5-configuration-kdc-timesync + krb5-association-configuration-kdc-timesync) +(define-deprecated/public-alias + krb5-configuration-kdc-req-checksum-type + krb5-association-configuration-kdc-req-checksum-type) +(define-deprecated/public-alias + krb5-configuration-noaddresses? + krb5-association-configuration-noaddresses?) +(define-deprecated/public-alias + krb5-configuration-permitted-enctypes + krb5-association-configuration-permitted-enctypes) +(define-deprecated/public-alias + krb5-configuration-plugin-base-dir + krb5-association-configuration-plugin-base-dir) +(define-deprecated/public-alias + krb5-configuration-preferred-preauth-types + krb5-association-configuration-preferred-preauth-types) +(define-deprecated/public-alias + krb5-configuration-proxiable? + krb5-association-configuration-proxiable?) +(define-deprecated/public-alias + krb5-configuration-rdns? + krb5-association-configuration-rdns?) 
+(define-deprecated/public-alias + krb5-configuration-realm-try-domains + krb5-association-configuration-realm-try-domains) +(define-deprecated/public-alias + krb5-configuration-renew-lifetime + krb5-association-configuration-renew-lifetime) +(define-deprecated/public-alias + krb5-configuration-safe-checksum-type + krb5-association-configuration-safe-checksum-type) +(define-deprecated/public-alias + krb5-configuration-ticket-lifetime + krb5-association-configuration-ticket-lifetime) +(define-deprecated/public-alias + krb5-configuration-udp-preference-limit + krb5-association-configuration-udp-preference-limit) +(define-deprecated/public-alias + krb5-configuration-verify-ap-rereq-nofail? + krb5-association-configuration-verify-ap-rereq-nofail?) +(define-deprecated/public-alias + krb5-configuration-realms + krb5-association-configuration-realms) diff --git a/gnu/services/kerberos/heimdal.scm b/gnu/services/kerberos/heimdal.scm new file mode 100644 index 0000000000..0dc17f6315 --- /dev/null +++ b/gnu/services/kerberos/heimdal.scm 
@@ -0,0 +1,189 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2023 Felix Lechner +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services kerberos heimdal) + #:use-module (gnu packages kerberos) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu services shepherd) + #:use-module (guix gexp) + #:use-module (guix records) + #:use-module (ice-9 match) + #:export (heimdal-kdc-configuration + heimdal-kdc-service-type + heimdal-kadmind-configuration + heimdal-kadmind-service-type)) + + +;;; +;;; Heimdal Kdc +;;; + +(define-maybe/no-serialization string) + +(define (non-negative-integer? val) + (and (exact-integer? val) (not (negative? val)))) + +(define-maybe/no-serialization non-negative-integer) + +(define-configuration/no-serialization heimdal-kdc-configuration + (heimdal + (file-like heimdal) + "The heimdal package to use.") + (config-file + maybe-string + "Configuration file for Heimdal KDC server.") + (require-preauth? + (boolean #t) + "Require pre-authentication in the initial AS-REQ for all principals.") + (max-request-size + maybe-non-negative-integer + "Maximum size of requests the server is willing to handle.") + (enable-http? 
+ (boolean #f) + "Listen on port 80 and handle requests encapsulated in HTTP.") + (v4-realm + maybe-string + "Realm for version 4 requests.") + (ports + (list-of-strings '()) + "Ports to listen on.") + (addresses + (list-of-strings '()) + "Addresses to listen on.") + (disable-des? + (boolean #f) + "Disable all DES encryption types.")) + +(define (heimdal-kdc-shepherd-service config) + "Return a for Heimdal's kdc for CONFIG." + (match-record config + (heimdal config-file require-preauth? + max-request-size enable-http? + v4-realm ports addresses + disable-des?) + (shepherd-service + (documentation "Run the Heimdal Kerberos KDC daemon (heimdal-kdc).") + (provision '(heimdal-kdc)) + (requirement '(networking)) + (start #~(make-forkexec-constructor + (list #$(file-append heimdal "/libexec/kdc") + #$@(if (maybe-value-set? config-file) + `(,(string-append "--config-file=" (maybe-value config-file))) + '()) + #$@(if require-preauth? '() '("--no-require-preauth")) + #$@(if (maybe-value-set? max-request-size) + `(,(string-append + "--max-request-size=" + (number->string (maybe-value max-request-size)))) + '()) + #$@(if enable-http? '("--enable-http") '()) + #$@(if (maybe-value-set? v4-realm) + `(,(string-append "--v4-realm=" (maybe-value v4-realm))) + '()) + ;; ports parameter is white-space separated + #$@(if (null? ports) + '() + `(,(string-append "--ports=" (string-join ports)))) + ;; addresses parameter is white-space separated + #$@(if (null? addresses) + '() + `(,(string-append "--addresses=" (string-join addresses)))) + #$@(if disable-des? 
'("--disable-des") '())) + #:log-file "/var/log/kdc-shepherd")) + (stop #~(make-kill-destructor))))) + +(define heimdal-kdc-service-type + (service-type + (name 'heimdal-kdc) + (description + "Run the Heimdal @command{kdc} daemon.") + (extensions + (list + (service-extension shepherd-root-service-type + (compose list heimdal-kdc-shepherd-service)))) + (default-value (heimdal-kdc-configuration)))) + + +;;; +;;; Heimdal Kadmind +;;; + +(define-configuration/no-serialization heimdal-kadmind-configuration + (heimdal + (file-like heimdal) + "The heimdal package to use.") + (config-file + maybe-string + "Configuration file for Heimdal Kadmind server.") + (key-file + maybe-string + "Location of master key file.") + (keytab + maybe-string + "Kerberos keytab to use.") + (realm + maybe-string + "Kerberos realm to serve.") + (debug? + (boolean #f) + "Enable debugging.") + (ports + (list-of-strings '()) + "Ports to listen on.")) + +(define (heimdal-kadmind-shepherd-service config) + "Return a for Heimdal's kadmind for CONFIG." + (match-record config + (heimdal config-file key-file keytab + realm debug? ports) + (shepherd-service + (documentation "Run the Heimdal Kerberos admin daemon (heimdal-kadmind).") + (provision '(heimdal-kadmind)) + (requirement '(networking)) + (start #~(make-forkexec-constructor + (list #$(file-append heimdal "/libexec/kadmind") + #$@(if (maybe-value-set? config-file) + `(,(string-append "--config-file=" (maybe-value config-file))) + '()) + #$@(if (maybe-value-set? key-file) + `(,(string-append "--key-file=" (maybe-value key-file))) + '()) + #$@(if (maybe-value-set? keytab) + `(,(string-append "--keytab=" (maybe-value keytab))) + '()) + #$@(if (maybe-value-set? realm) + `(,(string-append "--realm=" (maybe-value realm))) + '()) + #$@(if debug? '("--debug") '()) + ;; ports parameter is white-space separated + #$@(if (null? 
ports) + '() + `(,(string-append "--ports=" (string-join ports))))))) + (stop #~(make-kill-destructor))))) + +(define heimdal-kadmind-service-type + (service-type + (name 'heimdal-kadmind) + (description + "Run the Heimdal @command{kadmind} daemon.") + (extensions + (list + (service-extension shepherd-root-service-type + (compose list heimdal-kadmind-shepherd-service)))) + (default-value (heimdal-kadmind-configuration)))) diff --git a/gnu/tests/heimdal-kadmind.scm b/gnu/tests/heimdal-kadmind.scm new file mode 100644 index 0000000000..b340017c69 --- /dev/null +++ b/gnu/tests/heimdal-kadmind.scm 
@@ -0,0 +1,71 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2017 Peter Mikkelsen +;;; Copyright © 2022 Bruno Victal +;;; Copyright © 2023 Felix Lechner +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests heimdal-kadmind) + #:use-module (gnu tests) + #:use-module (gnu system) + #:use-module (gnu system vm) + #:use-module (gnu services) + #:use-module (gnu services kerberos heimdal) + #:use-module (gnu services networking) + #:use-module (guix gexp) + #:export (%test-heimdal-kadmind)) + +(define %heimdal-kadmind-os + (simple-operating-system + (service dhcp-client-service-type) + (service heimdal-kadmind-service-type))) + +(define (run-heimdal-kadmind-test) + "Run tests in %heimdal-kadmind-os, which has heimdal-kadmind running." 
+ (define os + (marionette-operating-system + %heimdal-kadmind-os + #:imported-modules '((gnu services herd)))) + + (define vm + (virtual-machine os)) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (srfi srfi-64) + (gnu build marionette)) + (define marionette + (make-marionette (list #$vm))) + + (test-runner-current (system-test-runner #$output)) + (test-begin "heimdal-kadmind") + + (test-assert "service is running" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (start-service 'heimdal-kadmind)) + marionette)) + + (test-end)))) + (gexp->derivation "heimdal-kadmind-test" test)) + +(define %test-heimdal-kadmind + (system-test + (name "heimdal-kadmind") + (description "Test that the heimdal-kadmind runs when started.") + (value (run-heimdal-kadmind-test)))) diff --git a/gnu/tests/heimdal-kdc.scm b/gnu/tests/heimdal-kdc.scm new file mode 100644 index 0000000000..b6424ace9e --- /dev/null +++ b/gnu/tests/heimdal-kdc.scm 
@@ -0,0 +1,71 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2017 Peter Mikkelsen +;;; Copyright © 2022 Bruno Victal +;;; Copyright © 2023 Felix Lechner +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests heimdal-kdc) + #:use-module (gnu tests) + #:use-module (gnu system) + #:use-module (gnu system vm) + #:use-module (gnu services) + #:use-module (gnu services kerberos heimdal) + #:use-module (gnu services networking) + #:use-module (guix gexp) + #:export (%test-heimdal-kdc)) + +(define %heimdal-kdc-os + (simple-operating-system + (service dhcp-client-service-type) + (service heimdal-kdc-service-type))) + +(define (run-heimdal-kdc-test) + "Run tests in %heimdal-kdc-os, which has heimdal-kdc running." 
+ (define os + (marionette-operating-system + %heimdal-kdc-os + #:imported-modules '((gnu services herd)))) + + (define vm + (virtual-machine os)) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (srfi srfi-64) + (gnu build marionette)) + (define marionette + (make-marionette (list #$vm))) + + (test-runner-current (system-test-runner #$output)) + (test-begin "heimdal-kdc") + + (test-assert "service is running" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (start-service 'heimdal-kdc)) + marionette)) + + (test-end)))) + (gexp->derivation "heimdal-kdc-test" test)) + +(define %test-heimdal-kdc + (system-test + (name "heimdal-kdc") + (description "Test that the heimdal-kdc runs when started.") + (value (run-heimdal-kdc-test))))
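Review bot: The big doc/guix.texi hunk (@@ -30059,6 +30062,102) repeats the paragraph "The @code{(gnu services kerberos heimdal)} module provides services related to the @dfn{Heimdal} implementation for the authentication protocol @dfn{Kerberos}." verbatim under both the Kdc and the Kadmind subsubheadings, and likewise repeats the "Kerberos client programs can obtain the location of this server from a configuration file at @file{/etc/krb5.conf}" paragraph; state the module introduction once, before the first Heimdal subsubheading. The headings write "Kdc" and "Kadmind" while the field descriptions write "Heimdal KDC server" and "Heimdal Kadmind server"; pick one spelling. Both `config-file` fields are documented only as `maybe-string`; the operator deploying a realm needs to know what that file must contain and where the KDC database and master key are expected, which neither section says.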
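Review bot: The gnu/services/kerberos.scm hunk (@@ -421,9 +421,123) deletes the three `define-deprecated krb-...` lines that patch 1/2 of this series introduced and re-adds them with the correct `krb5-` spelling; that correction belongs in patch 1/2 itself, otherwise the intermediate commit exports `krb5-configuration`, `krb5-configuration?` and `krb5-service-type` without defining them. Within this hunk `krb5-service-type` uses `define-deprecated` while every other alias uses `define-deprecated/public-alias`; use one form consistently, either keeping the old names under `#:export` with the plain form for all three, or removing them from the export list and using the `/public-alias` form throughout. The hand-written list of accessor aliases (`krb5-configuration-allow-weak-crypto?` through `krb5-configuration-realms`) is easy to let drift from the record's actual fields; a comment naming `krb5-association-configuration-fields` as the source of truth, or a test that every `krb5-configuration-*` accessor resolves, would guard it.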
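Review bot: In the new gnu/services/kerberos/heimdal.scm, `heimdal-kdc-shepherd-service` passes `#:log-file "/var/log/kdc-shepherd"` to `make-forkexec-constructor` but `heimdal-kadmind-shepherd-service` passes no `#:log-file` at all, so kadmind's output, including whatever `--debug` prints about administrative operations, is not captured anywhere an operator can audit; give kadmind a log file too and consider names that match the service names (`/var/log/heimdal-kdc.log`, `/var/log/heimdal-kadmind.log`). `config-file`, `key-file` and `keytab` are `maybe-string` paths the user must place on the machine by hand; the `heimdal` field already accepts a file-like object, and the same would let the KDC configuration be generated declaratively (it holds nothing secret, so the world-readable store is fine), while the master key file and keytab must stay plain paths outside the store. `disable-des?` defaults to `#f`; single DES with its 56-bit key is not considered secure and the client-side `allow-weak-crypto?` already defaults to `#f`, so defaulting `disable-des?` to `#t`, with the doc noting how to re-enable it for legacy principals, would align the two. Finally, `(default-value (heimdal-kdc-configuration))` and `(default-value (heimdal-kadmind-configuration))` start a daemon with no realm, database or keytab configured; either document the minimum fields needed for a working realm or reject an empty configuration rather than launch a KDC that serves nothing.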
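Review bot: In gnu/tests/heimdal-kadmind.scm the only check, `(test-assert "service is running" (marionette-eval '(begin (use-modules (gnu services herd)) (start-service 'heimdal-kadmind)) marionette))`, passes as soon as Shepherd accepts the start request; with the default `heimdal-kadmind-configuration` (no realm, keytab or database) kadmind may exit immediately and the test would still succeed. Check that the service is still running after a short wait, as other Guix system tests do with `current-services` and `live-service-running` from `(gnu services herd)`, or that the kadmin port 749 is listening. The copyright header names Peter Mikkelsen (2017) and Bruno Victal (2022) for a file created in this patch; if it was adapted from an existing test, say which one, otherwise drop those lines.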
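Review bot: gnu/tests/heimdal-kdc.scm has the same weakness as the kadmind test: `(start-service 'heimdal-kdc)` returning a true value does not show the KDC stayed up, so check the service is still running afterwards or that port 88 answers. The two test files differ only in the service name and strings; a shared helper taking the service name (and the port to probe) would keep them in step and make adding a test for a realm with an actual database straightforward.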