WIP

.gitignore

@@ -720,6 +720,3 @@ asn1_*_asn1.c
 /tools/krb5-gssapi.pc
 /tools/krb5.pc
 /tools/krb5-config
-
-result
-result-*

configure.ac

@@ -230,6 +230,21 @@ AM_CONDITIONAL([HAVE_MICROHTTPD], [test "$with_microhttpd" != "no"])
 AC_SUBST([MICROHTTPD_CFLAGS])
 AC_SUBST([MICROHTTPD_LIBS])
 
+dnl systemd sd_notify support
+AC_ARG_WITH([systemd],
+  AC_HELP_STRING([--with-systemd], [use systemd sd_notify for readiness @<:@default=check@:>@]),
+  [],
+  [with_systemd=check])
+if test "$with_systemd" != "no"; then
+  PKG_CHECK_MODULES([SYSTEMD], [libsystemd], [with_systemd=yes],[with_systemd=no])
+fi
+if test "$with_systemd" = "yes"; then
+  AC_DEFINE_UNQUOTED([HAVE_SYSTEMD], 1, [Define if libsystemd sd_notify is available])
+fi
+AM_CONDITIONAL([HAVE_SYSTEMD], [test "$with_systemd" != "no"])
+AC_SUBST([SYSTEMD_CFLAGS])
+AC_SUBST([SYSTEMD_LIBS])
+
 dnl mitkrb5
 AC_ARG_WITH([mitkrb5],
   AC_HELP_STRING([--with-mitkrb5=PATH], [Path to MIT Kerberos for interop testing]),

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1770380644,
-        "narHash": "sha256-P7dWMHRUWG5m4G+06jDyThXO7kwSk46C1kgjEWcybkE=",
+        "lastModified": 1769740369,
+        "narHash": "sha256-xKPyJoMoXfXpDM5DFDZDsi9PHArf2k5BJjvReYXoFpM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ae67888ff7ef9dff69b3cf0cc0fbfbcd3a722abe",
+        "rev": "6308c3b21396534d8aaeac46179c14c439a89b8a",
         "type": "github"
       },
       "original": {

flake.nix

@@ -22,27 +22,13 @@
       default = pkgs.callPackage ./nix/shell.nix { };
     });
 
-    packages = forAllSystems (system: pkgs: let
-      src = lib.fileset.toSource {
-        root = ./.;
-        fileset = lib.fileset.difference ./. (lib.fileset.unions [
-          ./.github
-          ./.gitignore
-          ./.zed
-          ./flake.nix
-          ./flake.lock
-          ./nix
-        ]);
-      };
-    in {
+    packages = forAllSystems (system: pkgs: with pkgs; {
       default = self.packages.${system}.heimdal;
 
-      src = pkgs.runCommand "heimdal-src" {} "ln -s ${src} \"$out\"";
-
-      heimdal = pkgs.callPackage ./nix/heimdal/package.nix {
-        inherit src;
+      heimdal = pkgs.callPackage ./nix/heimdal {
+        src = lib.cleanSource ./.;
         inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
-        autoreconfHook = pkgs.buildPackages.autoreconfHook271;
+        autoreconfHook = pkgs.buildPackages.autoreconfHook269;
       };
 
       nixosTest = pkgs.testers.runNixOSTest (import ./nix/nixosTest.nix { inherit nixpkgs; });

kadmin/kadm_conn.c

@@ -35,6 +35,9 @@
 #ifdef HAVE_SYS_WAIT_H
 #include <sys/wait.h>
 #endif
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
 
 extern int daemon_child;
 
@@ -304,6 +307,10 @@ start_server(krb5_context contextp, const char *port_str)
 	krb5_errx(contextp, 1, "no sockets to listen to - exiting");
 
     roken_detach_finish(NULL, daemon_child);
+#ifdef HAVE_SYSTEMD
+    if (getenv("NOTIFY_SOCKET") != NULL)
+	sd_notify(0, "READY=1");
+#endif
 
     wait_for_connection(contextp, socks, num_socks);
     free(socks);

kdc/Makefile.am

@@ -4,7 +4,7 @@ include $(top_srcdir)/Makefile.am.common
 
 WFLAGS += $(WFLAGS_ENUM_CONV)
 
-AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) -I$(srcdir)/../lib/krb5
+AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) -I$(srcdir)/../lib/krb5 $(SYSTEMD_CFLAGS)
 
 lib_LTLIBRARIES = ipc_csr_authorizer.la \
 		  libkdc.la
@@ -174,7 +174,7 @@ hpropd_LDADD = \
 	$(LIB_kdb)  \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
-	$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
+	$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) $(SYSTEMD_LIBS)
 
 if PKINIT
 LIB_pkinit = $(top_builddir)/lib/hx509/libhx509.la

kdc/connect.c

@@ -32,6 +32,9 @@
  */
 
 #include "kdc_locl.h"
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
 
 /*
  * a tuple describing on what to listen
@@ -1208,6 +1211,12 @@ start_kdc(krb5_context context,
 #endif
 
     roken_detach_finish(NULL, daemon_child);
+#ifdef HAVE_SYSTEMD
+    /* If built with systemd support and running under systemd, notify readiness.
+       We check NOTIFY_SOCKET to avoid unnecessary calls when not under systemd. */
+    if (getenv("NOTIFY_SOCKET") != NULL)
+	sd_notify(0, "READY=1");
+#endif
 
 #ifdef HAVE_FORK
     if (!testing_flag) {

kdc/hpropd.c

@@ -32,6 +32,9 @@
  */
 
 #include "hprop.h"
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
 
 static int inetd_flag = -1;
 static int help_flag;
@@ -156,6 +159,11 @@ main(int argc, char **argv)
 	    mini_inetd (krb5_getportbyname (context, "hprop", "tcp",
 					    HPROP_PORT), &sock);
 	}
+#ifdef HAVE_SYSTEMD
+	/* Notify systemd that the service is ready when running standalone */
+	if (getenv("NOTIFY_SOCKET") != NULL)
+	    sd_notify(0, "READY=1");
+#endif
 	socket_set_keepalive(sock, 1);
 	sin_len = sizeof(ss);
 	if (getpeername(sock, sa, &sin_len) < 0)

kpasswd/kpasswdd.c

@@ -744,6 +744,14 @@ doit(krb5_keytab keytab, int port)
 	krb5_errx(context, 1, "No sockets!");
 
     roken_detach_finish(NULL, daemon_child);
+#ifdef HAVE_SYSTEMD
+    /* If built with systemd support and running under systemd, notify readiness.
+       We check NOTIFY_SOCKET to avoid unnecessary calls when not under systemd. */
+    if (getenv("NOTIFY_SOCKET") != NULL) {
+	extern int sd_notify(int, const char *);
+	(void) sd_notify(0, "READY=1");
+    }
+#endif
 
     while (exit_flag == 0) {
 	krb5_ssize_t retx;

lib/roken/Makefile.am

@@ -9,7 +9,7 @@ CLEANFILES = roken.h make-roken.c $(XHEADERS)
 lib_LTLIBRARIES = libroken.la
 
 libroken_la_LDFLAGS = -version-info 20:0:1
-libroken_la_CPPFLAGS = -DBUILD_ROKEN_LIB
+libroken_la_CPPFLAGS = -DBUILD_ROKEN_LIB $(SYSTEMD_CFLAGS)
 
 if versionscript
 libroken_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
@@ -199,7 +199,7 @@ EXTRA_libroken_la_SOURCES =	\
 	search.hin		\
 	vis.hin	
 
-libroken_la_LIBADD = @LTLIBOBJS@ $(LIB_crypt) $(LIB_pidfile)
+libroken_la_LIBADD = @LTLIBOBJS@ $(LIB_crypt) $(LIB_pidfile) $(SYSTEMD_LIBS)
 if SUNOS
 libroken_la_LIBADD += -lnsl -lsocket
 endif

lib/roken/detach.c

@@ -38,6 +38,10 @@
 #endif
 #include "roken.h"
 
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
 #ifdef WIN32
 #define dup2 _dup2
 #endif
@@ -171,6 +175,24 @@ roken_detach_prep(int argc, char **argv, const char *special_arg)
 #define dup2 _dup2
 #endif
 
+ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
+roken_sd_notify(const char *state)
+{
+#ifdef HAVE_SYSTEMD
+    int r;
+
+    if (state == NULL)
+	return -1;
+    r = sd_notify(0, state);
+    if (r > 0)
+	return 0;
+    return -1;
+#else
+    (void)state;
+    return -1;
+#endif
+}
+
 ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL
 roken_detach_finish(const char *dir, int daemon_child_fd)
 {
@@ -203,6 +225,13 @@ roken_detach_finish(const char *dir, int daemon_child_fd)
         err(1, "failed to chdir to /");
 #endif
 
+    /*
+     * Notify systemd that we are ready (if built with systemd support).
+     * Do this after setsid/chdir and after pidfiles are written so that
+     * systemd sees the process in its final state.
+     */
+    (void) roken_sd_notify("READY=1");
+
     do {
         bytes = write(pipefds[1], buf, sizeof(buf));
     } while (bytes == -1 && errno == EINTR);

lib/roken/roken.h.in

@@ -939,6 +939,7 @@ ROKEN_LIB_FUNCTION size_t ROKEN_LIB_CALL
 
 ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL roken_detach_prep(int, char **, const char *);
 ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL roken_detach_finish(const char *, int);
+ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL roken_sd_notify(const char *);
 
 ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL
     net_write (rk_socket_t, const void *, size_t);

nix/heimdal/0001-Include-db.h-for-nbdb-compat-mode.patch

@@ -0,0 +1,25 @@
+From 749d9451293f9d9f8a3f506401cae369003aeebf Mon Sep 17 00:00:00 2001
+From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
+Date: Sun, 13 Oct 2024 17:16:13 -0400
+Subject: [PATCH] Include db.h for nbdb compat mode
+
+---
+ lib/otp/otp_db.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/otp/otp_db.c b/lib/otp/otp_db.c
+index 036359c1d..32c04bc8c 100644
+--- a/lib/otp/otp_db.c
++++ b/lib/otp/otp_db.c
+@@ -39,7 +39,7 @@ RCSID("$Id$");
+ #include "otp_locl.h"
+ 
+ #if defined(HAVE_DB_NDBM)
+-# include <ndbm.h>
++# include <db.h>
+ #elif !defined(HAVE_NDBM)
+ # include "ndbm_wrap.h"
+ #endif
+-- 
+2.46.0
+

nix/heimdal/0001-Link-tests-with-libresolv.patch

@@ -0,0 +1,51 @@
+From 862900febaec4a2c70257a39374b81138ee9f168 Mon Sep 17 00:00:00 2001
+From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
+Date: Tue, 15 Oct 2024 16:06:33 -0400
+Subject: [PATCH] Link tests with libresolv
+
+---
+ lib/gssapi/Makefile.am | 1 +
+ lib/krb5/Makefile.am   | 2 ++
+ lib/roken/Makefile.am  | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
+index 3254866dc..db967e586 100644
+--- a/lib/gssapi/Makefile.am
++++ b/lib/gssapi/Makefile.am
+@@ -403,6 +403,7 @@ LDADD = libgssapi.la \
+ 	$(top_builddir)/lib/krb5/libkrb5.la \
+ 	$(LIB_roken)
+ 
++test_names_LDFLAGS = -lresolv
+ test_names_LDADD = $(LDADD) $(top_builddir)/lib/asn1/libasn1.la
+ test_context_LDADD = $(LDADD) $(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/wind/libwind.la
+ 
+diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am
+index ecce461dd..e22cfe87c 100644
+--- a/lib/krb5/Makefile.am
++++ b/lib/krb5/Makefile.am
+@@ -330,6 +330,8 @@ test_rfc3961_LDADD = 				\
+ 	$(LIB_hcrypto)				\
+ 	$(LIB_roken)
+ 
++test_plugin_LDFLAGS = -lresolv
++
+ if DEVELOPER_MODE
+ headerdeps = $(dist_libkrb5_la_SOURCES)
+ endif
+diff --git a/lib/roken/Makefile.am b/lib/roken/Makefile.am
+index 1f530c7ae..8350d7034 100644
+--- a/lib/roken/Makefile.am
++++ b/lib/roken/Makefile.am
+@@ -54,6 +54,7 @@ libtest_la_CFLAGS = -DTEST_SNPRINTF -DTEST_STRPFTIME
+ 
+ parse_reply_test_SOURCES = parse_reply-test.c resolve.c
+ parse_reply_test_CFLAGS  = -DTEST_RESOLVE
++parse_reply_test_LDFLAGS = -lresolv
+ 
+ test_readenv_SOURCES = test-readenv.c test-mem.c
+ test_auxval_SOURCES = test-auxval.c
+-- 
+2.46.0
+

nix/heimdal/default.nix

@@ -22,6 +22,7 @@
   pam,
   libmicrohttpd,
   cjson,
+  systemdLibs,
 
   CoreFoundation,
   Security,
@@ -43,6 +44,7 @@
   withOpenLDAPAsHDBModule ? false,
   withOpenSSL ? true,
   withSQLite3 ? true,
+  withSystemd ? true,
 }:
 
 assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
@@ -89,9 +91,14 @@ stdenv.mkDerivation {
     ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
     ++ lib.optionals (withOpenLDAP) [ openldap ]
     ++ lib.optionals (withOpenSSL) [ openssl ]
-    ++ lib.optionals (withSQLite3) [ sqlite ];
+    ++ lib.optionals (withSQLite3) [ sqlite ]
+    ++ lib.optionals (withSystemd) [ systemdLibs ];
 
-  doCheck = true;
+  # env = {
+  #   CHECK_LOCAL = "no-check-local";
+  # };
+
+  # doCheck = true;
   nativeCheckInputs = [
     curl
     jdk_headless
@@ -142,8 +149,6 @@ stdenv.mkDerivation {
       --replace-fail 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
     substituteInPlace tests/ldap/check-ldap.in \
       --replace-fail 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
-    substituteInPlace tests/ldap/Makefile.am \
-      --replace-fail 'TESTS = check-ldap' 'TESTS ='
     substituteInPlace tests/kdc/check-iprop.in \
       --replace-fail '/bin/pwd' 'pwd'
   '';

nix/module/heimdal.nix

@@ -71,6 +71,7 @@ in
       partOf = [ "kerberos-server.target" ];
       wantedBy = [ "kerberos-server.target" ];
       serviceConfig = {
+        Type = "notify";
         ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
         Slice = "system-kerberos-server.slice";
         StateDirectory = "heimdal";
@@ -83,6 +84,7 @@ in
       partOf = [ "kerberos-server.target" ];
       wantedBy = [ "kerberos-server.target" ];
       serviceConfig = {
+        Type = "notify";
         ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
         Slice = "system-kerberos-server.slice";
         StateDirectory = "heimdal";
@@ -95,6 +97,7 @@ in
       partOf = [ "kerberos-server.target" ];
       wantedBy = [ "kerberos-server.target" ];
       serviceConfig = {
+        Type = "notify";
         ExecStart = "${package}/libexec/kpasswdd";
         Slice = "system-kerberos-server.slice";
         StateDirectory = "heimdal";

nix/nixosTest.nix

@@ -159,26 +159,17 @@
         alice_krb_pw = "alice_hunter2"
         alice_old_krb_pw = ""
         alice_krb_admin_pw = "alice_admin_hunter2"
-        bob_krb_pw = "bob_hunter2"
 
         def random_password():
           password_chars = string.ascii_letters + string.digits + string.punctuation.replace('"', "")
           return "".join(random.choice(password_chars) for _ in range(16))
 
-        def clear_tty(node):
-            node.send_chars("clear\n")
-            ps1 = r"\[alice@\w+:~\]\$ "
-            node.wait_until_tty_matches("1", ps1)
-
         with subtest("Server: initialize user principals and keytabs"):
           server.succeed(f'kadmin -l add --password="{alice_krb_admin_pw}" --use-defaults alice/admin')
-          # server.succeed("kadmin -l ext_keytab --keytab=admin.keytab alice/admin")
+          server.succeed("kadmin -l ext_keytab --keytab=admin.keytab alice/admin")
 
-          server.succeed(f'kadmin -p alice/admin add --password="{alice_krb_pw}" --use-defaults alice')
-          # server.succeed("kadmin -l ext_keytab --keytab=alice.keytab alice")
-
-          server.succeed("kadmin -p alice/admin add --password={bob_krb_pw} --use-defaults bob")
-          # server.succeed("kadmin -l ext_keytab --keytab=bob.keytab bob")
+          server.succeed(f'kadmin -p alice/admin -K admin.keytab add --password="{alice_krb_pw}" --use-defaults alice')
+          server.succeed("kadmin -l ext_keytab --keytab=alice.keytab alice")
 
         server.wait_for_unit("getty@tty1.service")
         server.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
@@ -196,7 +187,7 @@
           if not "host/server.foo.bar" in ktutil_list:
             exit(1)
 
-          clear_tty(server)
+          server.send_chars("clear\n")
 
         client.systemctl("start network-online.target")
         client.wait_for_unit("network-online.target")
@@ -221,7 +212,7 @@
           if not "host/client.foo.bar" in ktutil_list:
             exit(1)
 
-          clear_tty(client)
+          client.send_chars("clear\n")
 
         with subtest("Client: kinit alice"):
           client.succeed(
@@ -230,7 +221,7 @@
           )
           tickets = client.succeed("klist")
           assert "Principal: alice@FOO.BAR" in tickets
-          clear_tty(client)
+          client.send_chars("clear\n")
 
         with subtest("Client: kpasswd alice"):
           alice_old_krb_pw = alice_krb_pw
@@ -245,14 +236,7 @@
 
           client.wait_until_tty_matches("1", "Success : Password changed")
 
-          clear_tty(client)
-
-        with subtest("Client: kadmin get bob"):
-          client.send_chars("sudo kadmin -p alice/admin -K admin.keytab get bob\n")
-          client.wait_until_tty_matches("1", "alice/admin@FOO.BAR's Password:")
-          client.send_chars(f"{alice_krb_admin_pw}\n")
-          client.wait_until_tty_matches("1", "Principal: bob@FOO.BAR")
-          clear_tty(client)
+          client.send_chars("clear\n")
 
         with subtest("Server: kinit alice"):
           server.succeed(
@@ -261,7 +245,7 @@
           )
           tickets = client.succeed("klist")
           assert "Principal: alice@FOO.BAR" in tickets
-          clear_tty(server)
+          server.send_chars("clear\n")
 
         with subtest("Server: kpasswd alice"):
           alice_old_krb_pw = alice_krb_pw
@@ -276,14 +260,7 @@
 
           server.wait_until_tty_matches("1", "Success : Password changed")
 
-          clear_tty(server)
-
-        with subtest("Server: kadmin get bob"):
-          server.send_chars("sudo kadmin -p alice/admin -K admin.keytab get bob\n")
-          server.wait_until_tty_matches("1", "alice/admin@FOO.BAR's Password:")
-          server.send_chars(f"{alice_krb_admin_pw}\n")
-          server.wait_until_tty_matches("1", "Principal: bob@FOO.BAR")
-          clear_tty(server)
+          server.send_chars("clear\n")
       '';
 
     meta.maintainers = pkgs.heimdal.meta.maintainers;