authorRuss Allbery <eagle@eyrie.org>2020-05-17 19:01:47 -0700
committerRuss Allbery <eagle@eyrie.org>2020-05-17 19:03:55 -0700
commite1714fffa69f30aacf44ccd3be8bd60c3bc1e8c4 (patch)
treece829624a97060d9b71e88dbbedb558d42f290e9 /ci/files
parentb45efd7ab0b9b77d048566d4441e91e4d85e1757 (diff)
Add Heimdal CI testing
Set up a Heimdal KDC and add Heimdal to the test matrix. Remove some unnecessary configuration from the MIT Kerberos CI configuration. Ensure the user programs are installed for whatever Kerberos we're using, which will enable more of the Perl test suite.
Diffstat (limited to 'ci/files')
-rw-r--r--ci/files/heimdal/heimdal-kdc9
-rw-r--r--ci/files/heimdal/kadmind.acl1
-rw-r--r--ci/files/heimdal/kdc.conf22
-rw-r--r--ci/files/heimdal/krb5.conf18
-rw-r--r--ci/files/mit/kdc.conf7
-rw-r--r--ci/files/mit/krb5.conf1
6 files changed, 52 insertions, 6 deletions
diff --git a/ci/files/heimdal/heimdal-kdc b/ci/files/heimdal/heimdal-kdc
new file mode 100644
index 0000000..d781463
--- /dev/null
+++ b/ci/files/heimdal/heimdal-kdc
@@ -0,0 +1,9 @@
+# Heimdal KDC init script setup. -*- sh -*-
+
+# KDC configuration.
+KDC_ENABLED=yes
+KDC_PARAMS='--config-file=/etc/heimdal-kdc/kdc.conf'
+
+# kpasswdd configuration.
+KPASSWDD_ENABLED=yes
+KPASSWDD_PARAMS='-r HEIMDAL.TEST'
diff --git a/ci/files/heimdal/kadmind.acl b/ci/files/heimdal/kadmind.acl
new file mode 100644
index 0000000..2f4a084
--- /dev/null
+++ b/ci/files/heimdal/kadmind.acl
@@ -0,0 +1 @@
+test/wallet@HEIMDAL.TEST all,get-keys wallet/*@HEIMDAL.TEST
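Review bot: The single ACL line grants `test/wallet@HEIMDAL.TEST` the `get-keys` right on `wallet/*@HEIMDAL.TEST` in addition to `all`, so that principal can read back existing long-term keys for every matching principal rather than only rekey them, and nothing in the file marks this as a test-realm grant. The target pattern is already narrowed to `wallet/*`, which keeps the scope tight. I would add a header line such as `# CI test realm only: test/wallet may manage and extract keys for wallet/* principals.` so the entry is not copied into a production ACL without review. Confirm that the kadmind in the CI image skips `#` lines in this file before adding it.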
diff --git a/ci/files/heimdal/kdc.conf b/ci/files/heimdal/kdc.conf
new file mode 100644
index 0000000..bd00dcd
--- /dev/null
+++ b/ci/files/heimdal/kdc.conf
@@ -0,0 +1,22 @@
+# Heimdal KDC configuration. -*- conf -*-
+
+[kadmin]
+ default_keys = aes256-cts-hmac-sha1-96:pw-salt
+
+[kdc]
+ acl_file = /etc/heimdal-kdc/kadmind.acl
+ check-ticket-addresses = false
+ logging = SYSLOG:NOTICE
+ ports = 88
+
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+
+[realms]
+ HEIMDAL.TEST.EYRIE.ORG = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ }
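Review bot: The `[realms]` stanza at the end of this new file is named `HEIMDAL.TEST.EYRIE.ORG`, while `default_realm` a few lines above it, the ACL in kadmind.acl, `KPASSWDD_PARAMS` in heimdal-kdc and the client krb5.conf in this same commit all use `HEIMDAL.TEST`. With `dns_lookup_kdc = false`, a tool that reads this file would presumably find no KDC or admin server entry for the default realm, so the stanza looks dead as written and should read `HEIMDAL.TEST = {`. Separately, `check-ticket-addresses = false` switches off a ticket check with no explanation. A comment above it such as `# CI only: KDC and clients all talk over 127.0.0.1.` would keep the setting from being carried into a real deployment unexamined.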
diff --git a/ci/files/heimdal/krb5.conf b/ci/files/heimdal/krb5.conf
new file mode 100644
index 0000000..65dc71e
--- /dev/null
+++ b/ci/files/heimdal/krb5.conf
@@ -0,0 +1,18 @@
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ HEIMDAL.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
index 7bf4e6a..09e6795 100644
--- a/ci/files/mit/kdc.conf
+++ b/ci/files/mit/kdc.conf
@@ -1,7 +1,6 @@
[kdcdefaults]
- kdc_ports = 88
- kdc_tcp_ports = 88
- restrict_anonymous_to_tgt = true
+ kdc_ports = 88
+ kdc_tcp_ports = 88
[realms]
MIT.TEST = {
@@ -14,6 +13,4 @@
master_key_type = aes256-cts
supported_enctypes = aes256-cts:normal
default_principal_flags = +preauth
- pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
- pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
}
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
index 9b0d5ab..37816a2 100644
--- a/ci/files/mit/krb5.conf
+++ b/ci/files/mit/krb5.conf
@@ -11,7 +11,6 @@
kdc = 127.0.0.1
master_kdc = 127.0.0.1
admin_server = 127.0.0.1
- pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
}
[logging]