KerberosNFSv4: Difference between revisions
From DcSharedWiki
Latest revision as of 05:20, 22 April 2019
How to install NFSv4 with Kerberos authentication on Debian Squeeze
References:
Server
Packages
nfs-kernel-server
apt-get install nfs-kernel-server
Configuration
/etc/default/nfs-common
[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
/etc/default/nfs-kernel-server
NEED_SVCGSSD=yes
/etc/krb5.conf
Enable allow_weak_crypto in the libdefaults section. This is a Squeeze-era workaround: the RPCSEC_GSS code in kernels of that time only handled single DES (des-cbc-crc), while MIT Kerberos 1.8 and later refuse DES unless allow_weak_crypto is set. Single DES has a 56-bit key and is considered broken; it was removed from MIT Kerberos in release 1.18. On a kernel that supports AES (see the second reference) leave allow_weak_crypto at its default of false and omit permitted_enctypes, so that AES is negotiated.
- nfsv4 and encryption types
- Note that RC4-HMAC, 3DES, AES128 and AES256 are supported in recent kernels
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
# des-cbc-crc is needed for clients running nfs-utils >= 1.2.3 (see Debian bug #474037, nfs-utils commit 76be349d5dd07f55797cb9920cc275667258f10f)
permitted_enctypes = des-cbc-crc
Keep comments on their own line: the krb5.conf parser only treats lines starting with # or ; as comments and would read a trailing comment as part of the value.
Create needed directory
kdc:/root# mkdir /mnt/sdb1
kdc:/root# mkdir -p /export/Documents
/etc/exports
/export            gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)
The gss/krb5p client specification admits any host that can present a Kerberos ticket for its nfs/ principal and forces the krb5p flavour (authentication, integrity and encryption of the RPC payload); krb5 would authenticate only and krb5i would add integrity checks but no confidentiality. Newer nfs-utils deprecate this syntax in favour of a normal client specification with the sec= option, for example 192.168.20.0/24(rw,sec=krb5p,...), which also lets you restrict the client network. fsid=0 makes /export the NFSv4 pseudo-root, which is why clients mount /Documents rather than /export/Documents. async acknowledges writes before they reach disk and can lose data if the server crashes; use sync unless the extra throughput is really needed.
/etc/fstab
# [...]
/dev/sdb1            /mnt/sdb1          ext3  defaults,acl  1 2
/mnt/sdb1/Documents  /export/Documents  none  ro,bind       0 0
mount directory
kdc:/root# mount /mnt/sdb1
kdc:/root# mount /export/Documents
Export directories
kdc:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export
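Two helpers for the exports file, added here as an example that is neither part of the original page nor of nfs-utils. convert_exports rewrites the deprecated gss/<flavour>(opts) client specification used above into the <client>(opts,sec=<flavour>) form, so that a network restriction can be added alongside the Kerberos requirement; audit_exports flags entries that still permit the unauthenticated sys flavour or do not require krb5p. The exports text is the one from this page plus one deliberately weak line, and the 192.168.20.0/24 network is an assumption; both are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page or nfs-utils): rewrite legacy
# "gss/<flavour>(opts)" exports into "<client>(opts,sec=<flavour>)" and
# audit an exports file for entries that allow sec=sys or skip krb5p.
# Sample exports and the 192.168.20.0/24 network are constructed here.

# convert_exports [client-spec]   (exports on stdin, rewritten lines on stdout;
#                                  the client spec defaults to "*", i.e. any host)
convert_exports() {
    awk -v client="${1:-*}" '
        /^[ \t]*(#|$)/ { print; next }             # comments and blank lines unchanged
        {
            line = $0
            # Replace every gss/krb5[ip]?(opts) occurrence on the line.
            while (match(line, /gss\/krb5[ip]?\(/)) {
                pre   = substr(line, 1, RSTART - 1)
                flav  = substr(line, RSTART + 4, RLENGTH - 5)   # e.g. krb5p
                rest  = substr(line, RSTART + RLENGTH)          # "opts)..."
                cl    = index(rest, ")")
                opts  = substr(rest, 1, cl - 1)
                after = substr(rest, cl + 1)
                sec   = (opts == "") ? ("sec=" flav) : (opts ",sec=" flav)
                line  = pre client "(" sec ")" after
            }
            print line
        }'
}

# audit_exports   (exports on stdin; prints one WARN line per weak entry,
#                  exit status 1 if any were found, 0 otherwise)
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                ent = $i
                if (ent ~ /^gss\/krb5[ip]?\(/) {
                    sec = substr(ent, 5, index(ent, "(") - 5)   # legacy form: flavour is the client spec
                } else if (match(ent, /sec=[^,)]+/)) {
                    sec = substr(ent, RSTART + 4, RLENGTH - 4)  # may be a colon list, e.g. sys:krb5p
                } else {
                    sec = "sys"                                  # no sec= means AUTH_SYS only
                }
                if (sec ~ /(^|:)sys(:|$)/ || sec !~ /(^|:)krb5p(:|$)/) {
                    printf "WARN %s %s: sec=%s\n", $1, ent, sec
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Demonstration: the exports from this page plus one constructed weak entry.
sample='/export            gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)
/export/Public     192.168.20.0/24(ro,sec=sys:krb5)'

printf '%s\n' "$sample" | convert_exports 192.168.20.0/24
printf '%s\n' "$sample" | audit_exports || echo "weak exports found"
```

Run exportfs -rv after rewriting the file; the audit is worth repeating whenever the exports change, since a single sec=sys entry on the same server undoes the point of Kerberos for that path.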
NFS service: Create principal entry
kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin: addprinc -randkey nfs/kdc.coincoin.eu
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.
Export the nfs/kdc.coincoin.eu principal to the keytab
kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/kdc.coincoin.eu
ktadd generates a fresh random key, increments the principal's kvno and writes the new key to the keytab, so any older keytab for the same principal stops working. The -e des-cbc-crc:normal restriction belongs to the DES workaround for old kernels; on a kernel with AES support leave it out so the default (AES) enctypes are written. The keytab is the service's long-term key: keep /etc/krb5.keytab owned by root with mode 0600.
You can list the content of the keytab:
kdc:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/kdc.coincoin.eu@COINCOIN.EU
Use "list -e" in ktutil (or klist -ke) to see the enctype of each entry as well; that is the quickest way to confirm whether a keytab still carries DES keys.
Create client entry
kdc:/root# kadmin.local
kadmin: addprinc -randkey nfs/client.coincoin.eu
WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.
Start services
- /etc/init.d/nfs-common start
- /etc/init.d/nfs-kernel-server start
Client
Packages
apt-get install nfs-common
(Debian has no nfs-client package; the mount helper, rpc.gssd and rpc.idmapd ship in nfs-common.)
Configuration
/etc/krb5.conf
Enable allow_weak_crypto in the libdefaults section. As on the server, this is only needed while the NFS traffic has to use single DES; do not set it on a system whose kernel supports AES.
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
/etc/fstab
kdc.coincoin.eu:/Documents  /mnt/Documents  nfs4  sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto  0 0
The export path is /Documents, not /export/Documents, because fsid=0 on the server makes /export the NFSv4 root. sec=krb5p has to be a flavour the export allows. noexec and nosuid stop binaries on the share from being executed or gaining privileges on the client; nodev is worth adding for the same reason.
Check DNS configuration
root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
rpc.gssd resolves the server name (and, depending on the nfs-utils version, its reverse record) to build the nfs/<fqdn> service principal it asks the KDC for, so forward and reverse DNS must agree with the principal name in the server keytab or the mount fails before any NFS traffic is exchanged.
/etc/default/nfs-common
[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
Start services
/etc/init.d/nfs-common restart
Create keytab
client:/root# kadmin -p superuser
Authenticating as principal superuser with password.
Password for superuser@COINCOIN.EU:
kadmin: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/client.coincoin.eu
superuser has to be an administrative principal that kadm5.acl allows to extract keys. Typing its password on every client spreads that credential around; the alternative is to run ktadd on the KDC and copy the resulting keytab to the client over scp. Either way the file must end up root-owned with mode 0600. As on the server, drop -e des-cbc-crc:normal on kernels with AES support.
Errors
Additional pre-authentication required
/var/log/kerberos/krb5kdc.log:
Mar 01 01:10:57 kdc krb5kdc[2608](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.25.3: NEEDED_PREAUTH: nfs/kdc.coincoin.eu@COINCOIN.EU for krbtgt/COINCOIN.EU@COINCOIN.EU, Additional pre-authentication required
NEEDED_PREAUTH on its own is normal: the KDC answers the first AS_REQ with a pre-authentication challenge and the client retries, so the actual failure is in the line that follows this one. The etypes list is what the client offered, in its order of preference: 18 and 17 are AES256 and AES128, 16 is 3DES, 23 is RC4-HMAC and 1, 3, 2 are the single-DES types. If the retry fails with an enctype error, check allow_weak_crypto in /etc/krb5.conf on both server and client.
rpc.nfsd: unable to set any sockets for nfsd
Add 127.0.0.1 in /etc/hosts.allow for service portmap or rpcbind
No supported encryption types (config file error?)
In daemon.log:
Feb 4 03:42:11 kdc rpc.svcgssd[3126]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
The client's ticket uses an enctype that this combination of kernel, nfs-utils and keytab cannot handle, so gss_accept_sec_context fails. Updating the kernel is the real fix, since recent kernels support AES (see the krb5.conf references); the permitted_enctypes = des-cbc-crc workaround in the krb5.conf section is the fallback for kernels that only know DES.
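The two errors above come down to which enctypes the client offers versus which ones the server side can use. The following helper, added here as an example that is not part of the page, of MIT Kerberos or of nfs-utils, decodes the etypes from the krb5kdc AS_REQ line shown above and intersects them with a list of enctypes you pass in (take it from klist -ke on the server and from what your kernel supports). The two supported lists used in the demonstration, DES-only for a Squeeze kernel and AES/3DES/RC4 for a recent one, are assumptions; the log line is the one from this page.

```shell
#!/bin/sh
# Added example (not from the wiki page, MIT Kerberos or nfs-utils): decode the
# enctype numbers in a krb5kdc AS_REQ log line and compare them with the
# enctypes the NFS server side can handle, to explain enctype negotiation
# failures from the logs. The supported lists below are assumptions.

# etype_name <number>  - enctype numbers (RFC 3961/3962/4757/8009) to MIT names
etype_name() {
    case "$1" in
        1)  echo des-cbc-crc ;;
        2)  echo des-cbc-md4 ;;
        3)  echo des-cbc-md5 ;;
        16) echo des3-cbc-sha1 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        19) echo aes128-cts-hmac-sha256-128 ;;
        20) echo aes256-cts-hmac-sha384-192 ;;
        23) echo arcfour-hmac ;;
        *)  echo "unknown-$1" ;;
    esac
}

# is_weak <name>  - single DES and RC4 are broken, 3DES is deprecated (RFC 8429)
is_weak() {
    case "$1" in
        des-cbc-*|arcfour-hmac*|des3-*) return 0 ;;
        *) return 1 ;;
    esac
}

# asreq_etypes <log line>  - names of the enctypes the client offered,
#                            space separated, in its order of preference
asreq_etypes() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*etypes {\([0-9 ]*\)}.*/\1/p')
    out=
    for n in $nums; do out="$out${out:+ }$(etype_name "$n")"; done
    printf '%s\n' "$out"
}

# weak_etypes <log line>  - the offered enctypes that are weak or deprecated
weak_etypes() {
    out=
    for name in $(asreq_etypes "$1"); do
        if is_weak "$name"; then out="$out${out:+ }$name"; fi
    done
    printf '%s\n' "$out"
}

# common_etypes <log line> <supported name>...  - offered enctypes the server
#                                                 side can use, client order
common_etypes() {
    line=$1; shift
    out=
    for name in $(asreq_etypes "$line"); do
        for s in "$@"; do
            if [ "$name" = "$s" ]; then out="$out${out:+ }$name"; fi
        done
    done
    printf '%s\n' "$out"
}

# diagnose <log line> <supported name>...  - human readable summary;
#                                            exit 1 when nothing matches
diagnose() {
    line=$1; shift
    echo "client offered : $(asreq_etypes "$line")"
    echo "weak among them: $(weak_etypes "$line")"
    usable=$(common_etypes "$line" "$@")
    if [ -z "$usable" ]; then
        echo "VERDICT: no enctype in common; align permitted_enctypes/keytab or upgrade the kernel"
        return 1
    fi
    echo "usable here    : $usable (negotiated: ${usable%% *})"
    return 0
}

# The AS_REQ line from this page, and two assumed server capability sets.
KDC_LOG='Mar 01 01:10:57 kdc krb5kdc[2608](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.25.3: NEEDED_PREAUTH: nfs/kdc.coincoin.eu@COINCOIN.EU for krbtgt/COINCOIN.EU@COINCOIN.EU, Additional pre-authentication required'

echo "--- Squeeze-era kernel (assumed DES only)"
diagnose "$KDC_LOG" des-cbc-crc des-cbc-md5 || true
echo "--- recent kernel (assumed AES, 3DES, RC4)"
diagnose "$KDC_LOG" aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac || true
```

The first name in the usable list is what the exchange settles on, since the client lists its preferences first; on the DES-only kernel that is des-cbc-crc, which is exactly why the page has to set allow_weak_crypto, and on a recent kernel it is AES-256 with no weak crypto involved.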
Increase verbosity
server
/etc/default/nfs-kernel-server
RPCSVCGSSDOPTS=-vvvvvvvvv
server and client
/etc/init.d/nfs-common
RPCGSSDOPTS=-vvvvvvvvvvvvvv
Replace
start-stop-daemon --start --oknodo --quiet \
    --exec /usr/sbin/rpc.idmapd
by
start-stop-daemon --start --oknodo --quiet \
    --exec /usr/sbin/rpc.idmapd -- -vvvvvvvvvvvvvvv
TODO
- details client:/root# kadmin -p superuser
- /etc/idmapd.conf
Performance
- network: 100 Mbps; server: Atom D525 with 2 GB RAM; client: Core i7 with 2 GB RAM
- krb5/krb5i/krb5p: no measurable difference when moving a file, about 1 minute 6 seconds in each case