KerberosNFSv4

From DcSharedWiki
Latest revision as of 05:20, 22 April 2019

How to install NFSv4 with Kerberos authentication on Debian Squeeze

References:


Server

Packages

nfs-kernel-server

apt-get install nfs-kernel-server

Configuration

/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


/etc/default/nfs-kernel-server

NEED_SVCGSSD=yes


/etc/krb5.conf

Enable allow_weak_crypto in the [libdefaults] section. Together with permitted_enctypes = des-cbc-crc this restricts the host's Kerberos library to single DES; it is only there for kernels and nfs-utils versions that cannot use the stronger types, so drop both settings once every host can use AES (see the kernel history linked below).

  • nfsv4 and encryption types: http://comments.gmane.org/gmane.linux.nfsv4/11322
  • RC4-HMAC, 3DES, AES128 and AES256 are supported in recent kernels: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=history;f=net/sunrpc/auth_gss/gss_krb5_mech.c;h=8c67890de427e35a01e2777db805d0366bea0c8c;hb=HEAD

[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true
        # needed for clients with nfs-utils >= 1.2.3 (see Debian bug #474037, nfs-utils commit 76be349d5dd07f55797cb9920cc275667258f10f)
        permitted_enctypes = des-cbc-crc

(krb5.conf treats only lines starting with # or ; as comments, so keep the note on its own line rather than after the value.)


Create needed directory

kdc:/root# mkdir /mnt/sdb1
kdc:/root# mkdir -p /export/Documents


/etc/exports

/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)


/etc/fstab

# [...]
/dev/sdb1           /mnt/sdb1         ext3 defaults,acl 1       2
/mnt/sdb1/Documents /export/Documents none ro,bind      0       0


mount directory

kdc:/root# mount /mnt/sdb1
kdc:/root# mount /export/Documents


Export directories

kdc:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export


NFS service: Create principal entry

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin:  addprinc -randkey nfs/kdc.coincoin.eu
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.


export nfs@kdc principal to the keytab

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/kdc.coincoin.eu

You can list the contents of the keytab:

kdc:~# ktutil 
ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2    nfs/kdc.coincoin.eu@COINCOIN.EU


Create client entry

kdc:/root# kadmin.local
kadmin:  addprinc -randkey nfs/client.coincoin.eu
WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.


Start services

  • /etc/init.d/nfs-common start
  • /etc/init.d/nfs-kernel-server start

Client

Packages

apt-get install nfs-client


Configuration

/etc/krb5.conf

Enable allow_weak_crypto in libdefaults section

[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true


/etc/fstab

kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0  0


Check DNS configuration

root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.


/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


Start services

/etc/init.d/nfs-common restart


Create keytab

client:/root# kadmin -p superuser
Authenticating as principal superuser with password.
Password for superuser@COINCOIN.EU: 
ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/client.coincoin.eu
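Before going on to the error section, here is a way to read back what the steps above configured on a host. This is an added example and not part of the wiki page: POSIX shell functions that pull the relevant settings out of krb5.conf, /etc/default/nfs-common, /etc/default/nfs-kernel-server, /etc/exports and /etc/fstab and print one PASS/WARN line per check. The sample files it runs against are constructed here to mirror the page's configuration; the report function and its wording are mine, not from the page or from nfs-utils.

```sh
#!/bin/sh
# Added example, not part of the wiki page: read back the settings the page
# edits and report whether a host is set up for sec=krb5p. Paths are
# parameters, so the functions run against the real files or against the
# constructed samples at the end. Needs only POSIX sh, awk and mktemp.

# Value of KEY inside [SECTION] of a krb5.conf-style file (empty if absent).
# Only a # or ; at the start of a line is a comment in krb5.conf.
krb5_get() { # krb5_get FILE SECTION KEY
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_sect = ($0 ~ ("^[ \t]*\\[" sect "\\]")); next }
        in_sect {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); gsub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr(line, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Value of NAME in an /etc/default file (NAME=value lines, last assignment wins).
default_flag() { # default_flag FILE NAME
    awk -F= -v name="$2" '
        /^[ \t]*#/ { next }
        $1 == name { v = $2; gsub(/["'\'']/, "", v); last = v }
        END { print last }' "$1"
}

# Security flavour /etc/exports grants for PATH: the gss/<flavour> client form
# used on this page, or a sec=<flavour> option in the client list (empty if neither).
exports_flavor() { # exports_flavor FILE PATH
    awk -v path="$2" '
        /^[ \t]*#/ { next }
        $1 == path {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^gss\//) { sub(/^gss\//, "", $i); sub(/\(.*$/, "", $i); print $i; exit }
                if (match($i, /sec=[a-z0-9:]+/)) { print substr($i, RSTART + 4, RLENGTH - 4); exit }
            }
        }' "$1"
}

# sec= option of the fstab entry mounted at MOUNTPOINT (empty if none or not NFS).
fstab_sec() { # fstab_sec FILE MOUNTPOINT
    awk -v mp="$2" '
        /^[ \t]*#/ { next }
        $2 == mp && $3 ~ /^nfs4?$/ {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) { print substr(o[i], 5); exit }
        }' "$1"
}

# One PASS/WARN line per check. DIR holds the files as krb5.conf, nfs-common,
# nfs-kernel-server, exports and fstab; ROLE is server or client.
report() { # report ROLE DIR
    role=$1; d=$2
    for flag in NEED_GSSD NEED_IDMAPD; do
        if [ "$(default_flag "$d/nfs-common" "$flag")" = yes ]; then echo "PASS $flag=yes"
        else echo "WARN $flag is not yes (rpc.gssd / rpc.idmapd will not start)"; fi
    done
    if [ "$(krb5_get "$d/krb5.conf" libdefaults allow_weak_crypto)" = true ]; then
        echo "WARN allow_weak_crypto=true: single-DES tickets accepted; keep only while a kernel or nfs-utils lacks AES"
    else echo "PASS allow_weak_crypto not enabled"; fi
    case "$(krb5_get "$d/krb5.conf" libdefaults permitted_enctypes)" in
        *des-cbc*) echo "WARN permitted_enctypes restricts this host to single DES" ;;
        *)         echo "PASS permitted_enctypes does not force DES" ;;
    esac
    if [ "$role" = server ]; then
        [ "$(default_flag "$d/nfs-kernel-server" NEED_SVCGSSD)" = yes ] \
            && echo "PASS NEED_SVCGSSD=yes" || echo "WARN NEED_SVCGSSD is not yes (rpc.svcgssd will not start)"
        f=$(exports_flavor "$d/exports" /export)
        [ "$f" = krb5p ] && echo "PASS /export exported as gss/krb5p" || echo "WARN /export flavour is '${f:-none}', not krb5p"
    else
        s=$(fstab_sec "$d/fstab" /mnt/Documents)
        [ "$s" = krb5p ] && echo "PASS /mnt/Documents mounts with sec=krb5p" || echo "WARN /mnt/Documents sec option is '${s:-none}'"
    fi
}

# Constructed sample files mirroring the page's configuration (not real hosts).
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true
        # needed for clients with nfs-utils >= 1.2.3
        permitted_enctypes = des-cbc-crc
EOF
printf 'NEED_IDMAPD=yes\nNEED_GSSD=yes\n' > "$SAMPLE/nfs-common"
printf 'NEED_SVCGSSD=yes\n' > "$SAMPLE/nfs-kernel-server"
printf '/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)\n/export/Documents  gss/krb5p(rw,async,no_subtree_check)\n' > "$SAMPLE/exports"
printf 'kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0\n' > "$SAMPLE/fstab"

echo "== server =="; report server "$SAMPLE"
echo "== client =="; report client "$SAMPLE"
```

On a real host, point the functions at /etc/krb5.conf, /etc/default/nfs-common and so on instead of the sample directory; the two WARN lines the sample produces are exactly the weak-crypto settings this page enables on purpose, so they are the ones to revisit once the kernel supports AES.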


Errors

Additional pre-authentication required

/var/log/kerberos/krb5kdc.log:

Mar 01 01:10:57 kdc krb5kdc[2608](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.25.3: NEEDED_PREAUTH: nfs/kdc.coincoin.eu@COINCOIN.EU for krbtgt/COINCOIN.EU@COINCOIN.EU, Additional pre-authentication required

Check allow_weak_crypto in /etc/krb5.conf on both the server and the client.
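The KDC line above also records the etype list the client sent in its AS_REQ, and decoding it tells you whether the client offered AES at all or only the single-DES types that need allow_weak_crypto. The script below is an added example, not from the wiki page: POSIX shell functions that map the etype numbers to their registry names, class them, and pull out the status token and requesting principal. The weak/legacy/strong labels are mine (single DES is what MIT krb5 refuses without allow_weak_crypto; 3DES and RC4 are accepted without it; AES is the strong set). On this page's own line the client offers AES as well as DES, so the list itself is not the problem; the keytab was exported with des-cbc-crc:normal, which leaves that principal with a single-DES key only, and that is why both ends need allow_weak_crypto.

```sh
#!/bin/sh
# Added example, not from the wiki page: decode the "AS_REQ (N etypes {...})"
# part of a krb5kdc log line so triage starts from what the client offered.
# Etype numbers follow the Kerberos registry; the weak/legacy/strong classes
# below are this script's labels.

# Registry name of a numeric etype; unknown numbers come back as etype-N.
etype_name() { # etype_name NUMBER
    case "$1" in
        1)  echo des-cbc-crc ;;
        2)  echo des-cbc-md4 ;;
        3)  echo des-cbc-md5 ;;
        16) echo des3-cbc-sha1 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        23) echo arcfour-hmac ;;
        *)  echo "etype-$1" ;;
    esac
}

# weak (single DES, needs allow_weak_crypto) / legacy (3DES, RC4) / strong (AES).
etype_class() { # etype_class NUMBER
    case "$1" in
        1|2|3) echo weak ;;
        16|23) echo legacy ;;
        17|18) echo strong ;;
        *)     echo unknown ;;
    esac
}

# The space-separated etype numbers inside the braces (empty if the line has none).
etype_list() { # etype_list "LOGLINE"
    printf '%s\n' "$1" | sed -n 's/.*etypes {\([0-9 ]*\)}.*/\1/p'
}

# One "number name class" line per offered etype, in the order the client sent them.
decode_etypes() { # decode_etypes "LOGLINE"
    for n in $(etype_list "$1"); do
        printf '%s %s %s\n' "$n" "$(etype_name "$n")" "$(etype_class "$n")"
    done
}

# Best class the client offered: strong / legacy / weak-only / none.
offered_strength() { # offered_strength "LOGLINE"
    best=none
    for n in $(etype_list "$1"); do
        case "$(etype_class "$n")" in
            strong) best=strong ;;
            legacy) if [ "$best" != strong ]; then best=legacy; fi ;;
            weak)   if [ "$best" = none ]; then best=weak-only; fi ;;
        esac
    done
    echo "$best"
}

# Status token the KDC logged (NEEDED_PREAUTH, ...) and the requesting principal.
asreq_status() { printf '%s\n' "$1" | sed -n 's/.*: \([A-Z_][A-Z_]*\): .*/\1/p'; }
asreq_client() { printf '%s\n' "$1" | sed -n 's/.*: [A-Z_][A-Z_]*: \([^ ]*\) for .*/\1/p'; }

# The krb5kdc line quoted on this page, used as the sample input.
LINE='Mar 01 01:10:57 kdc krb5kdc[2608](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.25.3: NEEDED_PREAUTH: nfs/kdc.coincoin.eu@COINCOIN.EU for krbtgt/COINCOIN.EU@COINCOIN.EU, Additional pre-authentication required'
echo "client:  $(asreq_client "$LINE")"
echo "status:  $(asreq_status "$LINE")"
echo "offered: $(offered_strength "$LINE")"
decode_etypes "$LINE"
```

Run it over the whole log with a loop such as `while IFS= read -r l; do offered_strength "$l"; done < /var/log/kerberos/krb5kdc.log` to spot any client that only ever offers weak-only lists; those are the hosts that will break when allow_weak_crypto is finally turned off.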

rpc.nfsd: unable to set any sockets for nfsd

Add 127.0.0.1 to /etc/hosts.allow for the portmap or rpcbind service.

No supported encryption types (config file error?)

In daemon.log:

Feb  4 03:42:11 kdc rpc.svcgssd[3126]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No supported encryption types (config file error?)


Update the kernel.

Increase verbosity

server

/etc/default/nfs-kernel-server

RPCSVCGSSDOPTS=-vvvvvvvvv

server and client

/etc/init.d/nfs-common

RPCGSSDOPTS=-vvvvvvvvvvvvvv

Replace

start-stop-daemon --start --oknodo --quiet \
--exec /usr/sbin/rpc.idmapd

with

start-stop-daemon --start --oknodo --quiet \
--exec /usr/sbin/rpc.idmapd -- -vvvvvvvvvvvvvvv


TODO

  • details client:/root# kadmin -p superuser
  • /etc/idmapd.conf

Performance

  • network: 100 Mbps, server: Atom D525 with 2 GB, client: Core i7 with 2 GB
    • krb5/krb5i/krb5p: no difference when moving a file, about 1 minute 6 seconds in each case