SqueezeKerberosNFSv4StrongCrypto

From DcSharedWiki
Revision as of 22:51, 30 March 2011

How to install NFSv4 with strong crypto and Kerberos authentication on Debian Squeeze (using some packages from unstable)


Server

Packages

unstable packages

  • linux-image-2.6 >= 2.6.35
  • nfs-common >= 1.2.3
  • rpcbind instead of portmap (see debian bug #620059)
kdc:~# apt-get install -t unstable linux-image-2.6
kdc:~# reboot


kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)


kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1

Configuration

/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


/etc/default/nfs-kernel-server

NEED_SVCGSSD=yes


/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU


Create needed directories

kdc:/root# mkdir /mnt/sdb1
kdc:/root# mkdir -p /export/Documents


/etc/exports

/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)
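Of the three Kerberos flavours, only krb5p encrypts file data on the wire (krb5 authenticates the RPC calls, krb5i adds an integrity checksum), so an export that accepts anything else undoes the "strong crypto" goal of this page. As an added example, not part of the wiki page, here is a POSIX shell check that reads exports(5) content and prints every client entry that does not insist on krb5p. It accepts both the legacy gss/krb5p client form used above and the sec=krb5p export option of newer nfs-utils; a flavour list such as sec=krb5p:krb5i is deliberately reported, because it still lets a client negotiate the weaker flavour. The sample exports content is constructed: the two entries above plus three weaker ones.

```shell
#!/bin/sh
# Added example: flag /etc/exports entries that do not require the krb5p flavour.
# Constructed sample (not the page's real /etc/exports): the two entries from
# the page plus three weaker ones.
SAMPLE_EXPORTS='# constructed sample
/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)
/export/Scratch    gss/krb5(rw,no_subtree_check)
/export/Public     192.168.20.0/24(ro,sec=krb5i,no_subtree_check)
/export/Legacy     *(rw,no_root_squash)'

# Read exports(5) content on stdin; print "<path> <client-entry>" for every
# client entry that does not insist on krb5p (auth-only or integrity-only
# Kerberos, or no Kerberos at all, all leave file data readable on the wire).
weak_exports() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            entry = $i
            # legacy client form used on this page: gss/krb5p(options)
            if (entry ~ /^gss\/krb5p\(/ || entry == "gss/krb5p") continue
            # newer nfs-utils form: host(...,sec=krb5p,...); a list such as
            # sec=krb5p:krb5i also admits weaker flavours, so it is not accepted
            if (entry ~ /[(,]sec=krb5p[,)]/) continue
            print path, entry
        }
    }'
}

# Number of weak client entries in the exports content passed as $1 (0 is the goal).
count_weak_exports() {
    printf '%s\n' "$1" | weak_exports | wc -l | tr -d ' '
}

# Run against the constructed sample (on a real server: weak_exports < /etc/exports).
printf '%s\n' "$SAMPLE_EXPORTS" | weak_exports
```

On the constructed sample the check reports /export/Scratch, /export/Public and /export/Legacy and leaves the two krb5p exports alone.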


/etc/fstab

# [...]
/dev/sdb1           /mnt/sdb1         ext3 defaults,acl 1       2
/mnt/sdb1/Documents /export/Documents none ro,bind      0       0


Mount directories

kdc:/root# mount /mnt/sdb1
kdc:/root# mount /export/Documents


Export directories

kdc:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export


NFS service: Create principal entry

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin:  addprinc -randkey nfs/kdc.coincoin.eu
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.


Export the nfs/kdc.coincoin.eu principal to the keytab

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin:  ktadd -k /etc/krb5.keytab nfs/kdc.coincoin.eu

You can list the contents of the keytab:

kdc:~# ktutil 
ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2    nfs/kdc.coincoin.eu@COINCOIN.EU


Create client principal entry

kdc:/root# kadmin.local
kadmin:  addprinc -randkey nfs/client.coincoin.eu
WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.


Start services

  • /etc/init.d/nfs-common start
  • /etc/init.d/nfs-kernel-server start

Client

Packages

  • linux-image-2.6 >= 2.6.35
  • nfs-common >= 1.2.3
client:~# apt-get install -t unstable linux-image-2.6
client:~# reboot


client:~# apt-get install -t unstable nfs-common


Configuration

/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU


/etc/fstab

kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0  0


Check DNS configuration

root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.


/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


Start services

client:~# /etc/init.d/nfs-common restart


Create keytab

client:~# kadmin -p superuser
Authenticating as principal superuser with password.
Password for superuser@COINCOIN.EU: 
kadmin:  ktadd -k /etc/krb5.keytab nfs/client.coincoin.eu


Check configuration

See KerberosNFSv4#Errors

Verify enctypes

klist -e
Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq
Default principal: plop@COINCOIN.EU

Valid starting     Expires            Service principal
03/30/11 18:32:59  03/31/11 04:32:59  krbtgt/COINCOIN.EU@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
03/30/11 21:31:05  03/31/11 04:32:59  nfs/kdc.coincoin.eu@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
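Reading the Etype column by eye works once; to repeat the check after a KDC or keytab change it helps to script it. The following is an added example, not part of the original page: a POSIX shell filter that parses klist -e output and lists every ticket whose session-key or ticket enctype is not an AES CTS type (aes128/aes256-cts-hmac-sha1-96 or the SHA-2 variants). It assumes MIT klist's layout shown above, where a ticket line starts with a MM/DD/YY or MM/DD/YYYY date and ends with the service principal, and the next line carries "Etype (skey, tkt):". The input is constructed: the two tickets above plus an invented host/legacy.coincoin.eu ticket carrying des-cbc-crc and arcfour-hmac, so the filter has something to flag.

```shell
#!/bin/sh
# Added example: flag Kerberos tickets whose enctypes are not AES.
# Constructed sample: the klist -e output shown on the page plus an invented
# host/legacy.coincoin.eu ticket with legacy enctypes, so there is something to flag.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq
Default principal: plop@COINCOIN.EU

Valid starting     Expires            Service principal
03/30/11 18:32:59  03/31/11 04:32:59  krbtgt/COINCOIN.EU@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:31:05  03/31/11 04:32:59  nfs/kdc.coincoin.eu@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:40:00  03/31/11 04:32:59  host/legacy.coincoin.eu@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): des-cbc-crc, arcfour-hmac'

# Read klist -e output on stdin; print "<service principal> <skey etype> <tkt etype>"
# for every ticket whose session-key or ticket enctype is not an AES CTS type.
weak_tickets() {
    awk '
    # a ticket line starts with a MM/DD/YY(YY) date; the service principal is its last field
    /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+ / { princ = $NF; next }
    /Etype \(skey, tkt\):/ {
        sub(/.*Etype \(skey, tkt\): */, "")   # keep only the two enctype names
        sub(/[[:space:]]+$/, "")              # klist may leave a trailing blank
        n = split($0, etype, /, */)
        weak = 0
        for (i = 1; i <= n; i++)
            if (etype[i] !~ /^aes(128|256)-cts-hmac-sha/) weak = 1
        if (weak) print princ, etype[1], etype[2]
    }'
}

# Number of weak tickets in the klist output passed as $1 (0 means every ticket is AES).
count_weak_tickets() {
    printf '%s\n' "$1" | weak_tickets | wc -l | tr -d ' '
}

# Run against the constructed sample (on a real client: klist -e | weak_tickets).
printf '%s\n' "$SAMPLE_KLIST" | weak_tickets
```

On the constructed input the two tickets from the page pass and only the invented host/legacy.coincoin.eu ticket is reported; a clean result after `klist -e | weak_tickets` on the client confirms that both the TGT and the nfs/ service ticket were issued with AES keys.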