How to install NFSv4 with Kerberos authentication on Debian Squeeze

References:

• http://wiki.debian.org/NFS/Kerberos

Server

Packages

• nfs-kernel-server

apt-get install nfs-kernel-server

Configuration

• /etc/krb5.conf

Enable allow_weak_crypto in libdefaults section

[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true

nfsv4 and encryption types Note that RC4-HMAC, 3DES, AES128 and AES256 seem supported in recent kernel

• Create needed directory

host:/root# mkdir /mnt/sdb1
host:/root# mkdir -p /export/Documents

• /etc/exports

/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)

• /etc/fstab

# [...]
/dev/sdb1           /mnt/sdb1         ext3 defaults,acl 1       2
/mnt/sdb1/Documents /export/Documents none ro,bind      0       0

• mount directory

host:/root# mount /mnt/sdb1
host:/root# mount /export/Documents

• Export directories

host:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export

Client

Packages

apt-get install nfs-client

Configuration

• /etc/krb5.conf

Enable allow_weak_crypto in libdefaults section

[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true

• /etc/fstab

kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0  0

• Check DNS configuration

root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.

• /etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

• Start services

/etc/init.d/nfs-common restart

TODO

keytab part