SqueezeKerberosNFSv4StrongCrypto: Difference between revisions
From DcSharedWiki
(add output of klist) |
(minor modifications) |
||
Line 11: | Line 11: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install -t linux-image-2.6 |
kdc:~# apt-get install -t linux-image-2.6 |
||
reboot |
kdc:~# reboot |
||
</nowiki></pre> |
</nowiki></pre> |
||
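Review bot: `apt-get install -t linux-image-2.6` is missing the release argument that `-t` requires, so apt would read `linux-image-2.6` as the target release and have no package to install; the Packages list above says these come from unstable, so the line should read `apt-get install -t unstable linux-image-2.6`, matching the `-t unstable` form used for nfs-kernel-server a few lines later.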
Line 18: | Line 18: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201) |
kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201) |
||
</nowiki></pre> |
</nowiki></pre> |
||
Line 24: | Line 24: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1 |
kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1 |
||
</nowiki></pre> |
</nowiki></pre> |
||
Line 149: | Line 149: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install -t linux-image-2.6 |
client:~# apt-get install -t linux-image-2.6 |
||
reboot |
client:~# reboot |
||
</nowiki></pre> |
</nowiki></pre> |
||
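Review bot: same missing release argument as on the server side; `-t` needs a suite name before the package, e.g. `apt-get install -t unstable linux-image-2.6`.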
Line 156: | Line 156: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install -t unstable nfs-client |
client:~# apt-get install -t unstable nfs-client |
||
</nowiki></pre> |
</nowiki></pre> |
||
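Review bot: the client Packages list requires nfs-common >= 1.2.3, but this step installs a package named nfs-client; if nfs-client is not the intended package name the nfs-common version requirement is never satisfied on the client, so suggest `apt-get install -t unstable nfs-common` (or state where nfs-client comes from).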
Line 201: | Line 201: | ||
<pre><nowiki> |
<pre><nowiki> |
||
/etc/init.d/nfs-common restart |
client:~# /etc/init.d/nfs-common restart |
||
</nowiki></pre> |
</nowiki></pre> |
||
Line 208: | Line 208: | ||
<pre><nowiki> |
<pre><nowiki> |
||
client: |
client:~# kadmin -p superuser |
||
Authenticating as principal superuser with password. |
Authenticating as principal superuser with password. |
||
Password for superuser@COINCOIN.EU: |
Password for superuser@COINCOIN.EU: |
||
Line 230: | Line 230: | ||
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 |
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 |
||
03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU |
03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU |
||
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 |
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 |
||
</nowiki></pre> |
</nowiki></pre> |
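Review bot: the added `klist -e` listing confirms that the user's service ticket for nfs/kdc.coincoin.eu uses aes256-cts-hmac-sha1-96 for both session key and ticket, but it says nothing about which enctypes `ktadd` wrote into /etc/krb5.keytab on kdc and client; suggest also showing `klist -ke /etc/krb5.keytab` output so the keys the nfs services themselves hold are verified as AES too.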
Revision as of 22:50, 30 March 2011
How to install NFSv4 with Kerberos authentication and strong crypto on Debian Squeeze
Server
Packages
unstable packages
- linux-image-2.6 >= 2.6.35
- nfs-common >= 1.2.3
- rpcbind instead of portmap (see debian bug #620059)
kdc:~# apt-get install -t unstable linux-image-2.6
kdc:~# reboot
kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)
kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1
Configuration
/etc/default/nfs-common
[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
/etc/default/nfs-kernel-server
NEED_SVCGSSD=yes
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
Create needed directory
kdc:/root# mkdir /mnt/sdb1
kdc:/root# mkdir -p /export/Documents
/etc/exports
/export           gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents gss/krb5p(rw,async,no_subtree_check)
/etc/fstab
# [...]
/dev/sdb1            /mnt/sdb1          ext3 defaults,acl 1 2
/mnt/sdb1/Documents  /export/Documents  none ro,bind      0 0
mount directory
kdc:/root# mount /mnt/sdb1
kdc:/root# mount /export/Documents
Export directories
kdc:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export
NFS service: Create principal entry
kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin: addprinc -randkey nfs/kdc.coincoin.eu
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.
Export the nfs/kdc.coincoin.eu principal to the keytab
kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin: ktadd -k /etc/krb5.keytab nfs/kdc.coincoin.eu
You can list the contents of the keytab:
kdc:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/kdc.coincoin.eu@COINCOIN.EU
Create client entry
kdc:/root# kadmin.local
kadmin: addprinc -randkey nfs/client.coincoin.eu
WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.
Start services
- /etc/init.d/nfs-common start
- /etc/init.d/nfs-kernel-server start
Client
Packages
- linux-image-2.6 >= 2.6.35
- nfs-common >= 1.2.3
client:~# apt-get install -t unstable linux-image-2.6
client:~# reboot
client:~# apt-get install -t unstable nfs-client
Configuration
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
/etc/fstab
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
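An added audit script, not part of the original wiki page, that reads the /etc/exports syntax used on the server above (the legacy gss/krb5p pseudo-client, or a sec= option) and the nfs4 lines of the client's /etc/fstab, and reports every export or mount that allows a security flavor weaker than krb5p (sys, krb5 or krb5i). The sample /etc/exports and /etc/fstab contents are constructed from the page's entries plus one weak entry each; the /export/Public share and /mnt/Public mount point are invented for the example.

```python
"""Audit NFSv4 exports and mounts for Kerberos privacy (sec=krb5p).

Added example, not code from the wiki page. Sample inputs are constructed
from the page's configuration plus one deliberately weak entry each.
"""
import re

STRONG_FLAVOR = "krb5p"

# Constructed sample: the page's two exports plus an invented weak share
SAMPLE_EXPORTS = """\
# /etc/exports
/export           gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents gss/krb5p(rw,async,no_subtree_check)
/export/Public    gss/krb5(ro,no_subtree_check) 192.168.20.0/24(ro)
"""

# Constructed sample: the page's client mount plus an invented weak mount
SAMPLE_FSTAB = """\
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
kdc.coincoin.eu:/Public    /mnt/Public    nfs4 rw,hard 0 0
/dev/sda1 / ext3 errors=remount-ro 0 1
"""

# an exports client spec is `client` or `client(opt,opt,...)`
TOKEN_RE = re.compile(r"^([^(]+)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, client_spec, [options]) for each client spec in /etc/exports."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        path, specs = fields[0], fields[1:]
        for tok in specs:
            m = TOKEN_RE.match(tok)
            if not m:
                continue
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, m.group(1), opts


def export_flavors(spec, opts):
    """Return the set of security flavors an export entry allows to that client spec."""
    if spec.startswith("gss/"):               # legacy pseudo-client form used on the page
        return {spec[len("gss/"):]}
    for o in opts:
        if o.startswith("sec="):              # sec=a:b lets the client pick any listed flavor
            return set(o[len("sec="):].split(":"))
    return {"sys"}                            # neither form present: AUTH_SYS only


def weak_exports(text):
    """List (path, client_spec, flavors) for exports allowing anything other than krb5p."""
    found = []
    for path, spec, opts in parse_exports(text):
        flavors = export_flavors(spec, opts)
        if flavors != {STRONG_FLAVOR}:
            found.append((path, spec, flavors))
    return found


def weak_nfs_mounts(text):
    """List (source, mountpoint, sec) for nfs/nfs4 fstab lines not mounted with sec=krb5p."""
    found = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        sec = opts.get("sec", "sys")          # no sec= option means AUTH_SYS
        if sec != STRONG_FLAVOR:
            found.append((fields[0], fields[1], sec))
    return found


if __name__ == "__main__":
    for path, spec, flavors in weak_exports(SAMPLE_EXPORTS):
        print(f"export {path} for {spec} allows {sorted(flavors)} (want {STRONG_FLAVOR} only)")
    for src, mnt, sec in weak_nfs_mounts(SAMPLE_FSTAB):
        print(f"mount {src} on {mnt} uses sec={sec} (want {STRONG_FLAVOR})")
```

Run it against real files by replacing the two constructed samples with `open("/etc/exports").read()` on the server and `open("/etc/fstab").read()` on the client; an empty result from both functions means every NFS path is limited to krb5p, which is what the page's configuration intends.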
Check DNS configuration
root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
/etc/default/nfs-common
[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
Start services
client:~# /etc/init.d/nfs-common restart
Create keytab
client:~# kadmin -p superuser
Authenticating as principal superuser with password.
Password for superuser@COINCOIN.EU:
kadmin: ktadd -k /etc/krb5.keytab nfs/client.coincoin.eu
Check configuration
Verify enctypes
klist -e
Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq
Default principal: plop@COINCOIN.EU

Valid starting     Expires            Service principal
03/30/11 18:32:59  03/31/11 04:32:59  krbtgt/COINCOIN.EU@COINCOIN.EU
	renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:31:05  03/31/11 04:32:59  nfs/kdc.coincoin.eu@COINCOIN.EU
	renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
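An added check, not part of the original page, that does the enctype verification above automatically: it parses the `Etype (skey, tkt):` lines that MIT `klist -e` prints and reports any ticket whose session key or ticket key uses a deprecated enctype (single DES, 3DES or RC4/arcfour) instead of AES. The sample listing is constructed from the page's output plus one invented service (nfs/legacy.coincoin.eu) with weak enctypes.

```python
"""Flag non-AES enctypes in `klist -e` output.

Added example, not code from the wiki page. SAMPLE_KLIST is constructed from
the page's listing plus one invented ticket with deprecated enctypes.
"""
import re

# enctype families that should not appear once strong crypto is enforced
WEAK_ENCTYPE_RE = re.compile(r"^(des-|des3-|arcfour-|rc4-)")

# a ticket line starts with the "Valid starting" timestamp, e.g. 03/30/11 18:32:59
TICKET_LINE_RE = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(\S+)")

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq
Default principal: plop@COINCOIN.EU

Valid starting     Expires            Service principal
03/30/11 18:32:59  03/31/11 04:32:59  krbtgt/COINCOIN.EU@COINCOIN.EU
\trenew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:31:05  03/31/11 04:32:59  nfs/kdc.coincoin.eu@COINCOIN.EU
\trenew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:40:00  03/31/11 04:32:59  nfs/legacy.coincoin.eu@COINCOIN.EU
\trenew until 03/31/11 18:34:25, Etype (skey, tkt): arcfour-hmac, des-cbc-crc
"""


def parse_klist(text):
    """Return [(service_principal, skey_enctype, tkt_enctype)] from klist -e output."""
    entries = []
    current = None
    for line in text.splitlines():
        if TICKET_LINE_RE.match(line):
            current = line.split()[-1]        # last column is the service principal
            continue
        m = ETYPE_RE.search(line)
        if m and current:                     # Etype line belongs to the preceding ticket
            entries.append((current, m.group(1).strip(), m.group(2).strip()))
            current = None
    return entries


def weak_tickets(text):
    """Return the entries whose session key or ticket enctype is deprecated."""
    return [e for e in parse_klist(text)
            if WEAK_ENCTYPE_RE.match(e[1]) or WEAK_ENCTYPE_RE.match(e[2])]


if __name__ == "__main__":
    for principal, skey, tkt in weak_tickets(SAMPLE_KLIST):
        print(f"{principal}: skey={skey} tkt={tkt} (expected AES enctypes)")
```

To check a live cache, feed it `subprocess.run(["klist", "-e"], capture_output=True, text=True).stdout` instead of the constructed sample; the nfs/ service entry is the one that matters for the krb5p mount, and an empty result from weak_tickets is the expected outcome for the setup described on this page.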