SqueezeKerberosNFSv4StrongCrypto: Difference between revisions

From DcSharedWiki
(add output of klist)
(minor modifications)
Line 11: Line 11:


<pre><nowiki>
<pre><nowiki>
apt-get install -t linux-image-2.6
kdc:~# apt-get install -t linux-image-2.6
reboot
kdc:~# reboot
</nowiki></pre>
</nowiki></pre>


Line 18: Line 18:


<pre><nowiki>
<pre><nowiki>
apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)
kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)
</nowiki></pre>
</nowiki></pre>


Line 24: Line 24:


<pre><nowiki>
<pre><nowiki>
apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1
kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1
</nowiki></pre>
</nowiki></pre>


Line 149: Line 149:


<pre><nowiki>
<pre><nowiki>
apt-get install -t linux-image-2.6
client:~# apt-get install -t linux-image-2.6
reboot
client:~# reboot
</nowiki></pre>
</nowiki></pre>


Line 156: Line 156:


<pre><nowiki>
<pre><nowiki>
apt-get install -t unstable nfs-client
client:~# apt-get install -t unstable nfs-client
</nowiki></pre>
</nowiki></pre>


Line 201: Line 201:


<pre><nowiki>
<pre><nowiki>
/etc/init.d/nfs-common restart
client:~# /etc/init.d/nfs-common restart
</nowiki></pre>
</nowiki></pre>


Line 208: Line 208:


<pre><nowiki>
<pre><nowiki>
client:/root# kadmin -p superuser
client:~# kadmin -p superuser
Authenticating as principal superuser with password.
Authenticating as principal superuser with password.
Password for superuser@COINCOIN.EU:
Password for superuser@COINCOIN.EU:
Line 230: Line 230:
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU
03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

</nowiki></pre>
</nowiki></pre>

Revision as of 22:50, 30 March 2011

How to install NFSv4 with Kerberos authentication and strong crypto on Debian Squeeze


Server

Packages

unstable packages

  • linux-image-2.6 >= 2.6.35
  • version nfs-common >= 1.2.3
  • rpcbind instead of portmap (see debian bug #620059)
kdc:~# apt-get install -t linux-image-2.6
kdc:~# reboot


kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)


kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1

Configuration

/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


/etc/default/nfs-kernel-server

NEED_SVCGSSD=yes


/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU


Create needed directory

kdc:/root# mkdir /mnt/sdb1
kdc:/root# mkdir -p /export/Documents


/etc/exports

/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)


/etc/fstab

# [...]
/dev/sdb1           /mnt/sdb1         ext3 defaults,acl 1       2
/mnt/sdb1/Documents /export/Documents none ro,bind      0       0


mount directory

kdc:/root# mount /mnt/sdb1
kdc:/root# mount /export/Documents


Export directories

kdc:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export


NFS service: Create principal entry

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin:  addprinc -randkey nfs/kdc.coincoin.eu
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.


export nfs@kdc principal to the keytab

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
ktadd -k /etc/krb5.keytab nfs/kdc.coincoin.eu

You can list content of keytab:

kdc:~# ktutil 
ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2    nfs/kdc.coincoin.eu@COINCOIN.EU


Create client entry

kdc:/root# kadmin.local
kadmin:  addprinc -randkey nfs/client.coincoin.eu
WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.


Start services

  • /etc/init.d/nfs-common start
  • /etc/init.d/nfs-kernel-server start

Client

Packages

  • linux-image-2.6 >= 2.6.35
  • version nfs-common >= 1.2.3
client:~# apt-get install -t linux-image-2.6
client:~# reboot


client:~# apt-get install -t unstable nfs-client


Configuration

/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU


/etc/fstab

kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0  0


Check DNS configuration

root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.


/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


Start services

client:~# /etc/init.d/nfs-common restart


Create keytab

client:~# kadmin -p superuser
Authenticating as principal superuser with password.
Password for superuser@COINCOIN.EU: 
ktadd -k /etc/krb5.keytab nfs/client.coincoin.eu


Check configuration

See KerberosNFSv4#Errors

verify enctypes

klist -e
Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq
Default principal: plop@COINCOIN.EU

Valid starting     Expires            Service principal
03/30/11 18:32:59  03/31/11 04:32:59  krbtgt/COINCOIN.EU@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
03/30/11 21:31:05  03/31/11 04:32:59  nfs/kdc.coincoin.eu@COINCOIN.EU
        renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96