KerberosNFSv4: Difference between revisions
From DcSharedWiki
(add "increase verbosity" part) |
(reformatting) |
||
| Line 9: | Line 9: | ||
== Packages == |
== Packages == |
||
=== nfs-kernel-server === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 16: | Line 16: | ||
== Configuration == |
== Configuration == |
||
=== /etc/default/nfs-common === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 28: | Line 28: | ||
=== /etc/default/nfs-kernel-server === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 35: | Line 35: | ||
=== /etc/krb5.conf === |
|||
Enable allow_weak_crypto in libdefaults section |
|||
* [http://comments.gmane.org/gmane.linux.nfsv4/11322 nfsv4 and encryption types ] |
|||
* [http://git.kernel.org/?p=linux/kernel/git/longterm/linux-2.6.35.y.git;a=history;f=net/sunrpc/auth_gss/gss_krb5_mech.c;h=032644610524306ea0e01383b3c4ea54888b10ab;hb=HEAD Note that RC4-HMAC, 3DES, AES128 and AES256 seem supported in recent kernel] |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 45: | Line 46: | ||
</nowiki></pre> |
</nowiki></pre> |
||
=== Create needed directory === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 52: | Line 54: | ||
</nowiki></pre> |
</nowiki></pre> |
||
=== /etc/exports === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 59: | Line 62: | ||
</nowiki></pre> |
</nowiki></pre> |
||
=== /etc/fstab === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 67: | Line 71: | ||
</nowiki></pre> |
</nowiki></pre> |
||
=== mount directory === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 74: | Line 79: | ||
</nowiki></pre> |
</nowiki></pre> |
||
=== Export directories === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 82: | Line 88: | ||
</nowiki></pre> |
</nowiki></pre> |
||
=== NFS service: Create principal entry === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
| Line 90: | Line 97: | ||
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy |
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy |
||
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created. |
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created. |
||
}} |
|||
</nowiki></pre> |
|||
=== export nfs@kdc principal to the keytab === |
|||
{{{ |
|||
<pre><nowiki> |
|||
kdc:/root# kadmin.local |
kdc:/root# kadmin.local |
||
Authenticating as principal root/admin@COINCOIN.EU with password. |
Authenticating as principal root/admin@COINCOIN.EU with password. |
||
| Line 112: | Line 118: | ||
=== Create client entry === |
|||
<pre><nowiki> |
<pre><nowiki> |
||
Revision as of 02:18, 1 March 2011
How to install NFSv4 with Kerberos authentication on Debian Squeeze
References:
Server
Packages
nfs-kernel-server
apt-get install nfs-kernel-server
Configuration
/etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
/etc/default/nfs-kernel-server
NEED_SVCGSSD=yes
/etc/krb5.conf
Enable allow_weak_crypto in libdefaults section
- nfsv4 and encryption types
- Note that RC4-HMAC, 3DES, AES128 and AES256 seem supported in recent kernel
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
Create needed directory
kdc:/root# mkdir /mnt/sdb1 kdc:/root# mkdir -p /export/Documents
/etc/exports
/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0) /export/Documents gss/krb5p(rw,async,no_subtree_check)
/etc/fstab
# [...] /dev/sdb1 /mnt/sdb1 ext3 defaults,acl 1 2 /mnt/sdb1/Documents /export/Documents none ro,bind 0 0
mount directory
kdc:/root# mount /mnt/sdb1 kdc:/root# mount /export/Documents
Export directories
kdc:/root# exportfs -rv exporting gss/krb5p:/export/Documents exporting gss/krb5p:/export
NFS service: Create principal entry
kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin: addprinc -randkey nfs/kdc.coincoin.eu
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.
}}
=== export nfs@kdc principal to the keytab ===
{{{
kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/kdc.coincoin.eu
You can list content of keytab:
kdc:~# ktutil ktutil: rkt /etc/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 nfs/kdc.coincoin.eu@COINCOIN.EU
Create client entry
kdc:/root# kadmin.local kadmin: addprinc -randkey host/client.coincoin.eu WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.
Client
Packages
apt-get install nfs-client
Configuration
- /etc/krb5.conf
Enable allow_weak_crypto in libdefaults section
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
- /etc/fstab
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
- Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
- /etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
- Start services
/etc/init.d/nfs-common restart
- Create keytab
client:/root# kadmin -p superuser Authenticating as principal superuser with password. Password for superuser@COINCOIN.EU: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/client.coincoin.eu
Errors
/var/log/kerberos/krb5kdc.log: Additional pre-authentication required
Mar 01 01:10:57 kdc krb5kdc[2608](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.25.3: NEEDED_PREAUTH: nfs/kdc.coincoin.eu@COINCOIN.EU for krbtgt/COINCOIN.EU@COINCOIN.EU, Additional pre-authentication required
check allow_weak_crypto in /etc/krb5.conf of server and client
Increase verbosity
server
/etc/default/nfs-kernel-server
RPCSVCGSSDOPTS=-vvvvvvvvv
server and client
/etc/init.d/nfs-common
RPCGSSDOPTS=-vvvvvvvvvvvvvv
Replace
start-stop-daemon --start --oknodo --quiet \ --exec /usr/sbin/rpc.idmapd
by
start-stop-daemon --start --oknodo --quiet \ --exec /usr/sbin/rpc.idmapd -- -vvvvvvvvvvvvvvv
TODO
- details client:/root# kadmin -p superuser
- /etc/idmapd.conf
