KerberosNFSv4: Difference between revisions

From DcSharedWiki
(add solution about "No supported encryption types (config file error?)")
(update link to net/sunrpc/auth_gss/gss_krb5_mech.c)
Line 38: Line 38:
Enable allow_weak_crypto in libdefaults section
Enable allow_weak_crypto in libdefaults section
* [http://comments.gmane.org/gmane.linux.nfsv4/11322 nfsv4 and encryption types ]
* [http://comments.gmane.org/gmane.linux.nfsv4/11322 nfsv4 and encryption types ]
* [http://git.kernel.org/?p=linux/kernel/git/longterm/linux-2.6.35.y.git;a=history;f=net/sunrpc/auth_gss/gss_krb5_mech.c;h=032644610524306ea0e01383b3c4ea54888b10ab;hb=HEAD Note that RC4-HMAC, 3DES, AES128 and AES256 seem supported in recent kernel]
* [http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=history;f=net/sunrpc/auth_gss/gss_krb5_mech.c;h=8c67890de427e35a01e2777db805d0366bea0c8c;hb=HEAD Note that RC4-HMAC, 3DES, AES128 and AES256 is supported in recent kernel]


<pre><nowiki>
<pre><nowiki>

Revision as of 04:18, 4 February 2012

How to install NFSv4 with Kerberos authentication on Debian Squeeze

References:


Server

Packages

nfs-kernel-server

apt-get install nfs-kernel-server

Configuration

/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


/etc/default/nfs-kernel-server

NEED_SVCGSSD=yes


/etc/krb5.conf

Enable allow_weak_crypto in libdefaults section 

[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true
        permitted_enctypes = des-cbc-crc # needed nfs-utils version of clients >= 1.2.3 (see debian bug #474037, nfs-utils commit 76be349d5dd07f55797cb9920cc275667258f10f)


Create needed directory

kdc:/root# mkdir /mnt/sdb1
kdc:/root# mkdir -p /export/Documents


/etc/exports

/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)


/etc/fstab

# [...]
/dev/sdb1           /mnt/sdb1         ext3 defaults,acl 1       2
/mnt/sdb1/Documents /export/Documents none ro,bind      0       0


mount directory

kdc:/root# mount /mnt/sdb1
kdc:/root# mount /export/Documents


Export directories

kdc:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export


NFS service: Create principal entry

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin:  addprinc -randkey nfs/kdc.coincoin.eu
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.


export nfs@kdc principal to the keytab

kdc:/root# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/kdc.coincoin.eu

You can list content of keytab: 

kdc:~# ktutil 
ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2    nfs/kdc.coincoin.eu@COINCOIN.EU


Create client entry

kdc:/root# kadmin.local
kadmin:  addprinc -randkey nfs/client.coincoin.eu
WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy
Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.


Start services

  • /etc/init.d/nfs-common start
  • /etc/init.d/nfs-kernel-server start

Client

Packages

apt-get install nfs-client


Configuration

/etc/krb5.conf

Enable allow_weak_crypto in libdefaults section 

[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true


/etc/fstab

kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0  0


Check DNS configuration

root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.


/etc/default/nfs-common

[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes


Start services

/etc/init.d/nfs-common restart


Create keytab

client:/root# kadmin -p superuser
Authenticating as principal superuser with password.
Password for superuser@COINCOIN.EU: 
ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/client.coincoin.eu


Errors

Additional pre-authentication required

/var/log/kerberos/krb5kdc.log: 

Mar 01 01:10:57 kdc krb5kdc[2608](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.25.3: NEEDED_PREAUTH: nfs/kdc.coincoin.eu@COINCOIN.EU for krbtgt/COINCOIN.EU@COINCOIN.EU, Additional pre-authentication required

check allow_weak_crypto in /etc/krb5.conf of server and client

rpc.nfsd: unable to set any sockets for nfsd

Add 127.0.0.1 in /etc/hosts.allow for service portmap or rpcbind

No supported encryption types (config file error?)

In daemon.log: 

Feb  4 03:42:11 kdc rpc.svcgssd[3126]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No supported encryption types (config file error?)


Update the kernel.

Increase verbosity

server

/etc/default/nfs-kernel-server

RPCSVCGSSDOPTS=-vvvvvvvvv

server and client

/etc/init.d/nfs-common

RPCGSSDOPTS=-vvvvvvvvvvvvvv

Replace 

start-stop-daemon --start --oknodo --quiet \
--exec /usr/sbin/rpc.idmapd

by 

start-stop-daemon --start --oknodo --quiet \
--exec /usr/sbin/rpc.idmapd -- -vvvvvvvvvvvvvvv


TODO

  • details client:/root# kadmin -p superuser
  • /etc/idmapd.conf

Performances

  • network: 100Mbps, server: Atom D525 and 2Go, client: Core i7 and 2Go
    • krb5/krb5i/krb5p: no difference when moving a file ~ 1 minute 6 sec
Retrieved from "https://wiki.duckcorp.org//index.php?title=KerberosNFSv4&oldid=88"