KerberosNFSv4
From DcSharedWiki
How to install NFSv4 with Kerberos authentication on Debian Squeeze
References:
Server
Packages
- nfs-kernel-server
apt-get install nfs-kernel-server
Configuration
- /etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
- /etc/default/nfs-kernel-server
NEED_SVCGSSD=yes
- /etc/krb5.conf enable allow_weak_crypto in libdefaults section
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
- Create needed directory
kdc:/root# mkdir /mnt/sdb1 kdc:/root# mkdir -p /export/Documents
- /etc/exports
/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0) /export/Documents gss/krb5p(rw,async,no_subtree_check)
- /etc/fstab
# [...] /dev/sdb1 /mnt/sdb1 ext3 defaults,acl 1 2 /mnt/sdb1/Documents /export/Documents none ro,bind 0 0
- mount directory
kdc:/root# mount /mnt/sdb1 kdc:/root# mount /export/Documents
- Export directories
kdc:/root# exportfs -rv exporting gss/krb5p:/export/Documents exporting gss/krb5p:/export
- NFS service: Create principal entry
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin: addprinc -randkey nfs/kdc.coincoin.eu WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.
- export nfs@kdc principal to the keytab
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/kdc.coincoin.eu
You can list content of keytab:
kdc:~# ktutil ktutil: rkt /etc/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 nfs/kdc.coincoin.eu@COINCOIN.EU
- Create client entry
kdc:/root# kadmin.local kadmin: addprinc -randkey host/client.coincoin.eu WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.
Client
Packages
apt-get install nfs-client
Configuration
- /etc/krb5.conf
Enable allow_weak_crypto in libdefaults section
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
- /etc/fstab
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
- Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
- /etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
- Start services
/etc/init.d/nfs-common restart
- Create keytab
client:/root# kadmin -p superuser Authenticating as principal superuser with password. Password for superuser@COINCOIN.EU: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/client.coincoin.eu
Errors
/var/log/kerberos/krb5kdc.log: Additional pre-authentication required
Mar 01 01:10:57 kdc krb5kdc[2608](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.25.3: NEEDED_PREAUTH: nfs/kdc.coincoin.eu@COINCOIN.EU for krbtgt/COINCOIN.EU@COINCOIN.EU, Additional pre-authentication required
check allow_weak_crypto in /etc/krb5.conf of server and client
Increase verbosity
server
/etc/default/nfs-kernel-server
RPCSVCGSSDOPTS=-vvvvvvvvv
server and client
/etc/init.d/nfs-common
RPCGSSDOPTS=-vvvvvvvvvvvvvv
Replace
start-stop-daemon --start --oknodo --quiet \ --exec /usr/sbin/rpc.idmapd
by
start-stop-daemon --start --oknodo --quiet \ --exec /usr/sbin/rpc.idmapd -- -vvvvvvvvvvvvvvv
TODO
- details client:/root# kadmin -p superuser
- /etc/idmapd.conf
