KerberosNFSv4: Difference between revisions

From DcSharedWiki
(add TODO)
(add allow_weak_crypto and links)
Line 1: Line 1:
How to install NFSv4 with Kerberos authentication on Debian unstable
How to install NFSv4 with Kerberos authentication on Debian Squeeze


References:
References:
Line 16: Line 16:


== Configuration ==
== Configuration ==
* /etc/krb5.conf
Enable allow_weak_crypto in libdefaults section

<pre><nowiki>
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
</nowiki></pre>


[http://comments.gmane.org/gmane.linux.nfsv4/11322 nfsv4 and encryption types ]
[http://git.kernel.org/?p=linux/kernel/git/longterm/linux-2.6.35.y.git;a=history;f=net/sunrpc/auth_gss/gss_krb5_mech.c;h=032644610524306ea0e01383b3c4ea54888b10ab;hb=HEAD Note that RC4-HMAC, 3DES, AES128 and AES256 seem supported in recent kernel]


* Create needed directory
* Create needed directory
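Review bot: the allow_weak_crypto = true line added to [libdefaults] comes with no statement of why it is needed or when it can be removed. The setting lets the Kerberos library use weak encryption types that it otherwise filters out, and the second link added in this same hunk says RC4-HMAC, 3DES, AES128 and AES256 seem supported in recent kernels. The text should say which kernels require the setting and that it should be dropped where those stronger types are available.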
Line 66: Line 78:


== Configuration ==
== Configuration ==
* /etc/krb5.conf
Enable allow_weak_crypto in libdefaults section

<pre><nowiki>
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
</nowiki></pre>

* /etc/fstab
* /etc/fstab
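Review bot: the client section repeats the allow_weak_crypto snippet from the server section, but without the two links that explain it, so a reader who follows only the client steps gets no rationale for the setting. Point back to the server section or repeat the links here.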



Revision as of 00:49, 21 February 2011

How to install NFSv4 with Kerberos authentication on Debian Squeeze

References:


Server

Packages

  • nfs-kernel-server
apt-get install nfs-kernel-server

Configuration

  • /etc/krb5.conf

Enable allow_weak_crypto in the [libdefaults] section:

[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true


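nfsv4 and encryption types: http://comments.gmane.org/gmane.linux.nfsv4/11322
Note that RC4-HMAC, 3DES, AES128 and AES256 seem to be supported in recent kernels: http://git.kernel.org/?p=linux/kernel/git/longterm/linux-2.6.35.y.git;a=history;f=net/sunrpc/auth_gss/gss_krb5_mech.c;h=032644610524306ea0e01383b3c4ea54888b10ab;hb=HEAD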

  • Create the needed directories
host:/root# mkdir /mnt/sdb1
host:/root# mkdir -p /export/Documents
  • /etc/exports
/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)
/export/Documents  gss/krb5p(rw,async,no_subtree_check)
  • /etc/fstab
# [...]
/dev/sdb1           /mnt/sdb1         ext3 defaults,acl 1       2
/mnt/sdb1/Documents /export/Documents none ro,bind      0       0
  • Mount the directories
host:/root# mount /mnt/sdb1
host:/root# mount /export/Documents
  • Export directories
host:/root# exportfs -rv
exporting gss/krb5p:/export/Documents
exporting gss/krb5p:/export


Client

Packages

apt-get install nfs-client


Configuration

  • /etc/krb5.conf

Enable allow_weak_crypto in the [libdefaults] section:

[libdefaults]
        default_realm = COINCOIN.EU
        allow_weak_crypto = true
  • /etc/fstab
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0  0


  • Check DNS configuration
root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.


  • /etc/default/nfs-common
[...]
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
  • Start services
/etc/init.d/nfs-common restart
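
The settings above can be checked mechanically. The script below is an added example, not part of the original wiki page: it reports when allow_weak_crypto is enabled (the flag lets the Kerberos library use weak encryption types such as single DES), when an export is offered to anything other than a krb5p-only client, and when an NFS mount lacks sec=krb5p or nosuid. The function names and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit the three files this how-to edits.
# Each check prints one finding per line and prints nothing for a clean file.

check_krb5() {   # allow_weak_crypto switched on inside [libdefaults]
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect) }
        sect == "[libdefaults]" && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(v) ~ /^(y|yes|t|true|1|on)$/)
                print "krb5.conf:" NR ": allow_weak_crypto is enabled"
        }' "$1"
}

check_exports() {   # any client spec that is not limited to krb5p
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF == 1 { print "exports:" NR ": " $1 " has no client restriction"; next }
        { for (i = 2; i <= NF; i++) {
              ok = ($i ~ /^gss\/krb5p\(/) || ($i ~ /[(,]sec=krb5p[,)]/)
              if (!ok) print "exports:" NR ": " $1 " " $i " is not krb5p-only"
          } }' "$1"
}

check_fstab() {   # NFS mounts without sec=krb5p or without nosuid
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $3 == "nfs4" || $3 == "nfs" {
            o = "," $4 ","
            if (o !~ /,sec=krb5p,/) print "fstab:" NR ": " $2 " lacks sec=krb5p"
            if (o !~ /,nosuid,/)    print "fstab:" NR ": " $2 " lacks nosuid"
        }' "$1"
}

# Constructed sample input: the page's settings, plus one export line that was
# weakened to a wildcard client so that the exports check has something to report.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[libdefaults]' '        default_realm = COINCOIN.EU' \
        '        allow_weak_crypto = true' > "$d/krb5.conf"
    printf '%s\n' '/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0)' \
        '/export/Documents  *(rw,async,no_subtree_check)' > "$d/exports"
    printf '%s\n' 'kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,noexec,nosuid,auto 0 0' \
        > "$d/fstab"
    check_krb5 "$d/krb5.conf"; check_exports "$d/exports"; check_fstab "$d/fstab"
    rm -rf "$d"
}
demo
```

On a real host the checks would be pointed at /etc/krb5.conf, /etc/exports and /etc/fstab.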


TODO

keytab part