KerberosNFSv4: Difference between revisions
From DcSharedWiki
(reformatting) |
(keytab part) |
||
| Line 29: | Line 29: | ||
<pre><nowiki> |
<pre><nowiki> |
||
kdc:/root# mkdir /mnt/sdb1 |
|||
kdc:/root# mkdir -p /export/Documents |
|||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 51: | Line 51: | ||
<pre><nowiki> |
<pre><nowiki> |
||
kdc:/root# mount /mnt/sdb1 |
|||
kdc:/root# mount /export/Documents |
|||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 58: | Line 58: | ||
<pre><nowiki> |
<pre><nowiki> |
||
kdc:/root# exportfs -rv |
|||
exporting gss/krb5p:/export/Documents |
exporting gss/krb5p:/export/Documents |
||
exporting gss/krb5p:/export |
exporting gss/krb5p:/export |
||
</nowiki></pre> |
|||
* NFS service: Create principal entry |
|||
<pre><nowiki> |
|||
kdc:/root# kadmin.local |
|||
Authenticating as principal root/admin@COINCOIN.EU with password. |
|||
kadmin: addprinc -randkey nfs/kdc.coincoin.eu |
|||
WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy |
|||
Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created. |
|||
</nowiki></pre> |
|||
* export nfs@kdc principal to the keytab |
|||
<pre><nowiki> |
|||
kdc:/root# kadmin.local |
|||
Authenticating as principal root/admin@COINCOIN.EU with password. |
|||
ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/kdc.coincoin.eu |
|||
</nowiki></pre> |
|||
You can list content of keytab: |
|||
<pre><nowiki> |
|||
kdc:~# ktutil |
|||
ktutil: rkt /etc/krb5.keytab |
|||
ktutil: list |
|||
slot KVNO Principal |
|||
---- ---- --------------------------------------------------------------------- |
|||
1 2 nfs/kdc.coincoin.eu@COINCOIN.EU |
|||
</nowiki></pre> |
|||
* Create client entry |
|||
<pre><nowiki> |
|||
kdc:/root# kadmin.local |
|||
kadmin: addprinc -randkey host/client.coincoin.eu |
|||
WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy |
|||
Principal "nfs/client.coincoin.eu@COINCOIN.EU" created. |
|||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 116: | Line 155: | ||
<pre><nowiki> |
<pre><nowiki> |
||
/etc/init.d/nfs-common restart |
/etc/init.d/nfs-common restart |
||
</nowiki></pre> |
|||
* Create keytab |
|||
<pre><nowiki> |
|||
client:/root# kadmin -p superuser |
|||
Authenticating as principal superuser with password. |
|||
Password for superuser@COINCOIN.EU: |
|||
ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/client.coincoin.eu |
|||
</nowiki></pre> |
</nowiki></pre> |
||
== TODO == |
== TODO == |
||
* details client:/root# kadmin -p superuser |
|||
keytab part |
keytab part |
||
Revision as of 01:54, 1 March 2011
How to install NFSv4 with Kerberos authentication on Debian Squeeze
References:
Server
Packages
- nfs-kernel-server
apt-get install nfs-kernel-server
Configuration
- /etc/krb5.conf enable allow_weak_crypto in libdefaults section
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
- Create needed directory
kdc:/root# mkdir /mnt/sdb1 kdc:/root# mkdir -p /export/Documents
- /etc/exports
/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0) /export/Documents gss/krb5p(rw,async,no_subtree_check)
- /etc/fstab
# [...] /dev/sdb1 /mnt/sdb1 ext3 defaults,acl 1 2 /mnt/sdb1/Documents /export/Documents none ro,bind 0 0
- mount directory
kdc:/root# mount /mnt/sdb1 kdc:/root# mount /export/Documents
- Export directories
kdc:/root# exportfs -rv exporting gss/krb5p:/export/Documents exporting gss/krb5p:/export
- NFS service: Create principal entry
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin: addprinc -randkey nfs/kdc.coincoin.eu WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.
- export nfs@kdc principal to the keytab
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/kdc.coincoin.eu
You can list content of keytab:
kdc:~# ktutil ktutil: rkt /etc/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 nfs/kdc.coincoin.eu@COINCOIN.EU
- Create client entry
kdc:/root# kadmin.local kadmin: addprinc -randkey host/client.coincoin.eu WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.
Client
Packages
apt-get install nfs-client
Configuration
- /etc/krb5.conf
Enable allow_weak_crypto in libdefaults section
[libdefaults]
default_realm = COINCOIN.EU
allow_weak_crypto = true
- /etc/fstab
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
- Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
- /etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
- Start services
/etc/init.d/nfs-common restart
- Create keytab
client:/root# kadmin -p superuser Authenticating as principal superuser with password. Password for superuser@COINCOIN.EU: ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab nfs/client.coincoin.eu
TODO
- details client:/root# kadmin -p superuser
keytab part
