SqueezeKerberosNFSv4StrongCrypto: Difference between revisions
From DcSharedWiki
(add output of klist) |
m (6 revisions imported) |
||
| (4 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
How to install NFSv4 with |
How to install NFSv4 with strong crypto and Kerberos authentication on Debian Squeeze (using some packages of unstable) |
||
| Line 6: | Line 6: | ||
== Packages == |
== Packages == |
||
=== unstable packages === |
=== unstable packages === |
||
* linux-image-2.6 >= 2.6.35 |
* linux-image-2.6 >= 2.6.35 (but it's was not working with linux-image-2.6.39-bpo.2: 2.6.39-3~bpo60+1) |
||
* version nfs-common >= 1.2.3 |
* version nfs-common >= 1.2.3 |
||
* rpcbind instead of portmap (see debian bug #620059) |
* rpcbind instead of portmap (see debian bug #620059) |
||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install -t linux-image-2.6 |
kdc:~# apt-get install -t linux-image-2.6 |
||
reboot |
kdc:~# reboot |
||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 18: | Line 18: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201) |
kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201) |
||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 24: | Line 24: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1 |
kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1 |
||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 44: | Line 44: | ||
<pre><nowiki> |
<pre><nowiki> |
||
NEED_SVCGSSD=yes |
NEED_SVCGSSD=yes |
||
</nowiki></pre> |
|||
=== /etc/krb5kdc/kdc.conf === |
|||
` supported_enctypes` must only contains encryption types which are not weak ([http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#Supported%20Encryption%20Types see weak encryption types]) |
|||
<pre><nowiki> |
|||
[kdcdefaults] |
|||
kdc_ports = 750,88 |
|||
kdc_tcp_ports = 750,88 |
|||
[realms] |
|||
COINCOIN.EU = { |
|||
database_name = /var/lib/krb5kdc/principal |
|||
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab |
|||
acl_file = /etc/krb5kdc/kadm5.acl |
|||
key_stash_file = /etc/krb5kdc/stash |
|||
kdc_ports = 750,88 |
|||
max_life = 10h 0m 0s |
|||
max_renewable_life = 7d 0h 0m 0s |
|||
master_key_type = des3-hmac-sha1 |
|||
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal |
|||
default_principal_flags = +preauth |
|||
} |
|||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 107: | Line 132: | ||
</nowiki></pre> |
</nowiki></pre> |
||
Check that weak encryption types are not allowed with `getprinc nfs/kdc.coincoin.eu`. |
|||
=== export nfs@kdc principal to the keytab === |
=== export nfs@kdc principal to the keytab === |
||
| Line 127: | Line 154: | ||
</nowiki></pre> |
</nowiki></pre> |
||
You should check that weak encryption types are not enabled with `list -e`. |
|||
=== Create client entry === |
=== Create client entry === |
||
| Line 149: | Line 178: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install -t linux-image-2.6 |
client:~# apt-get install -t linux-image-2.6 |
||
reboot |
client:~# reboot |
||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 156: | Line 185: | ||
<pre><nowiki> |
<pre><nowiki> |
||
apt-get install -t unstable nfs-client |
client:~# apt-get install -t unstable nfs-client |
||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 201: | Line 230: | ||
<pre><nowiki> |
<pre><nowiki> |
||
/etc/init.d/nfs-common restart |
client:~# /etc/init.d/nfs-common restart |
||
</nowiki></pre> |
</nowiki></pre> |
||
| Line 208: | Line 237: | ||
<pre><nowiki> |
<pre><nowiki> |
||
client: |
client:~# kadmin -p superuser |
||
Authenticating as principal superuser with password. |
Authenticating as principal superuser with password. |
||
Password for superuser@COINCOIN.EU: |
Password for superuser@COINCOIN.EU: |
||
| Line 230: | Line 259: | ||
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 |
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 |
||
03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU |
03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU |
||
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 |
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 |
||
</nowiki></pre> |
</nowiki></pre> |
||
Latest revision as of 06:20, 22 April 2019
How to install NFSv4 with strong crypto and Kerberos authentication on Debian Squeeze (using some packages of unstable)
Server
Packages
unstable packages
- linux-image-2.6 >= 2.6.35 (but it's was not working with linux-image-2.6.39-bpo.2: 2.6.39-3~bpo60+1)
- version nfs-common >= 1.2.3
- rpcbind instead of portmap (see debian bug #620059)
kdc:~# apt-get install -t linux-image-2.6 kdc:~# reboot
kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)
kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1
Configuration
/etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
/etc/default/nfs-kernel-server
NEED_SVCGSSD=yes
/etc/krb5kdc/kdc.conf
` supported_enctypes` must only contains encryption types which are not weak (see weak encryption types)
[kdcdefaults]
kdc_ports = 750,88
kdc_tcp_ports = 750,88
[realms]
COINCOIN.EU = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
default_principal_flags = +preauth
}
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
Create needed directory
kdc:/root# mkdir /mnt/sdb1 kdc:/root# mkdir -p /export/Documents
/etc/exports
/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0) /export/Documents gss/krb5p(rw,async,no_subtree_check)
/etc/fstab
# [...] /dev/sdb1 /mnt/sdb1 ext3 defaults,acl 1 2 /mnt/sdb1/Documents /export/Documents none ro,bind 0 0
mount directory
kdc:/root# mount /mnt/sdb1 kdc:/root# mount /export/Documents
Export directories
kdc:/root# exportfs -rv exporting gss/krb5p:/export/Documents exporting gss/krb5p:/export
NFS service: Create principal entry
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin: addprinc -randkey nfs/kdc.coincoin.eu WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.
Check that weak encryption types are not allowed with `getprinc nfs/kdc.coincoin.eu`.
export nfs@kdc principal to the keytab
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. ktadd -k /etc/krb5.keytab nfs/kdc.coincoin.eu
You can list content of keytab:
kdc:~# ktutil ktutil: rkt /etc/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 nfs/kdc.coincoin.eu@COINCOIN.EU
You should check that weak encryption types are not enabled with `list -e`.
Create client entry
kdc:/root# kadmin.local kadmin: addprinc -randkey nfs/client.coincoin.eu WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.
Start services
- /etc/init.d/nfs-common start
- /etc/init.d/nfs-kernel-server start
Client
Packages
- linux-image-2.6 >= 2.6.35
- version nfs-common >= 1.2.3
client:~# apt-get install -t linux-image-2.6 client:~# reboot
client:~# apt-get install -t unstable nfs-client
Configuration
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
/etc/fstab
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
/etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
Start services
client:~# /etc/init.d/nfs-common restart
Create keytab
client:~# kadmin -p superuser Authenticating as principal superuser with password. Password for superuser@COINCOIN.EU: ktadd -k /etc/krb5.keytab nfs/client.coincoin.eu
Check configuration
verify enctypes
klist -e
Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq
Default principal: plop@COINCOIN.EU
Valid starting Expires Service principal
03/30/11 18:32:59 03/31/11 04:32:59 krbtgt/COINCOIN.EU@COINCOIN.EU
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
