SqueezeKerberosNFSv4StrongCrypto
From DcSharedWiki
How to install NFSv4 with strong crypto and Kerberos authentication on Debian Squeeze (using some packages of unstable)
Server
Packages
unstable packages
- linux-image-2.6 >= 2.6.35 (but it's was not working with linux-image-2.6.39-bpo.2: 2.6.39-3~bpo60+1)
- version nfs-common >= 1.2.3
- rpcbind instead of portmap (see debian bug #620059)
kdc:~# apt-get install -t linux-image-2.6 kdc:~# reboot
kdc:~# apt-get install rpcbind # replace portmap by rpcbind in initscripts or install rpcbind >= 0.2.0-5 (see debian bug #565201)
kdc:~# apt-get install -t unstable nfs-kernel-server nfs-common libtirpc1
Configuration
/etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
/etc/default/nfs-kernel-server
NEED_SVCGSSD=yes
/etc/krb5kdc/kdc.conf
` supported_enctypes` must only contains encryption types which are not weak (see weak encryption types)
[kdcdefaults]
kdc_ports = 750,88
kdc_tcp_ports = 750,88
[realms]
COINCOIN.EU = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
default_principal_flags = +preauth
}
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
Create needed directory
kdc:/root# mkdir /mnt/sdb1 kdc:/root# mkdir -p /export/Documents
/etc/exports
/export gss/krb5p(rw,async,no_subtree_check,crossmnt,fsid=0) /export/Documents gss/krb5p(rw,async,no_subtree_check)
/etc/fstab
# [...] /dev/sdb1 /mnt/sdb1 ext3 defaults,acl 1 2 /mnt/sdb1/Documents /export/Documents none ro,bind 0 0
mount directory
kdc:/root# mount /mnt/sdb1 kdc:/root# mount /export/Documents
Export directories
kdc:/root# exportfs -rv exporting gss/krb5p:/export/Documents exporting gss/krb5p:/export
NFS service: Create principal entry
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin: addprinc -randkey nfs/kdc.coincoin.eu WARNING: no policy specified for nfs/kdc.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/kdc.coincoin.eu@COINCOIN.EU" created.
Check that weak encryption types are not allowed with `getprinc nfs/kdc.coincoin.eu`.
export nfs@kdc principal to the keytab
kdc:/root# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. ktadd -k /etc/krb5.keytab nfs/kdc.coincoin.eu
You can list content of keytab:
kdc:~# ktutil ktutil: rkt /etc/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 nfs/kdc.coincoin.eu@COINCOIN.EU
You should check that weak encryption types are not enabled with `list -e`.
Create client entry
kdc:/root# kadmin.local kadmin: addprinc -randkey nfs/client.coincoin.eu WARNING: no policy specified for nfs/client.coincoin.eu@COINCOIN.EU; defaulting to no policy Principal "nfs/client.coincoin.eu@COINCOIN.EU" created.
Start services
- /etc/init.d/nfs-common start
- /etc/init.d/nfs-kernel-server start
Client
Packages
- linux-image-2.6 >= 2.6.35
- version nfs-common >= 1.2.3
client:~# apt-get install -t linux-image-2.6 client:~# reboot
client:~# apt-get install -t unstable nfs-client
Configuration
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
/etc/fstab
kdc.coincoin.eu:/Documents /mnt/Documents nfs4 sec=krb5p,rw,hard,rsize=32768,wsize=32768,noexec,nosuid,auto 0 0
Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
/etc/default/nfs-common
[...] # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
Start services
client:~# /etc/init.d/nfs-common restart
Create keytab
client:~# kadmin -p superuser Authenticating as principal superuser with password. Password for superuser@COINCOIN.EU: ktadd -k /etc/krb5.keytab nfs/client.coincoin.eu
Check configuration
verify enctypes
klist -e
Ticket cache: FILE:/tmp/krb5cc_1000_6gVtAq
Default principal: plop@COINCOIN.EU
Valid starting Expires Service principal
03/30/11 18:32:59 03/31/11 04:32:59 krbtgt/COINCOIN.EU@COINCOIN.EU
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/30/11 21:31:05 03/31/11 04:32:59 nfs/kdc.coincoin.eu@COINCOIN.EU
renew until 03/31/11 18:34:25, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
