For a while, I've been working on setting up a nice, multi-user, multi-workstation environment to use at home. I'll work on a sub-component of the overall setup with virtual machines until I'm comfortable that I know what software needs to be installed and how to configure it.
One sub-component is Kerberized NFS. I searched for tutorials, guides, walkthroughs, and HowTos online. None of them were step-by-step. So this is an attempt to create one easy-to-follow resource to get going. I make no guarantees that this is the "best" install, the "minimal" install, or any other kind of install. It worked for me using three virtual machines.
The steps assume a few things:
- You are working from a Debian squeeze distro (6.0.3)
- You have a working KDC.
- You have a working DNS system that allows forward and reverse IP address lookups
- The KDC, NFS server, and NFS client are all separate machines
- The commands will be executed in a root terminal
If you do not have a KDC, I found an excellent guide to setting one up on a Debian squeeze system at this link: Kerberos Master on Debian squeeze
If you do not have a working forward/reverse DNS system in place, I wrote another message with a base configuration allowing for dynamic DNS updates through a DHCP server--all on a local server. That message can be found here.
Most of the commands are provided in a way that they could be copy-pasted directly into a root terminal. However, they need to be modified to match any configuration changes you make for your particular system. I'll do my best to highlight those settings so you are aware that a change may be required.
Lastly, before I get into the commands, I would like to point out something that seems to be hit-or-miss when searching for this information online. Apparently, the stock kernel in Debian squeeze (2.6.32-5 at the time of this writing) does not allow for any NFS encryption types other than basic DES. This is unfortunate. However, it appears that kernel 2.6.38 and later do allow for stronger encryption types in NFS. The 2.6.38 kernel is available for stable releases (such as squeeze) through Debian backports. I have not taken the opportunity to install the newer kernel yet. So these instructions use the limited DES-only approach. I may come back at a later date to update them with the steps for the backport option.
========================
Kerberos KDC
========================
(1) Make sure that you have "allow_weak_crypto = true" in your [libdefaults] section of /etc/krb5.conf. See step (3) in the NFS server setup for an example of what I mean. To be honest, I'm not entirely certain it's necessary to have this on the KDC, but I have not experimented to know for certain yet.
========================
Kerberized NFSv4 Server Setup (starting from a fresh Debian 6.0.3 install)
========================
(1) Install Kerberos support
Code:
/usr/bin/apt-get install krb5-config krb5-user
(2) Answer the configuration questions. Specifically, you'll be identifying your Kerberos realm (which I will refer to as KERB.REALM), the name of your KDC (which I will refer to as kerberos1.kerb.domain), and your Kerberos admin server (which I will refer to as kadmin1.kerb.domain).
(3) Replace the Debian-supplied /etc/krb5.conf file (it contains information about lots of Kerberos realms that are not necessary) with a minimal config.
Code:
/bin/mv /etc/krb5.conf /etc/krb5.conf.orig
/bin/cat << EOF > /etc/krb5.conf
[libdefaults]
default_realm = KERB.REALM
forwardable = true
proxiable = true
allow_weak_crypto = true
[realms]
KERB.REALM = {
kdc = kerberos1.kerb.domain
admin_server = kadmin1.kerb.domain
}
EOF
(4) Create a Kerberos host principal and a Kerberos service principal. Create a normal set of encryption keys for the host, but restrict the service key to DES only (see kernel discussion above). Substitute your administrator principal for the admin I use below. Also, substitute the domain name for your NFS server when you see krbnfs1.kerb.domain below.
Code:
kadmin -p admin
Password for admin@KERB.REALM: <enter password>
kadmin: addprinc -randkey host/krbnfs1.kerb.domain
<output>
kadmin: ktadd host/krbnfs1.kerb.domain
<output>
kadmin: addprinc -randkey nfs/krbnfs1.kerb.domain
<output>
kadmin: ktadd -e des-cbc-crc:normal nfs/krbnfs1.kerb.domain
<output>
kadmin: quit
(5) Install kernel NFS support and common NFS files
Code:
/usr/bin/apt-get -y install nfs-kernel-server nfs-common
(6) Enable SVCGSSD in nfs-kernel-server configuration
Code:
/bin/sed -i.original_install 's@^\(NEED_SVCGSSD\).*@\1=yes@' /etc/default/nfs-kernel-server
(7) Disable statd, enable idmapd, and enable gssd in the NFS common configs
Code:
/bin/sed -i.original_install 's@^\(NEED_STATD\).*@\1=no@ ; s@^\(NEED_\(IDMAPD\|GSSD\)\).*@\1=yes@' /etc/default/nfs-common
(8) Configure the domain name in idmapd.conf. Replace kerb.domain with your DNS domain.
Code:
/bin/sed -i.original_install 's@^\(Domain\).*@\1 = kerb.domain@' /etc/idmapd.conf
(9) Make sure that hostname returns a fully qualified domain name. That is, if you execute hostname -f on the command line and you do not get a domain component (e.g. "nfsclient1" instead of "nfsclient1.kerb.domain"), then you need to correct that. A common reason is that the /etc/hosts file contains a line with "127.0.0.1 nfsclient1 localhost.localdomain localhost" or similar. Either remove the reference to "nfsclient1" (or your equivalent) from /etc/hosts (which makes you completely dependent on DNS), or move the entry to a new line in /etc/hosts with the IP address of the machine and the fully qualified domain (e.g. "192.168.1.123 nfsclient1.kerb.domain nfsclient1").
(10) Restart nfs-kernel-server and nfs-common for the configuration changes to take effect
Code:
/etc/init.d/nfs-kernel-server restart
/etc/init.d/nfs-common restart
(11) Create the share directory. Obviously, replace /export/sharedata with whatever directory you wish to share.
Code:
mkdir -p /export/sharedata
(12) List the shares inside /etc/exports.
PLEASE NOTE: there are three levels of protection (authentication only, integrity, and privacy): gss/krb5, gss/krb5i, and gss/krb5p. Also, the "gss/krb5( ... )" format is listed as deprecated. The man page for exports (man exports) discusses the three krb5 types and indicates that the "sec=" option should be used instead of the deprecated form. I use the deprecated format here because I'm too lazy to go back and re-verify things with the sec option at the moment.
Code:
/bin/cat << EOF >> /etc/exports
/export gss/krb5p(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/sharedata gss/krb5p(rw,sync,no_subtree_check)
EOF
(13) Publish the newly-defined exports into the server's internal tables
Code:
/usr/sbin/exportfs -a
========================
Kerberized NFSv4 Client Setup (starting from a fresh Debian 6.0.3 install)
========================
(1), (2), and (3) are the same as for the server setup above. Please follow those steps and return here to continue.
(4) Create a Kerberos host principal and a Kerberos service principal. Create a normal set of encryption keys for the host, but restrict the service key to DES only (see kernel discussion above). Substitute your administrator principal for the admin I use below. Also, substitute the domain name for your NFS client when you see nfsclient1.kerb.domain below.
Code:
kadmin -p admin
Password for admin@KERB.REALM: <enter password>
kadmin: addprinc -randkey host/nfsclient1.kerb.domain
<output>
kadmin: ktadd host/nfsclient1.kerb.domain
<output>
kadmin: addprinc -randkey nfs/nfsclient1.kerb.domain
<output>
kadmin: ktadd -e des-cbc-crc:normal nfs/nfsclient1.kerb.domain
<output>
kadmin: quit
(5) Install common NFS framework
Code:
/usr/bin/apt-get install nfs-common
(6) Disable statd, enable idmapd, and enable gssd in the NFS common configs
Code:
/bin/sed -i.original_install 's@^\(NEED_STATD\).*@\1=no@ ; s@^\(NEED_\(IDMAPD\|GSSD\)\).*@\1=yes@' /etc/default/nfs-common
(7) Configure the domain name in idmapd.conf. Replace kerb.domain with your DNS domain.
Code:
/bin/sed -i.original_install 's@^\(Domain\).*@\1 = kerb.domain@' /etc/idmapd.conf
(8) Restart nfs-common for the configuration changes to take effect
Code:
/etc/init.d/nfs-common restart
(9) Make sure that hostname returns a fully qualified domain name. That is, if you execute hostname -f on the command line and you do not get a domain component (e.g. "nfsclient1" instead of "nfsclient1.kerb.domain"), then you need to correct that. A common reason is that the /etc/hosts file contains a line with "127.0.0.1 nfsclient1 localhost.localdomain localhost" or similar. Either remove the reference to "nfsclient1" (or your equivalent) from /etc/hosts (which makes you completely dependent on DNS), or move the entry to a new line in /etc/hosts with the IP address of the machine and the fully qualified domain (e.g. "192.168.1.123 nfsclient1.kerb.domain nfsclient1").
(10) Obtain a Kerberos TGT by authenticating as a known user principal. Substitute a user principal you have created in place of myuser below.
Code:
/usr/bin/kinit -p myuser
Password for myuser@KERB.REALM: <enter password>
(11) Make a mountpoint for the share
(12) Mount the share
PLEASE NOTE: You will need to make sure that the security chosen for the share matches the security used in the mount command (e.g. krb5, krb5i, or krb5p).
Code:
/bin/mount -t nfs4 -o sec=krb5p krbnfs1.kerb.domain:/sharedata nfstest
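As an added example (not from the original post), here is a small set of POSIX shell helpers covering the settings that steps (6)/(7), (9) and (12) of both setups edit by hand: an idempotent replacement for the NEED_* sed edits, the two hostname checks from step (9), and a parser that reads the krb5 flavour out of an /etc/exports line so it can be compared with the client's "-o sec=" mount option. It assumes GNU sed (for -i, as the post's own commands do); the file paths are passed in as arguments, so it can be run against copies, and any sample /etc/hosts or /etc/default content is constructed for the test.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for checking the
# settings the steps above edit. Files are passed as arguments so the
# checks can be run against copies before touching anything under /etc.

# Set KEY=VALUE in an /etc/default style file (the NEED_STATD/IDMAPD/GSSD
# and RPCGSSDOPTS edits); appends the key if it is missing and stays
# idempotent when run twice, unlike a plain ">>" append.
set_default_key() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s@^\(${key}\)=.*@\1=${value}@" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Return 0 if a name has a domain component, as "hostname -f" must in
# step (9); 1 for a bare short name such as "nfsclient1".
has_domain_component() {
    case $1 in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 if the hosts file maps the short hostname onto 127.0.0.1, the
# /etc/hosts layout step (9) says to remove or move to the real address.
short_name_on_loopback() {
    awk -v s="$2" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == s) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Print the Kerberos flavour (krb5, krb5i or krb5p) an /etc/exports line
# demands, accepting both the deprecated "gss/krb5x(...)" client form from
# step (12) and the "sec=krb5x" option the exports man page recommends.
# Prints nothing when neither form is present; compare the result with the
# client's "-o sec=" mount option before mounting.
export_flavor() {
    printf '%s\n' "$1" | sed -n \
        -e 's@.*gss/\(krb5[ip]\{0,1\}\)(.*@\1@p' \
        -e 's@.*sec=\(krb5[ip]\{0,1\}\).*@\1@p' | head -n 1
}
```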
========================
If Things Go Wrong
========================
If the mount fails with a permission denied or some other such message, you can enable rpc.gssd debug messages by executing the following on the NFS client:
(1) Enable verbose debug messages
Code:
echo "RPCGSSDOPTS=\"-vvvv\"" >> /etc/default/nfs-common
(2) Restart nfs-common
Code:
/etc/init.d/nfs-common restart
(3) Retry the mount. The debug messages will be located in /var/log/syslog. If the messages are not clear, try searching for them with Google.
(4) Once you resolve the problem, do not forget to remove the "RPCGSSDOPTS" line entirely from /etc/default/nfs-common (and restart nfs-common afterward)
Good luck!