Old 01-04-2012, 06:19 PM   #1
Dark_Helmet
Kerberized NFSv4 - Debian 6.0.3


For a while, I've been working on setting up a nice, multi-user, multi-workstation environment to use at home. I'll work on a sub-component of the overall setup with virtual machines until I'm comfortable that I know what software needs to be installed and how to configure it.

One sub-component is Kerberized NFS. I searched for tutorials, guides, walkthroughs, and HowTos online. None of them were step-by-step. So this is an attempt to create one easy-to-follow resource to get going. I make no guarantees that this is the "best" install, the "minimal" install, or any other kind of install. It worked for me using three virtual machines.

The steps assume a few things:
  • You are working from a Debian squeeze distro (6.0.3)
  • You have a working KDC.
  • You have a working DNS system that allows forward and reverse IP address lookups
  • The KDC, NFS server, and NFS client are all separate machines
  • The commands will be executed in a root terminal

If you do not have a KDC, I found an excellent guide to setting one up on a Debian squeeze system at this link: Kerberos Master on Debian squeeze

If you do not have a working forward/reverse DNS system in place, I wrote another message with a base configuration allowing for dynamic DNS updates through a DHCP server--all on a local server. That message can be found here

Most of the commands are provided in a way that they could be copy-pasted directly into a root terminal. However, the commands need to be modified to match any configuration changes you make for your particular system. I'll do my best to highlight those settings to bring them to your attention; so you are aware that a change may be required.

Lastly, before I get into the commands, I would like to point out something that seems to be hit-or-miss when searching for this information online. Apparently, the stock kernel in Debian squeeze (2.6.32-5 at the time of this writing) does not allow for any NFS encryption types other than basic DES. This is unfortunate. However, it appears that kernel 2.6.38 and later do allow for stronger encryption types in NFS. The 2.6.38 kernel is available for stable releases (such as squeeze) through Debian backports. I have not taken the opportunity to install the newer kernel yet. So these instructions use the limited DES-only approach. I may come back at a later date to update them with the steps for the backport option.

========================
Kerberos KDC
========================
(1) Make sure that you have "allow_weak_crypto = true" in your [libdefaults] section of /etc/krb5.conf. See step (3) in the NFS server setup for an example of what I mean. To be honest, I'm not entirely certain it's necessary to have this on the KDC, but I have not experimented to know for certain yet.




========================
Kerberized NFSv4 Server Setup (starting from a fresh Debian 6.0.3 install)
========================
(1) Install Kerberos support
Code:
/usr/bin/apt-get install krb5-config krb5-user
(2) Answer the configuration questions. Specifically, you'll be identifying your Kerberos realm (which I will refer to as KERB.REALM), the name of your KDC (which I will refer to as kerberos1.kerb.domain), and your Kerberos admin server (which I will refer to as kadmin1.kerb.domain)

(3) Replace the Debian-supplied /etc/krb5.conf file (it contains information about lots of Kerberos realms that are not necessary) and replace it with a minimal config.
Code:
/bin/mv /etc/krb5.conf /etc/krb5.conf.orig
/bin/cat << EOF > /etc/krb5.conf
[libdefaults]
        default_realm = KERB.REALM
        forwardable = true
        proxiable = true
        allow_weak_crypto = true

[realms]
        KERB.REALM = {
                kdc = kerberos1.kerb.domain
                admin_server = kadmin1.kerb.domain
        }
EOF
(4) Create a Kerberos host principal and a Kerberos service principal. Create a normal set of encryption keys for the host, but restrict the service key to DES only (see kernel discussion above). Substitute your administrator principal for the admin I use below. Also, substitute the domain name for your NFS server when you see krbnfs1.kerb.domain below.
Code:
kadmin -p admin
Password for admin@KERB.REALM: <enter password>
kadmin: addprinc -randkey host/krbnfs1.kerb.domain
<output>
kadmin: ktadd host/krbnfs1.kerb.domain
<output>
kadmin: addprinc -randkey nfs/krbnfs1.kerb.domain
<output>
kadmin: ktadd -e des-cbc-crc:normal nfs/krbnfs1.kerb.domain
<output>
kadmin: quit
(5) Install kernel NFS support and common NFS files
Code:
/usr/bin/apt-get -y install nfs-kernel-server nfs-common
(6) Enable SVCGSSD in nfs-kernel-server configuration
Code:
/bin/sed -i.original_install 's@^\(NEED_SVCGSSD\).*@\1=yes@' /etc/default/nfs-kernel-server
(7) Disable statd, enable idmapd, and enable gssd in the NFS common configs
Code:
/bin/sed -i.original_install 's@^\(NEED_STATD\).*@\1=no@ ; s@^\(NEED_\(IDMAPD\|GSSD\)\).*@\1=yes@' /etc/default/nfs-common
(8) Configure the domain name in idmapd.conf. Replace kerb.domain with your DNS domain.
Code:
/bin/sed -i.original_install 's@^\(Domain\).*@\1 = kerb.domain@' /etc/idmapd.conf
(9) Make sure that hostname returns a fully qualified domain name. That is, if you execute hostname -f on the command line and you do not get a domain component (e.g. "nfsclient1" instead of "nfsclient1.kerb.domain"), then you need to correct that. A common reason is that the /etc/hosts file contains a line with "127.0.0.1 nfsclient1 localhost.localdomain localhost" or similar. Remove the reference to "nfsclient1" (or your equivalent) from /etc/hosts (which makes you completely dependent on DNS) or move the entry to a new line in /etc/hosts with the IP address of the machine and the fully qualified domain (e.g. "192.168.1.123 nfsclient1.kerb.domain nfsclient1")

(10) Restart nfs-kernel-server and nfs-common for the configuration changes to take effect
Code:
/etc/init.d/nfs-kernel-server restart
/etc/init.d/nfs-common restart
(11) Create the share directory. Obviously, replace /export/sharedata with whatever directory you wish to share.
Code:
mkdir -p /export/sharedata
(12) List the shares inside /etc/exports.
PLEASE NOTE: there are three levels of encryption protection: gss/krb5, gss/krb5i, and gss/krb5p. Also, the "gss/krb5( ... )" format is listed as deprecated. The man page for exports (man exports) discusses the three krb5 types and indicates that the "sec=" option should be used instead of the deprecated form. I use the deprecated format here because I'm too lazy to go back and re-verify things with the sec option at the moment.
Code:
/bin/cat << EOF >> /etc/exports
/export            gss/krb5p(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/sharedata  gss/krb5p(rw,sync,no_subtree_check)
EOF
(13) Publish the newly-defined exports into the server's internal tables
Code:
/usr/sbin/exportfs -a



========================
Kerberized NFSv4 Client Setup (starting from a fresh Debian 6.0.3 install)
========================

(1), (2), and (3) are the same as for the server setup above. Please follow those steps and return here to continue.

(4) Create a Kerberos host principal and a Kerberos service principal. Create a normal set of encryption keys for the host, but restrict the service key to DES only (see kernel discussion above). Substitute your administrator principal for the admin I use below. Also, substitute the domain name for your NFS client when you see nfsclient1.kerb.domain below.
Code:
kadmin -p admin
Password for admin@KERB.REALM: <enter password>
kadmin: addprinc -randkey host/nfsclient1.kerb.domain
<output>
kadmin: ktadd host/nfsclient1.kerb.domain
<output>
kadmin: addprinc -randkey nfs/nfsclient1.kerb.domain
<output>
kadmin: ktadd -e des-cbc-crc:normal nfs/nfsclient1.kerb.domain
<output>
kadmin: quit
(5) Install common NFS framework
Code:
/usr/bin/apt-get install nfs-common
(6) Disable statd, enable idmapd, and enable gssd in the NFS common configs
Code:
/bin/sed -i.original_install 's@^\(NEED_STATD\).*@\1=no@ ; s@^\(NEED_\(IDMAPD\|GSSD\)\).*@\1=yes@' /etc/default/nfs-common
(7) Configure the domain name in idmapd.conf. Replace kerb.domain with your DNS domain.
Code:
/bin/sed -i.original_install 's@^\(Domain\).*@\1 = kerb.domain@' /etc/idmapd.conf
(8) Restart nfs-common for the configuration changes to take effect
Code:
/etc/init.d/nfs-common restart
(9) Make sure that hostname returns a fully qualified domain name. That is, if you execute hostname -f on the command line and you do not get a domain component (e.g. "nfsclient1" instead of "nfsclient1.kerb.domain"), then you need to correct that. A common reason is that the /etc/hosts file contains a line with "127.0.0.1 nfsclient1 localhost.localdomain localhost" or similar. Remove the reference to "nfsclient1" (or your equivalent) from /etc/hosts (which makes you completely dependent on DNS) or move the entry to a new line in /etc/hosts with the IP address of the machine and the fully qualified domain (e.g. "192.168.1.123 nfsclient1.kerb.domain nfsclient1")

(10) Obtain a Kerberos TGT by authenticating as a known user principal. Substitute a user principal you have created in place of myuser below.
Code:
/usr/bin/kinit -p myuser
Password for myuser@KERB.REALM: <enter password>
(11) Make a mountpoint for the share
Code:
/bin/mkdir nfstest
(12) Mount the share
PLEASE NOTE: You will need to make sure that the security chosen for the share matches the security used in the mount command (e.g. krb5, krb5i, or krb5p).
Code:
/bin/mount -t nfs4 -o sec=krb5p krbnfs1.kerb.domain:/sharedata nfstest



========================
If Things Go Wrong
========================
If the mount fails with a permission denied or some other such message, you can enable rpc.gssd debug messages by executing the following on the NFS client:

(1) Enable verbose debug messages
Code:
echo "RPCGSSDOPTS=\"-vvvv\"" >> /etc/default/nfs-common
(2) Restart nfs-common
Code:
/etc/init.d/nfs-common restart
(3) Retry the mount. The debug messages will be located in /var/log/syslog. If the messages are not clear, try searching for them with Google.

(4) Once you resolve the problem, do not forget to remove the "RPCGSSDOPTS" line entirely from /etc/default/nfs-common (and restart nfs-common afterward)

Good luck!

Last edited by Dark_Helmet; 01-05-2012 at 12:25 AM.
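Added example, not part of Dark_Helmet's post: a small POSIX sh script that checks, offline, the three hand-edited settings in the walkthrough above that most often go wrong: that hostname -f carries a domain component (step 9), that NEED_STATD/NEED_IDMAPD/NEED_GSSD in /etc/default/nfs-common are set as in steps 6 and 7, and that /etc/exports uses the sec= form that exports(5) recommends instead of the deprecated gss/ client spec from step 12. The function names and the sample input are my own and constructed; nothing here touches a live host, so it can be tested anywhere and then pointed at the real files with the commands in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): offline preflight checks for
# the settings the walkthrough edits by hand. Function names are mine; each
# takes its input as text so it can be exercised on constructed data here
# and on the real files later (see the "Real use" comment on each one).

# Step (9): hostname -f must return a fully qualified name, otherwise the
# host/ and nfs/ principals rpc.gssd and rpc.svcgssd look up will not match.
# Real use:  check_fqdn "$(hostname -f)"
check_fqdn() {
    case "$1" in
        *.*) return 0 ;;    # has a domain component
        *)   return 1 ;;    # bare host name: fix /etc/hosts or DNS first
    esac
}

# Steps (6)/(7): NEED_* settings in /etc/default/nfs-common, read on stdin.
# Prints every key that differs from what the post sets; returns 1 if any do.
# Real use:  check_nfs_common < /etc/default/nfs-common
check_nfs_common() {
    conf=$(cat)
    bad=0
    for want in NEED_STATD=no NEED_IDMAPD=yes NEED_GSSD=yes; do
        key=${want%%=*}
        exp=${want#*=}
        # last assignment wins and quotes are ignored, as the init script reads it
        got=$(printf '%s\n' "$conf" | sed -n "s/^${key}=//p" | tr -d '"' | tail -n 1)
        if [ "$got" != "$exp" ]; then
            printf '%s is "%s", expected "%s"\n' "$key" "$got" "$exp"
            bad=1
        fi
    done
    return "$bad"
}

# Step (12): rewrite the deprecated "gss/krb5p(opts)" client spec into the
# "*(sec=krb5p,opts)" form exports(5) recommends; krb5, krb5i and krb5p are
# all handled. Reads /etc/exports text on stdin, writes the converted text.
# Real use:  exports_to_sec < /etc/exports > /etc/exports.new   (then review)
exports_to_sec() {
    sed -E 's#gss/(krb5[ip]?)\(#*(sec=\1,#'
}

# Demo on constructed input (not taken from a real machine).
if check_fqdn "nfsclient1"; then echo "fqdn ok"; else echo "bare host name: not fully qualified"; fi
printf 'NEED_STATD=no\nNEED_IDMAPD=yes\nNEED_GSSD=no\n' | check_nfs_common \
    || echo "nfs-common needs fixing"
printf '%s\n' '/export  gss/krb5p(rw,sync,fsid=0,no_subtree_check,crossmnt)' | exports_to_sec
```

Two caveats that belong with these checks. The "*" in the rewritten export line means any client that can present a valid Kerberos ticket for the nfs/ service, which is exactly what the gss/krb5p form meant; replace it with a network or host list if you also want an address check. And allow_weak_crypto = true in [libdefaults] turns single DES back on for every Kerberos consumer on that machine, not only NFS; it is the price of the squeeze kernel's DES-only GSS support and the first thing to drop once a kernel with stronger NFS enctypes is in place.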
 
Old 03-18-2012, 08:05 AM   #2
sebp
I had been pulling my hair for days trying to get this whole thing working as expected, and your post got me back on the right path.
Thank you so much, sir!


Some comments/feedback on your procedure:

========================
Kerberos KDC
========================
(1) The "allow_weak_crypto = true" directive in /etc/krb5.conf seems to be mandatory on both the client and the server (I have tested all possible combinations using my squeeze server and wheezy client, and this is the only one that worked)

=============================
Kerberized NFSv4 Server Setup
=============================
(12) Here's a working /etc/exports file using the recommended sec option:
Code:
/export                 *(sec=krb5p,rw,sync,fsid=root,no_subtree_check,crossmnt)
/export/myshare         *(sec=krb5p,rw,sync,no_subtree_check)
=============================
Kerberized NFSv4 Client Setup
=============================
(10) Not needed to mount the share (but will be to access its content).


========================
If Things Go Wrong
========================
From my experience, as long as it's not totally clear to somebody how Kerberos works, it's easy to mess things up in the /etc/krb5.keytab files on either the server or the client side, which would make the process fail somewhere.

Here's what the keytab file should look like on both machines (replace client.domain.tld with your client's FQDN, server.domain.tld with your server's FQDN, and REALM with your Kerberos realm):

At the client side:
Code:
root@client:~# klist -ke /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/client.domain.tld@REALM (aes256-cts-hmac-sha1-96) 
   4 host/client.domain.tld@REALM (arcfour-hmac) 
   4 host/client.domain.tld@REALM (des3-cbc-sha1) 
   4 host/client.domain.tld@REALM (des-cbc-crc) 
   2 nfs/client.domain.tld@REALM (des-cbc-crc)
At the server side:
Code:
root@server:~# klist -ke /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/server.domain.tld@REALM (aes256-cts-hmac-sha1-96) 
   4 host/server.domain.tld@REALM (arcfour-hmac) 
   4 host/server.domain.tld@REALM (des3-cbc-sha1) 
   4 host/server.domain.tld@REALM (des-cbc-crc) 
   2 nfs/server.domain.tld@REALM (des-cbc-crc)
If you find other entries than the "nfs/* (des-cbc-crc)" for the NFS service, or some "host/*" entries for the server in the client's file, or vice-versa, it will probably fail.

Troubleshooting this situation is pretty easy, though: just delete the /etc/krb5.keytab file, and recreate it using kadmin.
Code:
root@machine:~# rm /etc/krb5.keytab
root@machine:~# kadmin -p root/admin
Authenticating as principal root/admin@REALM with password.
Password for root/admin@REALM: 
kadmin:  ktadd -k /etc/krb5.keytab host/machine.domain.tld
Entry for principal host/machine.domain.tld with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/machine.domain.tld with kvno 4, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/machine.domain.tld with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/machine.domain.tld with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  ktadd -k /etc/krb5.keytab -e des-cbc-crc:normal nfs/machine.domain.tld
Entry for principal nfs/machine.domain.tld with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  quit
Thanks again for your work, it was really valuable!

Last edited by sebp; 03-18-2012 at 08:16 AM.
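Added example, not part of sebp's reply: a POSIX sh function that audits the output of klist -ke /etc/krb5.keytab against the layout described above. Every host/ and nfs/ entry must belong to this machine's FQDN, an nfs/ entry with des-cbc-crc must be present, and the nfs/ principal must carry no other enctype. The function name and the sample keytab listing are mine and constructed; on a real machine feed it the actual listing with klist -ke /etc/krb5.keytab | audit_keytab "$(hostname -f)".

```shell
#!/bin/sh
# Added example (not from sebp's reply): audit the output of
#   klist -ke /etc/krb5.keytab
# against the layout described above. Pass this machine's FQDN as $1 and
# the klist text on stdin. Prints one line per problem and returns 1 if any:
#   - an nfs/<fqdn> entry with an enctype other than des-cbc-crc
#   - a host/ or nfs/ entry that belongs to some other host
#   - no host/<fqdn> entry, or no nfs/<fqdn> des-cbc-crc entry
# Real use:  klist -ke /etc/krb5.keytab | audit_keytab "$(hostname -f)"
audit_keytab() {
    awk -v fqdn="$1" '
        BEGIN { bad = 0; have_host = 0; have_nfs = 0 }
        # entry lines look like: "   4 host/client.domain.tld@REALM (des-cbc-crc)"
        NF == 3 && $1 ~ /^[0-9]+$/ {
            princ = $2; etype = $3
            sub(/^\(/, "", etype); sub(/\)$/, "", etype)
            split(princ, p, "[/@]")       # p[1]=service, p[2]=host, p[3]=realm
            if (p[2] != fqdn) {
                printf "foreign entry: %s (%s)\n", princ, etype
                bad = 1
                next
            }
            if (p[1] == "host") have_host = 1
            if (p[1] == "nfs") {
                if (etype == "des-cbc-crc")
                    have_nfs = 1
                else {
                    printf "nfs/ entry with non-DES enctype: %s (%s)\n", princ, etype
                    bad = 1
                }
            }
        }
        END {
            if (!have_host) { printf "missing host/%s entry\n", fqdn; bad = 1 }
            if (!have_nfs)  { printf "missing nfs/%s des-cbc-crc entry\n", fqdn; bad = 1 }
            exit bad
        }'
}

# Constructed sample (not output from a real machine): a client keytab that
# also carries the server's host key and an AES key for nfs/, the two
# mistakes sebp warns about.
sample='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/client.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   4 host/client.domain.tld@REALM (des-cbc-crc)
   4 host/server.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 nfs/client.domain.tld@REALM (aes256-cts-hmac-sha1-96)
   2 nfs/client.domain.tld@REALM (des-cbc-crc)'
printf '%s\n' "$sample" | audit_keytab client.domain.tld \
    || echo "rebuild the keytab with the kadmin ktadd sequence above"
```

The "foreign entry" check is the one worth keeping even after the DES restriction goes away: a client keytab that holds the server's host/ or nfs/ key lets that client impersonate the NFS server to everyone in the realm, which is a bigger problem than a failed mount.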