
How (not?) to: setting up Kerberized NFSv4



Here are my notes on setting up Kerberized NFSv4 in Debian-edu Squeeze
(I tested with alpha0). Unfortunately, they don't work - the mount
simply hangs with no error message in the log either on client or
server. I've observed the same both on Debian Squeeze and Ubuntu 10.04.
Does anybody know what might be wrong?

-- On tjener:

Add to /etc/exports:
 /skole/tjener/home0 *(rw,async,no_subtree_check,sec=krb5,fsid=0)

# vim /etc/default/nfs-kernel-server
 NEED_SVCGSSD=yes

# vim /etc/idmapd.conf
 Domain = intern

No need to edit /etc/default/nfs-common, idmapd is started if
/etc/exports exists.

# kadmin
 kadmin: addprinc -randkey nfs/klient.intern

An nfs/tjener.intern principal already exists and does not need to be
created.

# vim /etc/krb5.conf
somewhere in section [libdefaults]:
 allow_weak_crypto = true

# invoke-rc.d krb5-kdc restart
# invoke-rc.d nfs-common restart
# invoke-rc.d nfs-kernel-server restart

-- On ltspserver or workstation:
# kadmin
kadmin: ktadd nfs/klient.intern

# vim /etc/krb5.conf
somewhere in section [libdefaults]:
 allow_weak_crypto = true

# vim /etc/default/nfs-common
NEED_IDMAPD=yes
NEED_GSSD=yes

# vim /etc/idmapd.conf
 Domain = intern

# invoke-rc.d nfs-common restart

Try mounting. Note that tjener.intern:/ is not a typo - fsid=0 in
/etc/exports declares that home0 is the root of the exported tree.

# mount -t nfs4 -o sec=krb5 tjener.intern:/ /mnt/

See also:
http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
https://help.ubuntu.com/community/NFSv4Howto#NFSv4%20with%20Kerberos
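
An added example, not part of the original post: a shell sketch that checks copies of the files edited in the notes above for consistency (Kerberos flavor on every export, matching idmapd Domain on server and client, and whether allow_weak_crypto is enabled). The function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print "path<TAB>flavor" per export; no sec= option means the default, "sys".
export_flavors() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        sec = "sys"
        if (match($0, /sec=[a-z0-9:]+/)) sec = substr($0, RSTART + 4, RLENGTH - 4)
        print $1 "\t" sec
    }' "$1"
}

# Print the Domain value from an idmapd.conf-style file.
idmap_domain() {
    awk -F= '/^[ \t]*Domain[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Succeed if [libdefaults] in a krb5.conf sets allow_weak_crypto = true.
weak_crypto_enabled() {
    awk '/^[ \t]*\[/ { in_ld = ($0 ~ /\[libdefaults\]/) }
         in_ld && /^[ \t]*allow_weak_crypto[ \t]*=[ \t]*true/ { found = 1 }
         END { exit !found }' "$1"
}

# Args: exports, server idmapd.conf, client idmapd.conf, krb5.conf.
# Returns non-zero when an export lacks krb5 or the idmapd domains differ.
check_krb5_nfs4() {
    rc=0
    bad=$(export_flavors "$1" | awk -F'\t' '$2 !~ /^krb5/ { print $1 }')
    [ -z "$bad" ] || { echo "not Kerberos-protected: $bad"; rc=1; }
    [ "$(idmap_domain "$2")" = "$(idmap_domain "$3")" ] ||
        { echo "idmapd Domain differs between server and client"; rc=1; }
    if weak_crypto_enabled "$4"; then
        echo "note: allow_weak_crypto = true permits weak enctypes such as single DES"
    fi
    return "$rc"
}

# Constructed sample files mirroring the settings in the notes above.
demo=$(mktemp -d)
echo '/skole/tjener/home0 *(rw,async,no_subtree_check,sec=krb5,fsid=0)' > "$demo/exports"
printf '[General]\nDomain = intern\n' > "$demo/idmapd.conf"
printf '[libdefaults]\n allow_weak_crypto = true\n' > "$demo/krb5.conf"
check_krb5_nfs4 "$demo/exports" "$demo/idmapd.conf" "$demo/idmapd.conf" "$demo/krb5.conf"
rm -rf "$demo"
```

An export whose sec= list starts with sys (for example sec=sys:krb5) is reported, because it still accepts unauthenticated AUTH_SYS clients.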

