Re: NFS4 and Kerberos: A-records for same IP inflate the need for service principals

Hi Mike,

On Thu, Jan 06, 2011 at 02:16:53AM +0100, Mike Gabriel wrote:
> [...]
> On Mi 05 Jan 2011 19:10:24 CET Petter Reinholdtsen wrote:
> 
> >[Andreas B. Mundt]
> >>I tried to find the reason for these corresponding A-records,
> [...]
> 
> Kerberos demands a correct ReverseDNS setup. It can handle multiple
> A-Records for the same IP. Important is that the host principal's IP
> correctly reverse-resolves to the hostname used in the Kerberos host
> principal.
> 
> For a correctly working NFS4+Kerberos setup you need (it's quite a
> while ago that I set up my NFS4, so some things might be
> inaccurate):
> [...]
> 
> I am really interested in NFSv4+Kerberos5 integration in Skolelinux.
> So if I can be of any help, let me know.
> 

Many thanks for your input and your interest. It would be great if you
could help with the Kerberos integration. To give you a starting point,
let me outline from my point of view what has been done so far, what
the current status is, and what needs to (or should) be done.

The KDC is set up during installation by kerberos-kdc-init:
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/kerberos-kdc-init>
which is called after the ldap tree has been initialized (we use ldap
as KDC data base):
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/ldap-tools/ldap-debian-edu-install>

User principals are created by gosa-create:
<URL:http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/share/debian-edu-config/tools/gosa-create>

With this setup, users are authenticated to the system via a Kerberos
TGT, which works. Furthermore, services like imap (dovecot), exim
and ldap were kerberized. (It seems that this has been broken in the
meantime.)

My hope was that by using Kerberos in combination with nfs4, the
machine management would simplify and we could get rid of IP- and
netgroup based "security". (Which would also resolve the need for very
special administrative tools.) However, things got stuck before that
point for several reasons and we now have an even more complicated
system which is neither fish nor fowl.
We want kerberos, but we don't want to get rid of old structures. So
we open one more field of activity, split forces and everybody
maintains and improves what he knows or prefers or whatever, thereby,
from time to time, breaking the stuff of the colleague. Perhaps we can
(and should) improve that point too.

However, to come back to the issue, the next step concerning kerberos
would be to switch to nfs4. Even if we don't use kerberos immediately
(start with sec=sys), it would help with implementing the kerberos
part, because you would not need to implement nfs4 before you can
start trying the kerberos stuff.

If things work manually, how can it be implemented during
installation and for diskless workstations? It would be nice not to
create principals by hand, the same applies to the distribution of
keytabs.

Perhaps it's possible to avoid host principals and allow a user with a
valid TGT to mount his home directory. That would be a nice thing
which would simplify things a lot. Imagine you plug in a machine into
the skole-net. There is no need to add it to the network manually, but
the machine can access services and data only if a valid Kerberos TGT
is presented. Is something like that possible in a secure way?

Best regards,

     Andi
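Mike's point above, that several A-records may share one IP but the host principal's IP must reverse-resolve to exactly the name used in the principal, is easy to get wrong once a server carries aliases like ldap or kerberos. The following script is an added example written for this archive page; it is not part of the thread and not code from debian-edu-config. It walks a list of service principals and, for each, confirms that the hostname has an A record and that the PTR record for that IP points back to the same hostname. The zone data embedded below is constructed; the default live lookups via the `socket` module are an assumption about how one would run it against a real network.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample zone data (not taken from the thread or any real site).
# Three names share one IP, but an IP can only carry one useful PTR record,
# so only "tjener.intern" satisfies Kerberos' reverse-DNS requirement.
A_RECORDS: Dict[str, str] = {
    "tjener.intern": "10.0.2.2",
    "ldap.intern": "10.0.2.2",
    "kerberos.intern": "10.0.2.2",
    "ws01.intern": "10.0.2.50",
}
PTR_RECORDS: Dict[str, str] = {
    "10.0.2.2": "tjener.intern",
    "10.0.2.50": "ws01.intern",
}

Forward = Callable[[str], str]   # hostname -> IP, raises on failure
Reverse = Callable[[str], str]   # IP -> hostname, raises on failure


def make_lookups(a: Dict[str, str], ptr: Dict[str, str]) -> Tuple[Forward, Reverse]:
    """Build forward/reverse resolvers from static dictionaries (offline use)."""
    def forward(name: str) -> str:
        return a[name]           # KeyError stands in for NXDOMAIN

    def reverse(ip: str) -> str:
        return ptr[ip]

    return forward, reverse


def live_forward(name: str) -> str:
    """Assumed live lookup: first A record via the resolver library."""
    return socket.gethostbyname(name)


def live_reverse(ip: str) -> str:
    """Assumed live lookup: canonical name from the PTR record."""
    return socket.gethostbyaddr(ip)[0]


def _normalise(name: str) -> str:
    return name.lower().rstrip(".")


def check_principal(principal: str, forward: Forward = live_forward,
                    reverse: Reverse = live_reverse) -> Tuple[bool, str]:
    """Check one service principal ("host/fqdn@REALM", "nfs/fqdn@REALM").

    Returns (ok, explanation). A principal without an instance part
    (a plain user principal) is reported as not applicable.
    """
    if "/" not in principal:
        return False, f"{principal}: no instance part, not a service principal"
    host = principal.split("/", 1)[1].split("@", 1)[0]
    try:
        ip = forward(host)
    except Exception:
        return False, f"{host}: no A record"
    try:
        rname = reverse(ip)
    except Exception:
        return False, f"{host}: {ip} has no PTR record"
    if _normalise(rname) != _normalise(host):
        return False, f"{host}: {ip} reverse-resolves to {rname}, not {host}"
    return True, f"{host}: ok ({ip} -> {rname})"


def audit(principals: List[str], forward: Forward = live_forward,
          reverse: Reverse = live_reverse) -> List[str]:
    """Return the explanations for every principal that fails the check."""
    problems = []
    for p in principals:
        ok, why = check_principal(p, forward, reverse)
        if not ok:
            problems.append(why)
    return problems


if __name__ == "__main__":
    fwd, rev = make_lookups(A_RECORDS, PTR_RECORDS)
    for p in ["host/tjener.intern@INTERN", "host/ldap.intern@INTERN",
              "nfs/ws01.intern@INTERN", "host/nowhere.intern@INTERN"]:
        print(check_principal(p, fwd, rev)[1])
```

Run as-is it uses the constructed zone; calling `audit(principals)` without the lookup arguments would query the real resolver instead. The failing case for `ldap.intern` is exactly the situation the thread describes: the forward record exists, but the PTR for the shared IP names a different host, so a `host/ldap.intern` principal would not match what Kerberos derives from reverse DNS.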