
Re: NFS4 and Kerberos (next steps)



Hi Mike,

On Sat, Jan 08, 2011 at 11:41:42PM +0100, Mike Gabriel wrote:
[...]
> Here is what I will do next:
> 
> 1)
> 
>   o I have a Debian server setup in the cloud for my ,,company''
> with a working
>     NFSv4+Kerberos server setup
>   o I have installed a Debian SID in the cloud today that I will integrate as
>     NFSv4 client with sec=krb5p
>   o I will document all steps needed, this would be pure Debian then...

OK.
 
> 2)
> 
>   o I will install a squeeze TJENER and a squeeze Debian Edu client and I will
>     take a look at the NFSv4+Kerberos setup in particular
>   o I will test the already present NFSv4 and Kerberos stuff (not for all
>     services, only for the core stuff: PAM, libnss, autofs, ...)
>   o I will try to manually configure the steps needed for finishing what might
>     be missing and document those.
>   o I will also post aspects that I would approach differently

Great!

> Concerning NFSv4+Krb5 I would like to focus on the basic service
> level for now and I will add test modifications to LDAP by hand. If
> the needed fixes and modifications or extensions and the workflow
> during installation starts crystallizing out I think then we should
> take a look at Gosa and maybe CipUX integration.
> 
> Does this make sense? Any other suggestions/recommendations/preferences?
 
That's fantastic news! Let me just add what I did so far to give
you another idea of the status here:

I played a bit with the system yesterday. Besides the committed changes
I tested the kerberized services ldap (ldapwhoami -Y GSSAPI), exim and
dovecot (by sending/receiving mail). They still seem to work, at least
on tjener itself: I got an ldap/tjener.intern, smtp/tjener.intern and
imap/tjener.intern service ticket. I was also able to mount the NFS4
share with krb5p enabled (by adding "tjener:/ /mnt nfs4 user,sec=krb5p
0 0" to fstab and doing the usual manual mount as unprivileged user).
Great stuff: The directory is mounted (no service ticket yet), but as
soon as I access it, the nfs/tjener.intern ticket is there :).

After that, I thought about how to improve adding machines in GOsa; it would
be good to find the MAC of new machines automatically. This is
implemented in gosa-si (with a service daemon (?)), but we do not have
that in Debian yet. However, the sitesummary program also collects
information about the machines in the net
(see /var/lib/sitesummary/entries/), and perhaps it's possible to use
that (I guess with gosa-si there is an ou=incoming in ldap which can
be used, but if we want to do something like that, perhaps we had better
ask the GOsa people how it is intended to work.)

Ok. I'm just installing a workstation to check if things work there
too. 

Happy testing,
best regards,

     Andi
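[Editor's note: the following check script is an added example and is not
part of the original mail, nor Debian Edu's own code. It turns the manual
test Andi describes (fstab entry with user,sec=krb5p, mount as unprivileged
user, access the share, see the nfs/ service ticket appear in klist) into
something repeatable, and it distinguishes krb5p from the weaker krb5/krb5i
flavours, since a typo in sec= silently downgrades to integrity-only or
authentication-only. The host name tjener.intern, the mount point /mnt and
the realm INTERN are assumed; the klist output embedded below is constructed
sample data, not captured from a real system. The live part (kinit, mount,
klist) only runs when the script is called with --live.]

```shell
#!/bin/sh
# Added example: sanity checks for a Kerberized NFSv4 client mount.
# Assumed names: server tjener.intern, mount point /mnt, realm INTERN.

# Print the sec= flavour of one fstab line (field 4 is the option list);
# prints nothing when sec= is absent, which means the default sec=sys.
fstab_sec_mode() {
    printf '%s\n' "$1" | awk '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^sec=/) { sub(/^sec=/, "", o[i]); print o[i]; exit }
    }'
}

# Classify the protection an fstab line gives the NFS traffic:
#   privacy   - krb5p: authentication, integrity and encryption of RPC payloads
#   integrity - krb5i: authentication and integrity, data still in the clear
#   auth      - krb5:  authentication only, every RPC body unprotected
#   none      - no sec= option, i.e. AUTH_SYS with client-asserted uid/gid
sec_strength() {
    fstab_mode=$(fstab_sec_mode "$1")
    case "$fstab_mode" in
        krb5p) echo privacy ;;
        krb5i) echo integrity ;;
        krb5)  echo auth ;;
        "")    echo none ;;
        *)     echo unknown ;;
    esac
}

# Return 0 if klist-style output ($1) contains a ticket for service
# principal $2 (realm ignored). Ticket lines start with the validity date.
has_service_ticket() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[0-9]/ { s = $NF; sub(/@.*/, "", s); if (s == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample klist output (assumption: realm INTERN, uid 1000).
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: andi@INTERN

Valid starting     Expires            Service principal
01/09/11 10:00:00  01/09/11 20:00:00  krbtgt/INTERN@INTERN
01/09/11 10:01:12  01/09/11 20:00:00  nfs/tjener.intern@INTERN'

FSTAB_LINE='tjener:/ /mnt nfs4 user,sec=krb5p 0 0'

# Live check, only when explicitly requested: needs a TGT in the user's
# credential cache, because rpc.gssd fetches nfs/tjener.intern from it on
# first access to the mounted share.
if [ "${1:-}" = "--live" ]; then
    [ "$(sec_strength "$(grep ' /mnt ' /etc/fstab)")" = privacy ] \
        || { echo 'fstab: /mnt is not mounted with sec=krb5p'; exit 1; }
    kinit || exit 1
    mount /mnt || exit 1     # allowed without root because of the user option
    ls /mnt >/dev/null       # first access triggers the nfs/ ticket request
    if has_service_ticket "$(klist)" nfs/tjener.intern; then
        echo 'ok: nfs/tjener.intern service ticket present'
    else
        echo 'no nfs/tjener.intern ticket after access'; exit 1
    fi
fi
```

Two caveats worth keeping in mind with this setup: the "user" option in
fstab implies noexec, nosuid and nodev unless you add exec/suid/dev
explicitly, so a home directory mounted this way will not run scripts from
it; and a missing or misspelled sec= option falls back to sec=sys, where the
server trusts whatever uid the client claims, which is exactly what the
Kerberos setup is meant to replace.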

