Hi Andi,

On So 09 Jan 2011 10:29:52 CET "Andreas B. Mundt" wrote:

> Hi Mike,
>
> On Sat, Jan 08, 2011 at 11:41:42PM +0100, Mike Gabriel wrote:
> [...]
> > Here is what I will do next:
> > 1)
> >   o I have a Debian server setup in the cloud for my ,,company'' with a working NFSv4+Kerberos server setup
> >   o I have installed a Debian SID in the cloud today that I will integrate as NFSv4 client with sec=krb5p
> >   o I will document all steps needed, this would be pure Debian then...
>
> OK.
Here are the test results for attaching a new NFS4+Krb5 client to a working server:

  o standard Debian squeeze install
  o extra packages: nfs-common krb5-user libnss-ldapd nslcd
  o during install of the above packages...
    - libnss/LDAP gets configured
    - use LDAP for libnss services: passwd, group (not shadow)
    - libpam/LDAP gets configured (not needed for pure NFSv4+Krb5)
    - krb5.conf gets configured
  o krb5.conf
    - add ,,allow_weak_crypto = true'' under [libdefaults]
    - add ,,default_domain'' option to the realm definition (section [realms]):
      <quote>
      INTERN = {
        kdc = tjener.intern
        default_domain = intern
        admin_server = tjener.intern
      }
      </quote>
    - add domain2realm mapping to section [domain_realm]
      <quote>
      .intern = INTERN
      intern = INTERN
      </quote>
    - add section ,,logging'' (I quite like that):
      <quote>
      [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
      </quote>
  o /etc/default/nfs-common:
    <quote>
    NEED_IDMAPD=yes
    NEED_GSSD=yes
    </quote>
  o idmapd.conf: replace line
    <quote>
    Domain = localdomain
    </quote>
    for Skolelinux replace with domain name ,,intern''
    <quote>
    Domain = intern
    </quote>
  o Make sure time between KDC and NFS client is in sync (ntp)!
  o DNS Resolve of NFS Client FQDN:
    ;; ANSWER SECTION:
    dhcp001.intern.    83684    IN    A    10.0.2.101
  o Reverse DNS Resolve of NFS Client IP
    101.2.0.10.in-addr.arpa domain name pointer dhcp001.intern.
  o For the KDC server / NFS Server DNS (Rev)Resolve must function in the same way...

These were the preparations... Now we come to the mount process and its preparations...

ALL STEPS TAKE PLACE ON THE CLIENT AS USER ROOT

1. make sure NFS idmapd has read its new config:

   /etc/init.d/nfs-common restart

2. create and add the NFS service principal to local krb5.keytab file (on the client dhcp001.intern), on my server I have a Kerberos policy called ,,service''...

   kinit admin/admin
   kadmin -q "add_principal -policy service -randkey nfs/dhcp001.intern"
   kadmin -q "ktadd -k /etc/krb5.keytab nfs/dhcp001.intern"

   -> a host/dhcp001.intern principal is not needed!!!
   -> kadmin supports the option ,,-t keytabfile''. With that one could bypass the kadmin password prompt.

3. As root, a test mount:

   mount -tnfs4 -o sec=krb5p tjener.intern:/skole/tjener/home0 /mnt

4. Try

   ls -al /mnt
   -> should show home directories (with correct user id and group id mappings)
   cd /mnt/<user>
   -> will fail... (Access denied)

   Then do (as root...):

   su - <user>
   kinit <user>

   Now try (as <user>, still in su shell):

   cd /mnt/<user>
   -> should work
   ls -al /mnt/<user>
   -> should also work

Factors that do and do not matter with MIT Kerberos5:
-----------------------------------------------------
  o /etc/hostname can contain a string that is different from the DNS hostname
  o no host/<dnsname> host principal keytab file is needed on the client
  o but a nfs/<dnsname> service principal keytab file is obligatory on the client
  o even with libnss-ldap(d) the idmapd RPC process is needed
  o the portmapper can be restricted to localhost, rpc.statd is not needed any more for NFSv4

Greets,
Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0x1943CA5B
mail: m.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
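The checklist in the mail (nfs/<fqdn> principal in the keytab, NEED_GSSD and NEED_IDMAPD, the idmapd Domain, the domain_realm mapping, matching forward and reverse DNS) lends itself to an offline pre-flight check. The script below is an added example, not code from the mail or from Debian Edu: it parses the relevant file contents and the output of `klist -k`, and returns findings instead of mounting. The hostnames, realm and IP are the ones from the mail; the file contents and the klist output are constructed samples, and the forward/reverse lookups are replaced by dictionaries (a live check would fill those from `host` or `dig`). As a defender's caveat it also flags the allow_weak_crypto setting, which makes the client accept weak enctypes.

```python
"""Offline pre-flight checks for an NFSv4 + Kerberos (sec=krb5p) client.

Added example; the constants below are constructed samples modelled on the
settings described in the mail.
"""
import re

CLIENT_FQDN = "dhcp001.intern"   # from the mail
CLIENT_IP = "10.0.2.101"         # from the mail
REALM = "INTERN"                 # from the mail

KRB5_CONF = """\
[libdefaults]
    default_realm = INTERN
    allow_weak_crypto = true

[realms]
    INTERN = {
        kdc = tjener.intern
        default_domain = intern
        admin_server = tjener.intern
    }

[domain_realm]
    .intern = INTERN
    intern = INTERN

[logging]
    kdc = FILE:/var/log/krb5kdc.log
"""

NFS_COMMON = """\
# /etc/default/nfs-common (constructed)
NEED_STATD=no
NEED_IDMAPD=yes
NEED_GSSD=yes
"""

IDMAPD_CONF = """\
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = intern

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
"""

# Constructed output of `klist -k /etc/krb5.keytab` on the client.
KLIST_OUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/dhcp001.intern@INTERN
   2 nfs/dhcp001.intern@INTERN
"""

# Constructed stand-ins for live forward / reverse DNS lookups.
FORWARD_DNS = {"dhcp001.intern": "10.0.2.101"}
REVERSE_DNS = {"10.0.2.101": "dhcp001.intern"}


def parse_sections(text):
    """Parse '[section]' files (krb5.conf, idmapd.conf) into
    {section: {key: value}}; nested '{ ... }' realm blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "{" in line:
            depth += 1
        elif "}" in line:
            depth -= 1
        elif depth == 0 and "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def parse_defaults(text):
    """Parse /etc/default/nfs-common style VAR=value lines."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip('"')
    return out


def keytab_principals(klist_output):
    """Collect principal names from the 'KVNO principal' lines of `klist -k`."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)\s*$", klist_output, re.M)}


def check_client(fqdn, ip, realm, krb5_conf, nfs_common, idmapd_conf, klist_out,
                 forward, reverse):
    """Return 'FAIL: ...' / 'WARN: ...' findings; an empty list means the
    checklist from the mail is satisfied."""
    findings = []
    domain = fqdn.split(".", 1)[1]
    krb5 = parse_sections(krb5_conf)
    nfs = parse_defaults(nfs_common)
    idmapd = parse_sections(idmapd_conf)
    principals = keytab_principals(klist_out)

    # nfs/<fqdn> is obligatory on the client; host/<fqdn> is not required.
    if f"nfs/{fqdn}@{realm}" not in principals:
        findings.append(f"FAIL: keytab lacks nfs/{fqdn}@{realm}")
    for var in ("NEED_GSSD", "NEED_IDMAPD"):
        if nfs.get(var, "").lower() != "yes":
            findings.append(f"FAIL: {var} is not 'yes' in /etc/default/nfs-common")
    if idmapd.get("general", {}).get("domain") != domain:
        findings.append(f"FAIL: idmapd.conf Domain should be '{domain}'")
    mapping = krb5.get("domain_realm", {})
    for name in (domain, "." + domain):
        if mapping.get(name) != realm:
            findings.append(f"FAIL: krb5.conf [domain_realm] lacks '{name} = {realm}'")
    # Caveat: weak enctypes (e.g. DES) become acceptable to the client.
    if krb5.get("libdefaults", {}).get("allow_weak_crypto", "").lower() == "true":
        findings.append("WARN: allow_weak_crypto = true accepts weak enctypes (e.g. DES)")
    if forward.get(fqdn) != ip or reverse.get(ip) != fqdn:
        findings.append(f"FAIL: forward/reverse DNS for {fqdn} <-> {ip} do not match")
    return findings


if __name__ == "__main__":
    for finding in check_client(CLIENT_FQDN, CLIENT_IP, REALM, KRB5_CONF, NFS_COMMON,
                                IDMAPD_CONF, KLIST_OUT, FORWARD_DNS, REVERSE_DNS) or ["OK"]:
        print(finding)
```

Run against the constructed samples it reports only the allow_weak_crypto warning; dropping the nfs/ principal from the klist output or setting NEED_GSSD=no produces the corresponding FAIL lines, which is the state in which the `mount -t nfs4 -o sec=krb5p` step would fail.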