
Re: NFS4 and Kerberos (next steps)



Hi Andi,

On Sun 09 Jan 2011 10:29:52 CET "Andreas B. Mundt" wrote:

Hi Mike,

On Sat, Jan 08, 2011 at 11:41:42PM +0100, Mike Gabriel wrote:
[...]
Here is what I will do next:

1)

  o I have a Debian server setup in the cloud for my ,,company'' with a working
    NFSv4+Kerberos server setup
  o I have installed a Debian SID in the cloud today that I will integrate as
    NFSv4 client with sec=krb5p
  o I will document all steps needed, this would be pure Debian then...

OK.

Here are the test results for attaching a new NFS4+Krb5 client to a working server:

  o standard Debian squeeze install
  o extra packages: nfs-common krb5-user libnss-ldapd nslcd
  o during install of the above packages...
      - libnss/LDAP gets configured
      - use LDAP for libnss services: passwd, group (not shadow)
      - libpam/LDAP gets configured (not needed for pure NFSv4+Krb5)
      - krb5.conf gets configured
  o krb5.conf
      - add ,,allow_weak_crypto = true'' under [libdefaults]
      - add ,,default_domain'' option to the realm definition (section
        [realms]):
        <quote>
        INTERN = {
                kdc = tjener.intern
                default_domain = intern
                admin_server = tjener.intern
        }
        </quote>
      - add domain2realm mapping to section [domain_realm]
        <quote>
        .intern = INTERN
        intern = INTERN
        </quote>
      - add section ,,logging'' (I quite like that):
        <quote>
        [logging]
          kdc = FILE:/var/log/krb5kdc.log
          admin_server = FILE:/var/log/kadmin.log
          default = FILE:/var/log/krb5lib.log
        </quote>

  o /etc/default/nfs-common:
      <quote>
        NEED_IDMAPD=yes
        NEED_GSSD=yes
      </quote>
  o idmapd.conf: replace line
      <quote>
      Domain = localdomain
      </quote>
    for Skolelinux replace with domain name ,,intern''
      <quote>
      Domain = intern
      </quote>
  o Make sure time between KDC and NFS client is in sync (ntp)!
  o DNS Resolve of NFS Client FQDN:

        ;; ANSWER SECTION:
        dhcp001.intern. 83684  IN      A       10.0.2.101

  o Reverse DNS Resolve of NFS Client IP

        101.2.0.10.in-addr.arpa domain name pointer dhcp001.intern.

  o For the KDC server / NFS Server DNS (Rev)Resolve must function in the same
    way...

These were the preparations... Now we come to the mount process and its preparations...


ALL STEPS TAKE PLACE ON THE CLIENT AS USER ROOT

1.
make sure NFS idmapd has read its new config:
/etc/init.d/nfs-common restart

2.
create and add the NFS service principal to local krb5.keytab file (on the client dhcp001.intern), on my server I have a Kerberos policy called ,,service''...

kinit admin/admin
kadmin -q "add_principal -policy service -randkey nfs/dhcp001.intern"
kadmin -q "ktadd -k /etc/krb5.keytab nfs/dhcp001.intern"

-> a host/dhcp001.intern principal is not needed!!!

-> kadmin supports the option ,,-t keytabfile''. With that one could avoid the kadmin password prompt.

3.
Test mount as root:
mount -tnfs4 -o sec=krb5p tjener.intern:/skole/tjener/home0 /mnt

4.
Try

  ls -al /mnt -> should show home directories (with correct user id and group
                 id mappings)
  cd /mnt/<user> -> will fail... (Access denied)

Then do (as root...):

  su - <user>
  kinit <user>

Now try (as <user>, still in su shell):

  cd /mnt/<user> -> should work
  ls -al /mnt/<user> -> should also work


Factors that do and do not matter with MIT Kerberos5:
-----------------------------------------------------

  o /etc/hostname can contain a string that is different from the DNS hostname
  o no host/<dnsname> host principal keytab file is needed on the client
  o but a nfs/<dnsname> service principal keytab file is obligatory on the
    client
  o even with libnss-ldap(d) the idmapd RPC process is needed
  o the portmapper can be restricted to localhost, rpc.statd is not needed any
    more for NFSv4

Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0x1943CA5B
mail: m.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
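As an added example (not part of Mike's mail and not Debian Edu project code), the Python script below turns the client-side checklist in the mail into an offline pre-flight check: it parses krb5.conf and idmapd.conf in the layout shown above, derives the nfs/<fqdn>@REALM principal the client keytab must hold from [domain_realm], verifies that the idmapd Domain matches the client's DNS domain, checks that forward and reverse DNS agree, and flags allow_weak_crypto because it re-enables DES enctypes and should be a deliberate choice. The config texts, host name, IP and DNS answers are constructed samples mirroring the mail; on a real client you would read /etc/krb5.conf and /etc/idmapd.conf and feed in your own lookups.

```python
"""Pre-flight checks for an NFSv4 + Kerberos client, distilled from the
checklist in the mail above. The sample inputs are constructed so the script
runs offline; for a real host read /etc/krb5.conf and /etc/idmapd.conf."""

# --- constructed sample inputs (mirroring the mail's examples) ---
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = INTERN
  allow_weak_crypto = true

[realms]
  INTERN = {
    kdc = tjener.intern
    default_domain = intern
    admin_server = tjener.intern
  }

[domain_realm]
  .intern = INTERN
  intern = INTERN

[logging]
  default = FILE:/var/log/krb5lib.log
"""

SAMPLE_IDMAPD_CONF = """\
[General]
Domain = intern

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
"""

# The Debian default the mail says to replace; used to show a failing check.
BROKEN_IDMAPD_CONF = SAMPLE_IDMAPD_CONF.replace("Domain = intern", "Domain = localdomain")

# Constructed stand-ins for the forward and reverse lookups quoted in the mail.
SAMPLE_FORWARD = {"dhcp001.intern": "10.0.2.101"}
SAMPLE_REVERSE = {"10.0.2.101": "dhcp001.intern"}


def parse_krb5_conf(text):
    """Parse MIT krb5.conf: [section], key = value, and NAME = { ... } blocks.
    idmapd.conf uses the same [section] / key = value layout, so it parses too."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
            block = None
        elif line.endswith("{"):                # e.g. "INTERN = {"
            name = line[:-1].split("=", 1)[0].strip()
            block = conf[section][name] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (block if block is not None else conf[section])[key] = value
    return conf


def realm_for_host(conf, fqdn):
    """Apply [domain_realm] the way the library does: exact host name first,
    then the longest matching '.suffix' entry, then default_realm."""
    mapping = conf.get("domain_realm", {})
    if fqdn in mapping:
        return mapping[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")


def expected_nfs_principal(conf, fqdn):
    """The service principal the client keytab must contain (nfs/<fqdn>@REALM)."""
    return "nfs/%s@%s" % (fqdn, realm_for_host(conf, fqdn))


def preflight(krb5_text, idmapd_text, fqdn, ip, forward, reverse):
    """Return a list of findings; an empty list means the checklist passes."""
    conf = parse_krb5_conf(krb5_text)
    idmapd = parse_krb5_conf(idmapd_text)
    findings = []
    realm = realm_for_host(conf, fqdn)
    if realm is None:
        findings.append("no [domain_realm] entry or default_realm for %s" % fqdn)
    elif realm not in conf.get("realms", {}):
        findings.append("realm %s has no [realms] block (kdc/admin_server)" % realm)
    # idmapd's Domain must equal the client's DNS domain, or owner/group
    # names fall back to nobody/nogroup in "ls -al".
    dns_domain = fqdn.split(".", 1)[1] if "." in fqdn else ""
    idmapd_domain = idmapd.get("General", {}).get("Domain", "localdomain")
    if idmapd_domain != dns_domain:
        findings.append("idmapd Domain=%s but client domain is %s" % (idmapd_domain, dns_domain))
    # Forward and reverse DNS must agree, as the mail requires for both sides.
    if forward.get(fqdn) != ip:
        findings.append("forward DNS for %s does not give %s" % (fqdn, ip))
    if reverse.get(ip) != fqdn:
        findings.append("reverse DNS for %s does not give %s" % (ip, fqdn))
    # allow_weak_crypto re-enables DES enctypes; surface it as a conscious choice.
    if conf.get("libdefaults", {}).get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto is enabled (DES enctypes permitted)")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("keytab must hold:", expected_nfs_principal(conf, "dhcp001.intern"))
    for finding in preflight(SAMPLE_KRB5_CONF, SAMPLE_IDMAPD_CONF, "dhcp001.intern",
                             "10.0.2.101", SAMPLE_FORWARD, SAMPLE_REVERSE):
        print("finding:", finding)
```

With the sample inputs the only finding is the allow_weak_crypto flag; swapping in BROKEN_IDMAPD_CONF adds the Domain mismatch that produces nobody/nogroup ownership in the "ls -al /mnt" step. The principal name the script derives is the one to compare against "klist -k /etc/krb5.keytab" on the client.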
