Re: NFS4 and Kerberos (next steps)
Hi Mike,
On Tue, Jan 11, 2011 at 11:20:15PM +0100, Mike Gabriel wrote:
> On Sun 09 Jan 2011 10:29:52 CET "Andreas B. Mundt" wrote:
> >On Sat, Jan 08, 2011 at 11:41:42PM +0100, Mike Gabriel wrote:
> >[...]
> >>Here is what I will do next:
> >>
> >>1)
> >>
> >> o I have a Debian server setup in the cloud for my ,,company''
> >>with a working
> >> NFSv4+Kerberos server setup
> >> o I have installed a Debian SID in the cloud today that I will
> >>integrate as
> >> NFSv4 client with sec=krb5p
> >> o I will document all steps needed, this would be pure Debian then...
> >
> >OK.
>
> here are the test results for attaching a new NFS4+Krb5 client to a
> working server:
>
> o standard Debian squeeze install
> o extra packages: nfs-common krb5-user libnss-ldapd nslcd
> o during install of the above packages...
> - libnss/LDAP gets configured
> - use LDAP for libnss services: passwd, group (not shadow)
> - libpam/LDAP gets configured (not needed for pure NFSv4+Krb5)
> - krb5.conf gets configured
> o krb5.conf
> - add ,,allow_weak_crypto = true'' under [libdefaults]
> - add ,,default_domain'' option to the realm definition (section
> [realms]):
> <quote>
> INTERN = {
> kdc = tjener.intern
> default_domain = intern
> admin_server = tjener.intern
> }
> </quote>
> - add domain2realm mapping to section [domain_realm]
> <quote>
> .intern = INTERN
> intern = INTERN
> </quote>
> - add section ,,logging'' (I quite like that):
> <quote>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> </quote>
OK, so far it looks like we do the same ...
> o /etc/default/nfs-common:
> <quote>
> NEED_IDMAPD=yes
> NEED_GSSD=yes
> </quote>
^^^^^^^^^^^^
That's the stuff we will see with the next d-e-c package upload.
> o idmapd.conf: replace line
> <quote>
> Domain = localdomain
> </quote>
> for Skolelinux replace with domain name ,,intern''
> <quote>
> Domain = intern
> </quote>
^^^^^^^^^^^^^
Not yet implemented iirc, is this really needed?
> o Make sure time between KDC and NFS client is in sync (ntp)!
> o DNS Resolve of NFS Client FQDN:
>
> ;; ANSWER SECTION:
> dhcp001.intern. 83684 IN A 10.0.2.101
>
> o Reverse DNS Resolve of NFS Client IP
>
> 101.2.0.10.in-addr.arpa domain name pointer dhcp001.intern.
>
> o For the KDC server / NFS Server DNS (Rev)Resolve must function in the same
> way...
>
> These were the preparations... Now we come to the mount process and
> its preparations...
>
>
> ALL STEPS TAKE PLACE ON THE CLIENT AS USER ROOT
>
> 1.
> make sure NFS idmapd has read its new config:
> /etc/init.d/nfs-common restart
>
> 2.
> create and add the NFS service principal to local krb5.keytab file
> (on the client dhcp001.intern), on my server I have a Kerberos
> policy called ,,service''...
>
> kinit admin/admin
> kadmin -q "add_principal -policy service -randkey nfs/dhcp001.intern"
> kadmin -q "ktadd -k /etc/krb5.keytab nfs/dhcp001.intern"
>
> -> a host/dhcp001.intern principal is not needed!!!
>
> -> kadmin supports the option ,,-t keytabfile''. With that one could
> bypass kadmin's password prompt.
>
> 3.
> As root, a test mount:
> mount -tnfs4 -o sec=krb5p tjener.intern:/skole/tjener/home0 /mnt
>
> 4.
> Try
>
> ls -al /mnt -> should show home directories (with correct user id and group
> id mappings)
> cd /mnt/<user> -> will fail... (Access denied)
>
> Then do (as root...):
>
> su - <user>
> kinit <user>
>
> Now try (as <user>, still in su shell):
>
> cd /mnt/<user> -> should work
> ls -al /mnt/<user> -> should also work
>
Ok, that's where I'm currently stuck. I think this procedure works
already here (but have to check systematically again).
What causes problems right now afaics is:
1) the combination with the automounter (worked/stopped working,
strange things, not clear what changed, etc. => check
systematically, only gave it a first try so far).
2) login from kdm/gdm: The home dir is mounted (automounter) but
not writable yet (not the case for sec=sys), so for (sec=krb5X)
processes that try to write files complain and the user logging
in is logged out again immediately. I tried to modify the
configuration of kdm/Xsession to write files to other
directories, but it did not help so far: Error: cannot create
~/.dbus .... or something like that was the last issue iirc.
I am busy the next days, don't know when I can continue testing.
>
> Factors that do and do not matter with MIT Kerberos5:
> -----------------------------------------------------
>
> o /etc/hostname can contain a string that is different from the DNS hostname
> o no host/<dnsname> host principal keytab file is needed on the client
> o but a nfs/<dnsname> service principal keytab file is obligatory on the
> client
> o even with libnss-ldap(d) the idmapd RPC process is needed
> o the portmapper can be restricted to localhost, rpc.statd is not needed any
> more for NFSv4
Great! If anybody knows about the bits that seem to go wrong, let
me/us know.
Best regards,
Andi
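The client-side checklist in the quoted message (NEED_GSSD/NEED_IDMAPD, the idmapd Domain, the nfs/<fqdn> keytab entry, forward and reverse DNS agreeing) is easy to get subtly wrong, and each mistake shows up as a different symptom at mount time. The following is an added example, not code from the thread or from Debian Edu: a pre-flight script that checks those items before the first sec=krb5p mount. It assumes a Debian userland (sed, getent, klist from krb5-user, hostname -f); the domain name "intern" and the host names are the placeholders used in the thread. Each check takes the file or captured tool output it inspects as an argument, so it can be run against constructed inputs. Note that the MIT option is spelled allow_weak_crypto; it re-enables single-DES and is only needed while the nfs/ principals still carry DES keys (older kernels' rpcsec_gss supported nothing else), so the script warns when it is on rather than treating it as required.

```shell
#!/bin/sh
# Pre-flight checks for a Debian NFSv4 client before a sec=krb5p mount.
# Added example, not from the thread. Each check takes the file (or captured
# tool output) it inspects as an argument so it can be run against constructed
# inputs; preflight() wires the checks to the real paths. Host names, realm
# and the "intern" domain are placeholders taken from the thread.

# _kv FILE KEY: print the value of the last uncommented "KEY = value" line
# in FILE, with quotes, trailing comments and whitespace stripped.
_kv() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
        | tr -d '"' | tr -d "'"
}

# /etc/default/nfs-common: rpc.idmapd and rpc.gssd must both be started;
# without gssd the krb5p mount fails, without idmapd owners show as nobody.
check_nfs_common_defaults() {
    [ "$(_kv "$1" NEED_IDMAPD)" = yes ] && [ "$(_kv "$1" NEED_GSSD)" = yes ]
}

# /etc/idmapd.conf: Domain must match the server's (here "intern"); with a
# mismatch the mount works but every file maps to nobody:nogroup.
check_idmapd_domain() {
    [ "$(_kv "$1" Domain)" = "$2" ]
}

# KLIST_OUTPUT FQDN: the keytab must hold nfs/<fqdn>@REALM; a host/ principal
# is not required on the client. KLIST_OUTPUT is the saved text of
# `klist -k /etc/krb5.keytab`.
check_keytab_principal() {
    grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+nfs/$2@" "$1"
}

# krb5.conf: report whether allow_weak_crypto (single-DES) is switched on.
# Only needed while the nfs/ keys are DES; drop it once they are AES.
krb5_weak_crypto_enabled() {
    v=$(_kv "$1" allow_weak_crypto)
    [ "$v" = true ] || [ "$v" = yes ] || [ "$v" = 1 ]
}

# FQDN: forward lookup, then reverse lookup of the first IPv4 address, must
# lead back to the same FQDN, because GSSAPI picks the nfs/<fqdn> key from it.
dns_roundtrip() {
    ip=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || return 1
    [ "$(getent hosts "$ip" | awk '{ print $2 }')" = "$1" ]
}

# Run every check against the live system; argument is the idmapd domain.
preflight() {
    dom=${1:-intern}
    fqdn=$(hostname -f)
    rc=0
    check_nfs_common_defaults /etc/default/nfs-common \
        || { echo "FAIL: NEED_IDMAPD/NEED_GSSD are not both yes"; rc=1; }
    check_idmapd_domain /etc/idmapd.conf "$dom" \
        || { echo "FAIL: idmapd Domain is not $dom"; rc=1; }
    kt=$(mktemp)
    klist -k /etc/krb5.keytab > "$kt" 2>/dev/null
    check_keytab_principal "$kt" "$fqdn" \
        || { echo "FAIL: no nfs/$fqdn key in /etc/krb5.keytab"; rc=1; }
    rm -f "$kt"
    dns_roundtrip "$fqdn" \
        || { echo "FAIL: forward/reverse DNS for $fqdn do not agree"; rc=1; }
    krb5_weak_crypto_enabled /etc/krb5.conf \
        && echo "WARN: allow_weak_crypto is on; remove it once DES keys are gone"
    return $rc
}

# Only touch the live system when asked: `sh nfs4-preflight.sh --run intern`
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-intern}"
fi
```

Run it as root on the client right after `/etc/init.d/nfs-common restart` and before the test mount; a clean run still leaves clock skew to check separately (ntp), since the script does not talk to the KDC.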