From 06333c5258f73e4b31401067752325f4858b18bd Mon Sep 17 00:00:00 2001 From: Bruno Raoult Date: Sat, 19 Feb 2022 22:16:58 +0100 Subject: [PATCH] test verbatim/code --- nfsv4-kerberos-debian.org | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/nfsv4-kerberos-debian.org b/nfsv4-kerberos-debian.org index 8d6d100..30c74b0 100644 --- a/nfsv4-kerberos-debian.org +++ b/nfsv4-kerberos-debian.org @@ -10,9 +10,9 @@ /You should have received a copy of the GNU Free Documentation License along with this document./ -/If not, see [[[[https://www.gnu.org/licenses/fdl-1.3-standalone.html]]][this page]]./ +/If not, see [[https://www.gnu.org/licenses/fdl-1.3-standalone.html][this page]]./ -/SPDX-License-Identifier: [[[[https://spdx.org/licenses/GFDL-1.3-or-later.html]]][GFDL-1.3-or-later]]/ +/SPDX-License-Identifier: [[https://spdx.org/licenses/GFDL-1.3-or-later.html][GFDL-1.3-or-later]]/ #+END_QUOTE * Table of Contents :TOC: @@ -22,7 +22,7 @@ with this document./ * Introduction If you share some files between your machines, your choice was probably -[[[[https://en.wikipedia.org/wiki/Server_Message_Block]]][SMB/CIFS]], as it +[[https://en.wikipedia.org/wiki/Server_Message_Block][SMB/CIFS]], as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, ...). However, there are some limitations that you may find unacceptable (the loss 
@@ -32,9 +32,22 @@ Another option (at least on GNU/Linux) could be [[https://github.com/libfuse/ssh and requires no special settings but an ssh access to server. It could be the ideal sharing system for many people. -But here I will explain how to share +This document is about a third solution : NFSv4 coupled with Kerberos +security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...). + +* Pre-requisites +- NTP :: All machines (clients and servers) must be time-synchronized, as kerberos authentication is partly based on tickets timestamps. +- DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]]. + A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]]. + +* Kerberos (V5) +There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years. + +It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation. + +** We will use the following conventions : +toto =verbatim= or ~code~. -* Kerberos ** Server side For resilience reasons, I will use two kb ** Client side 
@@ -46,6 +59,9 @@ For resilience reasons, I will use two kb #+BEGIN_VERSE zobi zoba titi toto +* Sources +Kerberos setup: +- --prout #+END_VERSE
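Review bot: In the second hunk (@@ -32,9 +32,22 @@), the new prose has several spelling and punctuation slips that should be fixed before this lands: "developement" should be "development", "explicitely" should be "explicitly", the French-style space before the colon in "a third solution : NFSv4" and "** We will use the following conventions :" should be dropped, and "etc..." should be "etc.". The line "toto =verbatim= or ~code~." reads as test scaffolding for the org =verbatim=/~code~ markup (matching the commit subject "test verbatim/code") rather than real content; either replace it with an actual description of the convention, for example "=verbatim= for configuration file contents and ~code~ for commands", or leave it out of the commit. As a style point, "** We will use the following conventions :" is a full sentence used as a level-2 headline; a short headline such as "** Conventions" with the sentence in the body below it would fit the rest of the document. The unchanged context line "For resilience reasons, I will use two kb" is still truncated mid-word in the new "** Server side" section, so the sentence should be completed in this or a follow-up change.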
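Review bot: In the third hunk (@@ -46,6 +59,9 @@), the new "* Sources" headline is inserted between "#+BEGIN_VERSE" and "#+END_VERSE", and in Org syntax a line beginning with "*" at column 0 is always parsed as a headline, so it terminates the verse block early; the block will no longer be closed by the following "#+END_VERSE", and the "Kerberos setup:" list becomes part of the headline's body rather than the verse. Move the three added lines ("* Sources", "Kerberos setup:", "- --prout") to after "#+END_VERSE", or, if they are meant to stay inside the verse, do not use a headline there. Independently, "- --prout" is a placeholder rather than a source reference and should be replaced with the actual reference (or removed) before merging.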