test verbatim/code

This commit is contained in:
2022-02-19 22:16:58 +01:00
parent 00528341fe
commit 06333c5258

@@ -10,9 +10,9 @@
/You should have received a copy of the GNU Free Documentation License along /You should have received a copy of the GNU Free Documentation License along
with this document./ with this document./
/If not, see [[[[https://www.gnu.org/licenses/fdl-1.3-standalone.html]]][this page]]./ /If not, see [[https://www.gnu.org/licenses/fdl-1.3-standalone.html][this page]]./
/SPDX-License-Identifier: [[[[https://spdx.org/licenses/GFDL-1.3-or-later.html]]][GFDL-1.3-or-later]]/ /SPDX-License-Identifier: [[https://spdx.org/licenses/GFDL-1.3-or-later.html][GFDL-1.3-or-later]]/
#+END_QUOTE #+END_QUOTE
* Table of Contents :TOC: * Table of Contents :TOC:
@@ -22,7 +22,7 @@ with this document./
* Introduction * Introduction
If you share some files between your machines, your choice was probably If you share some files between your machines, your choice was probably
[[[[https://en.wikipedia.org/wiki/Server_Message_Block]]][SMB/CIFS]], as it [[https://en.wikipedia.org/wiki/Server_Message_Block][SMB/CIFS]], as it
is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, ...). is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, ...).
However, there are some limitations that you may find unacceptable (the loss However, there are some limitations that you may find unacceptable (the loss
@@ -32,9 +32,22 @@ Another option (at least on GNU/Linux) could be [[https://github.com/libfuse/ssh
and requires no special settings but an ssh access to server. It could be the and requires no special settings but an ssh access to server. It could be the
ideal sharing system for many people. ideal sharing system for many people.
But here I will explain how to share This document is about a third solution : NFSv4 coupled with Kerberos
security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...).
* Pre-requisites
- NTP :: All machines (clients and servers) must be time-synchronized, as kerberos authentication is partly based on tickets timestamps.
- DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]].
A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]].
* Kerberos (V5)
There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years.
It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation.
** We will use the following conventions :
toto =verbatim= or ~code~.
* Kerberos
** Server side ** Server side
For resilience reasons, I will use two kb For resilience reasons, I will use two kb
** Client side ** Client side
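Review bot: the added text creates a top-level heading "* Kerberos (V5)" and then a second top-level "* Kerberos" right before the existing "** Server side", so the document ends up with two Kerberos sections; merge them, or make the implementation discussion a subsection of the existing one. The "** We will use the following conventions :" heading contains only the placeholder line "toto =verbatim= or ~code~.", which should be replaced with the actual conventions or dropped before this lands. In the same added paragraphs, "developement" and "explicitely" are misspelled, and the MIT and Shishi links use http:// while the other links in this hunk use https://.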
@@ -46,6 +59,9 @@ For resilience reasons, I will use two kb
#+BEGIN_VERSE #+BEGIN_VERSE
zobi zoba zobi zoba
titi toto titi toto
* Sources
Kerberos setup:
-
--prout --prout
#+END_VERSE #+END_VERSE
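Review bot: the new "* Sources" heading, "Kerberos setup:" and the empty "-" item are added between "titi toto" and "--prout", which is inside the #+BEGIN_VERSE block and before its #+END_VERSE. Org parses a line starting with "* " in column 0 as a headline, so this cuts the verse block short and leaves "#+END_VERSE" unmatched; move the Sources section after "#+END_VERSE", and either fill in the list item or remove it.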