more testing

nfsv4-kerberos-debian.org

@@ -36,7 +36,7 @@ This document is about a third solution : NFSv4 coupled with Kerberos
 security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...).
 
 * Pre-requisites
-- NTP :: All machines (clients and servers) must be time-synchronized, as kerberos authentication is partly based on tickets timestamps.
+- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps.
 - DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]].
   A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]].
 
@@ -46,52 +46,90 @@ There are basically two major implementations of [[https://datatracker.ietf.org/
 It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation.
 
 ** Naming
+:PROPERTIES:
+:custom_id: table-1
+:END:
 We will use the following conventions :
-#+CAPTION: Table 1: Kerberos hosts naming
+#+CAPTION: Table 1: Local names
-| Name                  | Value        | Comment                       |
+| Name                  | Value           | Comment                         |
-|-----------------------+--------------+-------------------------------|
+|-----------------------+-----------------+---------------------------------|
-| Domain name           | =.lan=       | Typical hostname: machine.lan |
+| Kerberos realm        | =LAN=           | Always capital                  |
-| Kerberos realm        | =LAN=        | Always capital                |
+| Local DNS name        | =lan=           | Typical hostname: machine.lan   |
-| Kerberos KDC 1        | =kdc1.lan=   | Key Distribution Center       |
+| Kerberos KDC 1        | =kdc1.lan=      | Primary Key Distribution Center |
-| Kerberos KDC 2        | =kdc2.lan=   |                               |
+| Kerberos KDC 2        | =kdc2.lan=      | Secondary KDC                   |
-| Kerberos admin server | =kadmin.lan= |                               |
+| Kerberos admin server | =kadmin.lan=    | Administrative server           |
+| Kerberos client 1     | =kclient1.lan=  | Test client 1                   |
+| Kerberos client 2     | =kclient2.lan=  | Test client 2                   |
+| Kerberos credentials  | =krb5/password= | Kerberos admin login/password   |
+
+** Packages installation
+On server side, install the necessary packages with :
+#+BEGIN_SRC sh
+sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm
+#+END_SRC
+And on client(s), install the following :
+#+BEGIN_SRC sh
+sudo apt-get install krb5-config heimdal-clients
+#+END_SRC
+On your desktop, you may also want to install some documentation with:
+#+BEGIN_SRC
+sudo apt-get install heimdal-docs
+#+END_SRC
+
+The ~krb5-config~ package installation will ask you some questions, you can just answer with the information from [[#table-1][Table 1]] (we will change configuration manually after that):
+- Default Kerberos version 5 realm: ~LAN~
+- Kerberos servers for your realm: ~kdc1.lan kdc2.lan~
+- Administrative server for your Kerberos realm: ~kadmin.lan~
+
+After this initial configutation, edit ~/etc/krb5.conf~, clean up everything and add a section in domain_realm section for your local network. You should end up with something similar to :
+#+BEGIN_SRC conf
+[libdefaults]
+	default_realm = LAN
+	kdc_timesync = true
+	forwardable = true
+	proxiable = true
+
+[realms]
+	LAN = {
+		kdc = kdc1.lan
+		kdc = kdc2.lan
+		admin_server = kadmin.lan
+	}
+
+[domain_realm]
+	.lan = LAN
+#+END_SRC
+
+** Kerberos database initialization
+It is possible installation process may have created files in ~/var/lib/heimdal-kdc~, manual is unclear. To be on secure side, we remove everything before going further :
+
+#+BEGIN_SRC conf
+[libdefaults]
+	default_realm = LAN
+[realms]
+	LAN = {
+		kdc = kdc1.lan
+		kdc = kdc2.lan
+		admin_server = kadmin.lan
+	}
+#+END_SRC
 
 ** Server side
-For resilience reasons, I will use two kb
+*** Heimdal Kerberos installation
 ** Client side
+heimdal-docs heimdal-clients
 ** Testing
 * NFSv4
 ** Server side
 ** Client side
 ** Testing
-#+BEGIN_VERSE
-zobi zoba
-titi toto
 * Sources
 Kerberos setup:
--
+- ~info heimdal~ (documentation from heimdal-docs).
-
+- [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]]
---prout
+- [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]]
-#+END_VERSE
+- [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]]
-#+CAPTION: and _multiple_
+- [[https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/][Setup (MIT) Kerberos Server and Client on Ubuntu 20.04]]
-#+CAPTION: lines of *captions*!
+- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html][MIT Kerberos Documentation: Installing KDCs]]
-#+ATTR_HTML: :class a b
+- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames][MIT Kerberos Documentation: Realm configuration decisions]]
-#+ATTR_HTML: :id it :class c d
+- [[https://www.linuxfromscratch.org/blfs/view/6.3/postlfs/heimdal.html][Beyond Linux From Scratch - Heimdal]]
-#+BEGIN_SRC sh
-echo "a bash source block with custom html attributes"
-#+END_SRC
-
-#+BEGIN_EXPORT html
-<style>
-.verse-block p { white-space: pre; color: red;}
-.verse-block p + p { padding-left: 2em; }
-</style>
-#+END_EXPORT
-
-#+BEGIN_VERSE
-Great clouds overhead
-Tiny black birds rise and fall
-Snow covers Emacs
-
----AlexSchroeder
-#+END_VERSE