From 51f02467a005bc7112a2fcd52761462fda4a1843 Mon Sep 17 00:00:00 2001 From: Bruno Raoult Date: Tue, 16 Aug 2022 17:25:26 +0200 Subject: [PATCH] dirty start org->md migration --- nfsv4-kerberos-debian.md | 165 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 165 insertions(+) create mode 100644 nfsv4-kerberos-debian.md diff --git a/nfsv4-kerberos-debian.md b/nfsv4-kerberos-debian.md new file mode 100644 index 0000000..7fe6acc --- /dev/null +++ b/nfsv4-kerberos-debian.md 
@@ -0,0 +1,165 @@ +# NFSv4 with Kerberos on Debian from scratch + +This document will (hopefully) allow you to setup a kerberized NFSv4 server on Debian 11/Ubuntu 22.04. + +> Copyright (C) 2022 Bruno Raoult ("br") +> Licensed under the GNU Free Documentation License v1.3 or later. +> Some rights reserved. See COPYING. +> +> You should have received a copy of the GNU Free Documentation License along with this document. +> If not, see [this page](https://www.gnu.org/licenses/fdl-1.3-standalone.html). +> +> SPDX-License-Identifier: [GFDL-1.3-or-later](https://spdx.org/licenses/GFDL-1.3-or-later.html) + +foo + +## Introduction +### dd +If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block), +as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, +...). + +However, there are some limitations that you may find unacceptable: the loss of uid/gid/permissions and the lack of symbolic/hard links for `SMB`. + +Another option (at least on GNU/Linux) could be [SSHFS](https://github.com/libfuse/sshfs): It is simple to use, +and requires no special settings but an ssh access to server. It could be the +ideal sharing system for many people. + +What I dislike here is the need for an `ssh` access. No, I don't plan to give an ssh access to **my** servers ;-) + +This document is about a third solution : NFSv4 coupled with Kerberos +security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...). + +* Pre-requisites +- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps. +- DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]]. 
+ A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]]. + +* Kerberos (V5) +There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years. + +It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation. + +** Naming +We will use the following conventions : +#+CAPTION: Table 1: Local names +| Name | Value | Comment | +|-----------------------+-----------------+---------------------------------| +| Kerberos realm | =LAN= | Always capital | +| Local DNS name | =lan= | Typical hostname: machine.lan | +| Kerberos KDC 1 | =kdc1.lan= | Primary Key Distribution Center | +| Kerberos KDC 2 | =kdc2.lan= | Secondary KDC | +| Kerberos admin server | =kadmin.lan= | Administrative server | +| Kerberos client 1 | =kclient1.lan= | Test client 1 | +| Kerberos client 2 | =kclient2.lan= | Test client 2 | +| Kerberos credentials | =krb5/password= | Kerberos admin login/password | + +** Packages installation +On server side, install the necessary packages with : +#+BEGIN_SRC sh +$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm +#+END_SRC +And on client(s), install the following : +#+BEGIN_SRC sh +$ sudo apt-get install krb5-config heimdal-clients +#+END_SRC +On your desktop, you may also want to install some documentation with: +#+BEGIN_SRC +$ sudo apt-get install 
heimdal-docs +#+END_SRC +The above package does not include "real" heimdal docs, I did not find it on Ubuntu 22.04 repositories. I managed to install full html documentation with : +#+BEGIN_SRC +git clone https://github.com/heimdal/heimdal.git +cd heimdal +autoreconf -f -i +sh autogen.sh +./configure +make html +cd doc/heimdal.html +sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/ +#+END_SRC + +The ~krb5-config~ package installation will ask you some questions, just fill with the information from Table 1 : +- Default Kerberos version 5 realm: ~LAN~ +- Kerberos servers for your realm: ~kdc1.lan kdc2.lan~ +- Administrative server for your Kerberos realm: ~kadmin.lan~ + +After this initial configutation, ~/etc/krb5.conf~ should contain something like : +#+BEGIN_SRC conf +[libdefaults] + default_realm = LAN + kdc_timesync = true + forwardable = true + proxiable = true + +[realms] + LAN = { + kdc = kdc1.lan + kdc = kdc2.lan + admin_server = kadmin.lan + } + +[domain_realm] + lan = LAN + .lan = LAN +#+END_SRC + +** test +#+BEGIN_SRC conf +[libdefaults] + default_realm = LAN +[realms] + LAN = { + kdc = kdc1.lan + kdc = kdc2.lan + admin_server = kadmin.lan + } +#+END_SRC + +** Server side +*** Heimdal Kerberos installation +** Client side +heimdal-docs heimdal-clients +** Testing +* NFSv4 +** Server side +** Client side +** Testing +#+BEGIN_VERSE +zobi zoba +titi toto +* Sources +Kerberos setup: +- ~heimdal-docs~ package documentation : run ~$ info heimdal~ +- [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]] +- [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]] +- [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]] +- [[https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/][Setup (MIT) Kerberos Server and Client on Ubuntu 20.04]] +- 
[[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html][MIT Kerberos Documentation: Installing KDCs]] +- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames][MIT Kerberos Documentation: Realm configuration decisions]] + + +--prout +#+END_VERSE +#+CAPTION: and _multiple_ +#+CAPTION: lines of *captions*! +#+ATTR_HTML: :class a b +#+ATTR_HTML: :id it :class c d +#+BEGIN_SRC sh +echo "a bash source block with custom html attributes" +#+END_SRC + +#+BEGIN_EXPORT html + +#+END_EXPORT + +#+BEGIN_VERSE +Great clouds overhead +Tiny black birds rise and fall +Snow covers Emacs + +---AlexSchroeder +#+END_VERSE
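Review bot: the heimdal-docs build recipe under "Packages installation" cannot work as written: after `cd doc/heimdal.html` the next line is `sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/`, but the directory just entered is `heimdal.html` itself, so the copy source does not exist; either `cd doc` before the copy, or copy `.` from inside the directory. Copying by hand into `/usr/share/doc/heimdal-docs/` also writes into a directory owned by the `heimdal-docs` package installed a few lines earlier, so a later upgrade or removal of that package will clobber or orphan those files; a path under `/usr/local/share/doc/` avoids that. Three further points for the same hunk. First, the `[libdefaults]` block shown after the krb5-config questions contains `forwardable = true` and `proxiable = true`; readers who answer with the Table 1 values get exactly this file, so the text should say that these make every ticket obtained by default forwardable and proxiable (i.e. delegatable to any service that asks), which a krb5-secured NFS mount does not need, and let them decide whether to keep it. Second, the reason given for choosing Heimdal over MIT is hedged twice ("It appears", "may have some export restrictions"); since Debian ships the MIT KDC in main alongside Heimdal, either name the concrete restriction or give a technical reason for the choice. Third, the placeholder material the "dirty start" commit message admits to (`foo`, `### dd`, the `** test` duplicate of the krb5.conf block, `zobi zoba` / `titi toto`, `--prout`, the custom HTML-attribute test blocks and the closing verse) together with the remaining org-mode syntax (`[[url][text]]` links, `*` headings, `#+BEGIN_SRC` fences) needs to be cleaned up before this .md file replaces the org source, otherwise the rendered page shows org markup verbatim.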