dirty start org->md migration
This commit is contained in:
165
nfsv4-kerberos-debian.md
Normal file
@@ -0,0 +1,165 @@
# NFSv4 with Kerberos on Debian from scratch

This document will (hopefully) allow you to setup a kerberized NFSv4 server on Debian 11/Ubuntu 22.04.

> Copyright (C) 2022 Bruno Raoult ("br")
> Licensed under the GNU Free Documentation License v1.3 or later.
> Some rights reserved. See COPYING.
>
> You should have received a copy of the GNU Free Documentation License along with this document.
> If not, see [this page](https://www.gnu.org/licenses/fdl-1.3-standalone.html).
>
> SPDX-License-Identifier: [GFDL-1.3-or-later](https://spdx.org/licenses/GFDL-1.3-or-later.html)

foo

## Introduction
### dd
If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block),
as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android,
...).

However, there are some limitations that you may find unacceptable: the loss of uid/gid/permissions and the lack of symbolic/hard links for `SMB`.

Another option (at least on GNU/Linux) could be [SSHFS](https://github.com/libfuse/sshfs): It is simple to use,
and requires no special settings but an ssh access to server. It could be the
ideal sharing system for many people.

What I dislike here is the need for an `ssh` access. No, I don't plan to give an ssh access to **my** servers ;-)

This document is about a third solution : NFSv4 coupled with Kerberos
security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...).

* Pre-requisites
- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps.
- DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]].
A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]].

* Kerberos (V5)
There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years.

It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation.

** Naming
We will use the following conventions :
#+CAPTION: Table 1: Local names
| Name | Value | Comment |
|-----------------------+-----------------+---------------------------------|
| Kerberos realm | =LAN= | Always capital |
| Local DNS name | =lan= | Typical hostname: machine.lan |
| Kerberos KDC 1 | =kdc1.lan= | Primary Key Distribution Center |
| Kerberos KDC 2 | =kdc2.lan= | Secondary KDC |
| Kerberos admin server | =kadmin.lan= | Administrative server |
| Kerberos client 1 | =kclient1.lan= | Test client 1 |
| Kerberos client 2 | =kclient2.lan= | Test client 2 |
| Kerberos credentials | =krb5/password= | Kerberos admin login/password |

** Packages installation
On server side, install the necessary packages with :
#+BEGIN_SRC sh
$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm
#+END_SRC
And on client(s), install the following :
#+BEGIN_SRC sh
$ sudo apt-get install krb5-config heimdal-clients
#+END_SRC
On your desktop, you may also want to install some documentation with:
#+BEGIN_SRC
$ sudo apt-get install heimdal-docs
#+END_SRC
The above package does not include "real" heimdal docs, I did not find it on Ubuntu 22.04 repositories. I managed to install full html documentation with :
#+BEGIN_SRC
git clone https://github.com/heimdal/heimdal.git
cd heimdal
autoreconf -f -i
sh autogen.sh
./configure
make html
cd doc/heimdal.html
sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/
#+END_SRC

The ~krb5-config~ package installation will ask you some questions, just fill with the information from Table 1 :
- Default Kerberos version 5 realm: ~LAN~
- Kerberos servers for your realm: ~kdc1.lan kdc2.lan~
- Administrative server for your Kerberos realm: ~kadmin.lan~

After this initial configutation, ~/etc/krb5.conf~ should contain something like :
#+BEGIN_SRC conf
[libdefaults]
default_realm = LAN
kdc_timesync = true
forwardable = true
proxiable = true

[realms]
LAN = {
kdc = kdc1.lan
kdc = kdc2.lan
admin_server = kadmin.lan
}

[domain_realm]
lan = LAN
.lan = LAN
#+END_SRC

** test
#+BEGIN_SRC conf
[libdefaults]
default_realm = LAN
[realms]
LAN = {
kdc = kdc1.lan
kdc = kdc2.lan
admin_server = kadmin.lan
}
#+END_SRC

** Server side
*** Heimdal Kerberos installation
** Client side
heimdal-docs heimdal-clients
** Testing
* NFSv4
** Server side
** Client side
** Testing
#+BEGIN_VERSE
zobi zoba
titi toto
* Sources
Kerberos setup:
- ~heimdal-docs~ package documentation : run ~$ info heimdal~
- [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]]
- [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]]
- [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]]
- [[https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/][Setup (MIT) Kerberos Server and Client on Ubuntu 20.04]]
- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html][MIT Kerberos Documentation: Installing KDCs]]
- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames][MIT Kerberos Documentation: Realm configuration decisions]]


--prout
#+END_VERSE
#+CAPTION: and _multiple_
#+CAPTION: lines of *captions*!
#+ATTR_HTML: :class a b
#+ATTR_HTML: :id it :class c d
#+BEGIN_SRC sh
echo "a bash source block with custom html attributes"
#+END_SRC

#+BEGIN_EXPORT html
<style>
.verse-block p { white-space: pre; color: red;}
.verse-block p + p { padding-left: 2em; }
</style>
#+END_EXPORT

#+BEGIN_VERSE
Great clouds overhead
Tiny black birds rise and fall
Snow covers Emacs

---AlexSchroeder
#+END_VERSE
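Review bot: the `#+BEGIN_VERSE` opened right after the `** Testing` heading under `* NFSv4` is only closed after the whole `* Sources` list, so the `* Sources` heading and its bibliography end up inside a verse block and stop rendering as a section; move `#+END_VERSE` up to follow `titi toto`, or drop that scratch block together with the other placeholders (`foo`, `### dd`, `--prout`, the `** test` section that repeats a trimmed copy of the krb5.conf block, and the `zobi zoba` / haiku / red-CSS experiments at the end) before this lands. The file is committed as `.md` but the body is still org syntax (`*` headings, `[[url][text]]` links, `#+BEGIN_SRC`, `=code=`/`~code~` markup, `#+CAPTION` tables) mixed with a few Markdown lines (`#`, `##`, `[text](url)`); a Markdown renderer will show the org markup as literal text, so either keep the `.org` extension until the conversion is finished or convert headings, links and fences in the same commit. On the generated `/etc/krb5.conf`: `forwardable = true` and `proxiable = true` in `[libdefaults]` make every ticket obtained on that host forwardable/proxiable by default, and nothing else in the document uses that; either say why they are needed for this NFSv4 setup or leave them at the default so ticket delegation stays opt-in per `kinit`. Minor: the two documentation `#+BEGIN_SRC` blocks lack the `sh` tag the other shell blocks carry, and the install commands alternate between `apt` and `apt-get`.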