From e68e39a5c25488a2943389d89894510fc57d593f Mon Sep 17 00:00:00 2001 From: Bruno Raoult Date: Tue, 16 Aug 2022 19:09:27 +0200 Subject: [PATCH] org->md migration finished --- nfsv4-kerberos-debian.md | 173 +++++++++++++++------------------------ 1 file changed, 68 insertions(+), 105 deletions(-) diff --git a/nfsv4-kerberos-debian.md b/nfsv4-kerberos-debian.md index 7fe6acc..16cc974 100644 --- a/nfsv4-kerberos-debian.md +++ b/nfsv4-kerberos-debian.md @@ -11,10 +11,14 @@ This document will (hopefully) allow you to setup a kerberized NFSv4 server on D > > SPDX-License-Identifier: [GFDL-1.3-or-later](https://spdx.org/licenses/GFDL-1.3-or-later.html) -foo + +**Table of Contents** + + - [Introduction](#introduction) + + ## Introduction -### dd If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block), as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, ...). 
@@ -28,64 +32,66 @@ ideal sharing system for many people. What I dislike here is the need for an `ssh` access. No, I don't plan to give an ssh access to **my** servers ;-) This document is about a third solution : NFSv4 coupled with Kerberos -security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...). +security, on a [Debian](https://www.debian.org/)-based system (Debian, [Ubuntu](https://ubuntu.com/), etc...). -* Pre-requisites -- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps. -- DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]]. - A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]]. +## Pre-requisites +- [**`NTP`**](https://en.wikipedia.org/wiki/Network_Time_Protocol) : All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps. +- [**`DNS server`**](https://en.wikipedia.org/wiki/Domain_Name_System) (optional) : Kerberos may, in some configurations make use of some DNS records such as [SRV](https://en.wikipedia.org/wiki/SRV_record) or [TXT](https://en.wikipedia.org/wiki/TXT_record). + A lightweight DNS server like [dnsmasq](https://dnsmasq.org/) is sufficient, and will avoid the administration of a full-fledged server such as [bind](https://www.isc.org/bind/). -* Kerberos (V5) -There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. 
There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years. +## Kerberos (V5) +There are basically two major implementations of [Kerberos V5](https://datatracker.ietf.org/doc/html/rfc4120) on GNU/Linux: The original [MIT](https://web.mit.edu/kerberos/www/) one, and the [Heimdal](https://github.com/heimdal/heimdal) one. There was also a GNU implementation [Shishi](http://www.gnu.org/software/shishi/), but developement looks stalled for 10+ years. -It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation. +It appears that the MIT implementation may have some [export restrictions](https://web.mit.edu/kerberos/dist/index.html) due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. This document will use the "_un-regulated_" implementation. 
-** Naming +### Naming We will use the following conventions : #+CAPTION: Table 1: Local names | Name | Value | Comment | -|-----------------------+-----------------+---------------------------------| -| Kerberos realm | =LAN= | Always capital | -| Local DNS name | =lan= | Typical hostname: machine.lan | -| Kerberos KDC 1 | =kdc1.lan= | Primary Key Distribution Center | -| Kerberos KDC 2 | =kdc2.lan= | Secondary KDC | -| Kerberos admin server | =kadmin.lan= | Administrative server | -| Kerberos client 1 | =kclient1.lan= | Test client 1 | -| Kerberos client 2 | =kclient2.lan= | Test client 2 | -| Kerberos credentials | =krb5/password= | Kerberos admin login/password | +|:----------------------+:----------------+:--------------------------------| +| Kerberos realm | `LAN` | Always capital | +| Local DNS name | `lan` | Typical hostname: machine.lan | +| Kerberos KDC 1 | `kdc1.lan` | Primary Key Distribution Center | +| Kerberos KDC 2 | `kdc2.lan` | Secondary KDC | +| Kerberos admin server | `kadmin.lan` | Administrative server | +| Kerberos client 1 | `kclient1.lan` | Test client 1 | +| Kerberos client 2 | `kclient2.lan` | Test client 2 | +| Kerberos credentials | `krb5/password` | Kerberos admin login/password | -** Packages installation +### Packages installation On server side, install the necessary packages with : -#+BEGIN_SRC sh +``` $ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm -#+END_SRC +``` And on client(s), install the following : -#+BEGIN_SRC sh + +``` $ sudo apt-get install krb5-config heimdal-clients -#+END_SRC -On your desktop, you may also want to install some documentation with: -#+BEGIN_SRC + +``` +On your desktop, you may also want to install Heimdal [`info`](https://en.wikipedia.org/wiki/Info_(Unix)) documentation with: +``` $ sudo apt-get install heimdal-docs -#+END_SRC -The above package does not include "real" heimdal docs, I did not find it on Ubuntu 22.04 repositories. 
I managed to install full html documentation with : -#+BEGIN_SRC -git clone https://github.com/heimdal/heimdal.git -cd heimdal -autoreconf -f -i -sh autogen.sh -./configure -make html -cd doc/heimdal.html -sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/ -#+END_SRC +``` +Or, if you prefer HTML, you can install the documentation from source with the following commands : +``` +$ git clone https://github.com/heimdal/heimdal.git +$ cd heimdal +$ autoreconf -f -i +$ sh autogen.sh +$ ./configure +$ make html +$ cd doc/heimdal.html +$ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/ +``` -The ~krb5-config~ package installation will ask you some questions, just fill with the information from Table 1 : -- Default Kerberos version 5 realm: ~LAN~ -- Kerberos servers for your realm: ~kdc1.lan kdc2.lan~ -- Administrative server for your Kerberos realm: ~kadmin.lan~ +The `krb5-config` package installation will ask you some questions, just fill with the information from Table 1 : +- Default Kerberos version 5 realm: `LAN` +- Kerberos servers for your realm: `kdc1.lan` and `kdc2.lan` +- Administrative server for your Kerberos realm: `kadmin.lan` -After this initial configutation, ~/etc/krb5.conf~ should contain something like : -#+BEGIN_SRC conf +After this initial configuration, `/etc/krb5.conf` should contain something like : +``` [libdefaults] default_realm = LAN kdc_timesync = true 
@@ -102,64 +108,21 @@ After this initial configutation, ~/etc/krb5.conf~ should contain something like [domain_realm] lan = LAN .lan = LAN -#+END_SRC +``` +### Server side -** test -#+BEGIN_SRC conf -[libdefaults] - default_realm = LAN -[realms] - LAN = { - kdc = kdc1.lan - kdc = kdc2.lan - admin_server = kadmin.lan - } -#+END_SRC - -** Server side -*** Heimdal Kerberos installation -** Client side -heimdal-docs heimdal-clients -** Testing -* NFSv4 -** Server side -** Client side -** Testing -#+BEGIN_VERSE -zobi zoba -titi toto -* Sources -Kerberos setup: -- ~heimdal-docs~ package documentation : run ~$ info heimdal~ -- [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]] -- [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]] -- [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]] -- [[https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/][Setup (MIT) Kerberos Server and Client on Ubuntu 20.04]] -- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html][MIT Kerberos Documentation: Installing KDCs]] -- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames][MIT Kerberos Documentation: Realm configuration decisions]] - - ---prout -#+END_VERSE -#+CAPTION: and _multiple_ -#+CAPTION: lines of *captions*! 
-#+ATTR_HTML: :class a b -#+ATTR_HTML: :id it :class c d -#+BEGIN_SRC sh -echo "a bash source block with custom html attributes" -#+END_SRC - -#+BEGIN_EXPORT html - -#+END_EXPORT - -#+BEGIN_VERSE -Great clouds overhead -Tiny black birds rise and fall -Snow covers Emacs - ----AlexSchroeder -#+END_VERSE +### Client side +### Testing +## NFSv4 +### Server side +### Client side +### Testing +## Sources +Kerberos : +- ~heimdal-docs~ package documentation : run `$ info heimdal` or, if you installed HTML documentation, visit [its index page](file:///usr/share/doc/heimdal-docs/heimdal.html/index.html). +- [Heimdal setup on Debian](http://chschneider.eu/linux/server/heimdal.shtml). +- [Debian/Ubuntu Linux with Active Directory Kerberos Server](http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html) +- [Principal names and DNS](https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html) +- [Setup (MIT) Kerberos Server and Client on Ubuntu 20.04](https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/) +- [MIT Kerberos Documentation: Installing KDCs](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html) +- [MIT Kerberos Documentation: Realm configuration decisions](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames)
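Review bot: the new **Table of Contents** in the first hunk (`@@ -11,10 +11,14 @@`) lists only `[Introduction](#introduction)`, while this same patch adds `## Pre-requisites`, `## Kerberos (V5)` (with its `### Naming` and `### Packages installation` subsections), `## NFSv4` and `## Sources`; either complete the list with those anchors or drop the TOC until it is generated from the final headings, since a one-entry TOC reads as a leftover of the migration. Removing the `foo` and `### dd` placeholder lines is fine.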
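Review bot: in the second hunk (`@@ -28,64 +32,66 @@`) the answer for "Kerberos servers for your realm" was changed from the literal `kdc1.lan kdc2.lan` to "`kdc1.lan` and `kdc2.lan`"; the `krb5-config` debconf prompt expects one space-separated value, so keep the exact string the reader has to type, e.g. `- Kerberos servers for your realm: \`kdc1.lan kdc2.lan\``. In the same hunk, the HTML-documentation block runs `$ cd doc/heimdal.html` and then `$ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/`; after that `cd` the current directory is `heimdal.html` itself, so the copy source will not exist unless there is a nested directory of the same name, and the `cd` should probably be `cd doc`. The clone is also from an unpinned default branch; checking out the tag that matches the installed `heimdal-*` package version keeps the generated docs in step with what is installed. Minor: the converted fences lost the `sh`/`conf` language tags that the org `#+BEGIN_SRC sh` and `#+BEGIN_SRC conf` blocks carried, and the typos "explicitely" and "developement" were carried over and could be fixed while these lines are being touched.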
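Review bot: the `## Sources` list in the third hunk (`@@ -102,64 +108,21 @@`) still uses org-mode markup in its first entry (`~heimdal-docs~`) while the rest of the file was converted to backticks; change it to `` `heimdal-docs` ``. The `file:///usr/share/doc/heimdal-docs/heimdal.html/index.html` link will not open from a rendered page served over http(s), since browsers refuse to follow `file:` links from such pages, so showing the path as inline code is clearer. `### Server side`, `### Client side`, `### Testing`, `## NFSv4` and its three subsections are left as empty headings, and the org `*** Heimdal Kerberos installation` subsection was dropped without a markdown counterpart; given that the subject line says the migration is finished, either mark these as TODO in the text or restore the subsection so a reader does not take an empty "Server side" heading for the complete KDC setup. Removing the `** test` duplicate of the `[libdefaults]`/`[realms]` block and the scratch verse, export and custom-attribute blocks is correct. Minor: the Sources entries end inconsistently (the first two with a period, the rest without).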