org->md migration finished

2022-08-16 19:09:27 +02:00
parent 51f02467a0
commit e68e39a5c2


@@ -11,10 +11,14 @@ This document will (hopefully) allow you to setup a kerberized NFSv4 server on D
> >
> SPDX-License-Identifier: [GFDL-1.3-or-later](https://spdx.org/licenses/GFDL-1.3-or-later.html) > SPDX-License-Identifier: [GFDL-1.3-or-later](https://spdx.org/licenses/GFDL-1.3-or-later.html)
foo <!-- markdown-toc start - Don't edit this section. Run M-x markdown-toc-refresh-toc -->
**Table of Contents**
- [Introduction](#introduction)
<!-- markdown-toc end -->
## Introduction ## Introduction
### dd
If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block), If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block),
as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android,
...). ...).
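Review bot: stray placeholder text survives on the new side of this hunk: the word `foo` in front of the `<!-- markdown-toc start ... -->` comment and a `### dd` heading directly under `## Introduction`; both read as leftovers of the migration and should be deleted. The generated table of contents lists only `Introduction`, while the file now carries `##`/`###` headings for Pre-requisites, Kerberos (V5), NFSv4 and Sources, so re-run `M-x markdown-toc-refresh-toc` (as the comment itself asks) before merging.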
@@ -28,64 +32,66 @@ ideal sharing system for many people.
What I dislike here is the need for an `ssh` access. No, I don't plan to give an ssh access to **my** servers ;-) What I dislike here is the need for an `ssh` access. No, I don't plan to give an ssh access to **my** servers ;-)
This document is about a third solution : NFSv4 coupled with Kerberos This document is about a third solution : NFSv4 coupled with Kerberos
security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...). security, on a [Debian](https://www.debian.org/)-based system (Debian, [Ubuntu](https://ubuntu.com/), etc...).
* Pre-requisites ## Pre-requisites
- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps. - [**`NTP`**](https://en.wikipedia.org/wiki/Network_Time_Protocol) : All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps.
- DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]]. - [**`DNS server`**](https://en.wikipedia.org/wiki/Domain_Name_System) (optional) : Kerberos may, in some configurations make use of some DNS records such as [SRV](https://en.wikipedia.org/wiki/SRV_record) or [TXT](https://en.wikipedia.org/wiki/TXT_record).
A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]]. A lightweight DNS server like [dnsmasq](https://dnsmasq.org/) is sufficient, and will avoid the administration of a full-fledged server such as [bind](https://www.isc.org/bind/).
* Kerberos (V5) ## Kerberos (V5)
There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years. There are basically two major implementations of [Kerberos V5](https://datatracker.ietf.org/doc/html/rfc4120) on GNU/Linux: The original [MIT](https://web.mit.edu/kerberos/www/) one, and the [Heimdal](https://github.com/heimdal/heimdal) one. There was also a GNU implementation [Shishi](http://www.gnu.org/software/shishi/), but developement looks stalled for 10+ years.
It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation. It appears that the MIT implementation may have some [export restrictions](https://web.mit.edu/kerberos/dist/index.html) due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. This document will use the "_un-regulated_" implementation.
** Naming ### Naming
We will use the following conventions : We will use the following conventions :
#+CAPTION: Table 1: Local names #+CAPTION: Table 1: Local names
| Name | Value | Comment | | Name | Value | Comment |
|-----------------------+-----------------+---------------------------------| |:----------------------+:----------------+:--------------------------------|
| Kerberos realm | =LAN= | Always capital | | Kerberos realm | `LAN` | Always capital |
| Local DNS name | =lan= | Typical hostname: machine.lan | | Local DNS name | `lan` | Typical hostname: machine.lan |
| Kerberos KDC 1 | =kdc1.lan= | Primary Key Distribution Center | | Kerberos KDC 1 | `kdc1.lan` | Primary Key Distribution Center |
| Kerberos KDC 2 | =kdc2.lan= | Secondary KDC | | Kerberos KDC 2 | `kdc2.lan` | Secondary KDC |
| Kerberos admin server | =kadmin.lan= | Administrative server | | Kerberos admin server | `kadmin.lan` | Administrative server |
| Kerberos client 1 | =kclient1.lan= | Test client 1 | | Kerberos client 1 | `kclient1.lan` | Test client 1 |
| Kerberos client 2 | =kclient2.lan= | Test client 2 | | Kerberos client 2 | `kclient2.lan` | Test client 2 |
| Kerberos credentials | =krb5/password= | Kerberos admin login/password | | Kerberos credentials | `krb5/password` | Kerberos admin login/password |
** Packages installation ### Packages installation
On server side, install the necessary packages with : On server side, install the necessary packages with :
#+BEGIN_SRC sh ```
$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm $ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm
#+END_SRC ```
And on client(s), install the following : And on client(s), install the following :
#+BEGIN_SRC sh
```
$ sudo apt-get install krb5-config heimdal-clients $ sudo apt-get install krb5-config heimdal-clients
#+END_SRC
On your desktop, you may also want to install some documentation with: ```
#+BEGIN_SRC On your desktop, you may also want to install Heimdal [`info`](https://en.wikipedia.org/wiki/Info_(Unix)) documentation with:
```
$ sudo apt-get install heimdal-docs $ sudo apt-get install heimdal-docs
#+END_SRC ```
The above package does not include "real" heimdal docs, I did not find it on Ubuntu 22.04 repositories. I managed to install full html documentation with : Or, if you prefer HTML, you can install the documentation from source with the following commands :
#+BEGIN_SRC ```
git clone https://github.com/heimdal/heimdal.git $ git clone https://github.com/heimdal/heimdal.git
cd heimdal $ cd heimdal
autoreconf -f -i $ autoreconf -f -i
sh autogen.sh $ sh autogen.sh
./configure $ ./configure
make html $ make html
cd doc/heimdal.html $ cd doc/heimdal.html
sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/ $ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/
#+END_SRC ```
The ~krb5-config~ package installation will ask you some questions, just fill with the information from Table 1 : The `krb5-config` package installation will ask you some questions, just fill with the information from Table 1 :
- Default Kerberos version 5 realm: ~LAN~ - Default Kerberos version 5 realm: `LAN`
- Kerberos servers for your realm: ~kdc1.lan kdc2.lan~ - Kerberos servers for your realm: `kdc1.lan` and `kdc2.lan`
- Administrative server for your Kerberos realm: ~kadmin.lan~ - Administrative server for your Kerberos realm: `kadmin.lan`
After this initial configutation, ~/etc/krb5.conf~ should contain something like : After this initial configuration, `/etc/krb5.conf` should contain something like :
#+BEGIN_SRC conf ```
[libdefaults] [libdefaults]
default_realm = LAN default_realm = LAN
kdc_timesync = true kdc_timesync = true
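Review bot: the converted fences drop the language tags the org blocks carried (`#+BEGIN_SRC sh` and `#+BEGIN_SRC conf` both become a bare fence), so the `apt`, `git`/`make` and `/etc/krb5.conf` blocks lose their highlighting; tag them ```sh and ```conf respectively. On the same lines, the server block uses `apt install` while the client block uses `apt-get install`, which looks like an inconsistency rather than a choice, and `cd doc/heimdal.html` followed by `sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/` does not add up: if `heimdal.html` is the directory that `make html` produces, the copy has to run from `doc/` (`cd doc`), not from inside that directory. The typos `developement` and `explicitely` in the Kerberos (V5) paragraph are carried over unchanged and could be fixed in passing.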
@@ -102,64 +108,21 @@ After this initial configutation, ~/etc/krb5.conf~ should contain something like
[domain_realm] [domain_realm]
lan = LAN lan = LAN
.lan = LAN .lan = LAN
#+END_SRC ```
### Server side
** test ### Client side
#+BEGIN_SRC conf ### Testing
[libdefaults] ## NFSv4
default_realm = LAN ### Server side
[realms] ### Client side
LAN = { ### Testing
kdc = kdc1.lan ## Sources
kdc = kdc2.lan Kerberos :
admin_server = kadmin.lan - ~heimdal-docs~ package documentation : run `$ info heimdal` or, if you installed HTML documentation, visit [its index page](file:///usr/share/doc/heimdal-docs/heimdal.html/index.html).
} - [Heimdal setup on Debian](http://chschneider.eu/linux/server/heimdal.shtml).
#+END_SRC - [Debian/Ubuntu Linux with Active Directory Kerberos Server](http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html)
- [Principal names and DNS](https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html)
** Server side - [Setup (MIT) Kerberos Server and Client on Ubuntu 20.04](https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/)
*** Heimdal Kerberos installation - [MIT Kerberos Documentation: Installing KDCs](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html)
** Client side - [MIT Kerberos Documentation: Realm configuration decisions](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames)
heimdal-docs heimdal-clients
** Testing
* NFSv4
** Server side
** Client side
** Testing
#+BEGIN_VERSE
zobi zoba
titi toto
* Sources
Kerberos setup:
- ~heimdal-docs~ package documentation : run ~$ info heimdal~
- [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]]
- [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]]
- [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]]
- [[https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/][Setup (MIT) Kerberos Server and Client on Ubuntu 20.04]]
- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html][MIT Kerberos Documentation: Installing KDCs]]
- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames][MIT Kerberos Documentation: Realm configuration decisions]]
--prout
#+END_VERSE
#+CAPTION: and _multiple_
#+CAPTION: lines of *captions*!
#+ATTR_HTML: :class a b
#+ATTR_HTML: :id it :class c d
#+BEGIN_SRC sh
echo "a bash source block with custom html attributes"
#+END_SRC
#+BEGIN_EXPORT html
<style>
.verse-block p { white-space: pre; color: red;}
.verse-block p + p { padding-left: 2em; }
</style>
#+END_EXPORT
#+BEGIN_VERSE
Great clouds overhead
Tiny black birds rise and fall
Snow covers Emacs
---AlexSchroeder
#+END_VERSE
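Review bot: org verbatim markup survives in the Sources list on the new side: `~heimdal-docs~` should use backticks like every other code span now that the file is markdown, and the spacing in `documentation : run` differs from the rest of the list. The new `### Server side`, `### Client side` and `### Testing` headings under Kerberos, and the whole `## NFSv4` section, are empty headings; if they are intentional placeholders for later commits that is fine, but a reader of this revision will otherwise take the guide as complete. Removing the old `** test` duplicate of the `[realms]` block and the scratch verse, haiku and `--prout` material is the right call for a published document.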