#+TITLE: NFSv4 with Kerberos on Debian from scratch
#+OPTIONS: toc:nil
#+TODO: TODO STARTED DONE
#+EXCLUDE_TAGS: noexport

#+BEGIN_QUOTE
/Copyright (C) 2022 Bruno Raoult ("br")/
/Licensed under the GNU Free Documentation License v1.3 or later./
/Some rights reserved. See COPYING./
/You should have received a copy of the GNU Free Documentation License along with this document./
/If not, see [[https://www.gnu.org/licenses/fdl-1.3-standalone.html][this page]]./
/SPDX-License-Identifier: [[https://spdx.org/licenses/GFDL-1.3-or-later.html][GFDL-1.3-or-later]]/
#+END_QUOTE

* Table of Contents :TOC:
**** Table of Contents
#+TOC: headlines 3

* Introduction
If you share files between your machines, your choice was probably [[https://en.wikipedia.org/wiki/Server_Message_Block][SMB/CIFS]], as it is supported on nearly every platform (GNU/Linux, macOS, Windows, iOS, Android, ...). However, it has limitations that you may find unacceptable (the loss of uid/gid/permissions is a blocking point for me).

Another option (at least on GNU/Linux) is [[https://github.com/libfuse/sshfs][sshfs]]: it is simple to use and requires no special setup beyond ssh access to the server. It could be the ideal sharing system for many people.

This document is about a third solution: NFSv4 coupled with Kerberos security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc.).

* Pre-requisites
- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication relies on the timestamps carried in tickets and authenticators. By default, a clock difference of more than 5 minutes between a client, a KDC and a service makes authentication fail.
- DNS server (optional) :: Kerberos may, in some configurations, use DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] (to locate the KDCs) or [[https://en.wikipedia.org/wiki/TXT_record][TXT]] (to map a DNS domain to a realm). A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and avoids the administration of a full-fledged server such as [[https://www.isc.org/bind/][BIND]]. Keep in mind that plain DNS answers are not authenticated: learning the realm from TXT records is disabled by default in MIT Kerberos for this reason, and the domain-to-realm mapping is better set statically in =krb5.conf=.
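As an added example (not part of the original document), the script below writes the two files that back these prerequisites on a Debian host, using the names of Table 1 in the Kerberos section: a client =krb5.conf= with a static domain-to-realm mapping, and a =dnsmasq= fragment publishing the SRV records the clients query. It assumes the conventional destinations =/etc/krb5.conf= and =/etc/dnsmasq.d/kerberos.conf=, and writes to a directory given on the command line so it can be dry-run first. The =[libdefaults]= option names are those of krb5.conf(5); MIT and Heimdal both document them, but check the manual page of the library you install.

```sh
#!/bin/sh
# Added example (not from the original document): generate a client
# krb5.conf and the dnsmasq records for the naming of Table 1:
# realm LAN, KDCs kdc1.lan and kdc2.lan, admin server kadmin.lan.
# Output goes to the directory given as first argument, so the script can
# be dry-run anywhere before the files are copied to /etc/krb5.conf and
# /etc/dnsmasq.d/kerberos.conf (the latter path is a conventional choice).
set -eu

REALM="LAN"
DOMAIN="lan"
KDCS="kdc1.lan kdc2.lan"
ADMIN="kadmin.lan"

# write_krb5_conf DIR: write DIR/krb5.conf. The [libdefaults]/[realms]/
# [domain_realm] layout is shared by the Heimdal and MIT libraries.
write_krb5_conf() {
    dir="$1"
    {
        printf '[libdefaults]\n'
        printf '\tdefault_realm = %s\n' "$REALM"
        # Maximum tolerated clock difference in seconds (the default value,
        # made explicit): this is why NTP is a prerequisite.
        printf '\tclockskew = 300\n'
        # Never learn the realm from unauthenticated DNS TXT answers; the
        # static [domain_realm] mapping below is used instead.
        printf '\tdns_lookup_realm = false\n'
        # SRV lookup of KDCs complements the static list in [realms].
        printf '\tdns_lookup_kdc = true\n'
        printf '\n[realms]\n'
        printf '\t%s = {\n' "$REALM"
        for kdc in $KDCS; do
            printf '\t\tkdc = %s\n' "$kdc"
        done
        printf '\t\tadmin_server = %s\n' "$ADMIN"
        printf '\t}\n'
        printf '\n[domain_realm]\n'
        printf '\t.%s = %s\n' "$DOMAIN" "$REALM"
        printf '\t%s = %s\n' "$DOMAIN" "$REALM"
    } > "$dir/krb5.conf"
}

# write_dnsmasq_conf DIR: write DIR/kerberos.conf with the SRV records a
# client queries to find the KDCs (port 88), the admin server (749) and the
# password-change service (464), plus the TXT realm record. Clients
# configured as above ignore the TXT record (dns_lookup_realm = false);
# it only documents the realm for other tools.
write_dnsmasq_conf() {
    dir="$1"
    {
        printf '# Kerberos service records for realm %s\n' "$REALM"
        for kdc in $KDCS; do
            printf 'srv-host=_kerberos._udp.%s,%s,88\n' "$DOMAIN" "$kdc"
            printf 'srv-host=_kerberos._tcp.%s,%s,88\n' "$DOMAIN" "$kdc"
        done
        printf 'srv-host=_kerberos-adm._tcp.%s,%s,749\n' "$DOMAIN" "$ADMIN"
        printf 'srv-host=_kpasswd._udp.%s,%s,464\n' "$DOMAIN" "$ADMIN"
        printf 'txt-record=_kerberos.%s,%s\n' "$DOMAIN" "$REALM"
    } > "$dir/kerberos.conf"
}

# Usage: sh kerberos-conf.sh OUTDIR
# Once dnsmasq has reloaded the copied file, check the published records
# from a client with: host -t SRV _kerberos._udp.lan
if [ "$#" -ge 1 ]; then
    write_krb5_conf "$1"
    write_dnsmasq_conf "$1"
fi
```

Both KDCs are listed twice: statically in =[realms]= (so a client still finds them if DNS is down) and as SRV records (so hosts that only carry a minimal =krb5.conf= find them too). With two KDCs, a client falls back to the second one when the first does not answer, which is the point of running two.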
* Kerberos (V5)
There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: the original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but its development looks stalled for 10+ years.

It appears that the MIT implementation may be subject to [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] under U.S. regulation. The Heimdal implementation (explicitly developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation. Both implement the same protocol, so clients built on the MIT libraries interoperate with a Heimdal KDC.

** Naming
We will use the following conventions:

#+CAPTION: Table 1: Kerberos hosts naming
| Name                  | Value        | Comment                       |
|-----------------------+--------------+-------------------------------|
| Domain name           | =.lan=       | Typical hostname: machine.lan |
| Kerberos realm        | =LAN=        | Always upper case             |
| Kerberos KDC 1        | =kdc1.lan=   | Key Distribution Center       |
| Kerberos KDC 2        | =kdc2.lan=   |                               |
| Kerberos admin server | =kadmin.lan= |                               |

** Server side
For resilience reasons, I will use two kb

** Client side

** Testing

* NFSv4
** Server side

** Client side

** Testing

* Sources