260 lines
11 KiB
Markdown
260 lines
11 KiB
Markdown
# NFSv4 with Kerberos on Debian from scratch
|
|
|
|
This document will (hopefully) allow you to setup a kerberized NFSv4 server on Debian 11/Ubuntu 22.04.
|
|
|
|
> Copyright (C) 2022 Bruno Raoult ("br")
|
|
> Licensed under the GNU Free Documentation License v1.3 or later.
|
|
> Some rights reserved. See COPYING.
|
|
>
|
|
> You should have received a copy of the GNU Free Documentation License along with this document.
|
|
> If not, see [this page](https://www.gnu.org/licenses/fdl-1.3-standalone.html).
|
|
>
|
|
> SPDX-License-Identifier: [GFDL-1.3-or-later](https://spdx.org/licenses/GFDL-1.3-or-later.html)
|
|
|
|
<!-- markdown-toc start - Don't edit this section. Run M-x markdown-toc-refresh-toc -->
|
|
**Table of Contents**
|
|
|
|
- [Introduction](#introduction)
|
|
- [Pre-requisites](#pre-requisites)
|
|
- [Kerberos (V5)](#kerberos-v5)
|
|
- [Naming](#naming)
|
|
- [Packages installation](#packages-installation)
|
|
- [Configuration](#configuration)
|
|
- [Client and server (krb5.conf)](#client-and-server-krb5conf)
|
|
- [Server only](#server-only)
|
|
- [Heimdal kdc configuration file (kdc.conf)](#heimdal-kdc-configuration-file-kdcconf)
|
|
- [Access-control lists (kadmind.acl)](#access-control-lists-kadmindacl)
|
|
- [Master key](#master-key)
|
|
- [Database initialization](#database-initialization)
|
|
- [Client side](#client-side)
|
|
- [Testing](#testing)
|
|
- [NFSv4](#nfsv4)
|
|
- [Server side](#server-side)
|
|
- [Client side](#client-side-1)
|
|
- [Testing](#testing-1)
|
|
- [Sources](#sources)
|
|
|
|
<!-- markdown-toc end -->
|
|
|
|
**TODO**
|
|
> glossary
|
|
|
|
|
|
|
|
## Introduction
|
|
If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block),
|
|
as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android,
|
|
...).
|
|
|
|
However, there are some limitations that you may find unacceptable: the loss of uid/gid/permissions and the lack of symbolic/hard links for `SMB`.
|
|
|
|
Another option (at least on GNU/Linux) could be [SSHFS](https://github.com/libfuse/sshfs): It is simple to use,
|
|
and requires no special settings but an ssh access to server. It could be the
|
|
ideal sharing system for many people.
|
|
|
|
What I dislike here is the need for an `ssh` access. No, I don't plan to give an ssh access to **my** servers ;-)
|
|
|
|
This document is about a third solution : NFSv4 coupled with Kerberos
|
|
security, on a [Debian](https://www.debian.org/)-based system (Debian, [Ubuntu](https://ubuntu.com/), etc...).
|
|
|
|
## Pre-requisites
|
|
- [**`NTP`**](https://en.wikipedia.org/wiki/Network_Time_Protocol) : All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps.
|
|
- [**`DNS server`**](https://en.wikipedia.org/wiki/Domain_Name_System) (optional) : Kerberos may, in some configurations make use of some DNS records such as [SRV](https://en.wikipedia.org/wiki/SRV_record) or [TXT](https://en.wikipedia.org/wiki/TXT_record).
|
|
A lightweight DNS server like [dnsmasq](https://dnsmasq.org/) is sufficient, and will avoid the administration of a full-fledged server such as [bind](https://www.isc.org/bind/).
|
|
|
|
## Kerberos (V5)
|
|
There are basically two major implementations of [Kerberos V5](https://datatracker.ietf.org/doc/html/rfc4120) on GNU/Linux: The original [MIT](https://web.mit.edu/kerberos/www/) one, and the [Heimdal](https://github.com/heimdal/heimdal) one. There was also a GNU implementation [Shishi](http://www.gnu.org/software/shishi/), but developement looks stalled for 10+ years.
|
|
|
|
It appears that the MIT implementation may have some [export restrictions](https://web.mit.edu/kerberos/dist/index.html) due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. This document will use the "_un-regulated_" implementation.
|
|
|
|
### Naming
|
|
We will use the following conventions :
|
|
|
|
| Name | Value | Comment |
|
|
|:----------------------|:----------------|:--------------------------------|
|
|
| Kerberos realm | `LAN` | Always capital |
|
|
| Local DNS name | `lan` | Typical hostname: machine.lan |
|
|
| Kerberos KDC 1 | `kdc1.lan` | Primary Key Distribution Center |
|
|
| Kerberos KDC 2 | `kdc2.lan` | Secondary KDC |
|
|
| Kerberos admin server | `kadmin.lan` | Administrative server |
|
|
| Kerberos client 1 | `kclient1.lan` | Test client 1 |
|
|
| Kerberos client 2 | `kclient2.lan` | Test client 2 |
|
|
| Kerberos credentials | `krb5/password` | Kerberos admin login/password |
|
|
|
|
### Packages installation
|
|
On server side, install the necessary packages with :
|
|
```
|
|
$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm heimdal-docs
|
|
```
|
|
And on client(s), install the following :
|
|
```
|
|
$ sudo apt-get install krb5-config heimdal-clients heimdal-docs
|
|
```
|
|
The `krb5-config` package installation will ask you some questions, just fill with the information from table above :
|
|
- Default Kerberos version 5 realm: `LAN`
|
|
- Kerberos servers for your realm: `kdc1.lan` and `kdc2.lan`
|
|
- Administrative server for your Kerberos realm: `kadmin.lan`
|
|
|
|
After this initial configuration, `/etc/krb5.conf` will have been created with some default value, which can look-like :
|
|
```
|
|
[libdefaults]
|
|
default_realm = LAN
|
|
kdc_timesync = true
|
|
forwardable = true
|
|
proxiable = true
|
|
|
|
[realms]
|
|
LAN = {
|
|
kdc = kdc1.lan
|
|
kdc = kdc2.lan
|
|
admin_server = kadmin.lan
|
|
}
|
|
|
|
[domain_realm]
|
|
lan = LAN
|
|
.lan = LAN
|
|
```
|
|
**Note about documentation**: The `heimdal-docs` package will install [`GNU info`](https://en.wikipedia.org/wiki/Info_(Unix)).
|
|
If you want HTML documentation, you will have to manually build it from source with the following commands :
|
|
```
|
|
$ git clone https://github.com/heimdal/heimdal.git
|
|
$ cd heimdal
|
|
$ autoreconf -f -i
|
|
$ sh autogen.sh
|
|
$ ./configure
|
|
$ make html
|
|
$ cd doc/heimdal.html
|
|
$ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/
|
|
```
|
|
### Configuration
|
|
#### Client and server (krb5.conf)
|
|
The `/etc/krb5.conf` can be changed at any time, and we will immediately make some changes with some sane defaults (see `krb5.conf(5)` for more details) :
|
|
```
|
|
[appdefaults]
|
|
# for testing purpose, short lifetime
|
|
ticket_lifetime = 30m
|
|
renew_lifetime = 1h
|
|
|
|
[libdefaults]
|
|
default_realm = LAN
|
|
kdc_timesync = true
|
|
forwardable = true
|
|
proxiable = true
|
|
|
|
#ticket_lifetime = 2 days
|
|
#renew_lifetime = 10 days
|
|
# for testing purpose, short lifetime
|
|
ticket_lifetime = 30m
|
|
renew_lifetime = 1h
|
|
|
|
allow_weak_crypto = false
|
|
|
|
default_keytab_name = FILE:/var/lib/heimdal-lan.keytab
|
|
|
|
# Use DNS SRV records to lookup KDC services location.
|
|
dns_lookup_kdc = false
|
|
# Use DNS TXT records to lookup domain to realm mappings.
|
|
dns_lookup_realm = false
|
|
|
|
# required when using basic authentication with Apache2's
|
|
# mod_auth_kerb module (`Request is a replay' errors);
|
|
# `0' for MIT library and `false' for Heimdal library
|
|
kdc_timesync = false
|
|
|
|
[realms]
|
|
LAN = {
|
|
kdc = kdc1.lan
|
|
kdc = kdc2.lan
|
|
admin_server = kadmin.lan
|
|
}
|
|
|
|
[domain_realm]
|
|
lan = LAN
|
|
.lan = LAN
|
|
|
|
[logging]
|
|
# will default to /var/log/heimdal-kdc.log
|
|
# If you change destination, don't forget /etc/logrotate.d
|
|
kdc = SYSLOG:DEBUG:AUTH
|
|
admin_server = SYSLOG:DEBUG:AUTH
|
|
default = SYSLOG:DEBUG:AUTH
|
|
```
|
|
### Server only
|
|
#### Heimdal kdc configuration file (kdc.conf)
|
|
`/etc/heimdal-kdc/kdc.conf` (see `kdc(8)` for details) is the Heimdal KDC configuration file. In this file, we just setup the `[kdc]` section as below. Note that I prefer to use an `sqlite` database, simply because many tools allow to browse/edit the content.
|
|
```
|
|
$ grep -vE '(\#|^$)' kdc.conf
|
|
[kdc]
|
|
database = {
|
|
dbname = sqlite:/var/lib/heimdal-kdc/heimdal-lan.sqlite3
|
|
acl_file = /etc/heimdal-kdc/kadmind.acl
|
|
mkey_file = /var/lib/heimdal-kdc/m-key
|
|
}
|
|
addresses = 0.0.0.0
|
|
```
|
|
#### Access-control lists (kadmind.acl)
|
|
`/etc/heimdal-kdc/kadmind.acl` is the file giving access to non-local administration (i.e. when using `kadmin` without `-l` option). See `kadmind(8)` for syntax details. To get a simple administration, we give full admin rights to `bruno/admin@LAN` principal, and allow any principal in admin
|
|
```
|
|
bruno/admin@LAN all
|
|
*/admin@LAN add,get-keys host/*@LAN
|
|
```
|
|
#### Master key
|
|
**Note**: A master key is mainly necessary if you store the database in a shared location (think about backups), to make brute-force attacks more difficult. For testing purpose, you may skip this section.
|
|
|
|
First, we will Use`kstash(1)` to give a master key to the database (we don't need to remember it). You should use the same `mkey-file` as the one specified in `[kdc]` section above.
|
|
```
|
|
$ sudo kstash --random-key -k /var/lib/heimdal-kdc/m-key
|
|
```
|
|
#### Database initialization
|
|
The four `kadmin` commands below will initialize `LAN` realm, create a `bruno/admin` principal, and list the known principals :
|
|
```
|
|
$ sudo kadmin -l
|
|
kadmin> init LAN
|
|
Realm max ticket life [unlimited]:
|
|
Realm max renewable ticket life [unlimited]:
|
|
```
|
|
Add a user
|
|
```
|
|
kadmin> add bruno/admin
|
|
Max ticket life [1 day]:
|
|
Max renewable life [1 week]:
|
|
Principal expiration time [never]:
|
|
Password expiration time [never]:
|
|
Attributes []:
|
|
Policy [default]:
|
|
bruno/admin@LAN's Password:
|
|
Verify password - bruno/admin@LAN's Password:
|
|
```
|
|
|
|
```
|
|
kadmin> get -s *
|
|
Principal Expiration PW-exp PW-change Max life Max renew
|
|
krbtgt/LAN never never 2022-08-17 unlimited unlimited
|
|
kadmin/changepw never never 2022-08-17 5 minutes 5 minutes
|
|
kadmin/admin never never 2022-08-17 1 hour 1 hour
|
|
changepw/kerberos never never 2022-08-17 1 hour 1 hour
|
|
kadmin/hprop never never 2022-08-17 1 hour 1 hour
|
|
WELLKNOWN/ANONYMOUS never never 2022-08-17 1 hour 1 hour
|
|
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L never never 2022-08-17 1 hour 1 hour
|
|
default never never 2022-08-17 1 day 1 week
|
|
bruno/admin never never 2022-08-17 1 day 1 week
|
|
```
|
|
Then, TODO...
|
|
### Client side
|
|
### Testing
|
|
## NFSv4
|
|
### Server side
|
|
### Client side
|
|
### Testing
|
|
## Sources
|
|
Kerberos :
|
|
- `heimdal-docs` package documentation :
|
|
- info help: `$ info heimdal`
|
|
- HTML documentation (if installed as above): You will find it in `/usr/share/doc/heimdal-docs/heimdal.html/index.html`
|
|
- [Heimdal setup on Debian](http://chschneider.eu/linux/server/heimdal.shtml).
|
|
- [Debian/Ubuntu Linux with Active Directory Kerberos Server](http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html)
|
|
- [Principal names and DNS](https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html)
|
|
- [Setup (MIT) Kerberos Server and Client on Ubuntu 20.04](https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/)
|
|
- [MIT Kerberos Documentation: Installing KDCs](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html)
|
|
- [MIT Kerberos Documentation: Realm configuration decisions](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames)
|