NFSv4 with Kerberos on Debian from scratch
Copyright (C) 2022 Bruno Raoult ("br") Licensed under the GNU Free Documentation License v1.3 or later. Some rights reserved. See COPYING.
You should have received a copy of the GNU Free Documentation License along with this document. If not, see this page.
SPDX-License-Identifier: GFDL-1.3-or-later
Introduction
If you share some files between your machines, your choice was probably SMB/CIFS, as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, …).
However, there are some limitations that you may find unacceptable (the loss of uid/gid/permissions being really a blocking point for me).
Another option (at least on GNU/Linux) could be sshfs: it is simple to use, and requires no special settings beyond ssh access to the server. It could be the ideal sharing system for many people.
This document is about a third solution: NFSv4 coupled with Kerberos security, on a Debian-based system (Debian, Ubuntu, etc.).
Pre-requisites
- NTP
- All machines (clients and servers) must be time-synchronized, as Kerberos authentication relies partly on ticket timestamps.
- DNS server (optional)
- Kerberos may, in some configurations, make use of DNS records such as SRV or TXT. A lightweight DNS server like dnsmasq is sufficient, and avoids the administration of a full-fledged server such as bind.
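As an added example (not part of the original document), the shell function below prints the dnsmasq `srv-host` and `txt-record` lines that publish a realm's KDCs in DNS. The realm EXAMPLE.LAN, the host names, the function name and the assumption that the DNS domain is the lower-cased realm name are all constructed for illustration.

```shell
#!/bin/sh
# Added example: generate dnsmasq.conf lines for Kerberos SRV/TXT records.
# All realm and host names used here are constructed placeholders.

# krb_dnsmasq_records REALM PRIMARY_KDC [REPLICA_KDC...]
# Prints the configuration lines on stdout; returns 1 on bad input.
krb_dnsmasq_records() {
    [ "$#" -ge 2 ] || { echo "usage: krb_dnsmasq_records REALM KDC..." >&2; return 1; }
    realm=$1
    shift
    # Realm names are case-sensitive and upper-case by convention.
    case $realm in
        ''|*[![:upper:][:digit:].-]*)
            echo "realm must be upper-case: $realm" >&2; return 1 ;;
    esac
    # Assumption: clients look the records up under the lower-cased realm.
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    primary=$1
    prio=0
    for kdc in "$@"; do
        # Every KDC issues tickets on port 88. A lower priority value is
        # tried first, so later KDCs only serve as fallback.
        echo "srv-host=_kerberos._udp.$domain,$kdc,88,$prio"
        echo "srv-host=_kerberos._tcp.$domain,$kdc,88,$prio"
        prio=$((prio + 10))
    done
    # Administration (749) and password changes (464): primary KDC only.
    echo "srv-host=_kerberos-adm._tcp.$domain,$primary,749"
    echo "srv-host=_kpasswd._udp.$domain,$primary,464"
    # TXT record mapping hosts of this DNS domain to the realm name.
    echo "txt-record=_kerberos.$domain,$realm"
}

# Constructed sample: one primary and one fallback KDC.
krb_dnsmasq_records EXAMPLE.LAN kdc1.example.lan kdc2.example.lan
```

The output can be saved as a file under `/etc/dnsmasq.d/`; clients only use these records when DNS lookups are enabled in their `krb5.conf` (`dns_lookup_kdc`, `dns_lookup_realm`).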
Kerberos (V5)
There are basically two major implementations of Kerberos v5 on GNU/Linux: the original MIT one, and the Heimdal one. There was also a GNU implementation (Shishi), but development looks to have been stalled for 10+ years.
It appears that the MIT implementation may have some export restrictions due to U.S. regulation. The Heimdal implementation (explicitly developed outside the USA, in Sweden) does not suffer from such limitations. We will therefore use the "un-regulated" implementation.
We will use the following conventions:
toto verbatim or code.
Server side
For resilience reasons, I will use two kb
Client side
Testing
NFSv4
Server side
Client side
Testing
zobi zoba titi toto
Sources
Kerberos setup:
–prout