90 lines
3.4 KiB
Org Mode
90 lines
3.4 KiB
Org Mode
#+TITLE: NFSv4 with Kerberos on Debian from scratch
|
|
#+OPTIONS: toc:nil
|
|
#+TODO: TODO STARTED DONE
|
|
#+EXCLUDE_TAGS: noexport
|
|
|
|
#+BEGIN_QUOTE
|
|
/Copyright (C) 2022 Bruno Raoult ("br")/
|
|
/Licensed under the GNU Free Documentation License v1.3 or later./
|
|
/Some rights reserved. See COPYING./
|
|
|
|
/You should have received a copy of the GNU Free Documentation License along
|
|
with this document./
|
|
/If not, see [[https://www.gnu.org/licenses/fdl-1.3-standalone.html][this page]]./
|
|
|
|
/SPDX-License-Identifier: [[https://spdx.org/licenses/GFDL-1.3-or-later.html][GFDL-1.3-or-later]]/
|
|
#+END_QUOTE
|
|
|
|
* Table of Contents :TOC:
|
|
|
|
**** Table of Contents
|
|
#+TOC: headlines 3
|
|
|
|
* Introduction
|
|
If you share some files between your machines, your choice was probably
|
|
[[https://en.wikipedia.org/wiki/Server_Message_Block][SMB/CIFS]], as it
|
|
is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, ...).
|
|
|
|
However, there are some limitations that you may find unacceptable (the loss
|
|
of uid/gid/permissions being really a blocking point for me).
|
|
|
|
Another option (at least on GNU/Linux) could be [[https://github.com/libfuse/sshfs][sshfs]]: It is simple to use,
|
|
and requires no special settings but an ssh access to server. It could be the
|
|
ideal sharing system for many people.
|
|
|
|
This document is about a third solution : NFSv4 coupled with Kerberos
|
|
security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...).
|
|
|
|
* Pre-requisites
|
|
- NTP :: All machines (clients and servers) must be time-synchronized, as kerberos authentication is partly based on tickets timestamps.
|
|
- DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]].
|
|
A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]].
|
|
|
|
* Kerberos (V5)
|
|
There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years.
|
|
|
|
It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation.
|
|
|
|
** We will use the following conventions :
|
|
toto =verbatim= or ~code~.
|
|
|
|
** Server side
|
|
For resilience reasons, I will use two kb
|
|
** Client side
|
|
** Testing
|
|
* NFSv4
|
|
** Server side
|
|
** Client side
|
|
** Testing
|
|
#+BEGIN_VERSE
|
|
zobi zoba
|
|
titi toto
|
|
* Sources
|
|
Kerberos setup:
|
|
-
|
|
|
|
--prout
|
|
#+END_VERSE
|
|
#+CAPTION: and _multiple_
|
|
#+CAPTION: lines of *captions*!
|
|
#+ATTR_HTML: :class a b
|
|
#+ATTR_HTML: :id it :class c d
|
|
#+BEGIN_SRC sh
|
|
echo "a bash source block with custom html attributes"
|
|
#+END_SRC
|
|
|
|
#+BEGIN_EXPORT html
|
|
<style>
|
|
.verse-block p { white-space: pre; color: red;}
|
|
.verse-block p + p { padding-left: 2em; }
|
|
</style>
|
|
#+END_EXPORT
|
|
|
|
#+BEGIN_VERSE
|
|
Great clouds overhead
|
|
Tiny black birds rise and fall
|
|
Snow covers Emacs
|
|
|
|
---AlexSchroeder
|
|
#+END_VERSE
|