NFSv4 with Kerberos on Debian from scratch
This document will (hopefully) allow you to set up a kerberized NFSv4 server on Debian 11/Ubuntu 22.04.
Copyright (C) 2022 Bruno Raoult ("br") Licensed under the GNU Free Documentation License v1.3 or later. Some rights reserved. See COPYING.
You should have received a copy of the GNU Free Documentation License along with this document. If not, see this page.
SPDX-License-Identifier: GFDL-1.3-or-later
Introduction
If you share files between your machines, your choice was probably SMB/CIFS, as it is supported on nearly every platform (GNU/Linux, macOS, Windows, iOS, Android, ...).
However, SMB has some limitations that you may find unacceptable: the loss of uid/gid/permissions and the lack of symbolic/hard links.
Another option (at least on GNU/Linux) could be SSHFS: it is simple to use, and requires no special settings, only ssh access to the server. It could be the ideal sharing system for many people.
What I dislike here is the need for ssh access. No, I don't plan to give ssh access to my servers ;-)
This document is about a third solution: NFSv4 coupled with Kerberos security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc.).
* Pre-requisites
- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication relies in part on ticket timestamps (both MIT and Heimdal reject tickets whose timestamps are off by more than 5 minutes by default).
- DNS server (optional) :: Kerberos may, in some configurations, make use of DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]]. A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and avoids the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]].
- Kerberos (V5) :: There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: the original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but development looks stalled for 10+ years.
  It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. The Heimdal implementation (explicitly developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation.
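What those SRV/TXT records look like for the names used in Table 1 below, as an added example that is not part of the original document: the script prints the dnsmasq directives (=srv-host= and =txt-record=, from dnsmasq(8)) for realm LAN, and can query them back with =dig=. The SRV names and ports are the standard Kerberos ones (RFC 4120 section 7.2.3.2); the =_kerberos.<domain>= TXT record is the realm-lookup convention used by the MIT and Heimdal libraries. The file name and the resolver argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original document: generate the DNS records
# Kerberos clients can use to locate the LAN realm, in dnsmasq syntax, and
# optionally query them back with dig.
# SRV record names and ports follow RFC 4120 section 7.2.3.2; the
# _kerberos.<domain> TXT record is the realm-lookup convention used by both
# MIT and Heimdal libraries. Names and hosts are the ones from Table 1.

REALM="LAN"
DOMAIN="lan"
KDCS="kdc1.lan kdc2.lan"
ADMIN_SERVER="kadmin.lan"

# Print dnsmasq directives (srv-host= and txt-record=, see dnsmasq(8)),
# e.g. to be saved as /etc/dnsmasq.d/kerberos.conf (file name assumed).
kerberos_dnsmasq_records() {
    # domain -> realm mapping: _kerberos.lan TXT "LAN"
    echo "txt-record=_kerberos.$DOMAIN,$REALM"
    # KDC discovery: one SRV per KDC, over UDP and TCP, port 88
    for kdc in $KDCS; do
        echo "srv-host=_kerberos._udp.$DOMAIN,$kdc,88"
        echo "srv-host=_kerberos._tcp.$DOMAIN,$kdc,88"
    done
    # administration (kadmin, TCP 749) and password change (kpasswd, UDP 464)
    echo "srv-host=_kerberos-adm._tcp.$DOMAIN,$ADMIN_SERVER,749"
    echo "srv-host=_kpasswd._udp.$DOMAIN,$ADMIN_SERVER,464"
}

# Query every record name above against the resolver in $1 (default: the
# system resolver) and print what comes back; an empty answer means the
# record is missing. Needs dig (package dnsutils / bind9-dnsutils).
kerberos_dns_check() {
    server="${1:+@$1}"
    for name in "_kerberos.$DOMAIN TXT" \
                "_kerberos._udp.$DOMAIN SRV" \
                "_kerberos._tcp.$DOMAIN SRV" \
                "_kerberos-adm._tcp.$DOMAIN SRV" \
                "_kpasswd._udp.$DOMAIN SRV"; do
        set -- $name
        printf '%-28s %-4s ' "$1" "$2"
        dig +short $server "$1" "$2" | tr '\n' ' '
        echo
    done
}

# Usage: sh kerberos-dns.sh records  > /etc/dnsmasq.d/kerberos.conf
#        sh kerberos-dns.sh check [resolver-ip]
case "${1:-}" in
    records) kerberos_dnsmasq_records ;;
    check)   kerberos_dns_check "${2:-}" ;;
esac
```

Restart dnsmasq after writing the file, then run the =check= mode from a client: the SRV answers should list both KDCs on port 88 and the admin server on 749/464, and the TXT answer should be the realm name in uppercase.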
** Naming
We will use the following conventions:
#+CAPTION: Table 1: Local names
| Name                  | Value           | Comment                         |
|-----------------------+-----------------+---------------------------------|
| Kerberos realm        | =LAN=           | Always uppercase                |
| Local DNS name        | =lan=           | Typical hostname: machine.lan   |
| Kerberos KDC 1        | =kdc1.lan=      | Primary Key Distribution Center |
| Kerberos KDC 2        | =kdc2.lan=      | Secondary KDC                   |
| Kerberos admin server | =kadmin.lan=    | Administrative server           |
| Kerberos client 1     | =kclient1.lan=  | Test client 1                   |
| Kerberos client 2     | =kclient2.lan=  | Test client 2                   |
| Kerberos credentials  | =krb5/password= | Kerberos admin login/password   |
** Packages installation
On the server side, install the necessary packages with:
#+BEGIN_SRC sh
$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm
#+END_SRC
And on the client(s), install the following:
#+BEGIN_SRC sh
$ sudo apt-get install krb5-config heimdal-clients
#+END_SRC
On your desktop, you may also want to install some documentation with:
#+BEGIN_SRC sh
$ sudo apt-get install heimdal-docs
#+END_SRC
The above package does not include the "real" Heimdal docs; I did not find them in the Ubuntu 22.04 repositories. I managed to install the full HTML documentation by building it from the Heimdal sources:
#+BEGIN_SRC sh
git clone https://github.com/heimdal/heimdal.git
cd heimdal
autoreconf -f -i
sh autogen.sh
./configure
make html
# "make html" writes the split HTML manual into doc/heimdal.html/
cd doc
sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/
#+END_SRC
The krb5-config package installation will ask you some questions; just answer them with the information from Table 1:
- Default Kerberos version 5 realm: =LAN=
- Kerberos servers for your realm: =kdc1.lan kdc2.lan=
- Administrative server for your Kerberos realm: =kadmin.lan=
After this initial configuration, /etc/krb5.conf should contain something like:
#+BEGIN_SRC conf
[libdefaults]
default_realm = LAN
kdc_timesync = true
forwardable = true
proxiable = true
[realms]
        LAN = {
                kdc = kdc1.lan
                kdc = kdc2.lan
                admin_server = kadmin.lan
        }

[domain_realm]
        lan = LAN
        .lan = LAN
#+END_SRC
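The krb5-config questions are debconf prompts, so on a fleet of clients they can be answered without the interactive dialog. The following script is an added example, not part of the original document: it preseeds the answers from Table 1, and then checks that the resulting /etc/krb5.conf names the realm, both KDCs and the admin server (a quick way to catch a typo in a prompt, or a stale file kept from an earlier installation). The debconf template names (=krb5-config/default_realm= and friends) are assumed to be the ones shipped by Debian's krb5-config package; confirm them on your release with =debconf-get-selections | grep krb5-config= before relying on them.

```shell
#!/bin/sh
# Added example, not part of the original document: answer the krb5-config
# debconf questions from Table 1 without the interactive prompts, then check
# that the resulting /etc/krb5.conf names the realm, every KDC and the admin
# server. The debconf template names below are assumed to be those shipped by
# Debian's krb5-config package; confirm on your release with
#     debconf-get-selections | grep krb5-config

REALM="LAN"
KDCS="kdc1.lan kdc2.lan"
ADMIN_SERVER="kadmin.lan"

# Preseed lines in debconf-set-selections(1) format.
krb5_preseed() {
    cat <<EOF
krb5-config krb5-config/default_realm string $REALM
krb5-config krb5-config/add_servers boolean true
krb5-config krb5-config/add_servers_realm string $REALM
krb5-config krb5-config/kerberos_servers string $KDCS
krb5-config krb5-config/admin_server string $ADMIN_SERVER
EOF
}

# True if file $1 has a "$2 = $3" line, allowing leading whitespace and
# spaces around "=" (krb5.conf is indented inside [realms] { ... }).
has_setting() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*\$" "$1"
}

# Return 0 if $1 (a krb5.conf) contains default_realm, all KDCs and the
# admin server from Table 1; otherwise list what is missing on stderr
# and return 1.
krb5_conf_check() {
    conf="$1"; rc=0
    has_setting "$conf" default_realm "$REALM" \
        || { echo "missing: default_realm = $REALM" >&2; rc=1; }
    for kdc in $KDCS; do
        has_setting "$conf" kdc "$kdc" \
            || { echo "missing: kdc = $kdc" >&2; rc=1; }
    done
    has_setting "$conf" admin_server "$ADMIN_SERVER" \
        || { echo "missing: admin_server = $ADMIN_SERVER" >&2; rc=1; }
    return $rc
}

# On a real host, as root: sh krb5-preseed.sh apply
if [ "${1:-}" = "apply" ]; then
    krb5_preseed | debconf-set-selections
    DEBIAN_FRONTEND=noninteractive apt-get install -y krb5-config heimdal-clients
    krb5_conf_check /etc/krb5.conf && echo "/etc/krb5.conf matches Table 1"
fi
```

The check deliberately looks for each KDC on its own =kdc =​ line: krb5-config writes one line per server, and a client whose file lists only kdc1.lan will silently lose redundancy rather than fail, which is exactly the kind of drift worth catching at install time.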
** Server side
*** Heimdal Kerberos installation
** Client side
heimdal-docs heimdal-clients
** Testing
* NFSv4
** Server side
** Client side
** Testing
* Sources
Kerberos setup:
- =heimdal-docs= package documentation: run =$ info heimdal=
- [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]]
- [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]]
- [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]]
- [[https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/][Setup (MIT) Kerberos Server and Client on Ubuntu 20.04]]
- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html][MIT Kerberos Documentation: Installing KDCs]]
- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames][MIT Kerberos Documentation: Realm configuration decisions]]