test-repo/nfsv4-kerberos-debian.org
2022-02-20 00:06:10 +01:00


NFSv4 with Kerberos on Debian from scratch

Copyright (C) 2022 Bruno Raoult ("br") Licensed under the GNU Free Documentation License v1.3 or later. Some rights reserved. See COPYING.

You should have received a copy of the GNU Free Documentation License along with this document. If not, see this page.

SPDX-License-Identifier: GFDL-1.3-or-later

Introduction

If you share files between your machines, your choice was probably SMB/CIFS, as it is supported on nearly every platform (GNU/Linux, MacOS, Windows, iOS, Android, …).

However, there are some limitations that you may find unacceptable (the loss of uid/gid/permissions being really a blocking point for me).

Another option (at least on GNU/Linux) could be sshfs: it is simple to use and requires no special setup beyond SSH access to the server. It could be the ideal sharing system for many people.

This document is about a third solution: NFSv4 coupled with Kerberos security, on a Debian-based system (Debian, Ubuntu, etc.).

Pre-requisites

- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication partly relies on ticket timestamps.
- DNS server (optional) :: In some configurations, Kerberos makes use of DNS records such as SRV or TXT. A lightweight DNS server like dnsmasq is sufficient and avoids administering a full-fledged server such as bind.

Kerberos (V5)

There are basically two major implementations of Kerberos v5 on GNU/Linux: the original MIT one, and the Heimdal one. There was also a GNU implementation (Shishi), but development looks stalled for 10+ years.

It appears that the MIT implementation may have some export restrictions due to U.S. regulation. The Heimdal implementation (explicitly developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "un-regulated" implementation.

Naming

We will use the following conventions:

| Name                  | Value      | Comment                        |
|-----------------------+------------+--------------------------------|
| Domain name           | .lan       | Typical hostname: machine.lan  |
| Kerberos realm        | LAN        | Always capital                 |
| Kerberos KDC 1        | kdc1.lan   | Key Distribution Center        |
| Kerberos KDC 2        | kdc2.lan   |                                |
| Kerberos admin server | kadmin.lan |                                |
Table 1: Kerberos hosts naming
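The following script is an added example, not part of the original document: it turns the naming conventions of Table 1 into the two configuration fragments they imply, the dnsmasq records through which Kerberos clients can discover the KDCs (the optional DNS prerequisite above) and a matching krb5.conf realm definition. The hostnames and realm come from the table; the ports (88, 749, 464) are the standard Kerberos ports; the dnsmasq `srv-host=` / `txt-record=` syntax and the krb5.conf sections are the documented ones for both MIT and Heimdal. Writing the output to `/etc/dnsmasq.d/` and `/etc/krb5.conf` is left to the reader.

```shell
#!/bin/sh
# Added example: generate dnsmasq Kerberos records and a krb5.conf realm
# stanza from the naming conventions of Table 1. Arguments:
#   DOMAIN  DNS domain without the leading dot (table: ".lan" -> "lan")
#   REALM   Kerberos realm, capitals (table: "LAN")
#   KDC1 KDC2 ADMIN  hostnames of the two KDCs and the admin server

# kerberos_dns_records DOMAIN REALM KDC1 KDC2 ADMIN
# dnsmasq syntax: srv-host=_svc._proto.domain,target,port,priority,weight
# (lower priority value = preferred) and txt-record=name,"text".
kerberos_dns_records() {
    domain=$1 realm=$2 kdc1=$3 kdc2=$4 admin=$5
    # Ticket service (KDC), UDP and TCP port 88; kdc1 preferred, kdc2 fallback
    printf 'srv-host=_kerberos._udp.%s,%s,88,0,100\n'  "$domain" "$kdc1"
    printf 'srv-host=_kerberos._udp.%s,%s,88,10,100\n' "$domain" "$kdc2"
    printf 'srv-host=_kerberos._tcp.%s,%s,88,0,100\n'  "$domain" "$kdc1"
    printf 'srv-host=_kerberos._tcp.%s,%s,88,10,100\n' "$domain" "$kdc2"
    # Administration (kadmin, TCP 749) and password change (kpasswd, UDP 464)
    printf 'srv-host=_kerberos-adm._tcp.%s,%s,749,0,100\n' "$domain" "$admin"
    printf 'srv-host=_kpasswd._udp.%s,%s,464,0,100\n'      "$domain" "$admin"
    # Domain-to-realm hint. Clients only consult it when dns_lookup_realm is
    # enabled; the explicit [domain_realm] mapping below is the safer default
    # because a TXT record answer can be spoofed on the network.
    printf 'txt-record=_kerberos.%s,"%s"\n' "$domain" "$realm"
}

# krb5_conf DOMAIN REALM KDC1 KDC2 ADMIN
# Minimal /etc/krb5.conf: KDCs are listed explicitly and, in addition, found
# via the SRV records above (dns_lookup_kdc); realm mapping stays static.
krb5_conf() {
    domain=$1 realm=$2 kdc1=$3 kdc2=$4 admin=$5
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc1
        kdc = $kdc2
        admin_server = $admin
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Run with the names from Table 1: prints both fragments to stdout.
kerberos_dns_records lan LAN kdc1.lan kdc2.lan kadmin.lan
krb5_conf lan LAN kdc1.lan kdc2.lan kadmin.lan
```

After installing the dnsmasq fragment, `dig +short SRV _kerberos._udp.lan @127.0.0.1` on the DNS host should list both KDCs with kdc1.lan at the lower priority value; a wrong or missing answer there is the first thing to check when a client cannot obtain a ticket.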

Server side

For resilience reasons, I will use two kb

Client side

Testing

NFSv4

Server side

Client side

Testing


Sources

Kerberos setup:


echo "a bash source block with custom html attributes"
and multiple lines of captions!

Great clouds overhead Tiny black birds rise and fall Snow covers Emacs

—AlexSchroeder