143 lines
6.3 KiB
Org Mode
143 lines
6.3 KiB
Org Mode
#+TITLE: NFSv4 with Kerberos on Debian from scratch
|
|
#+OPTIONS: toc:nil
|
|
#+TODO: TODO STARTED DONE
|
|
#+EXCLUDE_TAGS: noexport
|
|
|
|
#+BEGIN_QUOTE
|
|
/Copyright (C) 2022 Bruno Raoult ("br")/
|
|
/Licensed under the GNU Free Documentation License v1.3 or later./
|
|
/Some rights reserved. See COPYING./
|
|
|
|
/You should have received a copy of the GNU Free Documentation License along
|
|
with this document./
|
|
/If not, see [[https://www.gnu.org/licenses/fdl-1.3-standalone.html][this page]]./
|
|
|
|
/SPDX-License-Identifier: [[https://spdx.org/licenses/GFDL-1.3-or-later.html][GFDL-1.3-or-later]]/
|
|
#+END_QUOTE
|
|
|
|
* Table of Contents
|
|
**** Table of Contents
|
|
#+TOC: headlines 3
|
|
|
|
* Introduction
|
|
If you share some files between your machines, your choice was probably
|
|
[[https://en.wikipedia.org/wiki/Server_Message_Block][SMB/CIFS]], as it
|
|
is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, ...).
|
|
|
|
However, there are some limitations that you may find unacceptable (the loss
|
|
of uid/gid/permissions being really a blocking point for me).
|
|
|
|
Another option (at least on GNU/Linux) could be [[https://github.com/libfuse/sshfs][sshfs]]: It is simple to use,
|
|
and requires no special settings but an ssh access to server. It could be the
|
|
ideal sharing system for many people.
|
|
|
|
This document is about a third solution : NFSv4 coupled with Kerberos
|
|
security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...).
|
|
|
|
* Pre-requisites
|
|
- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps.
|
|
- DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]].
|
|
A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]].
|
|
-
|
|
|
|
* Kerberos (V5)
|
|
There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years.
|
|
|
|
It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation.
|
|
|
|
** Naming
|
|
:PROPERTIES:
|
|
:custom_id: table-1
|
|
:END:
|
|
We will use the following conventions :
|
|
#+CAPTION: Table 1: Local names
|
|
| Name | Value | Comment |
|
|
|-----------------------+-----------------+---------------------------------|
|
|
| Kerberos realm | =LAN= | Always capital |
|
|
| Local DNS name | =lan= | Typical hostname: machine.lan |
|
|
| Kerberos KDC 1 | =kdc1.lan= | Primary Key Distribution Center |
|
|
| Kerberos KDC 2 | =kdc2.lan= | Secondary KDC |
|
|
| Kerberos admin server | =kadmin.lan= | Administrative server |
|
|
| Kerberos client 1 | =kclient1.lan= | Test client 1 |
|
|
| Kerberos client 2 | =kclient2.lan= | Test client 2 |
|
|
| Kerberos credentials | =krb5/password= | Kerberos admin login/password |
|
|
|
|
** Packages installation
|
|
On server side, install the necessary packages with :
|
|
#+BEGIN_SRC bashsession
|
|
$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm
|
|
#+END_SRC
|
|
And on client(s), install instead ~krb5-config~ and ~heimdal-clients~ packages :
|
|
#+BEGIN_SRC bashsession
|
|
br@lorien:~$ sudo apt-get install krb5-config heimdal-clients
|
|
#+END_SRC
|
|
On your desktop, you may also want to install Heimdal documentation :
|
|
#+BEGIN_SRC bashsession
|
|
br@lorien:/etc$ sudo apt-get install heimdal-docs
|
|
#+END_SRC
|
|
|
|
The ~krb5-config~ package installation will ask you some questions, you can just answer with the information from [[#table-1][Table 1]] (we will change configuration manually after that):
|
|
- Default Kerberos version 5 realm: ~LAN~
|
|
- Kerberos servers for your realm: ~kdc1.lan kdc2.lan~
|
|
- Administrative server for your Kerberos realm: ~kadmin.lan~
|
|
|
|
After this initial configutation, edit ~/etc/krb5.conf~, clean up everything and add a domain_realm section for your local network. You should end up with something similar to :
|
|
|
|
#+BEGIN_SRC docker
|
|
[libdefaults]
|
|
default_realm = LAN
|
|
kdc_timesync = true
|
|
forwardable = true
|
|
proxiable = true
|
|
|
|
[realms]
|
|
LAN = {
|
|
kdc = kdc1.lan
|
|
kdc = kdc2.lan
|
|
admin_server = kadmin.lan
|
|
}
|
|
|
|
[domain_realm]
|
|
.lan = LAN
|
|
|
|
#+END_SRC
|
|
|
|
** Kerberos database initialization
|
|
It is possible installation process may have created files in ~/var/lib/heimdal-kdc~, manual is unclear. To be on secure side, we remove everything before going further :
|
|
|
|
#+BEGIN_SRC conf
|
|
[libdefaults]
|
|
default_realm = LAN
|
|
[realms]
|
|
LAN = {
|
|
kdc = kdc1.lan
|
|
kdc = kdc2.lan
|
|
admin_server = kadmin.lan
|
|
}
|
|
#+END_SRC
|
|
#+BEGIN_SRC conf
|
|
foo bar
|
|
line 2
|
|
third line
|
|
#+END_SRC
|
|
|
|
** Server side
|
|
*** Heimdal Kerberos installation
|
|
** Client side
|
|
heimdal-docs heimdal-clients
|
|
** Testing
|
|
* NFSv4
|
|
** Server side
|
|
** Client side
|
|
** Testing
|
|
* Sources
|
|
Kerberos setup:
|
|
- ~info heimdal~ (documentation from heimdal-docs)
|
|
- [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]]
|
|
- [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]]
|
|
- [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]]
|
|
- [[https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/][Setup (MIT) Kerberos Server and Client on Ubuntu 20.04]]
|
|
- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html][MIT Kerberos Documentation: Installing KDCs]]
|
|
- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames][MIT Kerberos Documentation: Realm configuration decisions]]
|
|
- [[https://www.linuxfromscratch.org/blfs/view/6.3/postlfs/heimdal.html][Beyond Linux From Scratch - Heimdal]]
|