NFSv4 with Kerberos on Debian from scratch
Copyright (C) 2022 Bruno Raoult ("br") Licensed under the GNU Free Documentation License v1.3 or later. Some rights reserved. See COPYING.
You should have received a copy of the GNU Free Documentation License along with this document. If not, see this page.
SPDX-License-Identifier: GFDL-1.3-or-later
Introduction
If you share files between your machines, your choice was probably SMB/CIFS, as it is supported on nearly every platform (GNU/Linux, MacOS, Windows, iOS, Android, …).
However, it has some limitations that you may find unacceptable (the loss of uid/gid/permissions being a real blocking point for me).
Another option (at least on GNU/Linux) is sshfs: it is simple to use and needs no special setup beyond ssh access to the server. It could be the ideal sharing system for many people.
This document is about a third solution: NFSv4 coupled with Kerberos security, on a Debian-based system (Debian, Ubuntu, etc.).
Pre-requisites
- NTP
- All machines (clients and servers) must be time-synchronized, as Kerberos authentication relies partly on ticket timestamps.
- DNS server (optional)
- Kerberos may, in some configurations, make use of DNS records such as SRV or TXT. A lightweight DNS server like dnsmasq is sufficient, and avoids administering a full-fledged server such as bind.
Kerberos (V5)
There are basically two major implementations of Kerberos v5 on GNU/Linux: the original MIT one, and the Heimdal one. There was also a GNU implementation (Shishi), but its development looks stalled for 10+ years.
It appears that the MIT implementation may have some export restrictions due to U.S. regulation. The Heimdal implementation (explicitly developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "un-regulated" implementation.
Naming
We will use the following conventions:
Name | Value | Comment
---|---|---
Kerberos realm | LAN | Always capital
Local DNS name | lan | Typical hostname: machine.lan
Kerberos KDC 1 | kdc1.lan | Primary Key Distribution Center
Kerberos KDC 2 | kdc2.lan | Secondary KDC
Kerberos admin server | kadmin.lan | Administrative server
Kerberos client 1 | kclient1.lan | Test client 1
Kerberos client 2 | kclient2.lan | Test client 2
Kerberos credentials | krb5/password | Kerberos admin login/password
Packages installation
On the server side, install the necessary packages with:
$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm
On the client(s), install instead only the krb5-config and heimdal-clients packages:
br@lorien:~$ sudo apt-get install krb5-config heimdal-clients
On your desktop, you may also want to install the Heimdal documentation:
br@lorien:/etc$ sudo apt-get install heimdal-docs
The krb5-config package installation will ask you some questions; you can just answer with the information from Table 1 (we will change the configuration manually after that):
- Default Kerberos version 5 realm: LAN
- Kerberos servers for your realm: kdc1.lan kdc2.lan
- Administrative server for your Kerberos realm: kadmin.lan
After this initial configuration, edit /etc/krb5.conf, clean up everything and add a domain_realm section for your local network. You should end up with something similar to:
[libdefaults]
default_realm = LAN
kdc_timesync = true
forwardable = true
proxiable = true
[realms]
LAN = {
kdc = kdc1.lan
kdc = kdc2.lan
admin_server = kadmin.lan
}
[domain_realm]
.lan = LAN
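As an added example (not from the original page), a small Python script that parses a krb5.conf fragment like the one above and checks it against this page's conventions: capitalised realm, KDC and admin server declared for it, and a domain_realm mapping pointing at it. The parser handles only the subset of the format shown here (sections, key = value pairs, one level of NAME = { ... } blocks).

```python
"""Parse a krb5.conf fragment and check it against the page's conventions."""
import re

# Constructed sample: the krb5.conf from the page, and a variant with a lowercase realm.
PAGE_CONF = """[libdefaults]
default_realm = LAN
kdc_timesync = true
[realms]
LAN = {
kdc = kdc1.lan
kdc = kdc2.lan
admin_server = kadmin.lan
}
[domain_realm]
.lan = LAN
"""
BAD_CONF = "[libdefaults]\ndefault_realm = lan\n"

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a NAME = { ... } block becomes a nested dict.
    Repeated keys such as 'kdc' are collected into lists, '#' starts a comment."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f'key outside any section: {line}')
        if line == '}':            # end of a NAME = { ... } block
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':            # start of a NAME = { ... } block
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return conf

def check_krb5_conf(conf):
    """Return a list of problems relative to the page's conventions (empty if fine)."""
    problems = []
    realm = conf.get('libdefaults', {}).get('default_realm', [None])[0]
    if realm is None:
        problems.append('libdefaults: default_realm missing')
    elif realm != realm.upper():
        problems.append(f'realm {realm!r} is not all capitals')
    realms = conf.get('realms', {})
    if realm and realm not in realms:
        problems.append(f'[realms] has no entry for {realm}')
    for name, r in realms.items():
        for required in ('kdc', 'admin_server'):
            if required not in r:
                problems.append(f'realm {name}: no {required}')
    mapping = conf.get('domain_realm', {})
    if realm and not any(v == [realm] for v in mapping.values()):
        problems.append(f'[domain_realm] maps no DNS domain to {realm}')
    return problems
```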
Kerberos database initialization
The installation process may have created files in /var/lib/heimdal-kdc; the manual is unclear on this. To be on the safe side, we remove everything before going further:
Server side
Heimdal Kerberos installation
Client side
heimdal-docs heimdal-clients
Testing
NFSv4
Server side
Client side
Testing
Sources
Kerberos setup:
- info heimdal (documentation from heimdal-docs)
- Heimdal setup on Debian
- Debian/Ubuntu Linux with Active Directory Kerberos Server
- Principal names and DNS
- Setup (MIT) Kerberos Server and Client on Ubuntu 20.04
- MIT Kerberos Documentation: Installing KDCs
- MIT Kerberos Documentation: Realm configuration decisions
- Beyond Linux From Scratch - Heimdal