test-repo/nfsv4-kerberos-debian.md

NFSv4 with Kerberos on Debian from scratch

This document will (hopefully) allow you to set up a kerberized NFSv4 server on Debian 11 / Ubuntu 22.04.

Copyright (C) 2022 Bruno Raoult ("br") Licensed under the GNU Free Documentation License v1.3 or later. Some rights reserved. See COPYING.

You should have received a copy of the GNU Free Documentation License along with this document. If not, see this page.

SPDX-License-Identifier: GFDL-1.3-or-later

Table of Contents

- [Introduction](#introduction)

Introduction

If you share files between your machines, your choice was probably SMB/CIFS, as it is supported on nearly every platform (GNU/Linux, macOS, Windows, iOS, Android, ...).

However, SMB has limitations that you may find unacceptable: it loses the Unix uid/gid and permission bits, and it does not support symbolic or hard links.

Another option (at least on GNU/Linux) is SSHFS: it is simple to use and needs no special settings, only SSH access to the server. It could be the ideal sharing system for many people.

What I dislike here is precisely the need for SSH access: no, I don't plan to give SSH access to my servers ;-)

This document is about a third solution: NFSv4 coupled with Kerberos security, on a Debian-based system (Debian, Ubuntu, etc.).

Pre-requisites

  • NTP : All machines (clients and servers) must be time-synchronized, as Kerberos authentication relies on ticket timestamps; by default a KDC rejects requests whose clock differs from its own by more than 5 minutes.
  • DNS server (optional) : Kerberos may, in some configurations, use DNS records such as SRV (to locate KDCs and admin servers) or TXT (to map a domain to its realm). A lightweight DNS server like dnsmasq is sufficient, and avoids administering a full-fledged server such as bind.

Kerberos (V5)

There are basically two major implementations of Kerberos V5 on GNU/Linux: the original MIT one and the Heimdal one. There was also a GNU implementation, Shishi, but its development appears to have stalled for 10+ years.

It appears that the MIT implementation may have some export restrictions due to U.S. regulation. The Heimdal implementation (explicitly developed outside the USA, in Sweden) does not suffer such limitations. This document will use the "un-regulated" implementation, Heimdal.

Naming

We will use the following conventions:

Table 1: Local names

| Name                  | Value           | Comment                         |
|:----------------------|:----------------|:--------------------------------|
| Kerberos realm        | LAN             | Always capital                  |
| Local DNS name        | lan             | Typical hostname: machine.lan   |
| Kerberos KDC 1        | kdc1.lan        | Primary Key Distribution Center |
| Kerberos KDC 2        | kdc2.lan        | Secondary KDC                   |
| Kerberos admin server | kadmin.lan      | Administrative server           |
| Kerberos client 1     | kclient1.lan    | Test client 1                   |
| Kerberos client 2     | kclient2.lan    | Test client 2                   |
| Kerberos credentials  | krb5/password   | Kerberos admin login/password   |

Packages installation

On the server side, install the necessary packages with:

$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm

And on the client(s), install the following:

$ sudo apt-get install krb5-config heimdal-clients

On your desktop, you may also want to install Heimdal info documentation with:

$ sudo apt-get install heimdal-docs

Or, if you prefer HTML, you can build the documentation from source (this needs the usual autotools, libtool and texinfo packages installed) with the following commands:

$ git clone https://github.com/heimdal/heimdal.git
$ cd heimdal
$ autoreconf -f -i
$ sh autogen.sh
$ ./configure
$ make html
$ cd doc
$ sudo mkdir -p /usr/share/doc/heimdal-docs
$ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/

The krb5-config package installation will ask you some questions; answer with the information from Table 1:

  • Default Kerberos version 5 realm: LAN
  • Kerberos servers for your realm: kdc1.lan and kdc2.lan
  • Administrative server for your Kerberos realm: kadmin.lan

After this initial configuration, /etc/krb5.conf should contain something like:

[libdefaults]
	default_realm = LAN
	kdc_timesync = true
	forwardable = true
	proxiable = true

[realms]
	LAN = {
		kdc = kdc1.lan
		kdc = kdc2.lan
		admin_server = kadmin.lan
	}

[domain_realm]
	lan  = LAN
	.lan = LAN

Note that forwardable = true and proxiable = true come from Debian's template, not from anything NFS needs: a forwardable TGT can be handed to any service you authenticate to, which then holds a usable copy of your credentials. Unless you rely on credential delegation elsewhere (for example ssh with GSSAPIDelegateCredentials), set both to false.
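The [realms] block above lists the KDCs statically. If you run the optional dnsmasq server from the pre-requisites, you can also publish the standard Kerberos locator records so that clients find the KDCs, the admin server and the kpasswd server through DNS. The following shell script is an added example, not code from the original document: it emits the dnsmasq lines for the names of Table 1 (realm LAN, domain lan, kdc1.lan, kdc2.lan, kadmin.lan) and cross-checks a krb5.conf against the same KDC list, so that the two sources of truth cannot silently diverge. The function names, the sample krb5.conf it writes and the priority scheme (10 per additional KDC) are assumptions made for the example; the record names and ports (88, 749, 464) are the standard Kerberos V5 ones, and the srv-host= / txt-record= syntax is dnsmasq's.

```shell
#!/bin/sh
# Added example (not code from the original document): publish the Kerberos
# locator records with dnsmasq and check that they agree with krb5.conf.
# Assumes the names of Table 1 (realm LAN, domain lan, kdc1/kdc2/kadmin.lan).
# The SRV/TXT owner names are the standard Kerberos V5 DNS names; the
# srv-host= / txt-record= option syntax is dnsmasq's.

# krb5_dnsmasq_records REALM DOMAIN ADMIN_HOST KDC_HOST...
# Emit dnsmasq.conf lines for the realm; the first KDC gets the best priority.
krb5_dnsmasq_records() {
    realm=$1 domain=$2 admin=$3
    shift 3
    # SRV owner names use the realm name in lower case
    lrealm=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    prio=0
    for kdc in "$@"; do
        printf 'srv-host=_kerberos._udp.%s,%s,88,%d\n' "$lrealm" "$kdc" "$prio"
        printf 'srv-host=_kerberos._tcp.%s,%s,88,%d\n' "$lrealm" "$kdc" "$prio"
        prio=$((prio + 10))      # later KDCs are only tried if earlier ones fail
    done
    printf 'srv-host=_kerberos-adm._tcp.%s,%s,749\n' "$lrealm" "$admin"
    printf 'srv-host=_kpasswd._udp.%s,%s,464\n' "$lrealm" "$admin"
    # TXT record that maps the DNS domain to its realm (realm discovery)
    printf 'txt-record=_kerberos.%s,%s\n' "$domain" "$realm"
}

# krb5_conf_kdcs FILE REALM: print the "kdc =" hosts of REALM's [realms] block
krb5_conf_kdcs() {
    awk -v realm="$2" '
        $1 ~ /^\[/                                        { section = $1; inrealm = 0 }
        section == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}"                              { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "="               { print $3 }
    ' "$1"
}

# krb5_conf_matches FILE REALM KDC_HOST...: succeed only if the static KDC list
# in FILE is exactly the set published in DNS (order does not matter)
krb5_conf_matches() {
    file=$1 realm=$2
    shift 2
    want=$(printf '%s\n' "$@" | sort)
    have=$(krb5_conf_kdcs "$file" "$realm" | sort)
    [ "$want" = "$have" ]
}

# write_sample_krb5_conf FILE: constructed copy of the [realms] block shown above
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
	default_realm = LAN

[realms]
	LAN = {
		kdc = kdc1.lan
		kdc = kdc2.lan
		admin_server = kadmin.lan
	}

[domain_realm]
	lan  = LAN
	.lan = LAN
EOF
}

# Demo: print the records and cross-check them against a sample krb5.conf
tmp=$(mktemp)
write_sample_krb5_conf "$tmp"
krb5_dnsmasq_records LAN lan kadmin.lan kdc1.lan kdc2.lan
if krb5_conf_matches "$tmp" LAN kdc1.lan kdc2.lan; then
    echo "krb5.conf and DNS agree on the KDC list"
else
    echo "WARNING: krb5.conf KDCs differ from the DNS SRV records" >&2
fi
rm -f "$tmp"
```

Append the emitted lines to /etc/dnsmasq.conf (or a file under /etc/dnsmasq.d/), restart dnsmasq, and verify from a client with dig SRV _kerberos._udp.lan. Entries present in the [realms] block of krb5.conf take precedence over DNS, so keep the two in sync or remove the static kdc lines once DNS lookup works.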

Server side

Client side

Testing

NFSv4

Server side

Client side

Testing

Sources

Kerberos :