NFS and Kerberos: a bernie howto

This is the ugly truth on getting NFSv4 to work with Kerberos.
The following should also work with NFSv3; however, there is a bug in the rpc.gssd implementation on the Linux I use. Basically the problem is that when nfs-utils is built with Kerberos support, rpc.gssd assumes you are using NFSv4. I have filed a bug report here:
# in the following kerberos setup replace YOUR.REALM with your
# kerberos realm name
# replace clientname.domainname.local with your linux client fqdn
# replace osxclientname.domainname.local with your osx client fqdn
# replace servername with your server name
# replace username with the user you use across the network

Step1. on the linux client and server:
USE="kerberos -nonfsv4" emerge -av =net-fs/nfs-utils-1.1.0-r1

Step2. on osx and linux client and server:
# download k5start
# and build kstart; this will install in /usr/local/bin/
# eg:
cd /var/tmp
tar -xzvf kstart-3.10.tar.gz && cd kstart-3.10
./configure && make && make install

Step3a. The linux server
create a /etc/krb5.conf for your realm (see docs)
mine looks like:

# /etc/krb5.conf start by Bernard Edlington,
# copyright 2008 Nexus International LLC
[libdefaults]
    default_realm = YOUR.REALM
    kdc_timesync = 1
    forwardable = true
    proxiable = true

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/krb5adm.log
    default = FILE:/var/log/krb5lib.log

[kdc]
    profile = /etc/kdc.conf

[realms]
    YOUR.REALM = {
        kdc = servername.domainname.local
        admin_server = servername.domainname.local
        default_domain = domainname.local
    }

[domain_realm]
    .domainname.local = YOUR.REALM
    domainname.local = YOUR.REALM

[login]
    krb4_convert = false
    krb4_get_tickets = false

# /etc/krb5.conf end by Bernard Edlington,
# copyright 2008 Nexus International LLC
# check that the /etc/gssapi_mech.conf file exists
# do the following if it is nonexistent
# (a plain "sudo echo ... >> file" does not work: the redirect runs as your
# own user, not root, so pipe through sudo tee -a instead)
echo "/usr/lib/ mechglue_internal_krb5_init" | \
sudo tee -a /etc/gssapi_mech.conf

echo "*/admin@YOUR.REALM *" | sudo tee -a /var/lib/krb5kdc/kadm5.acl
sudo kdb5_util create -r YOUR.REALM -s
sudo kadmin.local
addprinc nexus/admin
addprinc -randkey kiprop/servername.domainname.local
addprinc -randkey changepw/servername.domainname.local
addprinc -randkey nfs/servername.domainname.local
ktadd -k /etc/krb5.keytab kadmin/servername.domainname.local
ktadd -k /etc/krb5.keytab changepw/servername.domainname.local
ktadd -k /etc/krb5.keytab kiprop/servername.domainname.local
ktadd -k /etc/krb5.keytab nfs/servername.domainname.local
# start em up gentoo style
sudo /etc/init.d/mit-krb5kdc start
sudo /etc/init.d/mit-krb5kadmind start
sudo /etc/init.d/rpc.gssd start
# add it to the default runlevels gentoo style
sudo rc-update add mit-krb5kdc default
sudo rc-update add mit-krb5kadmind default
sudo rc-update add rpc.gssd default

Step3b Nfsv4 on the Linux server

# see the great howto

Step4a kerberos linux client - host based
# this is good for a startup implementation
# scp /etc/gssapi_mech.conf and /etc/krb5.conf from the server
sudo kadmin -p nexus/admin
addprinc -randkey host/clientname.domainname.local@YOUR.REALM
ktadd -k /etc/krb5.keytab host/clientname.domainname.local
# start em up gentoo style
sudo /etc/init.d/rpc.gssd start
# add it to the default runlevels gentoo style
sudo rc-update add rpc.gssd default

Step4b Nfsv4 linux client - host based quick mount
sudo mount -t nfs4 -o sec=krb5 servername:/bar /mnt/tmp1/

Step4c Nfsv4 linux client - host based long term mount
# k5start runs as a daemon (-b), gets a ticket for the host principal from the
# keytab into its own cache and re-obtains it before it expires (-K 10 checks
# every 10 minutes, -l 10h asks for a 10 hour ticket); the mount then uses
# that cache. Start the daemon first, then mount:
sudo KRB5CCNAME="FILE:/tmp/service.tkt" \
/usr/local/bin/k5start -b -k /tmp/service.tkt \
-f /etc/krb5.keytab -K 10 -l 10h host/clientname.domainname.local
sudo KRB5CCNAME="FILE:/tmp/service.tkt" \
mount -t nfs4 -o sec=krb5 servername:/bar /mnt/tmp1/

Step5a kerberos linux client - user based
# this is good for a paranoid user who only wants tickets when logged in.
# scp /etc/gssapi_mech.conf and /etc/krb5.conf from the server
sudo kadmin -p nexus/admin
addprinc username
addprinc -randkey nfs/clientname.domainname.local
ktadd -k /etc/krb5.keytab nfs/clientname.domainname.local
# add it to the default runlevels gentoo style
sudo rc-update add rpc.gssd default
# start em up gentoo style
sudo /etc/init.d/rpc.gssd start

Step5b Nfsv4 linux client - user based
mount -t nfs4 -o sec=krb5 servername:/foo /mnt/tmp2/

Step6a Kerberos OSX client initial setup
# on osx client
# download Rick Macklem's brilliant Nfsv4 creation
# from
# eg:
# wget
# tar -xzvf leopard-client.tar.gz && cd leopard-client
# view the readme there; everything is explained crystal clear.
# next scp /etc/krb5.conf from the server
# I copy it to its default location, which should be /etc/ (Are you listening APPLE?)
# then I delete the Apple default location: rm /Library/Preferences/
# then ln -s /etc/krb5.conf /Library/Preferences/
# one large problem I had is that the command domain name does not return the fqdn.
# To fix this, place the IP address, then the fqdn, then the hostname, in that order, as
# the first entry in /etc/hosts, then reboot.
# eg.
# foobar.local.home foobar

# I like Apple; however, there is a reason why we have default paths, and that is
# so an admin from another OS can easily admin.
# Do this too many times, Apple, and we won't want to admin your boxes.
# Better still, have links to the native paths like I do.

Step6b Kerberos & Nfsv4 OSX client - user based
kadmin -p nexus/admin
addprinc username
mount -t newnfs -o -4,-T,-Skrb5 servername:/foo /mnt/tmp/

Step6c Kerberos & Nfsv4 OSX client - host based
sudo kadmin -p nexus/admin
addprinc -randkey host/osxclientname.domainname.local
ktadd -k /etc/krb5.keytab host/osxclientname.domainname.local
# the following keeps a 10 hour ticket for the host principal refreshed; it is a
# pity Apple's gssd implementation is not up to scratch, though, because this
# would be best as a startup item. That way the machine could farm out processes
# using NFS to users on the LAN and be secure at the same time.
# k5start runs as a daemon (-b) and re-obtains the ticket from the keytab before
# it expires; start it first, then mount (a backslash inside the single-quoted
# mount command is not a line continuation, so keep that command on one line):
sudo /usr/local/bin/k5start -b -f /etc/krb5.keytab -K 10 -l 10h \
host/osxclientname.domainname.local
sudo mount -t newnfs -o -4,-T,-Skrb5 servername:/bar /mnt/tmp/
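Added example, not part of the original howto: a small POSIX sh pre-flight script that checks the pieces steps 3a, 4a/5a and 6a put in place before you try a sec=krb5 mount. File paths default to the ones used above; the principal to look for in the keytab is passed in as an argument, and the klist output format assumed is MIT Kerberos's.

```shell
#!/bin/sh
# Pre-flight checks before a sec=krb5 NFSv4 mount. Each function returns 0 on
# success and 1 on failure so the checks can be scripted; paths default to the
# ones used in this howto. Assumes MIT Kerberos tools (klist -k output format).

# /etc/gssapi_mech.conf must list the Kerberos mechanism library and its init
# symbol, otherwise rpc.gssd cannot load the krb5 mechanism at all.
check_gssapi_mech() {
    f="${1:-/etc/gssapi_mech.conf}"
    [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
        awk 'NF == 2 && $2 == "mechglue_internal_krb5_init" { found = 1 }
             END { exit !found }'
}

# The first entry in /etc/hosts must be "ip fqdn shortname" so the client
# resolves its own FQDN (the OS X problem from step 6a): the second field must
# be the short name plus a domain, and the third the short name itself.
check_hosts_fqdn() {
    f="${1:-/etc/hosts}"; short="${2:-$(hostname -s)}"
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | head -n 1 |
        awk -v s="$short" 'NF >= 3 && $2 ~ ("^" s "\\.") && $3 == s { ok = 1 }
                            END { exit !ok }'
}

# The keytab must hold the principal rpc.gssd will use for the machine
# (host/ or nfs/ for the client FQDN, including the realm). Uses klist -k,
# so it only says anything useful on a host with Kerberos installed.
check_keytab_principal() {
    kt="${1:-/etc/krb5.keytab}"; princ="$2"
    klist -k "$kt" 2>/dev/null |
        awk -v p="$princ" '$2 == p { ok = 1 } END { exit !ok }'
}

# rpc.gssd has to be running or every sec=krb5 mount fails at context setup.
check_gssd_running() {
    pgrep -x rpc.gssd >/dev/null 2>&1
}

# Run all checks for this client; the keytab check needs the full principal,
# e.g.: preflight host/clientname.domainname.local@YOUR.REALM
preflight() {
    check_gssapi_mech && check_hosts_fqdn && \
        check_keytab_principal "" "$1" && check_gssd_running
}
```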
