===== What is this about? =====
Setting up two Linux systems in a simple server/client configuration, to use NFSv4 exports with Kerberos.

===== setup rhel6 kdc =====
yum -y install krb5-workstation krb5-server

# create /etc/krb5.conf :
-------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FLUXCOIL.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
# allow_weak_crypto = true

[realms]
 FLUXCOIL.NET = {
  kdc = rhel6u2c.fluxcoil.net
  admin_server = rhel6u2c.fluxcoil.net
 }

[domain_realm]
 .fluxcoil.net = FLUXCOIL.NET
 fluxcoil.net = FLUXCOIL.NET

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
-------------------------------------------

# create /var/kerberos/krb5kdc/kdc.conf :
-------------------------------------------
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 FLUXCOIL.NET = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # note that des is only here because some clients support nothing else
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
-------------------------------------------

# create /var/kerberos/krb5kdc/kadm5.acl :
-------------------------------------------
*/admin@FLUXCOIL.NET *
-------------------------------------------

# create /etc/gssapi_mech.conf :
-------------------------------------------
# library                               initialization function
# ================================      ==========================
# The MIT K5 gssapi library, use special function for initialization.
libgssapi_krb5.so.2                     mechglue_internal_krb5_init
# -------------------------------------------

# initialize the kerberos database
kdb5_util -r FLUXCOIL.NET create -s

# add the first user
kadmin.local -q "addprinc root/admin"

# start services
chkconfig kadmin on
chkconfig krb5kdc on
service kadmin start
service krb5kdc start

# add host principal, required for ssh or replication.
# the nfs principal is required for the nfs services later; in this
# example the KDC will also offer the nfs export.
kadmin
> kadmin: addprinc -randkey host/rhel6u2c.fluxcoil.net
> kadmin: ktadd host/rhel6u2c.fluxcoil.net
> kadmin: addprinc -randkey nfs/rhel6u2c.fluxcoil.net
> kadmin: ktadd -e des3-hmac-sha1:normal nfs/rhel6u2c.fluxcoil.net

===== setup the export on rhel6 =====
# now prepare the nfs export.
# create a nfsv4root and bindmount the real data there
mkdir -m 1777 /mnt/nfsv4root
mkdir /mnt/nfsv4root/store
mount -n --bind /realpath /mnt/nfsv4root/store

# ensure SECURE_NFS="yes" is set in /etc/sysconfig/nfs
grep SECURE_NFS /etc/sysconfig/nfs

# create /etc/idmapd.conf

# configure the export
cat >/etc/exports <<EOF
# [placeholder: the export entries for /mnt/nfsv4root were lost when this page was extracted; fill them in here]
EOF

===== setup rhel5 client =====
yum -y install krb5-workstation krb5-libs pam_krb5 cyrus-sasl-gssapi

# now open firewall ports, copy /etc/krb5.conf to the client
scp rhel6u2c:/etc/krb5.conf .

# generate principal for the client and fill it into keytab
kadmin
> kadmin: addprinc -randkey nfs/rhel5u8b.fluxcoil.net
> kadmin: ktadd -e des-cbc-crc:normal nfs/rhel5u8b.fluxcoil.net

# Depending on the nfs-utils/kernel versions different encryption types are supported.
# rhel5u3: des-cbc-crc:normal only?
# rhel5u8: aes256-cts:normal / aes128-cts:normal / des3-hmac-sha1:normal also supported
# pick the strongest type the client supports; single DES (des-cbc-crc) is weak and only belongs in a keytab for clients that cannot do anything else.

vi /etc/sysconfig/nfs
# make sure that RPCGSSDARGS="-vvv" is set for debugging - disable this later

# now start the daemons
service portmap restart
service rpcidmapd start
service rpcgssd start
tail -f /var/log/messages &

# now mounting should work:
mount -t nfs4 -o sec=krb5 rhel6u2c.fluxcoil.net:/ /mnt/tmp

===== setup sles client =====
zypper install krb5
# create principal host/ instead of nfs/