



What is this about?

Setting up two Linux systems in a simple server/client configuration, so that NFSv4 exports can be used with Kerberos.

setup rhel6 kdc

# krb5-server supplies the KDC (krb5kdc) and the admin daemon (kadmind) configured below,
# krb5-workstation the kadmin/kinit/klist client tools
yum -y install krb5-workstation krb5-server

# create /etc/krb5.conf :
-------------------------------------------
[logging]
# FILE: targets are plain files; krb5kdc.log records every ticket request and is the
# first place to look when a client cannot get a ticket
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FLUXCOIL.NET
# realm and KDC are named explicitly in [realms]/[domain_realm] below, so no DNS
# (TXT/SRV) discovery is used for either
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
# forwardable tickets let a service (e.g. an ssh login) act on the user's behalf;
# only needed when that is actually wanted
 forwardable = true
# with MIT krb5 1.8 and later the library rejects the des-* enctypes offered in
# kdc.conf's supported_enctypes unless this is enabled; turn it on only while a
# DES-only legacy client still exists, on every host that has to talk to it
# allow_weak_crypto = true

[realms]
# KDC and kadmind both run on rhel6u2c in this example
 FLUXCOIL.NET = {
  kdc = rhel6u2c.fluxcoil.net
  admin_server = rhel6u2c.fluxcoil.net
 }

[domain_realm]
# host names under fluxcoil.net (and the domain itself) belong to the realm
 .fluxcoil.net = FLUXCOIL.NET
 fluxcoil.net = FLUXCOIL.NET

[appdefaults]
# settings read by the pam_krb5 module (installed on the client later); the lifetimes here
# presumably are seconds (10h) rather than the 24h/7d above -- confirm against pam_krb5(5)
# krb4_convert refers to the obsolete Kerberos 4 ticket conversion and stays off
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}
-------------------------------------------

# create /var/kerberos/krb5kdc/kdc.conf :
-------------------------------------------
[kdcdefaults]
# the KDC listens on port 88 udp and tcp; these are the ports to open on the KDC's firewall
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 FLUXCOIL.NET = {
  # left commented out: the build's default master key type is used
  #master_key_type = aes256-cts
  # who may run which kadmin operations, see the kadm5.acl file below
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  # passwords that appear in this word list are rejected by kadmin
  dict_file = /usr/share/dict/words
  # keytab kadmind uses for its own service principals
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # note that des is only here because some clients support nothing else
  # des-* (single DES) and arcfour-hmac (RC4) are weak; the :v4 and :afs3 entries are
  # Kerberos 4 / AFS salt types for the same DES key. Remove them, and re-key the
  # principals that got such keys, as soon as every client can use aes or des3.
  # Clients also need allow_weak_crypto = true in krb5.conf before DES can be used at all.
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
-------------------------------------------

# create /var/kerberos/krb5kdc/kadm5.acl :
-------------------------------------------
# principal pattern, then permissions: every "<user>/admin" principal of the realm
# gets all privileges (*); for production, list only the admins that are needed
*/admin@FLUXCOIL.NET    *
-------------------------------------------

# create /etc/gssapi_mech.conf :
-------------------------------------------
# library                              initialization function
# ================================    ==========================
# The MIT K5 gssapi library, use special function for initialization.
# one mechanism per line: shared object name, then the init symbol mechglue calls;
# this is what rpc.gssd/rpc.svcgssd on these releases load (newer releases
# presumably keep the equivalent list in /etc/gss/mech)
libgssapi_krb5.so.2          mechglue_internal_krb5_init
#
-------------------------------------------

# initialize the kerberos database
# -s also writes a stash file holding the master key, so krb5kdc and kadmind can
# start without a prompt; the stash file must stay readable by root only
kdb5_util -r FLUXCOIL.NET create -s

# add the first user
# prompts for a password; root/admin matches the */admin pattern in kadm5.acl and
# therefore has full administrative rights over the database
kadmin.local -q "addprinc root/admin"

# start services
chkconfig kadmin on
chkconfig krb5kdc on
service kadmin start
service krb5kdc start

# add the host principal (required for ssh logins or KDC replication) and the nfs
# principal for the nfs services later; in this example the KDC will also offer the nfs export.
# kadmin (unlike kadmin.local) talks to kadmind and, run as root, authenticates as root/admin.
# -randkey generates a random key instead of prompting for a password; ktadd stores the
# key in /etc/krb5.keytab (root-only) unless -k names another keytab.
# -e des3-hmac-sha1:normal restricts the nfs key to a single enctype the client kernels
# can use (see the enctype notes in the rhel5 client section)
kadmin
> kadmin: addprinc -randkey host/rhel6u2c.fluxcoil.net
> kadmin: ktadd  host/rhel6u2c.fluxcoil.net
> kadmin: addprinc -randkey nfs/rhel6u2c.fluxcoil.net
> kadmin: ktadd -e des3-hmac-sha1:normal nfs/rhel6u2c.fluxcoil.net

setup the export on rhel6

# now prepare the nfs export.
# create a nfsv4root and bindmount the real data there
# -m 1777: world-writable with the sticky bit, like /tmp; the pseudo-root itself only
# holds bind mounts, the real permissions live on /realpath
mkdir -m 1777 /mnt/nfsv4root
mkdir /mnt/nfsv4root/store
# -n keeps the mount out of /etc/mtab; add an /etc/fstab entry if it has to survive a reboot
mount -n --bind /realpath /mnt/nfsv4root/store

# ensure SECURE_NFS="yes" is set in /etc/sysconfig/nfs
# (grep only shows the current value; edit the file if it is not "yes", otherwise
# rpc.svcgssd is not started and the gss/krb5 export below cannot be used)
grep SECURE_NFS /etc/sysconfig/nfs

# create /etc/idmapd.conf
# (contents not shown here; the Domain setting presumably has to agree between server
# and client, otherwise owners map to nobody -- confirm against idmapd.conf(5))

# configure the export
# gss/krb5 is the older spelling of sec=krb5: Kerberos authentication only, no integrity
# or privacy protection on the wire (that would be krb5i / krb5p, on the export and the
# client mount alike).
# insecure: accept client source ports above 1023. Acceptable here only because the
# Kerberos credentials, not the privileged source port, authenticate each request.
# fsid=0 marks the NFSv4 pseudo-root; anonuid/anongid map unmapped users to nobody (65534).
cat >/etc/exports<<EOT
/mnt/nfsv4root       gss/krb5(sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534)
/mnt/nfsv4root/store gss/krb5(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534)
EOT

# rpcsvcgssd is the server-side GSS daemon; it reads the nfs/ key from /etc/krb5.keytab
service rpcbind restart
service nfs restart
service rpcsvcgssd restart

# keep the log visible in the background while the client is being set up
tail -f /var/log/messages &

setup rhel5 client

yum -y install krb5-workstation krb5-libs pam_krb5 cyrus-sasl-gssapi

# now open firewall ports (88 tcp/udp towards the KDC, plus the NFS/rpc ports towards
# the server) and copy /etc/krb5.conf to the client
# NOTE: this command lands the file in the current directory, not in /etc; move it to
# /etc/krb5.conf afterwards or the client uses its stock krb5.conf
scp rhel6u2c:/etc/krb5.conf .

# generate principal for the client and fill it into keytab
# run on the client: kadmin authenticates as root/admin against kadmind on the KDC and
# ktadd writes the key straight into the client's /etc/krb5.keytab.
# -e des-cbc-crc:normal produces a single-DES key, the weakest entry in supported_enctypes;
# see the notes below and prefer a stronger enctype wherever the client kernel allows it
kadmin
> kadmin: addprinc -randkey nfs/rhel5u8b.fluxcoil.net
> kadmin: ktadd -e des-cbc-crc:normal nfs/rhel5u8b.fluxcoil.net

# Depending on the nfs-utils/kernel versions different encryption types (enctypes) are supported.
# rhel5u3: des-cbc-crc:normal only?
# rhel5u8: aes256-cts:normal / aes128-cts:normal / des3-hmac-sha1:normal also supported

vi /etc/sysconfig/nfs
# make sure that RPCGSSDARGS="-vvv" is set for debugging - disable this later
# (-vvv makes rpc.gssd log every GSS context setup to syslog, i.e. the tail below)

# now start the daemons
# portmap is the rhel5 name of rpcbind; rpcgssd is the client-side GSS daemon and
# needs the nfs/ key from /etc/krb5.keytab added above
service portmap restart
service rpcidmapd start
service rpcgssd start

tail -f /var/log/messages &

# now mounting should work:
# sec=krb5 authenticates only; sec=krb5i (integrity) or sec=krb5p (privacy) protect the
# file data on the wire, but the export must offer the same flavour
mount -t nfs4 -o sec=krb5 rhel6u2c.fluxcoil.net:/ /mnt/tmp

setup sles client

# the krb5 package provides the client libraries and tools (kinit, klist, kadmin)
zypper install krb5

# create principal host/<hostname> instead of nfs/<hostname>
# (the SLES notes end here; the remaining steps presumably follow the rhel5 client section above)