kerberized NFS
Rick Macklem
rmacklem at uoguelph.ca
Fri Jan 27 23:52:26 UTC 2012
Giulio Ferro wrote:
> I'm trying to setup a kerberized NFS system made of a server and a
> client (both freebsd 9 amd64 stable)
>
> I've tried to follow this howto:
> http://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup
>
> But couldn't get much out of it.
>
> First question : is this howto still valid or something more recent
> should be followed? I've searched with Google but I've come up empty.
>
It's all there is. I don't think anything has changed since it was
written. (I haven't had a kerberos setup for about 2 years, so I know
I haven't changed anything recently.)
It was a google wiki, since I hoped others would add to it, but I don't
think that has happened?
> I've set up kerberos heimdal, created the dns entries for both
> client and server, set up krb5.keytab and copied it to client, set
> up nfs4 according to man nfsv4:
>
> (server)
> cat /etc/exports
> V4: /usr/src -sec=krb5:krb5i:krb5p
>
The V4: line doesn't export any file system. It only defines
where the root of the directory tree is for NFSv4 and what
authentication can be used for "system operations" which do
not take any file handle and, therefore, aren't tied to any
server file system.
For example, the above would need to be something like:
V4: /usr/src -sec=krb5:krb5i:krb5p
/usr/src -sec=krb5:krb5i:krb5p <host or network or nothing to
export it to a world>
- If /usr/src is not the root of a file system on the server,
it is less confusing to export the root of the file system,
such as "/usr" or "/".
> and then tried to mount it from the client:
>
> mount_nfs -o ntfsv4,sec=krb5i,gssname=nfs
> nfsinternal1.dcssrl.it:/usr/src /usr/src
>
To make the "gssname" case work, you need a couple of things:
- You need the patch it refers to applied to the client's kernel,
so it can handle "host based initiator credentials". After
applying the patch, you also need to have an entry in the
client's /etc/keytab that looks like:
nfs/client-host.dnsdomain at YOUR.REALM
Without the above, the client can only do an NFSv4 mount as a
user (not root) that has a valid credential. For example:
- non-root mounts enabled via
# sysctl vfs.usermount=1
- then a user logs in
- gets a kerberos TGT via "kinit"
- then does a mount command that looks like:
% mount -t nfs -o nfsv4,sec=krb5i <server>:/path
- this mount breaks if this user's TGT expires, so it either
must be maintained via some utility (there are a couple out
there, but I can't remember the name of one offhand) or
manually by doing "kinit" again before it expires
- this user must umount the file system when done with it
(I know, it would be nice if the host based initiator cred. worked,
"out of the box", but the patch is ugly and the reviewer understandably
didn't agree with it. However, I don't know how to do it another way
for the version of Heimdal in FreeBSD. There is a bug that has apparently
been fixed for newer Heimdal releases, where it gets confused w.r.t.
encryption type for the keytab entry unless it is forced to one
encryption type only.)
Also, you need the following in the server's /etc/rc.conf:
nfsv4_server_enable="YES"
gssd_enable="YES"
and in the client:
nfsuserd_enable="YES"
gssd_enable="YES"
Finally, I'd suggest that you get NFSv4 mounts over "sys" working first
and then you can try Kerberos.
> but it failed with :
> [tcp] nfsinternal1.dcssrl.it:/usr/src: Permission denied
>
> Can you point me to something that I might have got wrong?
>
> Thanks in advance.
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
More information about the freebsd-net
mailing list