This post is part of a series of blog posts:
- Part 1 – OpenLDAP setup
- Part 2 – SSL/TLS
- Part 3 – Schemas for samba, autofs and kerberos
- Part 4 – Kerberos setup
- Part 5 – DNS settings for kerberos using dnsmasq
- Part 6 – NFSv4 with kerberos
- Part 7 – Autofs
Next it is time to finally get files moving between the machines. For this we use NFSv4, which supports Kerberos out of the box on Ubuntu as well. This part is based on the newest Lucid packages in the repositories, which should be pretty close to alpha 3 now.
The following documents were used to get the configuration working:
- MIT Kerberos manual: Hostnames for KDCs
- Doug Potter: Kerberos/LDAP/NFSv4 HOWTO
The goal of the setup is to have a single file server that shares the following directories to clients over NFSv4 with Kerberos authentication:
The server squashes root and requires a Kerberos ticket for every access, so root on a client cannot read other users' files. That makes it possible to export the shares in potentially hostile environments: compromising a single client host does not expose the whole file server, only the files of the users who currently hold a ticket on that host (their credential caches are readable by root there).
The following packages are needed on the server:
Unlike NFSv3, NFSv4 exports a single pseudo-filesystem: one directory is marked as its root (fsid=0) and the directories to be shared are bind-mounted (mount --bind) beneath it. Here we place them under /export:
Then we tell /etc/fstab to bind-mount /home under /export/home. Add the following at the bottom of /etc/fstab:
After this, /export/home can be mounted with the following command; it will also be mounted automatically when the system boots:
Next, configure /etc/exports so that the directories are exported only to NFSv4 clients authenticating with Kerberos:
Next, configure the NFS server to use Kerberos (rpc.svcgssd must be started):
/etc/idmapd.conf needs to be configured with the proper Domain for user and group name mapping; NFSv4 carries owners as user@domain, and the Domain must be identical on the server and on the clients:
The NFS server in Lucid supports only DES encryption types for the nfs/ service keys, and DES is disabled by default by the Kerberos 1.8 libraries in Lucid (allow_weak_crypto = false). DES is broken cryptography, so keep it confined to the nfs/ principals, leave user and other service keys on strong enctypes, and drop the setting once the NFS packages support stronger enctypes. There is more information in the bug reports:
For now, DES can be enabled with the following settings:
Next we need to create Kerberos service principals (nfs/hostname) for the server and each client. In this example all the principals are created on the server and the client keytabs are copied to the clients. It is also possible to use kadmin remotely from the client machines.
Now copy client1.keytab and client2.keytab to /etc/krb5.keytab on the respective client machines, over an encrypted channel such as scp, and make them readable only by root (mode 0600): whoever can read the keytab can act as that host.
The server should now be ready after restarting the services:
The server functionality can be tested by trying to mount one of the exported shares locally:
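As an added example (not the configuration from the original post), the following script assembles the server-side pieces from the steps above: the /export pseudo root with /home bind-mounted under it, /etc/exports restricted to the Kerberos flavours, the idmapd Domain, the svcgssd switch in /etc/default/nfs-kernel-server, the allow_weak_crypto snippet for krb5.conf, and the kadmin commands that create DES-keyed nfs/ principals. The realm EXAMPLE.COM, the hosts server, client1 and client2 in example.com and the client network 192.168.1.0/24 are assumptions, and the exports use the sec= option syntax rather than the older gss/krb5 client form. Everything is written under a prefix directory, so `sh nfs-server-setup.sh apply /tmp/dry` is a dry run and `sh nfs-server-setup.sh apply` as root writes the real files.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the server-side
# NFSv4+Kerberos configuration described above. Realm, hostnames and the
# client network below are assumptions; override them via the environment.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
DOMAIN="${DOMAIN:-example.com}"
SERVER="${SERVER:-server.$DOMAIN}"
CLIENTS="${CLIENTS:-client1.$DOMAIN client2.$DOMAIN}"
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"

# put_file PREFIX PATH : write stdin to PREFIX/PATH, creating directories.
put_file() {
    mkdir -p "$(dirname "$1$2")"
    cat > "$1$2"
}

# set_default FILE KEY VALUE : replace or append KEY=VALUE in a defaults
# file without discarding the other settings already in it.
set_default() {
    f="$1"; mkdir -p "$(dirname "$f")"; touch "$f"
    { grep -v "^$2=" "$f" || true; printf '%s=%s\n' "$2" "$3"; } > "$f.tmp"
    mv "$f.tmp" "$f"
}

# NFSv4 exports one pseudo filesystem; /home is bind-mounted under it.
fstab_line() {
    printf '%s\n' '/home /export/home none bind 0 0'
}

# fsid=0 marks /export as the pseudo root. sec= lists the Kerberos flavours
# a client may use (krb5 = authentication, krb5i = +integrity, krb5p =
# +privacy); no sys flavour, so an unauthenticated client gets nothing.
# root_squash is the default, so root on a client is mapped to nobody.
exports_content() {
    printf '%s\n' \
      "/export      $CLIENT_NET(rw,sync,fsid=0,crossmnt,no_subtree_check,sec=krb5:krb5i:krb5p)" \
      "/export/home $CLIENT_NET(rw,sync,no_subtree_check,sec=krb5:krb5i:krb5p)"
}

# NFSv4 carries owners as user@Domain; Domain must match on every host.
idmapd_content() {
    printf '[General]\nDomain = %s\n\n[Mapping]\nNobody-User = nobody\nNobody-Group = nogroup\n' "$DOMAIN"
}

# Lucid's rpc.svcgssd only handles DES keys, and the Kerberos 1.8 libraries
# refuse DES unless allow_weak_crypto is set. Merge this into [libdefaults]
# of /etc/krb5.conf on the KDC, the server and the clients; it is printed
# rather than written because krb5.conf holds more than this section.
krb5_weak_crypto_snippet() {
    printf '[libdefaults]\n\tdefault_realm = %s\n\tallow_weak_crypto = true\n' "$REALM"
}

# kadmin.local commands for the nfs/ service principals. Only the nfs/
# keys are DES (-e des-cbc-crc:normal); user principals keep strong keys.
kadmin_commands() {
    printf 'addprinc -randkey nfs/%s@%s\n' "$SERVER" "$REALM"
    printf 'ktadd -k /etc/krb5.keytab -e des-cbc-crc:normal nfs/%s@%s\n' "$SERVER" "$REALM"
    for c in $CLIENTS; do
        printf 'addprinc -randkey nfs/%s@%s\n' "$c" "$REALM"
        printf 'ktadd -k /root/%s.keytab -e des-cbc-crc:normal nfs/%s@%s\n' "${c%%.*}" "$c" "$REALM"
    done
}

# write_server_config PREFIX : lay the files down under PREFIX ("" for /).
write_server_config() {
    p="$1"
    mkdir -p "$p/export/home" "$p/etc"
    grep -qs '^/home /export/home ' "$p/etc/fstab" || fstab_line >> "$p/etc/fstab"
    exports_content | put_file "$p" /etc/exports
    idmapd_content  | put_file "$p" /etc/idmapd.conf
    set_default "$p/etc/default/nfs-kernel-server" NEED_SVCGSSD yes
}

# Define-only unless called as "apply [PREFIX]", so the functions can be
# sourced or tested without touching the system.
if [ "${1:-}" = "apply" ]; then
    write_server_config "${2:-}"
    echo '# merge into /etc/krb5.conf:'; krb5_weak_crypto_snippet
    echo '# run on the KDC, one kadmin.local -q "<command>" per line:'; kadmin_commands
    echo '# then: mount /export/home && service nfs-kernel-server restart'
fi
```

The exports deliberately offer krb5, krb5i and krb5p but never sys, so a client that forgets `sec=` on the mount (and therefore asks for sys) is refused instead of silently getting unauthenticated access.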
The following packages are needed on the client machines:
To avoid having to configure the Kerberos server settings on each client separately, one can use DNS to store the settings as described in the previous post (Part 5).
- /etc/default/nfs-common – rpc.idmapd and rpc.gssd need to be enabled (NEED_IDMAPD=yes and NEED_GSSD=yes)
- /etc/idmapd.conf – Domain must match the name defined on the server for user and group name mapping to work
After the configuration, nfs-common needs to be restarted (the rpcsec_gss_krb5 module needs to be loaded if it has not been loaded automatically):
Mounting the share should now work with the mount command:
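The client side of the same procedure, again as an added example rather than the post's own files: enable rpc.gssd and rpc.idmapd in /etc/default/nfs-common without clobbering the other settings in that file, set the same Domain in /etc/idmapd.conf, and build the mount command with an explicit Kerberos flavour (krb5, krb5i or krb5p; the kernel default, sec=sys, is rejected by a server that exports only Kerberos flavours). The server name and the domain example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: client-side configuration for
# a Kerberos-authenticated NFSv4 mount. Domain and server are assumptions.
set -eu

DOMAIN="${DOMAIN:-example.com}"
SERVER="${SERVER:-server.$DOMAIN}"

# set_default FILE KEY VALUE : replace or append KEY=VALUE in a defaults
# file without discarding the other settings already in it.
set_default() {
    f="$1"; mkdir -p "$(dirname "$f")"; touch "$f"
    { grep -v "^$2=" "$f" || true; printf '%s=%s\n' "$2" "$3"; } > "$f.tmp"
    mv "$f.tmp" "$f"
}

# write_client_config PREFIX : rpc.gssd (Kerberos context setup) and
# rpc.idmapd (name mapping) must both run; Domain must equal the server's.
write_client_config() {
    p="$1"
    set_default "$p/etc/default/nfs-common" NEED_GSSD   yes
    set_default "$p/etc/default/nfs-common" NEED_IDMAPD yes
    mkdir -p "$p/etc"
    printf '[General]\nDomain = %s\n\n[Mapping]\nNobody-User = nobody\nNobody-Group = nogroup\n' \
        "$DOMAIN" > "$p/etc/idmapd.conf"
}

# mount_cmd FLAVOUR MOUNTPOINT : print the mount command for the server's
# pseudo root. Only Kerberos flavours are accepted; krb5p also encrypts the
# file data and is the one to use on an untrusted network.
mount_cmd() {
    case "$1" in
        krb5|krb5i|krb5p) ;;
        *) echo "mount_cmd: refusing non-Kerberos flavour '$1'" >&2; return 1 ;;
    esac
    printf 'mount -t nfs4 -o sec=%s %s:/ %s\n' "$1" "$SERVER" "$2"
}

# Define-only unless called as "apply [PREFIX] [FLAVOUR]".
if [ "${1:-}" = "apply" ]; then
    write_client_config "${2:-}"
    echo '# load the GSS module, restart the daemons, then mount:'
    echo '# modprobe rpcsec_gss_krb5 && service nfs-common restart'
    mount_cmd "${3:-krb5p}" /mnt/nfs
fi
```

The mount goes to `server:/`, the fsid=0 pseudo root, and /export/home appears beneath it because of crossmnt on the server side; a user without a ticket can mount and list the root but cannot enter a home directory.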
If there are problems, restarting the client machine may help, as sometimes picking up the Kerberos settings hasn't worked for me. I'm probably missing some service that requires restarting.
At this point the user has no Kerberos ticket, so they should not be able to enter even their own home directory:
After getting a ticket with kinit it should work:
Root squash should also prevent root on the client machine from entering other users' directories:
Now reboot and try again. Everything should now be working.
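The three checks above exercise the properties by hand. As an added example (not from the post), the script below audits the same properties from the configuration: every NFS mount on the client must carry a Kerberos sec= flavour (a mount with no sec= option silently gets sec=sys), every export line on the server must keep root_squash and must not admit the sys or none flavours, and the client keytab must be readable by root only. It understands both the sec= export option and the older gss/krb5 client syntax. File paths are parameters, so it can be run against copies of the real files; the sample mount and export lines used to test it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an NFSv4/Kerberos setup
# for the properties the post relies on. Paths are given as arguments so
# the functions can be run against copies of the real files.
set -eu

# bad_mounts FILE : NFS mounts (in /proc/mounts format) that are not
# Kerberos-secured. A mount with no sec= option defaults to sec=sys.
bad_mounts() {
    awk '$3 ~ /^nfs4?$/ {
            sec = "sys"
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
            if (sec !~ /^krb5[ip]?$/) print $2 " (sec=" sec ")"
         }' "$1"
}

# bad_exports FILE : export entries that weaken the setup: no_root_squash
# (root on a client becomes root on the server), insecure (source ports
# above 1024 accepted), or a sec= list that admits sys or none. Handles
# both "host(opts,sec=krb5)" and the older "gss/krb5(opts)" client syntax.
bad_exports() {
    sed 's/#.*//' "$1" | awk 'NF > 1 {
        for (i = 2; i <= NF; i++) {
            sec = "sys"                       # exports(5) default
            if ($i ~ /^gss\//) { sec = $i; sub(/^gss\//, "", sec); sub(/\(.*/, "", sec) }
            opts = $i; sub(/^[^(]*\(?/, "", opts); sub(/\)$/, "", opts)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash" || o[j] == "insecure") print $1 ": " o[j]
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            }
            if ((":" sec ":") ~ /:(sys|none):/) print $1 ": sec=" sec
        }
    }'
}

# keytab_ok FILE : /etc/krb5.keytab must be root's and mode 0600; anyone
# who can read it holds the host's Kerberos identity. (GNU stat.)
keytab_ok() {
    [ -f "$1" ] && [ "$(stat -c '%a %U' "$1")" = "600 root" ]
}

# audit MOUNTS EXPORTS KEYTAB : print findings, return 1 if there are any.
audit() {
    rc=0
    bad_mounts "$1"  | sed 's/^/insecure mount: /' | grep . && rc=1
    bad_exports "$2" | sed 's/^/weak export: /'    | grep . && rc=1
    keytab_ok "$3" || { echo "keytab $3 is missing or not root-only (0600)"; rc=1; }
    return $rc
}

# Audit the live system when invoked as "run"; otherwise only define.
if [ "${1:-}" = "run" ]; then
    audit /proc/mounts /etc/exports /etc/krb5.keytab
fi
```

Run it on the client as `sh nfs-audit.sh run` (the exports check is only meaningful on the server, where /etc/exports exists); a clean run prints nothing and exits 0.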