This blog posting is a part of a series of blog postings:
- Part 1 – OpenLDAP setup
- Part 2 – SSL/TLS
- Part 3 – Schemas for samba, autofs and kerberos
- Part 4 – Kerberos setup
- Part 5 – DNS settings for kerberos using dnsmasq
- Part 6 – NFSv4 with kerberos
- Part 7 – Autofs
Kerberos requires every client to know where the server is located. This can be done either by using /etc/krb5.conf file or using DNS to distribute the information. Using DNS makes it easier to do changes in the network settings as not every client needs to be updated. Next we aim to minimize the amount of configuration needed for every client so configuring DNS properly is a logical first step.
The following documents were used to get the configuration working:
- MIT Kerberos manual: Hostnames for KDCs
- Doug Potter: Kerberos/LDAP/NFSv4 HOWTO
The goal of the setup is to have a single file server that shares the following directories to clients over NFSv4 with kerberos authentication:
The server will not allow root to access other users’ files which makes it possible to export the shares in potentially hostile environments as the compromise of a single client host does not expose all contents of the file server.
The domain name used is edu.example.org and the NFS server will be the same machine as the kerberos server. The names used in this example map to following IPs:
- server.edu.example.org – 10.0.0.1
- ldap.edu.example.org – 10.0.0.1
- kerberos.edu.example.org – 10.0.0.1
- client1.edu.example.org – 10.0.0.10
- client2.edu.example.org – 10.0.0.11
Before we start with the NFS setup, we need to make sure that name resolution for the server and clients works with fully qualified domain names (fqdn). Also reverse mappings need to be working for NFSv4+krb5 to work properly.
There are many DNS servers that can be used. Here we use dnsmasq:
After restarting dnsmasq and configuring it to be used in /etc/resolv.conf, it should resolve names properly both ways:
Make sure that also the client machine names resolve correctly.
In addition to having DNS server configured properly, if the /etc/hosts file has names configured, make sure that the FQDN is before the shortname, e.g.:
This makes sure that host mappings are not done from /etc/hosts using the shortname of the server.
While we are at it, let’s also add the SRV records for kerberos so that we don’t need to configure kerberos realms for every client separately:
Clients can now find the kerberos server automatically when the realm is given (e.g. kinit testuser@EDU.EXAMPLE.ORG). To set default realm, /etc/krb5.conf can be used:
Now the name server should be ready for the actual setup. The actual NFSv4+kerberos setup is described in the next part.