Enduser doc kerberos

From Linux NFS

(Difference between revisions)
(Kerberos 5 setup for NFSv4)
(Kerberos 5 setup for NFSv4: added details)
Line 3: Line 3:
The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)
The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)
-
* We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server.
+
* We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server.  This [http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html Kerberos Infrastructure HOWTO] is a good reference to configure and start the Kerberos KDC.
-
* Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
+
* Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab.  The location /etc/krb5.keytab is specified as ''admin_keytab'' in kdc.conf. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
-
  kadmin: addprinc -randkey nfs/myclient.mydomain
+
  # kadmin.local
-
  kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
+
kadmin.local: addprinc -randkey nfs/myclient.mydomain
 +
  kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
-
# Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
+
# Now copy the new keytab /tmp/keytab to /etc/krb5.keytab, or where specified by ''admin_keytab'', on the client.
# Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.
# Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.
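Review bot: the added sentence "The location /etc/krb5.keytab is specified as admin_keytab in kdc.conf" (and the matching "or where specified by admin_keytab" in the copy step) points at the wrong setting: admin_keytab in kdc.conf is the keytab kadmind reads for its own kadmin service principals, not the keytab the NFS client and server read, which is the system default keytab (/etc/krb5.keytab unless default_keytab_name is changed in krb5.conf). Suggest dropping the kdc.conf reference or replacing it with default_keytab_name in krb5.conf. Separately, the two "#" lines after the indented kadmin.local block start a new numbered list in the rendered page (they appear as "1." and "2." below), so "Repeat steps 2 and 3" no longer matches the visible numbering; indenting the commands under the second item or using one list style for all four steps keeps the step references correct.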

Revision as of 21:16, 24 February 2006

Kerberos 5 setup for NFSv4

The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)

  1. We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This Kerberos Infrastructure HOWTO (http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html) is a good reference to configure and start the Kerberos KDC.
  2. Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. The location /etc/krb5.keytab is specified as admin_keytab in kdc.conf. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
       # kadmin.local
       kadmin.local: addprinc -randkey nfs/myclient.mydomain
       kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
  3. Now copy the new keytab /tmp/keytab to /etc/krb5.keytab, or where specified by admin_keytab, on the client.
  4. Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.

Warnings

Some warnings about Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
  3. Use only lower-case characters for machine names in Kerberos and in the DNS.
  4. Currently, Kerberos/NFS does not work with multiple network interfaces on the same machine.
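As an added example that is not part of the wiki page, a POSIX shell check for warnings 2 and 3 above: it verifies that an /etc/hosts-style file lists the FQDN first on the machine's IP line and keeps the machine's name off the localhost line, and that the name is lower case. The file contents, the IP 192.0.2.10 and the names are constructed for the demonstration.

```shell
# Added example (not from the Linux NFS wiki): checks warnings 2 and 3
# against an /etc/hosts-style file.
#   check_lowercase NAME              -> 0 if NAME contains no upper-case letters
#   check_hosts FILE IP FQDN SHORT    -> 0 if FILE satisfies warning 2 for this host
# The sample files at the bottom are constructed for the demonstration.

check_lowercase() {
    # Warning 3: Kerberos and DNS names must be all lower case.
    case "$1" in
        *[[:upper:]]*) echo "not lower case: $1" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

check_hosts() {
    file=$1; ip=$2; fqdn=$3; short=$4
    rc=0
    # Warning 2a: the FQDN must be the first name on the line for the machine's IP.
    first=$(awk -v ip="$ip" '$1 == ip { print $2; exit }' "$file")
    if [ "$first" != "$fqdn" ]; then
        echo "$file: first name for $ip is '$first', expected $fqdn" >&2
        rc=1
    fi
    # Warning 2b: neither the short nor the full name may sit on a localhost line
    # (awk exits 0 only when it found one of the names there).
    if awk -v s="$short" -v f="$fqdn" \
        '$1 ~ /^(127\.|::1)/ { for (i = 2; i <= NF; i++) if ($i == s || $i == f) found = 1 }
         END { exit !found }' "$file"; then
        echo "$file: $short appears on a localhost line" >&2
        rc=1
    fi
    check_lowercase "$fqdn" || rc=1
    return $rc
}

# Constructed samples: GOOD follows the warnings, BAD puts the short name first
# and also lists it on the localhost line.
GOOD=$(mktemp); BAD=$(mktemp)
printf '127.0.0.1 localhost\n192.0.2.10 myclient.mydomain myclient\n' > "$GOOD"
printf '127.0.0.1 localhost myclient\n192.0.2.10 myclient myclient.mydomain\n' > "$BAD"
```

Run it against the real /etc/hosts with the machine's address and names before creating the nfs/ principal; a non-zero exit prints which rule failed.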