NFS Howto Submissions nfs krb5
From Linux NFS
(→Requirements) |
(→Requirements) |
||
Line 15: | Line 15: | ||
Is ok. Whereas this: | Is ok. Whereas this: | ||
<pre> | <pre> | ||
- | [cmsmith@ | + | [cmsmith@client ~]$ cat /etc/hosts |
# Do not remove the following line, or various programs | # Do not remove the following line, or various programs | ||
# that require network functionality will fail. | # that require network functionality will fail. | ||
- | 127.0.0.1 localhost.localdomain | + | 127.0.0.1 localhost.localdomain client localhost |
</pre> | </pre> | ||
is not. | is not. |
Revision as of 16:22, 11 April 2006
Contents |
Kerberos and NFS
Kerberos can be used to provide both mutual authentication (validating both the client and server prior to transmitting data) and encryption for data sent via NFS. This is implemented with the RPCSEC_GSS security flavor of ONC RPC protocol, defined by RFC 1831 and RFC 2203. This subsection of NFS Howto: Security attempts to provide a complete and accurate cookbook configuration guide for how to get Kerberos validation / authentication working with NFSv3/NFSv4 mount points.
Requirements
- /etc/services should have entries in it for port 2049 for both TCP and UDP NFS. This should be present in virtually every modern version of Linux, but it warrants mentioning.
- A working Kerberos realm for all of your NFS clients and server to authenticate against.
- A working NTP configuration on all hosts participating in your Kerberos realm. This will insure that the system clocks on your machines are set to matching times.
- Proper forward/reverse name FQDN/IP resolution must be working in DNS, or, at a minimum, the /etc/hosts file must contain this information. The machine's hostname must also not be included on the localhost line, aka:
[cmsmith@client ~]$ cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost.localdomain localhost 10.161.131.10 client.netapp.com client
Is ok. Whereas this:
[cmsmith@client ~]$ cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost.localdomain client localhost
is not.
Kerberos Configuration
Verify that the client has a working Kerberos configuration
Generate NFS Machine Credentials for the Kerberos Client
Add the NFS Machine Credentials to both the Kerberos Client and Server
NFSv3 Specifics
NFSv4 Specifics
The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.) We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add only this type of key.
kadmin: addprinc -randkey nfs/myclient.mydomain kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client. Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server. Things to be aware of when using Kerberos: