Enduser doc kerberos

From Linux NFS

(Difference between revisions)
Previous revision: m (Warnings)
This revision: (rewrite page)

Line 3:
 The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)
-* We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server.  This [http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html Kerberos Infrastructure HOWTO] is a good reference to configure and start the Kerberos KDC.
-* Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab.  Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
-# kadmin.local
-  kadmin.local: addprinc -randkey nfs/myclient.mydomain
-kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
-# Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
-# Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.
+To use Kerberos with NFS you need to setup the server and the client on your realm.
+
+We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This [http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html Kerberos Infrastructure HOWTO] is a good reference to configure and start the Kerberos KDC.
+
+
+=== Server Setup ===
+The server needs to be identified to the KDC with a principal of
+nfs/<fqdn>@REALM
+
+On the nfs-server you can run kadmin and authenticate as kadmin/admin:
+# kadmin
+kadmin: addprinc -randkey nfs/myclient.mydomain
+kadmin: ktadd nfs/myclient.mydomain
+
+On Debian you should enable the nfs server gssapi daemon in /etc/defaults/nfs-kernel-server :
+NEED_SVCGSSD=yes
+
+If your REALM is not the same as your lowercased dns domain you can add:
+  Local-Realm = <REALM>
+to the [General] section of /etc/idmapd.conf
+
+In May 2010: according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568771
+You should edit /etc/krb5.conf and put the following in the [libdefaults] section:
+  allow_weak_crypto=true
+
+Restart nfs-kernel-server and nfs-common
+
+=== Client Setup ===
+The client does not need an nfs/<fqdn>@REALM principal (or even a host/<fqdn>@REALM principal).
+
+It does need the id-mapper daemon and the gssapi daemon running: This may be picked up by initscripts parsing /etc/fstab or forced in /etc/defaults/nfs-common:
+  NEED_IDMAPD=yes
+  NEED_GSSD=yes
+
+(May 2010): The client also needs the allow_weak_crypto in /etc/krb5.conf [libdefaults]:
+  allow_weak_crypto=true
+
+Restart nfs-common
+
+=== Mounting ===
+NFSv4 can use Kerberos security to provide:
+* authentication
+* integrity
+* privacy
+
+These are specified on the client side using:
+* sec=krb5
+* sec=krb5i
+* sec=krb5p
+respectively. eg:
+mount -t nfs4 -o sec=krb5p nfs-server.domain.com:/ /nfs4/
+
+
+== External Links ==
+krb5/nfs constraint to -e des-cbc-crc:norma is not needed:
+  http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html
+
+Explanation of enctypes:
+  http://blogs.sun.com/wfiveash/resource/krb_enctypes_so8.pdf
+
+From the Debian NEWS.Debian.gz referenced above
+  (1.8+dfsg~alpha1-1
+
+  This version of MIT Kerberos disables DES and 56-bit RC4 by default.
+  These encryption types are generally regarded as weak; defeating them
+  is well within the expected resources of some attackers.  However,
+  some applications, such as OpenAFS or Kerberized NFS, still rely on
+  DES.  To re-enable DES support add allow_weak_crypto=true to the
+  libdefaults section of /etc/krb5.conf
+
+  Sam Hartman <hartmans@debian.org>  Fri, 08 Jan 201
 == Warnings ==
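Review bot: the rewrite removes the old client-side steps (a keytab limited to des-cbc-crc, copied to /etc/krb5.keytab) and instead has both the Server Setup and Client Setup text add allow_weak_crypto=true to [libdefaults], but the NEWS.Debian text quoted in the same hunk says that setting re-enables DES and 56-bit RC4 for the whole Kerberos library, and the External Links section says the des-cbc-crc constraint is not needed. Suggest the Server/Client Setup text state that allow_weak_crypto is only required while the NFS keys are DES, so readers do not keep it on after their keytabs carry only strong enctypes. Also, the kadmin example under Server Setup creates nfs/myclient.mydomain while the line before it says the server principal is nfs/<fqdn>@REALM; the example should use the server's own FQDN, or say that the name is a placeholder.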

Revision as of 14:02, 23 May 2010

Kerberos 5 setup for NFSv4

The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)

To use Kerberos with NFS you need to set up both the server and the client in your realm.

We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This Kerberos Infrastructure HOWTO (http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html) is a good reference for configuring and starting the Kerberos KDC.


Server Setup

The server needs to be identified to the KDC with a principal of the form

nfs/<fqdn>@REALM

where <fqdn> is the server's fully-qualified domain name. On the NFS server you can run kadmin, authenticate as kadmin/admin, and create the principal and its keytab entry (the example uses myclient.mydomain as the FQDN; substitute the server's own):

# kadmin
kadmin: addprinc -randkey nfs/myclient.mydomain
kadmin: ktadd nfs/myclient.mydomain

On Debian you should enable the NFS server GSSAPI daemon in /etc/defaults/nfs-kernel-server:

NEED_SVCGSSD=yes

If your REALM is not the same as your DNS domain (ignoring case), you can add:

 Local-Realm = <REALM>

to the [General] section of /etc/idmapd.conf.

As of May 2010, according to Debian bug #568771 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568771), you should edit /etc/krb5.conf and put the following in the [libdefaults] section:

 allow_weak_crypto=true

Restart nfs-kernel-server and nfs-common.

Client Setup

The client does not need an nfs/<fqdn>@REALM principal (or even a host/<fqdn>@REALM principal).

It does need the ID mapper daemon and the GSSAPI daemon running. The init scripts may start them when they parse /etc/fstab, or you can force them on in /etc/defaults/nfs-common:

 NEED_IDMAPD=yes
 NEED_GSSD=yes

(May 2010) The client also needs allow_weak_crypto in the [libdefaults] section of /etc/krb5.conf:

 allow_weak_crypto=true

Restart nfs-common.

Mounting

NFSv4 can use Kerberos security to provide:

  • authentication
  • integrity
  • privacy

These are specified on the client side using:

  • sec=krb5
  • sec=krb5i
  • sec=krb5p

respectively, e.g.:

mount -t nfs4 -o sec=krb5p nfs-server.domain.com:/ /nfs4/


External Links

The krb5/NFS constraint to -e des-cbc-crc:normal is not needed:

 http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html

Explanation of enctypes:

 http://blogs.sun.com/wfiveash/resource/krb_enctypes_so8.pdf

From the Debian NEWS.Debian.gz referenced above:

 (1.8+dfsg~alpha1-1

 This version of MIT Kerberos disables DES and 56-bit RC4 by default.
 These encryption types are generally regarded as weak; defeating them
 is well within the expected resources of some attackers.  However,
 some applications, such as OpenAFS or Kerberized NFS, still rely on
 DES.  To re-enable DES support add allow_weak_crypto=true to the
 libdefaults section of /etc/krb5.conf

 Sam Hartman <hartmans@debian.org>  Fri, 08 Jan 201
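The Server Setup and Client Setup sections both add allow_weak_crypto=true, and the NEWS.Debian text above explains that this re-enables DES and 56-bit RC4 for the whole Kerberos library. The following script is an added example, not part of the wiki page or of any NFS or Kerberos project: it checks whether the NFS keytab actually contains weak enctypes (from "klist -k -e" output) and whether krb5.conf enables allow_weak_crypto inside [libdefaults], and reports whether the setting is needed, missing, unneeded or absent. The keytab listings, krb5.conf fragments, host names and realm are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: checks whether the
# allow_weak_crypto=true setting from the Server/Client Setup sections is
# actually required by the NFS keytab. The keytab listings and krb5.conf
# files below are constructed sample data, not taken from a real host.

# weak_enctypes_in_keytab <file holding "klist -k -e" output>
# Prints, one per line, the weak enctypes present: the DES family and
# 56-bit export RC4 (arcfour-hmac-exp), the types Debian's MIT Kerberos
# 1.8 disables by default.
weak_enctypes_in_keytab() {
    sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p' "$1" | sort -u |
        grep -E '^(des-|arcfour-hmac-exp)' || :
}

# krb5_allow_weak_crypto <krb5.conf>
# Succeeds if allow_weak_crypto is enabled inside the [libdefaults] section
# (an occurrence in another section, or commented out, does not count).
krb5_allow_weak_crypto() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); next }
        sect == "libdefaults" && $1 ~ /^allow_weak_crypto/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (tolower(val) ~ /^(true|yes|1)$/) on = 1
        }
        END { exit !on }' "$1"
}

# audit_weak_crypto <klist output> <krb5.conf> prints one word:
#   NEEDED    weak keys in the keytab and allow_weak_crypto on (the 2010 state)
#   MISSING   weak keys in the keytab but allow_weak_crypto off: those keys are unusable
#   UNNEEDED  no weak keys, yet allow_weak_crypto on: weak crypto is enabled
#             for the whole library without NFS requiring it
#   CLEAN     no weak keys and allow_weak_crypto off
audit_weak_crypto() {
    weak=$(weak_enctypes_in_keytab "$1")
    if krb5_allow_weak_crypto "$2"; then on=1; else on=0; fi
    if [ -n "$weak" ] && [ "$on" = 1 ]; then echo NEEDED
    elif [ -n "$weak" ];             then echo MISSING
    elif [ "$on" = 1 ];              then echo UNNEEDED
    else                                  echo CLEAN
    fi
}

# Constructed sample inputs (written to temporary files).
KT_DES=$(mktemp); KT_AES=$(mktemp); CONF_WEAK=$(mktemp); CONF_STRICT=$(mktemp)
trap 'rm -f "$KT_DES" "$KT_AES" "$CONF_WEAK" "$CONF_STRICT"' EXIT
cat > "$KT_DES" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/nfs-server.example.com@EXAMPLE.COM (des-cbc-crc)
   2 nfs/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
cat > "$KT_AES" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/nfs-server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
EOF
cat > "$CONF_WEAK" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
EOF
cat > "$CONF_STRICT" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    # allow_weak_crypto = true
[appdefaults]
    allow_weak_crypto = true
EOF

for kt in "$KT_DES" "$KT_AES"; do
    for conf in "$CONF_WEAK" "$CONF_STRICT"; do
        echo "$(basename "$kt") + $(basename "$conf"): $(audit_weak_crypto "$kt" "$conf")"
    done
done
```

On a real host the first argument would be the output of "klist -k -e /etc/krb5.keytab" and the second /etc/krb5.conf; the section-aware awk parser is there because a setting placed outside [libdefaults] (or commented out, as in the strict sample) does not enable weak crypto, which is an easy way to believe the page's step was done when it was not.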

Warnings

Some warnings about Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
  3. Use only lower-case characters for machine names, both in Kerberos and in DNS.
  4. Currently Kerberos/NFS is not able to work with multiple network interfaces on the same machine.
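Warnings 2 and 3 are the ones that most often break the GSS name lookup silently, so they are worth checking before the first mount. The script below is an added example, not part of the wiki page or of any NFS or Kerberos project: it checks an /etc/hosts-style file for the FQDN-first and not-on-localhost rules and checks a name for upper-case characters. The file paths, the IP address 192.0.2.10 and the host names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: pre-flight checks for the
# /etc/hosts and host-name rules in the Warnings section. The file paths,
# IP address and host names below are constructed for the demonstration.

# check_hosts_file <hosts-file> <ip> <fqdn> <shortname>
# Succeeds only if the line whose first field is <ip> names <fqdn> first,
# and neither <fqdn> nor <shortname> appears on a localhost line.
check_hosts_file() {
    hosts=$1; ip=$2; fqdn=$3; short=$4
    # First name on the line for <ip>
    first=$(awk -v ip="$ip" '$1 == ip { print $2; exit }' "$hosts")
    if [ "$first" != "$fqdn" ]; then
        echo "FAIL: $hosts: first name for $ip is '${first:-<none>}', expected $fqdn"
        return 1
    fi
    # Any of our names on a 127.x or ::1 line?
    if awk -v f="$fqdn" -v s="$short" '
            $1 ~ /^(127\.|::1$)/ { for (i = 2; i <= NF; i++) if ($i == f || $i == s) found = 1 }
            END { exit !found }' "$hosts"; then
        echo "FAIL: $hosts: $fqdn or $short is listed on a localhost line"
        return 1
    fi
    echo "OK: $hosts: $fqdn is the first name for $ip and not on a localhost line"
}

# check_lowercase <name>: Kerberos and DNS names must be all lower case.
check_lowercase() {
    case $1 in
        *[[:upper:]]*) echo "FAIL: '$1' contains upper-case characters"; return 1 ;;
        *)             echo "OK: '$1' is lower case" ;;
    esac
}

# Constructed sample /etc/hosts files (written to temporary files).
GOOD_HOSTS=$(mktemp); BAD_ORDER_HOSTS=$(mktemp); BAD_LOCAL_HOSTS=$(mktemp)
trap 'rm -f "$GOOD_HOSTS" "$BAD_ORDER_HOSTS" "$BAD_LOCAL_HOSTS"' EXIT
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1   localhost
192.0.2.10  nfs-client.example.com nfs-client
EOF
cat > "$BAD_ORDER_HOSTS" <<'EOF'
127.0.0.1   localhost
192.0.2.10  nfs-client nfs-client.example.com
EOF
cat > "$BAD_LOCAL_HOSTS" <<'EOF'
127.0.0.1   localhost nfs-client
192.0.2.10  nfs-client.example.com nfs-client
EOF

for f in "$GOOD_HOSTS" "$BAD_ORDER_HOSTS" "$BAD_LOCAL_HOSTS"; do
    check_hosts_file "$f" 192.0.2.10 nfs-client.example.com nfs-client || :
done
check_lowercase nfs-client.example.com || :
check_lowercase NFS-Client.example.com || :
```

To check a real machine, pass /etc/hosts, its address and the names that "hostname -f" and "hostname" return; the second and third sample files show the two layouts the warning forbids.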

FAQ

  • Problem: Mounting an NFS volume gives an error message and the syslog or dmesg shows "RPC: Couldn't create auth handle (flavor 390003)".
  • Solution: Try 'modprobe rpcsec_gss_krb5' on the client.
  • Problem: Enabling users other than root (e.g. bob) to access the NFSv4 mount. The syslog (/var/log/messages) on the client shows something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".
  • Solution: Create the Kerberos principal for bob using kadmin or kadmin.local on the KDC. Then on the client, as user bob, run kinit.
  • Problem: Mounting gives "permission denied". Starting rpc.gssd with verbose output (-vv) shows failed credentials for the hostname of the server (not the FQDN). nslookup gives the FQDN for the reverse lookup; dig -x <IP> gives only the hostname (probably a BIND9 configuration problem).
  • Solution: Create entries with the FQDN in /etc/hosts (or solve the BIND9 configuration problem. How?).
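The first two FAQ entries are recognisable from client log lines alone. The script below is an added example, not part of the wiki page or of any NFS project: it runs those two symptoms over a syslog-format file, reports the missing-module remedy once, and reports the missing-ticket remedy once per uid it sees. The log lines are constructed sample data built from the messages quoted in the FAQ; the timestamps, host name and uids are made up.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: runs the symptoms listed in the
# FAQ over client log lines and reports the matching remedy once per symptom
# (once per uid for the missing-ticket case). The log lines below are
# constructed sample data in syslog format.

# triage_nfs_krb5_log <logfile>
triage_nfs_krb5_log() {
    awk '
        # FAQ 1: the rpcsec_gss_krb5 module is not loaded on the client.
        /RPC: Couldn.t create auth handle \(flavor 390003\)/ && !no_module {
            no_module = 1
            print "rpcsec_gss_krb5 module not loaded: run modprobe rpcsec_gss_krb5 on the client"
        }
        # FAQ 2: a user has no Kerberos ticket; report each uid once.
        /gss_acquire_cred for user with uid [0-9]+ \(No credentials cache found\)/ {
            uid = $0
            sub(/.*with uid /, "", uid); sub(/ .*/, "", uid)
            if (!(uid in seen)) {
                seen[uid] = 1
                print "uid " uid " has no Kerberos ticket: create its principal on the KDC and run kinit as that user"
            }
        }' "$1"
}

# Constructed sample log (written to a temporary file).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
May 23 14:02:01 nfs-client kernel: RPC: Couldn't create auth handle (flavor 390003)
May 23 14:02:03 nfs-client kernel: RPC: Couldn't create auth handle (flavor 390003)
May 23 14:05:10 nfs-client rpc.gssd[1234]: WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)
May 23 14:05:10 nfs-client rpc.gssd[1234]: WARNING: Failed while limiting krb5 encryption types for user with uid 3333
May 23 14:06:00 nfs-client rpc.gssd[1234]: WARNING: error from gss_acquire_cred for user with uid 4444 (No credentials cache found)
May 23 14:06:05 nfs-client rpc.gssd[1234]: WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)
EOF

triage_nfs_krb5_log "$LOG"
```

On a real client the argument would be /var/log/messages or the output of dmesg; the uid-keyed deduplication keeps a noisy log to one line per affected user.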