Enduser doc kerberos
From Linux NFS
Revision as of 21:16, 24 February 2006
Kerberos 5 setup for NFSv4
The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)
- We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. The Kerberos Infrastructure HOWTO (http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html) is a good reference for configuring and starting the KDC.
- Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, where dns.name.of.client is the client's canonical, fully-qualified, lowercase DNS name, and either adding a key for this principal to an existing /etc/krb5.keytab or creating /etc/krb5.keytab. /etc/krb5.keytab is the default system keytab; a different path can be set with default_keytab_name in the [libdefaults] section of krb5.conf. (admin_keytab in kdc.conf is a different thing: the keytab kadmind uses for its own kadmin/admin and kadmin/changepw principals.) Note: as of this revision only the des-cbc-crc encryption type is functional in the kernel, so add ONLY this type of key. des-cbc-crc is single DES; current MIT Kerberos releases refuse to use it unless allow_weak_crypto = true is set in krb5.conf, so check which enctypes the kernel and KDC you actually run support before following this literally.
    # kadmin.local
    kadmin.local: addprinc -randkey nfs/myclient.mydomain
    kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
  (kadmin.local is run as root on the KDC itself; a principal given without @REALM gets the default realm.)
- Now copy the new keytab /tmp/keytab to /etc/krb5.keytab (or to the path set by default_keytab_name) on the client. Use a secure channel such as scp, make the file owned by root with mode 0600, and delete the temporary copy on the KDC afterwards: the keytab holds the client's long-term key. If /etc/krb5.keytab already exists on the client, merge the new entry into it with ktutil (rkt the new keytab, then wkt the existing one) instead of overwriting it.
- Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.
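The four steps above as a script, added here as an example and not part of the wiki page: it builds the nfs/ principal from a checked hostname, runs the same kadmin.local commands, and verifies with klist -kte that the exported keytab holds only the single enctype the kernel accepts before the file is copied to the client. The realm EXAMPLE.COM and the hosts client.example.com and server.example.com are assumptions, and the klist output embedded in the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: automate the client/server
# keytab steps and verify the result before copying it into place.
# Hypothetical names: realm EXAMPLE.COM, hosts client.example.com and
# server.example.com. "run" mode needs MIT Kerberos tools (kadmin.local,
# klist) and root on the KDC; the check functions work anywhere.

REALM="${REALM:-EXAMPLE.COM}"
# One enctype only, per the kernel limitation described on this page.
ENCTYPE="${ENCTYPE:-des-cbc-crc:normal}"

# nfs_principal HOST: print nfs/HOST@REALM, or fail if HOST is not a lowercase
# fully-qualified name (principal names are case-sensitive).
nfs_principal() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$1" != "$lower" ]; then
        echo "error: hostname must be lowercase: $1" >&2; return 1
    fi
    case "$1" in
        *.*) ;;
        *) echo "error: hostname must be fully qualified: $1" >&2; return 1 ;;
    esac
    printf 'nfs/%s@%s\n' "$1" "$REALM"
}

# make_keytab HOST KEYTAB: create the principal with a random key and add a
# key of type $ENCTYPE only to KEYTAB. Runs kadmin.local, so root on the KDC.
make_keytab() {
    princ=$(nfs_principal "$1") || return 1
    kadmin.local -q "addprinc -randkey $princ" &&
        kadmin.local -q "ktadd -e $ENCTYPE -k $2 $princ"
}

# keytab_enctypes_ok KLIST_OUTPUT PRINCIPAL ENCTYPE: succeed only if PRINCIPAL
# appears in "klist -kte" output and every one of its keys is of ENCTYPE.
# Older klist prints descriptive names such as "DES cbc mode with CRC-32";
# pass that string as ENCTYPE if yours does.
keytab_enctypes_ok() {
    printf '%s\n' "$1" | awk -v p="$2" -v want="$3" '
        index($0, p) { n++; if (index($0, "(" want ")") == 0) bad++ }
        END { exit (n == 0 || bad > 0) }'
}

# Constructed "klist -kte" output (not real data): the client key is fine,
# the server key was mistakenly added with an enctype the kernel cannot use.
SAMPLE_KLIST='Keytab name: FILE:/tmp/keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/24/06 21:16:00 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
   2 02/24/06 21:17:00 nfs/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Usage on the KDC: sh nfs-keytab.sh run client.example.com
if [ "${1:-}" = "run" ]; then
    tmp="/tmp/keytab.$$"
    make_keytab "$2" "$tmp" || exit 1
    keytab_enctypes_ok "$(klist -kte "$tmp")" "$(nfs_principal "$2")" des-cbc-crc || {
        echo "error: $tmp has keys of an enctype the kernel cannot use" >&2
        exit 1
    }
    echo "$tmp verified: copy it to /etc/krb5.keytab on $2 (mode 0600), then delete it here"
fi

# Without arguments, demonstrate the check on the constructed sample.
if [ $# -eq 0 ]; then
    for h in client server; do
        if keytab_enctypes_ok "$SAMPLE_KLIST" "nfs/$h.example.com@$REALM" des-cbc-crc; then
            echo "$h: keytab entry ok"
        else
            echo "$h: keytab entry missing or wrong enctype"
        fi
    done
fi
```

Running the keytab check before copying matters because a key of an unsupported enctype does not fail loudly at ktadd time; it shows up later as a mount that hangs or fails with an opaque GSS error.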
Warnings
Some warnings about Kerberos:
- The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
- The /etc/hosts file must list the fully-qualified domain name as the first name on the line with the machine's IP address, and the machine's name must not be included on the localhost (127.0.0.1) line. The nfs/ principal is built from the canonical name the resolver returns for the host, so a short name listed first, or a hostname that resolves to the loopback address, yields a principal that is not in the keytab.
- Use only lowercase characters for machine names in Kerberos and in DNS: principal names are case-sensitive, so nfs/Client.example.com and nfs/client.example.com are different principals.
- As of this revision, Kerberos/NFS does not work with multiple network interfaces on the same machine.
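A check for the two /etc/hosts warnings above, added here as an example and not taken from the wiki: it parses a hosts file and fails unless the given FQDN is the first name on the line for the machine's address and neither the FQDN nor its short name appears on a loopback line. The host client.example.com at 192.0.2.10 and both sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: validate /etc/hosts against the
# resolver requirements for Kerberos NFS. Hypothetical host client.example.com
# at 192.0.2.10; the sample files below are constructed.

# hosts_ok HOSTS_TEXT IP FQDN: succeed only if the line for IP lists FQDN as
# its first name and neither FQDN nor its short name is on a loopback line.
hosts_ok() {
    printf '%s\n' "$1" | awk -v ip="$2" -v fqdn="$3" '
        BEGIN { split(fqdn, part, "."); short = part[1] }
        { sub(/#.*/, ""); if (NF == 0) next }      # drop comments, blank lines
        $1 == ip { seen = 1; if ($2 != fqdn) wrongfirst = 1 }
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == fqdn || $i == short) onloop = 1
        }
        END { exit (!seen || wrongfirst || onloop) }'
}

# Constructed samples: one correct file, one with both mistakes the wiki warns
# about (short name first, and the machine name on the localhost line).
GOOD_HOSTS='127.0.0.1   localhost
192.0.2.10  client.example.com client   # this machine'

BAD_HOSTS='127.0.0.1   localhost client
192.0.2.10  client client.example.com'

# Usage: sh check-hosts.sh run 192.0.2.10 client.example.com   (checks /etc/hosts)
if [ "${1:-}" = "run" ]; then
    if hosts_ok "$(cat /etc/hosts)" "$2" "$3"; then
        echo "/etc/hosts ok for $3 at $2"
    else
        echo "/etc/hosts: $3 must be the first name on the $2 line and absent from loopback lines" >&2
        exit 1
    fi
fi

# Without arguments, demonstrate on the constructed samples.
if [ $# -eq 0 ]; then
    for f in GOOD_HOSTS BAD_HOSTS; do
        eval "text=\$$f"
        if hosts_ok "$text" 192.0.2.10 client.example.com; then
            echo "$f: ok"
        else
            echo "$f: rejected"
        fi
    done
fi
```

Run it on both client and server; the same resolver rule applies to the nfs/ principal of each machine.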