Enduser doc kerberos

From Linux NFS

Revision as of 23:20, 2 June 2005 by 80.58.3.107 (Talk)
Jump to: navigation, search

Kerberos 5 setup for NFSv4

This page is from The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)

  • We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server.
  • Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
kadmin: addprinc -randkey nfs/myclient.mydomain
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
  1. Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
  2. Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.

Warnings

Some warnings about Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be include on the localhost line.
  3. Use only down cases caracters for machines names in kerberos and in the DNS.
  4. Actual kerberos/NFS is not able to work with multiple network interfaces on the same machine
Personal tools