Enduser doc kerberos

From Linux NFS

Revision as of 23:33, 9 July 2007 by Trondmy (Talk | contribs)

Kerberos 5 setup for NFSv4

The following is only necessary if you wish to use Kerberos 5 (krb5) security for NFSv4. (Which is a good idea: without it the server trusts the client's claimed uid/gid, with sec=krb5 the client must prove its identity.)

  1. We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This Kerberos Infrastructure HOWTO is a good reference for configuring and starting the Kerberos KDC.
  2. Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating a new /etc/krb5.keytab. Note: as of this revision only the des-cbc-crc encryption type is functional in the kernel, so add ONLY this type of key. Be aware that single DES (a 56-bit key) is cryptographically weak and that later kernels and Kerberos releases added stronger enctypes, so check what your kernel actually supports before settling on des-cbc-crc.
# kadmin.local
kadmin.local: addprinc -randkey nfs/myclient.mydomain
kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
  3. Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client. The keytab holds the client's long-term key, so copy it over a secure channel (e.g. scp), make it owned by root with mode 0600, verify it with 'klist -k /etc/krb5.keytab', and delete the copy under /tmp afterwards.
  4. Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.
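The whole procedure above (steps 2 to 4 for one client and one server) as a small POSIX shell script. This is an added example, not part of the Linux NFS wiki page or the nfs-utils project; it assumes it is run as root on the KDC with kadmin.local on PATH, and the realm and host names (all hypothetical) are given on the command line. It refuses names that are not lower-case fully-qualified names, since Kerberos and the kernel expect those.

```shell
#!/bin/sh
# Added example (not from the Linux NFS wiki): script the principal/keytab
# steps for an NFS client and an NFS server.
# Assumptions (hypothetical): runs as root on the KDC, kadmin.local is on
# PATH, realm and host names come from the command line.
set -eu

# Service principal for a host: nfs/<fqdn>@<REALM>.
nfs_principal() {
    printf 'nfs/%s@%s\n' "$1" "$2"
}

# Kerberos and the kernel want lower-case, fully-qualified names.
# Returns 0 for an acceptable name, 1 otherwise.
valid_host() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ] || return 1
    case "$1" in
        .*|*.|*..*|*[!a-z0-9.-]*) return 1 ;;   # bad dots or characters
        *.*) return 0 ;;                        # has a dot: qualified
        *) return 1 ;;                          # bare short name
    esac
}

# Create one principal with a random key and export it to its own keytab.
# Only des-cbc-crc is requested, matching the kernel limitation noted above.
make_keytab() {
    host=$1; realm=$2; keytab=$3
    princ=$(nfs_principal "$host" "$realm")
    kadmin.local -q "addprinc -randkey $princ"
    kadmin.local -q "ktadd -e des-cbc-crc:normal -k $keytab $princ"
    chmod 0600 "$keytab"     # the keytab is a long-term secret
}

usage() {
    echo "usage: $0 setup REALM client.fqdn server.fqdn" >&2
}

case "${1:-}" in
    setup)
        [ $# -eq 4 ] || { usage; exit 2; }
        realm=$2; client=$3; server=$4
        for h in "$client" "$server"; do
            valid_host "$h" || { echo "bad host name: $h" >&2; exit 1; }
        done
        make_keytab "$client" "$realm" "/tmp/keytab.$client"
        make_keytab "$server" "$realm" "/tmp/keytab.$server"
        echo "Copy each keytab to /etc/krb5.keytab on its host over a secure channel, e.g.:"
        echo "  scp /tmp/keytab.$client root@$client:/etc/krb5.keytab"
        echo "  scp /tmp/keytab.$server root@$server:/etc/krb5.keytab"
        echo "Verify on each host with: klist -k /etc/krb5.keytab"
        echo "then remove the copies under /tmp."
        ;;
    "") usage ;;          # no command: only define the functions
    *)  usage; exit 2 ;;
esac
```

Run it as `sh nfs-krb5-setup.sh setup MYREALM myclient.mydomain myserver.mydomain`. Each host gets its own keytab so that the client never holds the server's key; ktadd randomizes the key again when it exports it, which is why the principal is created with -randkey and never given a password.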

Warnings

Some warnings about Kerberos:

  1. The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case. (Kerberos rejects tickets whose timestamps differ from the KDC's clock by more than the allowed skew, five minutes by default.)
  2. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
  3. Use only lower-case characters for machine names in Kerberos and in the DNS.
  4. Currently, Kerberos/NFS does not work with multiple network interfaces on the same machine.
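A preflight check for warnings 2 and 3 above, as an added example (not from the Linux NFS wiki): it parses a hosts file and reports whether the FQDN is the first name on the line for the host's address, whether the host's name leaks onto a localhost line, and whether the name is lower case. The file path, address and FQDN are parameters; in real use they would be /etc/hosts and the output of hostname -i and hostname -f.

```shell
#!/bin/sh
# Added example (not from the Linux NFS wiki): check a host against warnings
# 2 and 3 before attempting a krb5 NFSv4 mount. Assumptions (hypothetical):
# hosts file, IP address and FQDN are passed in by the caller.
set -eu

# Warning 3: names must be lower case.
is_lowercase() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]
}

# Warning 2, first half: the line for IP must list FQDN as its first name.
fqdn_first_for_ip() {
    hosts=$1; ip=$2; fqdn=$3
    [ "$(awk -v ip="$ip" -v fqdn="$fqdn" '
        /^[ \t]*#/ { next }                       # skip comments
        $1 == ip { if ($2 == fqdn) print "ok"; else print "bad"; exit }
    ' "$hosts")" = ok ]
}

# Warning 2, second half: neither the FQDN nor the short name may appear
# on a localhost (127.0.0.1 or ::1) line. awk exits 0 when it finds one,
# so the function's result is inverted.
not_on_localhost_line() {
    hosts=$1; fqdn=$2
    short=${fqdn%%.*}
    ! awk -v fqdn="$fqdn" -v short="$short" '
        /^[ \t]*#/ { next }
        $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == fqdn || $i == short) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$hosts"
}

# Run all checks; prints one line per finding, returns 1 if any failed.
preflight() {
    hosts=$1; ip=$2; fqdn=$3; rc=0
    is_lowercase "$fqdn" || { echo "FAIL: $fqdn contains upper-case characters"; rc=1; }
    fqdn_first_for_ip "$hosts" "$ip" "$fqdn" || { echo "FAIL: $fqdn is not the first name on the $ip line of $hosts"; rc=1; }
    not_on_localhost_line "$hosts" "$fqdn" || { echo "FAIL: $fqdn (or its short name) appears on a localhost line"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $fqdn passes the hosts-file checks"
    return "$rc"
}

# Real use on a host (hostname -i prints several addresses on multi-homed
# machines, which warning 4 says are unsupported anyway):
#   preflight /etc/hosts "$(hostname -i)" "$(hostname -f)"
```

Clock skew (warning 1) is deliberately not checked here: compare against the KDC with your NTP client rather than the local clock, since a local check cannot tell you which side is wrong.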

FAQ

  • Problem: Mounting an NFS volume gives an error message and the syslog or dmesg shows
 "RPC: Couldn't create auth handle (flavor 390003)"
  • Solution: Try 'modprobe rpcsec_gss_krb5' on the client. (Flavor 390003 is RPCSEC_GSS; the kernel cannot build the auth handle until the krb5 GSS mechanism module is loaded.)
  • Problem: Enabling users other than root to access the NFSv4 mount, e.g. bob. The syslog (/var/log/messages) on the client will show something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".
  • Solution: Create the Kerberos principal for bob using kadmin or kadmin.local on the KDC. Then on the client, as user bob, run kinit. (The client-side gssd looks for a credentials cache belonging to the uid making the request; without a ticket in it, it cannot acquire credentials, hence the "No credentials cache found" message.)