Kerberized NFS SetUp and Control Commands

Le Rouzic aime.le-rouzic at bull.net
Fri Jun 1 07:23:11 EDT 2007


J. Bruce Fields wrote:

>On Wed, May 30, 2007 at 09:56:29AM +0200, Le Rouzic wrote:
>
>>For those who fight regularly to install a kerberized nfs, you can find
>>at http://nfsv4.bullopensource.org/
>>three commands to facilitate and control the setup of a Linux
>>kerberized NFS environment:
>>
>>        - krbkdcsv  to set up a Kerberos KDC and a Kerberos administration Server
>>        - krbnfssv  to set up a Kerberos NFS Server
>>        - krbnfscl  to set up a Kerberos NFS Client
>>
>
>Thanks!  It's good to have people looking at how we can make this easier
>to set up.
>
>
>>First, krbkdcsv has to be run on the machine chosen to be the Kerberos
>>KDC and a Kerberos administration Server.
>>After, krbnfssv is run on the machine chosen to be the Kerberos NFS Server.
>>Then, krbnfscl is run on the machine that is to be the Kerberos NFS Client.
>>
>
>I assume the three work just as well on their own.  (For example, in the
>(probably typical) case that someone already has a kerberos server set
>up, can they just ignore krbkdcsv?)
>  
>
    I plan to do some tests to confirm it.

>>Now the kerberized nfs mount can be done.
>>
>>Parameters are interactively asked when not given in the command line.
>>
>
>Users shouldn't have to know any of those parameters.  For example, in
>the case of krb5nfssv, if krb5.conf is in a standard location, then
>krbnfssv should be able to find it there on its own.  It can then answer
>the rest of the questions from FinalizeStartConfiguration() by reading
>krb5.conf.  (Can't the standard krb5 libraries do all of this?)
>  
>
   In a first step, I wanted to force the parameters to make information visible
   for a better control of the operation.
   For a larger exploitation, I will follow your suggestions.

>The script may require some customization for different distributions
>(Fedora, Debian, or whatever), but that should be done by the
>distributor, not the end user.
>
>
>>Those commands do the setup and also some controls about frequent
>>kerberos and nfs errors
>>happening during a kerberos nfs configuration:
>>         - check client and server hosts are fully qualified names
>>         - check REALM is UPPER CASE
>>         - check time is synchronised (<300s) with the KDC Server machine
>>
>
>Is there a better way to do that than ssh'ing to the KDC?  Maybe we
>should just insist people use ntp, and check whether ntp is installed
>and working?
>  
>
   I wanted first to signal the error about the clock
   even when ntp is not used.
   I will have a look at improving this by testing ntp.

>--b.
>
>  
>
   Thanks for your remarks.
   Cheers


-- 
-----------------------------------------------------------------
Company : Bull, Architect of an Open World TM (www.bull.com)
Name    : Aime Le Rouzic 
Mail    : Bull - BP 208 - 38432 Echirolles Cedex - France
E-Mail  : aime.le-rouzic at bull.net
Phone   : 33 (4) 76.29.75.51
Fax     : 33 (4) 76.29.75.18
----------------------------------------------------------------- 
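
The three checks listed in the announcement (fully qualified host names, upper-case realm, clock within 300 s of the KDC), with the realm read from krb5.conf as the reply suggests, sketched as an added example that is not part of this thread and not the code of krbnfssv or krbnfscl. All function names are hypothetical, the krb5.conf content is constructed, and the KDC time is passed in as epoch seconds because the thread leaves open how to obtain it.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from krbnfssv/krbnfscl.

# Print default_realm from the [libdefaults] section of a krb5.conf file.
krb5_default_realm() {
    awk '/^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
         in_lib && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Succeed only if the realm is non-empty and contains no lower-case letter.
realm_is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Succeed only for a dotted host name; bare names and localhost aliases fail.
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|localhost|localhost.*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# Succeed if |local - kdc| is below the limit in seconds (default 300).
# Both times are epoch seconds; obtaining the KDC's time is left to the caller.
skew_ok() {
    delta=$(( $1 - $2 ))
    if [ "$delta" -lt 0 ]; then delta=$(( 0 - $delta )); fi
    [ "$delta" -lt "${3:-300}" ]
}

# Run all checks, print one line per failure, return the number of failures.
# Arguments: krb5.conf path, host name, local epoch, KDC epoch.
preflight() {
    fails=0
    realm=$(krb5_default_realm "$1")
    realm_is_upper "$realm" || { echo "FAIL: realm '$realm' is not upper case"; fails=$((fails + 1)); }
    is_fqdn "$2" || { echo "FAIL: host '$2' is not fully qualified"; fails=$((fails + 1)); }
    skew_ok "$3" "$4" || { echo "FAIL: clock is 300s or more off the KDC"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample: lower-case realm, short host name, 409 s of clock skew.
conf=$(mktemp)
printf '[libdefaults]\n    default_realm = example.com\n' > "$conf"
preflight "$conf" nfsclient 1180696991 1180697400 || echo "$? check(s) failed"
rm -f "$conf"
```
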


