Kerberized NFS SetUp and Control Commands

J. Bruce Fields bfields at fieldses.org
Wed May 30 14:27:45 EDT 2007


On Wed, May 30, 2007 at 09:56:29AM +0200, Le Rouzic wrote:
> For those who fight regularly to install a kerberized nfs, you can find 
> at http://nfsv4.bullopensource.org/
> three commands to facilitate and control the setup of a linux 
> kerberized NFS environment:
> 
>         - krbkdcsv  to set up a Kerberos KDC and a Kerberos 
> administration Server
>         - krbnfssv  to set up a Kerberos NFS Server
>         - krbnfscl  to set up a Kerberos NFS Client

Thanks!  It's good to have people looking at how we can make this easier
to set up.

> First, krbkdcsv has to be run on the machine chosen to be the Kerberos 
> KDC and a Kerberos administration Server.
> After, krbnfssv is run on the machine chosen to be the Kerberos NFS Server.
> Then, krbnfscl is run on the machine chosen to be the Kerberos NFS Client.

I assume the three work just as well on their own.  (For example, in the
(probably typical) case that someone already has a kerberos server set
up, can they just ignore krbkdcsv?)

> Now the kerberized nfs mount  can be done.
> 
> Parameters are interactively asked when not given in the command line.

Users shouldn't have to know any of those parameters.  For example, in
the case of krbnfssv, if krb5.conf is in a standard location, then
krbnfssv should be able to find it there on its own.  It can then answer
the rest of the questions from FinalizeStartConfiguration() by reading
krb5.conf.  (Can't the standard krb5 libraries do all of this?)

The script may require some customization for different distributions
(Fedora, Debian, or whatever), but that should be done by the
distributor, not the end user.

> Those commands do the setup and also some controls about frequent 
> kerberos and nfs errors happening during a kerberos nfs configuration:
>          - check client and server hosts are fully qualified names
>          - check REALM is UPPER CASE
>          - check time is synchronised (<300s) with the KDC Server machine

Is there a better way to do that than ssh'ing to the KDC?  Maybe we
should just insist people use ntp, and check whether ntp is installed
and working?

--b.
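
The checks discussed in this message (default realm read from krb5.conf instead of prompted for, upper-case realm, fully qualified host name, clock skew under 300 s), sketched as an added shell example that is not part of the original post or of the krbnfssv script. The function names and the sample krb5.conf are constructed for illustration, and the KDC's clock value is assumed to be passed in by the caller.

```shell
#!/bin/sh
# Added example: non-interactive pre-flight checks for a kerberized NFS host.

# Print default_realm from the [libdefaults] section of the given krb5.conf.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# The realm must be non-empty and contain no lower-case letters.
realm_is_upper() {
    case "$1" in ""|*[a-z]*) return 1 ;; *) return 0 ;; esac
}

# For this check, fully qualified means dot-separated with no empty label.
is_fqdn() {
    case "$1" in ""|.*|*.|*..*) return 1 ;; *.*) return 0 ;; *) return 1 ;; esac
}

# Succeed if two epoch-second clocks differ by less than the limit (300 s).
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -lt "${3:-300}" ]
}

# Run all three checks; print each failure and return the number of failures.
# Args: krb5.conf path, host name, local epoch, KDC epoch (source assumed).
preflight() {
    fails=0
    realm=$(krb5_default_realm "$1")
    realm_is_upper "$realm" || { echo "FAIL realm '$realm' is not upper case"; fails=$((fails + 1)); }
    is_fqdn "$2" || { echo "FAIL host '$2' is not fully qualified"; fails=$((fails + 1)); }
    skew_ok "$3" "$4" || { echo "FAIL clock skew with KDC is 300 s or more"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample krb5.conf (not from the original post).
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[domain_realm]
    .example.com = EXAMPLE.COM
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
preflight "$conf" nfsserver 1180549665 1180550000 || echo "$? check(s) failed"
rm -f "$conf"
```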

