Enduser doc kerberos

From Linux NFS

(Difference between revisions)

Latest revision as of 09:42, 7 June 2010

Kerberos 5 setup for NFSv4

The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)

To use Kerberos with NFS you need to setup the server and the client on your realm.

We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This Kerberos Infrastructure HOWTO is a good reference to configure and start the Kerberos KDC.

Server Setup

The server needs to be identified to the KDC with a principal of

nfs/<fqdn>@REALM

On the nfs-server you can run kadmin and authenticate as kadmin/admin:

# kadmin
kadmin: addprinc -randkey nfs/myclient.mydomain
kadmin: ktadd nfs/myclient.mydomain

On Debian you should enable the nfs server gssapi daemon in /etc/defaults/nfs-kernel-server :

NEED_SVCGSSD=yes

check /etc/idmapd.conf
In the [General] section the Domain value should be the real value of your domain. The value "localdomain" is not a key meaning "your local domain" it is a misguided attempt at documentation!

 Domain = your-domain.com

If your REALM is not the same as your lowercased dns domain you can add:

 Local-Realm = <REALM>

(This is not documented)

In May 2010: according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568771 You should edit /etc/krb5.conf and put the following in the [libdefaults] section:

 allow_weak_crypto=true

This is a WIP and may be resolved around 2.6.35+

Restart nfs-kernel-server and nfs-common

Client Setup

The client must present some kind of principal at mount time. This can be a user or an entry in the keytab; either a host/<fqdn>@REALM principal or an nfs/<fqdn>@REALM principal

Both the id-mapper daemon and the gssapi daemon should be running: This may be picked up by initscripts parsing /etc/fstab or forced in /etc/defaults/nfs-common:

 NEED_IDMAPD=yes
 NEED_GSSD=yes

Under Debian you may find adding debug options in /etc/defaults/nfs-common helps:

 RPCGSSDOPTS="-vvv -rrr"

(May 2010): The client also needs the allow_weak_crypto in /etc/krb5.conf [libdefaults]:

 allow_weak_crypto=true

check /etc/idmapd.conf
Same as the server... if you get user-id mapping issues check this is correct.

Restart nfs-common

Mounting

NFSv4 can use Kerberos security to provide:

authentication
integrity
privacy

These are specified on the client side using:

sec=krb5
sec=krb5i
sec=krb5p

respectively. eg:

mount -t nfs4 -o sec=krb5p nfs-server.domain.com:/ /nfs4/

See Exporting Directories section for more details on the exports file syntax.

External Links

The constraint to use -e des-cbc-crc:normal for keytab entries for nfs/<fqdn> principals is not needed:

 http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html

Explanation of enctypes:

 http://blogs.sun.com/wfiveash/resource/krb_enctypes_so8.pdf

From the Debian NEWS.Debian.gz referenced above

 (1.8+dfsg~alpha1-1

 This version of MIT Kerberos disables DES and 56-bit RC4 by default.
 These encryption types are generally regarded as weak; defeating them
 is well within the expected resources of some attackers.  However,
 some applications, such as OpenAFS or Kerberized NFS, still rely on
 DES.  To re-enable DES support add allow_weak_crypto=true to the
 libdefaults section of /etc/krb5.conf

 Sam Hartman <hartmans@debian.org>  Fri, 08 Jan 2010

Warnings

Some warnings about Kerberos:

The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
Do not us uppercase characters for machine names in Kerberos and/or the host naming solution DNS. This is not a good solution fpr NFS Kerberos only
At present NFS using Kerberos authentication is not able to work with multiple network interfaces on the same machine

FAQ

Issue: Mounting a nfs volume gives an error message and the syslog or dmesg shows

 "RPC: Couldn't create auth handle (flavor 390003)"

Solution: Try 'modprobe rpcsec_gss_krb5' on the client

Issue: Enabling users other than root to access the nfs4 mount, i.e. bob. The syslog (/var/log/messages) on the client will show something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".

Solution: Create the Kerberos principal for bob using kadmin or kadmin.local on the KDC. Then on the client, as user bob, run kinit.

Issue: Mounting gives permission denied. Starting rpc.gssd with verbose output (-vv) gives failed credentials for hostname of server (not FQDN). Nslookup gives FQDN for reverse-lookup. dig -x <IP> gives only hostname (probably BIND9 configuration problem).

Solution: Create entries with FQDN /etc/hosts (or solve BIND9 configuration problem. How?).

Enduser doc kerberos

From Linux NFS

Latest revision as of 09:42, 7 June 2010

Contents

Kerberos 5 setup for NFSv4

Server Setup

Client Setup

Mounting

External Links

Warnings

FAQ

Views

Personal tools

Navigation

Search

Toolbox

@@ Line 1: / Line 1: @@
-[http://people.msoe.edu/~millerni/forums.php?show=topic&id=109&forum=13 cheap levitra] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=127&forum=13 cheap pharmacy online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=361 free real ringtones] [http://wc1.worldcrossing.com/WebX/.1de609df cheap ambien] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=98&forum=13 cheap diethylpropion] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=158&forum=13 xanax online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=172 lorazepam online] [http://wc1.worldcrossing.com/WebX/.1de609ff free real ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=220 free punk ringtones] [http://wc1.worldcrossing.com/WebX/.1de609dc buy albuterol] [http://wc1.worldcrossing.com/WebX/.1de60a2e xanax online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=156 fioricet online] [http://wc1.worldcrossing.com/WebX/.1de60a10 cheap didrex] [http://wc1.worldcrossing.com/WebX/.1de60a35 verizon ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=176 buy ultracet] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=356 tracfone ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=92&forum=13 cheap clomid] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=344 ativan online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=155 xanax online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=178 buy nexium] [http://wc1.worldcrossing.com/WebX/.1de60a04 free sonyericsson ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=182 cheap clomid] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=82&forum=13 adipex online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=343 cialis] [http://news.engin.brown.edu/forums/thread-view.asp?tid=170 hydrocodone online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=169 levitra online] [http://wc1.worldcrossing.com/WebX/.1de609f3 midi ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=111&forum=13 order lisinopril] [http://news.engin.brown.edu/forums/thread-view.asp?tid=224 free wwe ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=153 phentermine online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=147&forum=13 tracfone ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=181 sildenafil online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=212 verizon ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=223 free midi ringtones] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=335 buy phentermine] [http://wc1.worldcrossing.com/WebX/.1de60a00 cheap rivotril] [http://wc1.worldcrossing.com/WebX/.1de60a0a vicodin] [http://news.engin.brown.edu/forums/thread-view.asp?tid=187 celexa online] [http://wc1.worldcrossing.com/WebX/.1de609eb free funny ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=197 cheap flexeril] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=105&forum=13 cheap hoodia] [http://news.engin.brown.edu/forums/thread-view.asp?tid=188 cheap tenuate] [http://news.engin.brown.edu/forums/thread-view.asp?tid=180 buy prozac] [http://wc1.worldcrossing.com/WebX/.1de60a05 sprint ringtones] [http://wc1.worldcrossing.com/WebX/.1de609f9 norco online] [http://wc1.worldcrossing.com/WebX/.1de609f2 meridia online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=145&forum=13 free sprint ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=96&forum=13 diazepam online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=338 fioricet] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=358 free mp3 ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a21 buy paxil] [http://wc1.worldcrossing.com/WebX/.1de60a31 buy zanaflex] [http://wc1.worldcrossing.com/WebX/.1de609de cheap alprazolam] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=141&forum=13 soma online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=342 diazepam online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=157&forum=13 wwe ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=161&forum=13 zoloft] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=112&forum=13 lorazepam online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=124&forum=13 online norco] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=355 free free ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=88&forum=13 cheap carisoprodol] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=360 free qwest ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=167 cheap clonazepam] [http://wc1.worldcrossing.com/WebX/.1de60a0e celexa online] [http://wc1.worldcrossing.com/WebX/.1de609e4 clonazepam online] [http://wc1.worldcrossing.com/WebX/.1de60a17 lipitor online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=123&forum=13 nokia ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=184 cheap lisinopril] [http://wc1.worldcrossing.com/WebX/.1de60a24 propecia online] [http://wc1.worldcrossing.com/WebX/.1de609f8 nokia ringtones] [http://wc1.worldcrossing.com/WebX/.1de609fd punk ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=154 carisoprodol online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=339 ultram online] [http://wc1.worldcrossing.com/WebX/.1de60a34 free sony ericsson ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=202 free tracfone ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=199 cheap zyban] [http://news.engin.brown.edu/forums/thread-view.asp?tid=198 hoodia online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=332 cheap tramadol] [http://wc1.worldcrossing.com/WebX/.1de60a1d free cingular ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=107&forum=13 free jazz ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=219 free alltel ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=101&forum=13 cheap flexeril] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=359 nextel ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a15 kyocera ringtones] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=363 samsung ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=117&forum=13 free motorola ringtones] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=346 cheap meridia] [http://wc1.worldcrossing.com/WebX/.1de60a30 xenical online] [http://wc1.worldcrossing.com/WebX/.1de60a03 free sony ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=168 paxil online] [http://wc1.worldcrossing.com/WebX/.1de60a01 sagem ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=160 buy ativan] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=136&forum=13 cheap rivotril] [http://wc1.worldcrossing.com/WebX/.1de609fb cheap ortho] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=89&forum=13 celexa online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=139&forum=13 sharp ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=163 adipex online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=125&forum=13 cheap ortho] [http://wc1.worldcrossing.com/WebX/.1de609ee hydrocodone] [http://news.engin.brown.edu/forums/thread-view.asp?tid=177 propecia online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=91&forum=13 free cingular ringtones] [http://wc1.worldcrossing.com/WebX/.1de609f7 free nextel ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=215 sagem ringtones] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=347 adipex] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=132&forum=13 free punk ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=97&forum=13 buy didrex] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=144&forum=13 free sonyericsson ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=179 cheap didrex] [http://news.engin.brown.edu/forums/thread-view.asp?tid=158 diazepam online] [http://wc1.worldcrossing.com/WebX/.1de60a25 samsung ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a26 sharp ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=162 meridia online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=217 free mono ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=152 valium online] [http://wc1.worldcrossing.com/WebX/.1de609ec hgh online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=205 nextel ringtones] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=357 funny ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=191 lortab online] [http://wc1.worldcrossing.com/WebX/.1de60a2b but ultracet] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=153&forum=13 buy viagra] [http://news.engin.brown.edu/forums/thread-view.asp?tid=183 albuterol] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=349 cheap vicodin] [http://wc1.worldcrossing.com/WebX/.1de60a18 motorola ringtones] [http://wc1.worldcrossing.com/WebX/.1de609f0 lorazepam online] [http://wc1.worldcrossing.com/WebX/.1de60a12 ericsson ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a19 mp3 ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=216 free sonyericsson ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=161 viagra online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=95&forum=13 cyclobenzaprine online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=192 cheap vigrx] [http://wc1.worldcrossing.com/WebX/.1de60a0d free wwe ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=185 zoloft online] [http://wc1.worldcrossing.com/WebX/.1de609e3 clomid online] [http://wc1.worldcrossing.com/WebX/.1de60a13 fioricet online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=138&forum=13 free samsung ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=83&forum=13 albuterol online] [http://wc1.worldcrossing.com/WebX/.1de60a29 buy tramadol] [http://news.engin.brown.edu/forums/thread-view.asp?tid=173 xenical online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=350 alprazolam] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=93&forum=13 cheap clonazepam] [http://news.engin.brown.edu/forums/thread-view.asp?tid=204 free mp3 ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=164 order norco] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=337 xanax] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=119&forum=13 free mtv ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=206 free qwest ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=151&forum=13 valium online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=140&forum=13 cheap sildenafil] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=162&forum=13 cheap zyban] [http://news.engin.brown.edu/forums/thread-view.asp?tid=166 alprazolam online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=353 levitra online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=333 cheap soma] [http://news.engin.brown.edu/forums/thread-view.asp?tid=189 ortho online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=159&forum=13 cheap xenical] [http://wc1.worldcrossing.com/WebX/.1de60a36 zyban online] [http://wc1.worldcrossing.com/WebX/.1de60a23 free polyphonic ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=208 motorola ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a1f cheap lisinopril] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=137&forum=13 sagem ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a1b music ringtones] [http://wc1.worldcrossing.com/WebX/.1de609e0 cheap ativan] [http://news.engin.brown.edu/forums/thread-view.asp?tid=229 free jazz ringtones] [http://wc1.worldcrossing.com/WebX/.1de609e5 free cool ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=99&forum=13 ericsson ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a07 tracfone ringtones] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=348 but norco] [http://wc1.worldcrossing.com/WebX/.1de60a09 cheap viagra] [http://news.engin.brown.edu/forums/thread-view.asp?tid=218 sony ericsson ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=121&forum=13 nexium online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=126&forum=13 paxil online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=94&forum=13 cool ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=154&forum=13 vicodin online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=108&forum=13 free kyocera ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a14 free jazz ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=210 sprint ringtones] [http://wc1.worldcrossing.com/WebX/.1de60a0f cheap cialis] [http://news.engin.brown.edu/forums/thread-view.asp?tid=175 cyclobenzaprine online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=200 free nokia ringtones] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=352 cheap paxil] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=110&forum=13 cheap lipitor] [http://wc1.worldcrossing.com/WebX/.1de609e6 buy cyclobenzaprine] [http://wc1.worldcrossing.com/WebX/.1de60a33 prozac online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=157 ultram online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=190 pharmacy online online] [http://news.engin.brown.edu/forums/thread-view.asp?tid=195 rivotril online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=143&forum=13 free sony ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=100&forum=13 buy fioricet] [http://wc1.worldcrossing.com/WebX/.1de60a06 tenuate online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=345 viagra online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=135&forum=13 free real ringtones] [http://news.engin.brown.edu/forums/thread-view.asp?tid=193 zanaflex online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=115&forum=13 free midi ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=87&forum=13 ativan online] [http://www.psfc.mit.edu/~jinseok/bbse/view.php?id=presentations&no=351 buy clonazepam] [http://wc1.worldcrossing.com/WebX/.1de60a11 buy diethylpropion] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=152&forum=13 verizon ringtones] [http://wc1.worldcrossing.com/WebX/.1de609ea free free ringtones] [http://wc1.worldcrossing.com/WebX/.1de609fa online pharmacy] [http://news.engin.brown.edu/forums/thread-view.asp?tid=151 soma online] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=102&forum=13 free free ringtones] [http://people.msoe.edu/~millerni/forums.php?show=topic&id=155&forum=13 vigrx] == Kerberos 5 setup for NFSv4 ==
+== Kerberos 5 setup for NFSv4 ==
 The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)
-* We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server.  This [http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html Kerberos Infrastructure HOWTO] is a good reference to configure and start the Kerberos KDC.
+To use Kerberos with NFS you need to setup the server and the client on your realm.
-* Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab.  Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add ONLY this type of key.
- # kadmin.local
+We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server.  This [http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html Kerberos Infrastructure HOWTO] is a good reference to configure and start the Kerberos KDC.
-  kadmin.local: addprinc -randkey nfs/myclient.mydomain
- kadmin.local: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
-# Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
-# Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.
+=== Server Setup ===
+The server needs to be identified to the KDC with a principal of
+ nfs/<fqdn>@REALM
+On the nfs-server you can run kadmin and authenticate as kadmin/admin:
+ # kadmin
+ kadmin: addprinc -randkey nfs/myclient.mydomain
+ kadmin: ktadd nfs/myclient.mydomain
+On Debian you should enable the nfs server gssapi daemon in /etc/defaults/nfs-kernel-server :
+ NEED_SVCGSSD=yes
+'''check /etc/idmapd.conf'''<br>
+In the [General] section the Domain value should be the real value of your domain. The value "localdomain"
+is not a key meaning "your local domain" it is a misguided attempt at documentation!
+  Domain = your-domain.com
+If your REALM is not the same as your lowercased dns domain you can add:
+  Local-Realm = <REALM>
+(This is not documented)
+In May 2010: according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568771
+You should edit /etc/krb5.conf and put the following in the [libdefaults] section:
+  allow_weak_crypto=true
+This is a WIP and may be resolved around 2.6.35+
+Restart nfs-kernel-server and nfs-common
+=== Client Setup ===
+The client must present some kind of principal at mount time. This can be a user or an entry in the keytab;
+either a host/<fqdn>@REALM principal or an nfs/<fqdn>@REALM principal
+Both the id-mapper daemon and the gssapi daemon should be running: This may be picked up by initscripts parsing /etc/fstab or forced in /etc/defaults/nfs-common:
+  NEED_IDMAPD=yes
+  NEED_GSSD=yes
+Under Debian you may find adding debug options in /etc/defaults/nfs-common helps:
+  RPCGSSDOPTS="-vvv -rrr"
+(May 2010): The client also needs the allow_weak_crypto in /etc/krb5.conf [libdefaults]:
+  allow_weak_crypto=true
+'''check /etc/idmapd.conf'''<br>
+Same as the server... if you get user-id mapping issues check this is correct.
+Restart nfs-common
+=== Mounting ===
+NFSv4 can use Kerberos security to provide:
+* authentication
+* integrity
+* privacy
+These are specified on the client side using:
+* sec=krb5
+* sec=krb5i
+* sec=krb5p
+respectively. eg:
+ mount -t nfs4 -o sec=krb5p nfs-server.domain.com:/ /nfs4/
+See [[Nfsv4_configuration#Exporting_directories|Exporting Directories section]] for more details on the exports file syntax.
+== External Links ==
+The constraint to use -e des-cbc-crc:normal for keytab entries for nfs/<fqdn> principals is not needed:
+  http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html
+Explanation of enctypes:
+  http://blogs.sun.com/wfiveash/resource/krb_enctypes_so8.pdf
+From the Debian NEWS.Debian.gz referenced above
+  (1.8+dfsg~alpha1-1
+  This version of MIT Kerberos disables DES and 56-bit RC4 by default.
+  These encryption types are generally regarded as weak; defeating them
+  is well within the expected resources of some attackers.  However,
+  some applications, such as OpenAFS or Kerberized NFS, still rely on
+  DES.  To re-enable DES support add allow_weak_crypto=true to the
+  libdefaults section of /etc/krb5.conf
+  Sam Hartman <hartmans@debian.org>  Fri, 08 Jan 2010
 == Warnings ==
@@ Line 17: / Line 92: @@
 # The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
-# The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be include on the localhost line.
+# The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
-# Use only down cases caracters for machines names in kerberos and in the DNS.
+# Do not us uppercase characters for machine names in Kerberos and/or the host naming solution DNS. This is not a good solution fpr NFS Kerberos only
-# Actual kerberos/NFS is not able to work with multiple network interfaces on the same machine
+# At present NFS using Kerberos authentication is not able to work with multiple network interfaces on the same machine
 == FAQ ==
-* '''Problem:''' Mounting a nfs volume gives an error message and the syslog or dmesg shows
+* '''Issue:''' Mounting a nfs volume gives an error message and the syslog or dmesg shows
    "RPC: Couldn't create auth handle (flavor 390003)"
 * '''Solution:''' Try 'modprobe rpcsec_gss_krb5' on the client
-* '''Problem:''' Enabling users other than root to access the nfs4 mount, i.e. bob.  The syslog (/var/log/messages) on the client will show something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".
+* '''Issue:''' Enabling users other than root to access the nfs4 mount, i.e. bob.  The syslog (/var/log/messages) on the client will show something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".
 * '''Solution:'''  Create the Kerberos principal for bob using kadmin or kadmin.local on the KDC.  Then on the client, as user bob, run kinit.
+* '''Issue:''' Mounting gives permission denied. Starting rpc.gssd with verbose output (-vv) gives failed credentials for hostname of server (not FQDN). Nslookup gives FQDN for reverse-lookup. dig -x <IP> gives only hostname (probably BIND9 configuration problem).
+* '''Solution:'''  Create entries with FQDN /etc/hosts (or solve BIND9 configuration problem. How?).