Enduser doc kerberos
From Linux NFS
Revision history: Jamesfcarter (minor edit to Warnings); DavidGreaves (rewrite page)
Revision as of 14:02, 23 May 2010
Kerberos 5 setup for NFSv4
The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.)
To use Kerberos with NFS you need to set up the server and the client in your realm.
We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. This Kerberos Infrastructure HOWTO (http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html) is a good reference for configuring and starting the Kerberos KDC.
Server Setup
The server needs to be identified to the KDC with a principal of
nfs/<fqdn>@REALM
On the nfs-server you can run kadmin and authenticate as kadmin/admin:
# kadmin
kadmin: addprinc -randkey nfs/myclient.mydomain
kadmin: ktadd nfs/myclient.mydomain
On Debian you should enable the NFS server gssapi daemon in /etc/defaults/nfs-kernel-server:
NEED_SVCGSSD=yes
If your REALM is not the same as your lowercased DNS domain you can add:
Local-Realm = <REALM>
to the [General] section of /etc/idmapd.conf
As of May 2010, according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=568771, you should edit /etc/krb5.conf and put the following in the [libdefaults] section:
allow_weak_crypto=true
Restart nfs-kernel-server and nfs-common
Client Setup
The client does not need an nfs/<fqdn>@REALM principal (or even a host/<fqdn>@REALM principal).
It does need the id-mapper daemon and the gssapi daemon running. The init scripts may pick this up when parsing /etc/fstab, or it can be forced in /etc/defaults/nfs-common:
NEED_IDMAPD=yes
NEED_GSSD=yes
(May 2010): The client also needs allow_weak_crypto in the [libdefaults] section of /etc/krb5.conf:
allow_weak_crypto=true
Restart nfs-common
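As an added example (not part of the wiki page), the following shell script reads the settings the Server Setup and Client Setup sections ask for out of the files they name: allow_weak_crypto in the [libdefaults] section of /etc/krb5.conf, Local-Realm in the [General] section of /etc/idmapd.conf, and NEED_SVCGSSD in the Debian defaults file. It uses a small awk reader for the INI-style "key = value" syntax those files share. The sample files it writes under a temporary directory are constructed stand-ins for the real ones, and the function names (ini_get, weak_crypto_enabled, setup_report) are my own.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: verify a Kerberos/NFS setup
# from a script by reading single keys out of INI-style config files.

# ini_get FILE SECTION KEY
# Prints the value of KEY in [SECTION]; exit status 1 if it is not set.
# Pass an empty SECTION for a file without section headers, such as the
# VAR=value style of the Debian defaults files.
# Note: krb5.conf nests realm blocks in braces; this reader does not descend
# into them, it only looks at top-level "key = value" lines of a section.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }                        # comment line
        { gsub(/^[ \t]+|[ \t]+$/, "") }               # trim whitespace
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == want_sec && index($0, "=") {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key == want_key) { print val; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# weak_crypto_enabled KRB5_CONF
# Exit 0 when allow_weak_crypto is switched on in [libdefaults], accepting the
# spellings MIT krb5 treats as true. The Debian NEWS entry quoted under
# External Links is why this matters: the setting re-enables DES, which that
# entry describes as weak, so it is worth knowing which hosts still set it.
weak_crypto_enabled() {
    v=$(ini_get "$1" libdefaults allow_weak_crypto) || return 1
    case "$v" in
        [Tt][Rr][Uu][Ee]|[Tt]|[Yy][Ee][Ss]|[Yy]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files standing in for /etc/krb5.conf, /etc/idmapd.conf
# and /etc/defaults/nfs-kernel-server.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
cat > "$tmp/idmapd.conf" <<'EOF'
[General]
Verbosity = 0
Local-Realm = EXAMPLE.COM
[Mapping]
Nobody-User = nobody
EOF
cat > "$tmp/nfs-kernel-server" <<'EOF'
# Debian defaults file (constructed)
NEED_SVCGSSD=yes
EOF

# setup_report: print the three settings the page's server setup depends on.
setup_report() {
    printf 'svcgssd enabled:    %s\n' \
        "$(ini_get "$tmp/nfs-kernel-server" '' NEED_SVCGSSD || echo unset)"
    printf 'idmapd Local-Realm: %s\n' \
        "$(ini_get "$tmp/idmapd.conf" General Local-Realm || echo 'unset (realm taken from the DNS domain)')"
    if weak_crypto_enabled "$tmp/krb5.conf"; then
        echo 'allow_weak_crypto:  true (DES enctypes re-enabled)'
    else
        echo 'allow_weak_crypto:  not set'
    fi
}

setup_report
```

Run it with no arguments to see the report on the constructed samples; point ini_get at the real paths to audit a live host. Because the Debian NEWS text quoted under External Links calls DES weak, a host where weak_crypto_enabled succeeds is one to revisit once its NFS stack no longer needs DES.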
Mounting
NFSv4 can use Kerberos security to provide:
- authentication
- integrity
- privacy
These are specified on the client side using:
- sec=krb5
- sec=krb5i
- sec=krb5p
respectively, e.g.:
mount -t nfs4 -o sec=krb5p nfs-server.domain.com:/ /nfs4/
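As an added example, not from the wiki page, the script below audits a mount table in /proc/mounts layout and reports every NFS mount that is not using sec=krb5p, spelling out which of the three protections listed above (authentication, integrity, privacy) the mount lacks. The mount table lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: find NFS mounts whose Kerberos
# flavour gives less than authentication + integrity + privacy.
# Input lines use the /proc/mounts layout: source mountpoint fstype options dump pass

# nfs_sec_flavor OPTIONS
# Prints the value of the sec= mount option, or "sys" when it is absent
# (AUTH_SYS, which is what you get when no Kerberos flavour is requested).
nfs_sec_flavor() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= '$1 == "sec" { print $2; found = 1; exit } END { if (!found) print "sys" }'
}

# describe_flavor FLAVOR
# Spells out what each flavour from the Mounting section provides.
describe_flavor() {
    case "$1" in
        krb5p) echo 'authentication, integrity and privacy' ;;
        krb5i) echo 'authentication and integrity, no privacy' ;;
        krb5)  echo 'authentication only, no integrity or privacy' ;;
        sys)   echo 'no Kerberos: the client-asserted uid/gid are trusted' ;;
        *)     echo "unknown flavour $1" ;;
    esac
}

# audit_nfs_mounts < MOUNT_TABLE
# Prints "mountpoint flavour: description" for every nfs/nfs4 mount that is
# not krb5p, i.e. every NFS mount whose traffic is not encrypted on the wire.
audit_nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4"' |
    while read -r src mnt fstype opts dump pass; do
        flavor=$(nfs_sec_flavor "$opts")
        if [ "$flavor" = krb5p ]; then
            continue
        fi
        printf '%s %s: %s\n' "$mnt" "$flavor" "$(describe_flavor "$flavor")"
    done
}

# Constructed mount table: one krb5p mount (fine), one AUTH_SYS NFSv3 mount,
# one krb5 (authentication only) NFSv4 mount and a local filesystem.
SAMPLE_MOUNTS='nfs-server.domain.com:/ /nfs4 nfs4 rw,relatime,vers=4,sec=krb5p,clientaddr=192.0.2.10 0 0
legacy.domain.com:/export /mnt/legacy nfs rw,vers=3,sec=sys 0 0
nfs-server.domain.com:/home /home nfs4 rw,vers=4,sec=krb5 0 0
/dev/sda1 / ext4 rw,errors=remount-ro 0 0'

# count_weak_mounts: number of NFS mounts the audit reports for the sample.
count_weak_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts
```

On a live client, feed it the real table with `audit_nfs_mounts < /proc/mounts`; an empty result means every NFS mount is using krb5p.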
External Links
krb5/nfs constraint to -e des-cbc-crc:normal is not needed:
http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html
Explanation of enctypes:
http://blogs.sun.com/wfiveash/resource/krb_enctypes_so8.pdf
From the Debian NEWS.Debian.gz referenced above (1.8+dfsg~alpha1-1):

This version of MIT Kerberos disables DES and 56-bit RC4 by default. These encryption types are generally regarded as weak; defeating them is well within the expected resources of some attackers. However, some applications, such as OpenAFS or Kerberized NFS, still rely on DES. To re-enable DES support add allow_weak_crypto=true to the libdefaults section of /etc/krb5.conf

Sam Hartman <hartmans@debian.org> Fri, 08 Jan 201
Warnings
Some warnings about Kerberos:
- The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case.
- The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be included on the localhost line.
- Use only lower-case characters for machine names in Kerberos and in the DNS.
- Kerberos/NFS currently cannot work with multiple network interfaces on the same machine.
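The /etc/hosts rules above can be checked mechanically. The following script is an added example, not from the wiki page: it reads a hosts file and reports a name that is not first on the machine's own line, a machine name on a loopback line, and any upper-case name. The two sample hosts files are constructed, the function names are mine, and treating every 127.x.x.x or ::1 line as "the localhost line" is my assumption.

```shell
#!/bin/sh
# Added example, not from the Linux NFS wiki: check /etc/hosts against the
# Kerberos warnings (FQDN first on the machine's own line, machine name absent
# from the localhost line, lower-case names only).

# check_hosts HOSTS_FILE IP FQDN
# Prints one line per problem found; exit 0 when the file is clean.
# Assumption: every loopback address (127.x.x.x or ::1) counts as a
# "localhost line" for the purpose of the second warning.
check_hosts() {
    awk -v ip="$2" -v fqdn="$3" '
        BEGIN { short = fqdn; sub(/\..*/, "", short) }   # short host name
        { sub(/#.*/, "") }                                # drop comments
        NF < 2 { next }                                   # blank or address-only line
        $1 == ip {
            seen = 1
            if ($2 != fqdn) {
                printf "%s: first name is %s, expected %s\n", ip, $2, fqdn; bad = 1
            }
        }
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if ($i == fqdn || $i == short) {
                    printf "%s appears on loopback line %s\n", $i, $1; bad = 1
                }
        }
        {
            for (i = 2; i <= NF; i++)
                if ($i != tolower($i)) { printf "upper-case name: %s\n", $i; bad = 1 }
        }
        END {
            if (!seen) { printf "no line for %s\n", ip; bad = 1 }
            if (bad) exit 1
            exit 0
        }
    ' "$1"
}

# Constructed sample files: one that follows the warnings, one that breaks
# all three (host name on the 127.0.1.1 line, short name first, mixed case).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/hosts.good" <<'EOF'
127.0.0.1   localhost
192.0.2.10  nfsclient.example.com nfsclient
EOF
cat > "$tmp/hosts.bad" <<'EOF'
127.0.0.1   localhost
127.0.1.1   nfsclient.example.com nfsclient
192.0.2.10  nfsclient NFSClient.example.com
EOF

# count_problems HOSTS_FILE IP FQDN: number of problem lines reported.
count_problems() {
    check_hosts "$1" "$2" "$3" | wc -l | tr -d ' '
}

for f in hosts.good hosts.bad; do
    echo "== $f"
    check_hosts "$tmp/$f" 192.0.2.10 nfsclient.example.com || echo "-> fix $f before using Kerberos"
done
```

To check a real machine, call `check_hosts /etc/hosts <its IP> <its FQDN>`; the exit status makes it usable from a provisioning script, and the printed lines say which warning is violated.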
FAQ
- Problem: Mounting an NFS volume gives an error message and the syslog or dmesg shows
"RPC: Couldn't create auth handle (flavor 390003)"
- Solution: Try 'modprobe rpcsec_gss_krb5' on the client
- Problem: Enabling users other than root, e.g. bob, to access the nfs4 mount. The syslog (/var/log/messages) on the client will show something like "WARNING: error from gss_acquire_cred for user with uid 3333 (No credentials cache found)" and "WARNING: Failed while limiting krb5 encryption types for user with uid 3333".
- Solution: Create the Kerberos principal for bob using kadmin or kadmin.local on the KDC. Then on the client, as user bob, run kinit.
- Problem: Mounting gives permission denied. Starting rpc.gssd with verbose output (-vv) shows failed credentials for the server's short hostname (not its FQDN). nslookup returns the FQDN for the reverse lookup, but dig -x <IP> returns only the hostname (probably a BIND9 configuration problem).
- Solution: Create entries with the FQDN in /etc/hosts (or fix the BIND9 configuration problem. How?).