NFSv4Howto

Differences between revisions 2 and 3
Revision 2 as of 2005-09-05 21:30:43
Size: 3636
Editor: lx1-ghoch
Comment: started krb5 section
Revision 3 as of 2005-09-06 13:52:53
Size: 5885
Editor: linux0-zid
Comment: more krb5 documentation
Deletions are marked like this. Additions are marked like this.
Line 25: Line 25:
Lets say we want to export our user homedirs in {{{/home/users}}}. First
we create the export filesytem:		  * Lets say we want to export our user homedirs in {{{/home/users}}}. First
 we create the export filesytem:
Line 28: Line 28:
{{{# mkdir /export  {{{# mkdir /export
Line 31: Line 31:
and mount the real users directory with:  and mount the real users directory with:
Line 33: Line 33:
{{{  {{{
Line 36: Line 36:
To save us from retyping this after every reboot we add the following
line to {{{/etc/fstab}}}
{{{		  To save us from retyping this after every reboot we add the following
 line to {{{/etc/fstab}}}
 {{{
Line 41: Line 41:
In {{{/etc/default/nfs-kernel-server}}} we set:
{{{		  * In {{{/etc/default/nfs-kernel-server}}} we set:
 {{{
Line 44: Line 44:
because do not activate NFSv4 security this time.  because we do not activate NFSv4 security this time.
Line 46: Line 46:
In {{{/etc/default/nfs-common}}} we set:
{{{		  * In {{{/etc/default/nfs-common}}} we set:
 {{{
Line 51: Line 51:
To export our directories to a local network 192.198.1.0/24
we add the following two lines to {{{/etc/exports}}}
{{{		  * To export our directories to a local network 192.198.1.0/24
 we add the following two lines to {{{/etc/exports}}}
 {{{
Line 61: Line 61:
On the client we can mount the complete export tree with one command:
{{{		  * On the client we can mount the complete export tree with one command:
 {{{
Line 64: Line 64:
We can also mount an exported ''subtree'' with:
{{{
 * We can also mount an exported ''subtree'' with:
 {{{
Line 79: Line 80:
On the nfs-server and nfs-client you need at least the ''krb5-user''
and optinal ''libpam-krb5'' if you wish to authenticate against krb5.
{{{# apt-get install krb5-user		  * On the nfs-server and nfs-client you need at least the ''krb5-user''
 and optinal ''libpam-krb5'' if you wish to authenticate against krb5.
 {{{# apt-get install krb5-user
Line 84: Line 85:
Specifiy ''des-cbc-crc'' in ''/etc/krb5.conf'' on nfs-servers and nfs-clients.
{{{[libdefaults]		  * Specifiy ''des-cbc-crc'' in ''/etc/krb5.conf'' on nfs-servers and nfs-clients.
 {{{[libdefaults]
Line 88: Line 89:

 * You need the gss kernel modules on nfs-servers and nfs-clients.
 {{{
# modprobe rpcsec_gss_krb5 }}}
 Add ''rpcsec_gss_krb5'' to ''/etc/modules'' to have it loaded
 automatically.
Line 113: Line 120:
 * Check your machine credentials in ''/etc/krb5.keytab''
 {{{# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1 2 nfs/nfs-server.domain@DOMAIN
}}}

 * In {{{/etc/default/nfs-kernel-server}}} we set:
 {{{
NEED_SVCGSSD=yes }}}

 * In {{{/etc/default/nfs-common}}} we set:
 {{{
NEED_IDMAPD=yes }}}

 * To export our directories from the example above to a
 local network 192.198.1.0/24 and addt
 we add the following two lines to {{{/etc/exports}}}
 {{{
/export 192.168.1.0/24(ro,fsid=0,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export gss/krb5(ro,fsid=0,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534) }}}

Please note that you can specify allowed hosts only in
the ''any authentication'' flavor. gss/krb5 flavours
are accessible from anywhere, if do not use an additional
firewall rules.
 
To export only with secure authentication flavors do
not include a ''host(...)'' line in ''/etc/exports''

To display your exports enter:
{{{
# exportfs -v }}}
Line 115: Line 164:

 * Check your machine credentials in ''/etc/krb5.keytab''
 {{{# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1 2 nfs/nfs-client.domain@DOMAIN
}}}
 
 * In {{{/etc/default/nfs-common}}} we set:
 {{{
NEED_IDMAPD=yes
NEED_GSSD=yes }}}

 * We can ''secure'' mount the complete export tree with:
 {{{
# mount -t nfsv4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/ /mnt}}}

 * We can also ''secure'' mount an exported ''subtree'' with:
 {{{
# mount -t nfsv4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/users /home/users}}}

TableOfContents

Installation

NFSv4 is not included in Ubuntu or Debian at this time. You have to get your packages from unofficial sources.

Follow the instructions in ["NFSv4"] and edit your sources.list accordingly. To install the packages enter:

  • NFSv4 client 
    # apt-get install nfs-common
  • NFSv4 server 
    # apt-get install nfs-kernel-server

NFSv4 without Kerberos

NFSv4 Server

NFSv4 exports exist in a single pseudo filesystem, where the real directories are mounted with the --bind option.

  • Lets say we want to export our user homedirs in /home/users. First we create the export filesytem: {{{# mkdir /export

# mkdir /export/users }}}

  • and mount the real users directory with: 
    # mount --bind /home/users /export/users
    To save us from retyping this after every reboot we add the following

    line to /etc/fstab 

    /home/users    /export/users   none    bind  0  0

  • In /etc/default/nfs-kernel-server we set: 

    NEED_SVCGSSD=no
    because we do not activate NFSv4 security this time.

  • In /etc/default/nfs-common we set: 

    NEED_IDMAPD=yes
NEED_GSSD=no
  • To export our directories to a local network 192.198.1.0/24

    we add the following two lines to /etc/exports 

    /export       192.168.1.0/24(ro,fsid=0,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)

NFSv4 Client

  • On the client we can mount the complete export tree with one command: 
    # mount -t nfsv4 -o proto=tcp,port=2049 nfs-server:/ /mnt

  • We can also mount an exported subtree with: 

    # mount -t nfsv4 -o proto=tcp,port=2049 nfs-server:/users /home/users

NFSv4 with Kerberos

You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) before continuing. On the nfs-server and nfs-clients you must use MIT krb5 for now.

When extracting the key to a keytab file and when configuring krb5 in /etc/krb5.conf it is neccessary to specify des-cbc-crc because only this type of encryption is supported by the kernel at the moment.

  • On the nfs-server and nfs-client you need at least the krb5-user and optinal libpam-krb5 if you wish to authenticate against krb5. {{{# apt-get install krb5-user

# apt-get install libpam-krb5 }}}

  • Specifiy des-cbc-crc in /etc/krb5.conf on nfs-servers and nfs-clients. {{{[libdefaults]

    • default_tgs_enctypes = des-cbc-crc default_tkt_enctypes = des-cbc-crc }}}
  • You need the gss kernel modules on nfs-servers and nfs-clients. 
    # modprobe rpcsec_gss_krb5

    Add rpcsec_gss_krb5 to /etc/modules to have it loaded automatically.

Create and distribute credentials

NFSv4 needs machine credentials for the server and every client, which wants to use the NFSv4 security features.

Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC and distribute the extraced keys with scp to the destination

Heimdal

{{{# kinit kadmin/admin

# kadmin add -r nfs/nfs-server.domain # ktutil -k /root/keytab.nfs-server get -e des-cbc-crc nfs/nfs-server.domain # scp -p /root/keytab.nfs-server nfs-server:/etc/krb5.keytab

# kadmin add -r nfs/nfs-client.domain # ktutil -k /root/keytab.nfs-client get -e des-cbc-crc nfs/nfs-server.domain # scp -p /root/keytab.nfs-client nfs-client:/etc/krb5.keytab

# kdestroy }}}

NFSv4 Server

  • Check your machine credentials in /etc/krb5.keytab {{{# ktutil

ktutil: rkt /etc/krb5.keytab ktutil: list slot KVNO Principal

  • 1 2 nfs/nfs-server.domain@DOMAIN

}}}

  • In /etc/default/nfs-kernel-server we set: 

    NEED_SVCGSSD=yes

  • In /etc/default/nfs-common we set: 

    NEED_IDMAPD=yes
  • To export our directories from the example above to a local network 192.198.1.0/24 and addt

    we add the following two lines to /etc/exports 

    /export       192.168.1.0/24(ro,fsid=0,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export       gss/krb5(ro,fsid=0,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users 192.168.1.0/24(rw,nohide,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)
/export/users gss/krb5(rw,nohide,insecure, \
  no_subtree_check,async,anonuid=65534,anongid=65534)

Please note that you can specify allowed hosts only in the any authentication flavor. gss/krb5 flavours are accessible from anywhere, if do not use an additional firewall rules.

To export only with secure authentication flavors do not include a host(...) line in /etc/exports

To display your exports enter: 

# exportfs -v

NFSv4 Client

  • Check your machine credentials in /etc/krb5.keytab {{{# ktutil

ktutil: rkt /etc/krb5.keytab ktutil: list slot KVNO Principal

  • 1 2 nfs/nfs-client.domain@DOMAIN

}}}

  • In /etc/default/nfs-common we set: 

    NEED_IDMAPD=yes
NEED_GSSD=yes

  • We can secure mount the complete export tree with: 

    # mount -t nfsv4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/ /mnt

  • We can also secure mount an exported subtree with: 

    # mount -t nfsv4 -o sec=krb5,proto=tcp,port=2049 nfs-server:/users /home/users

NFSv4Howto (last edited 2008-08-06 16:27:51 by localhost)