I was unable to find any guides which accurately described setting up a NFSv4 client with Kerberos on Gentoo. There are guides for setting things up on other distros, but I have run into numerous issues which were directly related to using Gentoo. Therefore, I am going to use this guide to document some of those problems. Please note that the NFS server is running Ubuntu 10.04, so there are some parts of this guide which won’t apply to Gentoo.<\/p>\n
Setting up the Kerberos server is fairly straightforward, however, there is a difference in the way things are compiled on Gentoo. The OpenAFS<\/a> guide on the wiki is mostly correct. I’ll reiterate the correct steps here.<\/p>\n First, you need to install the Kerberos server.<\/p>\n Copy the The edited file will look similar to this<\/p>\n You will need to replace “EXAMPLE.COM”, “example.com”, and “krb.example.com” with appropriate values for your environment. Note that realm names are always uppercase. The name of your KDC (krb.example.com in the example) is arbitrary.<\/p>\n This is where the OpenAFS guide is confusing. The kdc.conf file should reside at Replace “EXAMPLE.COM” with your own realm name. Also note that some of the options above are changed from their default values. I have added a logging section at the end and changed the directory where things reside.<\/p>\n An important difference is that the After modifying As usual, make sure you use your realm name.<\/p>\n I’ll leave this as an exercise for the reader. I generally create varying policies for services and users and those won’t be entirely useful for most. For a really good guide on creating\/using policies, see\u00a0http:\/\/techpubs.spinlocksolutions.com\/dklar\/kerberos.html#id2500817<\/a>.<\/p>\n To start the kdc and kadmind servers, run the following.<\/p>\n Add them to the default runlevel so that they start up after a reboot<\/p>\n First install the nfs client utilities<\/p>\n You will want to make sure you have both the kerberos<\/strong> and the nfsv4<\/strong> USE flags enabled.<\/p>\n You will need to configure the kernel with the appropriate relevant options. I won’t bother going through that entire process. Rather, I’ll point out some things that went wrong for me, but weren’t immediately obvious.<\/p>\n The kernel needs to have the rpcsec_gss_krb5 option configured as a module. I spent quite a while debugging this problem. I had the option compiled directly into the kernel.\u00a0Looking in the nfs client’s syslog, I also found this obscure error message.<\/p>\n Whatever the hell that means. Surprisingly, there are very few references to this error. One of them I found suggested recompiling the kernel with the\u00a0rpcsec_gss_krb5 module and simple loading it after boot. Surprisingly, this actually worked.<\/p>\n Both the nfs server and the nfs client need nfs principals added to their krb5.keytab. Since my nfs server was running an older kernel (Ubuntu 10.04), I needed to do a couple things to get this to work.<\/p>\n First, you need to add an nfs principal for both the client and the server. In my case, the server needed an encryption type which isn’t generated by default on a Gentoo Kerberos server. Therefore, I generated the principal like this.<\/p>\n Since I had a service policy defined, this created the nfs\/www.siriad.com principal with the “des-cbc-crc” encryption type. This is necessary for the older version of nfs that is available for Ubuntu 10.04. You then need to login to the nfs server, run kadmin, and do the following.<\/p>\n This will add the entry to your nfs server’s host keytab. Using this encryption type is extremely important. If you don’t, you will probably end up with very cryptic errors like the ones I had.<\/p>\n This indicates that the NFS server has not implemented the encryption types being used in your keytab.<\/p>\n Now you just need to add an nfs principal for your client. In this case, Gentoo had support for the more recent encryption types, so I didn’t need to do anything special. I just created the principal.<\/p>\n then added it to the client’s host keytab using kadmin on the client<\/p>\n Lastly, you need to make sure you allow for weak encryption types in the First, you need to allow for weak encryption types on the NFS server. You can do this by modifying the Note that the values listed as permitted are those generated by default on my Kerberos server. Please DO NOT<\/strong>\u00a0set the default encryption type to the weak encryption. I see far too many howtos that tell you to do this and it is NOT<\/strong> a good idea. If you can use the stronger encryption for things other than NFS, there is no reason not to.<\/p>\n On the NFS server, you also need to make sure that rpc.svcgssd is set to start alongside NFS. On Ubuntu, you can do this by editing your You will also need to edit the following line in the Edit the Lastly, you need to modify \/etc\/exports with the appropriate values. My export looks something like this.<\/p>\n You can then restart the nfs-kernel-server service and your NFS server should be ready to go.<\/p>\n You need to first make sure that rpc.idmapd and rpc.gssd are set to start with nfs. Edit your NFS_NEEDED_SERVICES=”rpc.idmapd rpc.gssd”<\/p>\n You will need to edit You can now test your nfs mount with the following command<\/p>\n This should work successfully and you should be able to see the appropriate requests coming through in your KDC logs.<\/p>\n","protected":false},"excerpt":{"rendered":" I was unable to find any guides which accurately described setting up a NFSv4 client with Kerberos on Gentoo. There are guides for setting things up on other distros, but I have run into numerous issues which were directly related to using Gentoo. Therefore, I am going to use this guide to document some of […]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[12,17,16,3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/223"}],"collection":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/comments?post=223"}],"version-history":[{"count":14,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/223\/revisions"}],"predecessor-version":[{"id":235,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/posts\/223\/revisions\/235"}],"wp:attachment":[{"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/media?parent=223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/categories?post=223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.soljerome.com\/blog\/wp-json\/wp\/v2\/tags?post=223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Installation<\/h3>\n
emerge -av mit-krb5<\/pre>\n
\/etc\/krb5.conf.example<\/code> file that is included over to \/etc\/krb5.conf<\/code> and edit it according to your needs.<\/p>\ncp \/etc\/krb5.conf.example \/etc\/krb5.conf<\/pre>\n
[libdefaults]\r\n default_realm = EXAMPLE.COM\r\n forwardable = true\r\n renew_lifetime = 7days\r\n\r\n[realms]\r\n EXAMPLE.COM = {\r\n kdc = krb.example.com\r\n admin_server = krb.example.com\r\n }\r\n\r\n[domain_realm]\r\n .example.com = EXAMPLE.COM\r\n example.com = EXAMPLE.COM<\/pre>\nSetting up the primary KDC<\/h3>\n
\/var\/lib\/krb5kdc\/kdc.conf<\/code>, not \/etc\/kdc.conf<\/code>. So, go ahead and copy \/var\/lib\/krb5kdc\/kdc.conf.example<\/code> and create a new file. Here are what the contents should look like.<\/p>\n[kdcdefaults]\r\n kdc_ports = 750,88\r\n\r\n[realms]\r\n EXAMPLE.COM = {\r\n database_name = \/var\/lib\/krb5kdc\/principal\r\n admin_keytab = FILE:\/var\/lib\/krb5kdc\/kadm5.keytab\r\n acl_file = \/var\/lib\/krb5kdc\/kadm5.acl\r\n key_stash_file = \/var\/lib\/krb5kdc\/.k5.EXAMPLE.COM\r\n kdc_ports = 750,88\r\n max_life = 10h 0m 0s\r\n max_renewable_life = 7d 0h 0m 0s\r\n default_principal_flags = +preauth\r\n }\r\n\r\n[logging]\r\n kdc = FILE:\/var\/log\/kerberos\/kdc.log\r\n admin_server = FILE:\/var\/log\/kerberos\/kadmin.log<\/pre>\ndefault_principal_flags<\/code> has been set to +preauth. The reason for this is that without it, Kerberos is vulnerable to offline dictionary attacks<\/a>. If you are going to have your KDC\u00a0publicly\u00a0accessible, then you definitely want to consider enabling preauthentication. In my opinion, you probably want this even if the KDC is not<\/strong>\u00a0publicly\u00a0accessible, but that’s because I trust no one.<\/p>\n\/var\/lib\/krb5kdc\/kadm5.acl<\/code> to your liking, you can go ahead and create the database.<\/p>\ncd \/var\/lib\/krb5kdc\r\nkdb5_util create -r EXAMPLE.COM -s<\/pre>\n
Principal Creation<\/h4>\n
Start Kerberos Server<\/h4>\n
\/etc\/init.d\/mit-krb5kadmind start\r\n\/etc\/init.d\/mit-krb5kdc start<\/pre>\n
rc-update add mit-krb5kadmind default\r\nrc-update add mit-krb5kdc default<\/pre>\n
Installing NFSv4 client<\/h3>\n
emerge -av nfs-utils<\/pre>\n
Configuring the kernel<\/h4>\n
gss_create: Pseudoflavor 390003 not found!\r\nRPC: Couldn't create auth handle (flavor 390003)<\/pre>\n
Adding nfs principals<\/h4>\n
addprinc -policy service -randkey -e \"des-cbc-crc:normal\" nfs\/nfsserver<\/pre>\n
kadmin: \u00a0ktadd -e des-cbc-crc:normal nfs\/nfsserver<\/pre>\n
rpc.svcgssd: ERROR:\u00a0prepare_krb5_rfc_cfx_buffer: not implemented\r\nrpc.svcgssd: ERROR: failed serializing krb5 context for kernel\r\nrpc.svcgssd: WARNING: handle_nullreq: serialize_context_for_kernel failed<\/pre>\n
addprinc -policy service -randkey nfs\/nfsclient<\/pre>\n
kadmin: \u00a0ktadd nfs\/nfsclient<\/pre>\n
\/etc\/krb5.conf<\/code> file. Add the following to the [libdefaults]<\/code> section.<\/p>\nallow_weak_crypto = true<\/pre>\n
Setting up the NFS server<\/h4>\n
\/etc\/krb5.conf<\/code> file. You will need to add the following two lines in the [libdefaults]<\/code> section.<\/p>\nallow_weak_crypto = true\r\npermitted_enctypes = \"des-cbc-crc arcfour-hmac des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96\"<\/pre>\n
\/etc\/default\/nfs-kernel-server<\/code> file and editing\/modifying the following line.<\/p>\nNEED_SVCGSSD=yes<\/pre>\n
\/etc\/default\/nfs-common<\/code> file.<\/p>\nNEED_IDMAPD=yes<\/pre>\n
\/etc\/idmapd.conf<\/code> file and set the Domain line to the appropriate value for your environment. Make sure you restart rpc.idmapd if necessary.<\/p>\n\/export\/dir gss\/krb5(rw,fsid=0,insecure,no_subtree_check)<\/pre>\n
Setting up the NFS client<\/h4>\n
\/etc\/conf.d\/nfs<\/code> file and modify the following line.<\/p>\n\/etc\/idmapd.conf<\/code> with the same information from the NFS server. Then you can \/etc\/init.d\/nfs restart<\/code> and test your NFS mount.<\/p>\nTesting your NFS mount<\/h4>\n
\u00a0mount -vvv -t nfs4 -o sec=krb5 nfsserver:\/ test\/<\/pre>\n