Kerberized NFSv4 manual

From DCEwiki

This paper assumes that a Kerberos KDC, LDAP, DNS and time synchronization are already running on the target network. Correctly configured DNS and time synchronization are essential for Kerberos operation. Configuring the Kerberos, LDAP, DNS and NTP environment is beyond the scope of this paper. Setting up an NFSv4 environment with Kerberos/GSS authentication is a rather complex task with a lot of caveats and pitfalls. Many of the resources available on the Internet are outdated or incomplete, and following them may lead to confusion and misunderstanding. This paper reflects the state of the art as of mid-2012.

Kernel prerequisites

The following options were tested on gentoo-sources-3.4.0.

Kernel configuration options

The kernel configuration is the same for the server and the client (NFSv3 options could be disabled). Required options in the section File systems -> Network File Systems:

NFS_FS=y
NFS_V4=y
NFS_V4_1=y
PNFS_FILE_LAYOUT=y
NFS_USE_KERNEL_DNS=y
NFSD=y
NFSD_V4=y
LOCKD=y
LOCKD_V4=y
NFS_ACL_SUPPORT=y
NFS_COMMON=y
SUNRPC=y
SUNRPC_GSS=y
SUNRPC_BACKCHANNEL=y
RPCSEC_GSS_KRB5=m            <--- IMPORTANT
Warning: The option RPCSEC_GSS_KRB5 must be compiled as a module; otherwise communication with the rpc.gssd and rpc.svcgssd daemons may fail.

Some other options are also required in the Cryptography API section:

CRYPTO_MD5=y
CRYPTO_DES=y
CRYPTO_CBC=y
CRYPTO_CTS=y
CRYPTO_ECB=y
CRYPTO_HMAC=y
CRYPTO_SHA1=y
CRYPTO_AES=y  
CRYPTO_ARC4=y
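
One way to check a kernel configuration against both option lists above, including the module requirement for RPCSEC_GSS_KRB5 (an added example, not part of the original page). The function names are hypothetical, and it assumes the configuration is readable as a .config file or a gzip-compressed copy, where option names carry the CONFIG_ prefix.

```shell
#!/bin/sh
# Added example (not from the original page): compare a kernel .config with
# the option lists above. In .config the symbols carry a CONFIG_ prefix.
WANT_Y="NFS_FS NFS_V4 NFS_V4_1 PNFS_FILE_LAYOUT NFS_USE_KERNEL_DNS NFSD NFSD_V4 \
LOCKD LOCKD_V4 NFS_ACL_SUPPORT NFS_COMMON SUNRPC SUNRPC_GSS SUNRPC_BACKCHANNEL \
CRYPTO_MD5 CRYPTO_DES CRYPTO_CBC CRYPTO_CTS CRYPTO_ECB CRYPTO_HMAC CRYPTO_SHA1 \
CRYPTO_AES CRYPTO_ARC4"
WANT_M="RPCSEC_GSS_KRB5"   # must be a module, per the warning above

# check_nfs4_kconfig FILE: print one line per deviation; exit status 1 if any.
# FILE may be gzip-compressed (name ending in .gz).
check_nfs4_kconfig() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | awk -v want_y="$WANT_Y" -v want_m="$WANT_M" '
        function get(k) { return (k in val) ? val[k] : "unset" }
        /^CONFIG_[A-Z0-9_]+=/ {
            eq = index($0, "=")
            # strip the 7-character CONFIG_ prefix from the symbol name
            val[substr($0, 8, eq - 8)] = substr($0, eq + 1)
        }
        END {
            bad = 0
            ny = split(want_y, Y, " "); nm = split(want_m, M, " ")
            for (i = 1; i <= ny; i++)
                if (get(Y[i]) != "y") { print Y[i] ": want y, found " get(Y[i]); bad++ }
            for (i = 1; i <= nm; i++)
                if (get(M[i]) != "m") { print M[i] ": want m, found " get(M[i]); bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: every option built in, so RPCSEC_GSS_KRB5 is =y, not =m.
sample_bad_kconfig() {
    for o in $WANT_Y $WANT_M; do echo "CONFIG_$o=y"; done
}
```

Call it as `check_nfs4_kconfig /usr/src/linux/.config`, or point it at /proc/config.gz on kernels that expose their configuration there.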

Verification

Proper kernel configuration can be verified with the mount command:

Note
root@nfs4ts:~# mount
..
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw,noexec,nosuid,nodev)          <-- may be missing on the client

The rpc_pipefs and nfsd file systems have to be mounted.

System prerequisites

The setup has been tested on Gentoo Linux. These packages have been emerged:

net-fs/nfs-utils-1.2.3-r1  USE="ipv6 kerberos nfsv3 nfsv4 tcpd -caps"
net-libs/libgssglue
net-libs/librpcsecgss

Preliminary attempts were made with nfs-utils-1.2.6, but then the mount command hangs in a loop[1].

Kerberos configuration in relation with NFSv4

Setting[2]

NFSv4 configuration

This part is similar for the server and the client. In the file /etc/gssapi_mech.conf (which belongs to net-libs/libgssglue) it is necessary to uncomment the following line:

Note
# Example /etc/gssapi_mech.conf file
 ..
/usr/lib/libgssapi_krb5.so		mechglue_internal_krb5_init

For some reason, rpc.gssd or rpc.svcgssd may fail during start. The solution is to remove the absolute path from gssapi_mech.conf.

In the file /etc/idmap.conf:

Note
# Example /etc/idmap.conf file
 ..
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = local.domain                            <-- set a valid domain name

NFSv4 Server

Running daemons:

10771 ?        Ss     0:00 /sbin/rpcbind
10785 ?        Ss     0:00 /sbin/rpc.statd --no-notify
10797 ?        Ss     0:00 /usr/sbin/rpc.idmapd
10810 ?        Ss     0:00 /usr/sbin/rpc.svcgssd -vvv
10831 ?        Ss     0:00 /usr/sbin/rpc.mountd

Export NFSv4 root:


Other folders have to be bind-mounted into the NFSv4 root:

nfs4ts / # mkdir -m 755 /exports

Run chown and chmod as required by policy.

In /etc/exportfs:

/exports	gss/krb5(fsid=0,rw,insecure,subtree_check,no_root_squash,sync)
Warning: The no_root_squash option is insecure; remove it if not needed. The fsid=0 option denotes the NFSv4 root. There must be only one.
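
The two points of this warning can be checked mechanically. The following is an added example, not part of the original page: it flags no_root_squash, counts fsid=0 entries, and, going one step beyond the warning, reports entries whose client specification does not require Kerberos (neither a gss/krb5 client name nor a krb5-only sec= option). The function names are hypothetical and the second sample line is constructed; it assumes one export per line without continuations or quoted paths.

```shell
#!/bin/sh
# Added example (not from the original page): audit an exports file.
# Assumes one export per line, no line continuations or quoted paths.

# audit_exports FILE: print one finding per line; exit status 1 if any.
audit_exports() {
    awk '
        BEGIN { roots = 0; bad = 0 }
        $1 ~ /^#/ { next }                        # comment lines
        {
            for (f = 2; f <= NF; f++) {           # each field: client(options)
                p = index($f, "(")
                client = (p ? substr($f, 1, p - 1) : $f)
                opts = (p ? substr($f, p + 1, length($f) - p - 1) : "")
                krb = (client ~ /^gss\/krb5[ip]?$/)
                n = split(opts, o, ",")
                for (i = 1; i <= n; i++) {
                    if (o[i] == "fsid=0") roots++
                    if (o[i] ~ /^sec=krb5[ip]?(:krb5[ip]?)*$/) krb = 1
                    if (o[i] == "no_root_squash") {
                        print "line " FNR ": " $1 " " client ": no_root_squash"; bad++
                    }
                }
                if (!krb) {
                    print "line " FNR ": " $1 " " client ": not restricted to Kerberos"; bad++
                }
            }
        }
        END {
            if (roots != 1) { print "fsid=0 entries: " roots " (want exactly 1)"; bad++ }
            exit (bad > 0)
        }' "$1"
}

# Constructed sample: the export line above plus a second, conflicting entry.
sample_exports() {
    cat <<'EOF'
/exports      gss/krb5(fsid=0,rw,insecure,subtree_check,no_root_squash,sync)
/exports/pub  *(ro,fsid=0,sync)
EOF
}
```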

NFSv4 client

Running daemons:

11189 ?        Ss     0:00 /sbin/rpcbind
11203 ?        Ss     0:00 /sbin/rpc.statd --no-notify
11215 ?        Ss     0:00 /usr/sbin/rpc.idmapd
11228 ?        Ss     0:00 /usr/sbin/rpc.gssd -m -vvv

Fstab record that allows users to mount:

nfs4ts:/	/mnt/nfs4	nfs4		rw,noauto,users,soft,sec=krb5	0 0

Command:

mount -o sec=krb5 -t nfs4 nfs4ts:/ /mnt/nfs4

NFSv4 mountpoint paths are relative to NFSv4 root.

Log of a successful rpc.gssd authentication:

nfs4cl rpc.gssd[11228]: dir_notify_handler: sig 37 si 0x7fff53e7b5f0 data 0x7fff53e7b4c0
nfs4cl rpc.gssd[11228]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt18)
nfs4cl rpc.gssd[11228]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
nfs4cl rpc.gssd[11228]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt18)
nfs4cl rpc.gssd[11228]: process_krb5_upcall: service is '<null>'
nfs4cl rpc.gssd[11228]: Full hostname for 'nfs4ts.felk.cvut.cz' is 'nfs4ts.felk.cvut.cz'
nfs4cl rpc.gssd[11228]: Full hostname for 'nfs4cl.felk.cvut.cz' is 'nfs4cl.felk.cvut.cz'
nfs4cl rpc.gssd[11228]: No key table entry found for root/nfs4cl.felk.cvut.cz@DCE.FELK.CVUT.CZ while getting keytab entry for  'root/nfs4cl.felk.cvut.cz@'
nfs4cl rpc.gssd[11228]: Success getting keytab entry for 'nfs/nfs4cl.felk.cvut.cz@'
nfs4cl rpc.gssd[11228]: Successfully obtained machine credentials for principal 'nfs/nfs4cl.felk.cvut.cz@DCE.FELK.CVUT.CZ' stored in ccache 'FILE:/tmp/krb5cc_machine_DCE.FELK.CVUT.CZ'
nfs4cl rpc.gssd[11228]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DCE.FELK.CVUT.CZ' are good until 1340930499
nfs4cl rpc.gssd[11228]: using FILE:/tmp/krb5cc_machine_DCE.FELK.CVUT.CZ as credentials cache for machine creds
nfs4cl rpc.gssd[11228]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DCE.FELK.CVUT.CZ
nfs4cl rpc.gssd[11228]: creating context using fsuid 0 (save_uid 0)
nfs4cl rpc.gssd[11228]: creating tcp client for server nfs4ts.felk.cvut.cz
nfs4cl rpc.gssd[11228]: DEBUG: port already set to 2049
nfs4cl rpc.gssd[11228]: creating context with server nfs@nfs4ts.felk.cvut.cz
nfs4cl rpc.gssd[11228]: DEBUG: serialize_krb5_ctx: lucid version!
nfs4cl rpc.gssd[11228]: prepare_krb5_rfc4121_buffer: protocol 1
nfs4cl rpc.gssd[11228]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
nfs4cl rpc.gssd[11228]: doing downcall
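
The enctype information in this log can be checked automatically. The following is an added example, not part of the original page, with hypothetical function names: it reports which entries of the upcall's enctypes= list are deprecated (DES, enctypes 1 to 3, by RFC 6649; 3DES and RC4, enctypes 16 and 23, by RFC 8429) and fails if a context key itself uses one of them. The sample input is the two relevant lines of the log above.

```shell
#!/bin/sh
# Added example (not from the original page): report Kerberos enctypes from
# rpc.gssd -vvv output and flag deprecated ones.

# gssd_enctype_report FILE: exit status 1 if a context key uses a weak enctype.
gssd_enctype_report() {
    awk '
        BEGIN {
            name[1] = "des-cbc-crc"; name[2] = "des-cbc-md4"; name[3] = "des-cbc-md5"
            name[16] = "des3-cbc-sha1"; name[17] = "aes128-cts-hmac-sha1-96"
            name[18] = "aes256-cts-hmac-sha1-96"; name[23] = "rc4-hmac"
            weak[1] = weak[2] = weak[3] = weak[16] = weak[23] = 1
            bad = 0
        }
        function label(t) { return t "(" ((t in name) ? name[t] : "unknown") ")" }
        /handle_gssd_upcall:.*enctypes=/ {
            s = $0; sub(/.*enctypes=/, "", s); sub(/[^0-9,].*/, "", s)
            n = split(s, et, ",")
            for (i = 1; i <= n; i++)
                if ((et[i] in weak) && !(et[i] in seen)) {
                    seen[et[i]] = 1; listed = listed " " label(et[i])
                }
        }
        /serializing key with enctype / {
            s = $0; sub(/.*serializing key with enctype /, "", s); sub(/[^0-9].*/, "", s)
            print "context key: " label(s) ((s in weak) ? " WEAK" : "")
            if (s in weak) bad++
        }
        END {
            if (listed != "") print "weak enctypes in upcall:" listed
            exit (bad > 0)
        }' "$1"
}

# Sample input: the two relevant lines from the log on this page.
sample_gssd_log() {
    cat <<'EOF'
nfs4cl rpc.gssd[11228]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
nfs4cl rpc.gssd[11228]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
EOF
}
```

On the log above the context key is enctype 18 (AES-256), so the check passes, while the upcall still lists enctypes 16, 23, 3, 1 and 2.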

Remarks

References