Kerberized NFSv4 manual
This paper assumes that Kerberos KDC, LDAP, DNS and time synchronization systems are already running on the target network. Properly configured DNS and time synchronization are essential for Kerberos operation. Configuration of the Kerberos, LDAP, DNS and NTP environment is beyond the scope of this paper. Setting up an NFSv4 environment with Kerberos/GSS authentication is a rather complex task with a lot of caveats and pitfalls. Many of the resources available across the Internet are outdated or incomplete, and following them may lead to confusion and misunderstanding. This paper reflects the state of the art as of mid-2012.
Kernel prerequisites
The following options were tested on gentoo-sources-3.4.0.
Kernel configuration options
The kernel configuration for server and client is the same (the NFSv3 options could be disabled). Required options in the section File systems -> Network File Systems:
NFS_FS=y
NFS_V4=y
NFS_V4_1=y
PNFS_FILE_LAYOUT=y
NFS_USE_KERNEL_DNS=y
NFSD=y
NFSD_V4=y
LOCKD=y
LOCKD_V4=y
NFS_ACL_SUPPORT=y
NFS_COMMON=y
SUNRPC=y
SUNRPC_GSS=y
SUNRPC_BACKCHANNEL=y
RPCSEC_GSS_KRB5=m <--- IMPORTANT
The option RPCSEC_GSS_KRB5 must be compiled as a module, otherwise communication with the rpc.gssd and rpc.svcgssd daemons may fail.
Some other options are also required in the Cryptographic API section:
CRYPTO_MD5=y
CRYPTO_DES=y
CRYPTO_CBC=y
CRYPTO_CTS=y
CRYPTO_ECB=y
CRYPTO_HMAC=y
CRYPTO_SHA1=y
CRYPTO_AES=y
CRYPTO_ARC4=y
Verification
Proper kernel configuration can be verified with the mount command:
root@nfs4ts:~# mount
..
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw,noexec,nosuid,nodev) <-- may be missing on client
The file systems rpc_pipefs and nfsd have to be mounted.
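The kernel option list and the mount check above are easy to get subtly wrong (a built-in RPCSEC_GSS_KRB5, a missing CRYPTO_CTS, rpc_pipefs not mounted), so here is an added example script, not part of the original manual, that checks both from a kernel .config and from /proc/mounts or mount output. Its only assumption beyond the text is that nfsd is treated as required on the server and merely optional on the client, since the manual notes it may be missing there; the sample inputs at the bottom are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example (not from the original manual): verify the kernel options and
# pseudo file systems the manual requires. Both functions read stdin so they
# work on the constructed samples below and on a live system:
#   zcat /proc/config.gz | check_kconfig
#   check_mounts server < /proc/mounts

# Options the manual lists as built-in (=y), as CONFIG_ symbols without the prefix.
REQUIRED_Y="NFS_FS NFS_V4 NFS_V4_1 PNFS_FILE_LAYOUT NFS_USE_KERNEL_DNS NFSD NFSD_V4
LOCKD LOCKD_V4 NFS_ACL_SUPPORT NFS_COMMON SUNRPC SUNRPC_GSS SUNRPC_BACKCHANNEL
CRYPTO_MD5 CRYPTO_DES CRYPTO_CBC CRYPTO_CTS CRYPTO_ECB CRYPTO_HMAC CRYPTO_SHA1 CRYPTO_AES CRYPTO_ARC4"

# check_kconfig: read a kernel .config on stdin, print one line per problem,
# return 0 when the configuration matches the manual and 1 otherwise.
check_kconfig() {
    cfg=$(cat)
    rc=0
    for opt in $REQUIRED_Y; do
        if ! printf '%s\n' "$cfg" | grep -qx "CONFIG_$opt=y"; then
            echo "missing: CONFIG_$opt=y"
            rc=1
        fi
    done
    # RPCSEC_GSS_KRB5 must be a module; built-in (=y) is the case the manual warns about.
    if printf '%s\n' "$cfg" | grep -qx 'CONFIG_RPCSEC_GSS_KRB5=y'; then
        echo "wrong: CONFIG_RPCSEC_GSS_KRB5=y, must be =m (rpc.gssd/rpc.svcgssd may fail otherwise)"
        rc=1
    elif ! printf '%s\n' "$cfg" | grep -qx 'CONFIG_RPCSEC_GSS_KRB5=m'; then
        echo "missing: CONFIG_RPCSEC_GSS_KRB5=m"
        rc=1
    fi
    return $rc
}

# check_mounts ROLE: read /proc/mounts or `mount` output on stdin and verify
# that rpc_pipefs is mounted; nfsd is required only when ROLE is "server"
# (assumption: the manual notes nfsd may be absent on the client).
check_mounts() {
    role=$1
    mnt=$(cat)
    rc=0
    needed="rpc_pipefs"
    if [ "$role" = server ]; then needed="rpc_pipefs nfsd"; fi
    for fs in $needed; do
        # /proc/mounts carries the type in field 3; `mount` prints "... type <fs> ...".
        if ! printf '%s\n' "$mnt" | awk -v fs="$fs" '$3 == fs || ($4 == "type" && $5 == fs) { found = 1 } END { exit !found }'; then
            echo "not mounted: $fs"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs for a stand-alone run (not captured from a real system).
SAMPLE_CONFIG_OK=$(for o in $REQUIRED_Y; do echo "CONFIG_$o=y"; done; echo 'CONFIG_RPCSEC_GSS_KRB5=m')
SAMPLE_CONFIG_BAD=$(printf '%s\n' "$SAMPLE_CONFIG_OK" |
    sed -e 's/^CONFIG_CRYPTO_CTS=y$/# CONFIG_CRYPTO_CTS is not set/' \
        -e 's/^CONFIG_RPCSEC_GSS_KRB5=m$/CONFIG_RPCSEC_GSS_KRB5=y/')
SAMPLE_MOUNTS_SERVER='rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
nfsd /proc/fs/nfsd nfsd rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_MOUNTS_CLIENT='rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)'

# Demonstration on the samples; a live run pipes real data into the functions instead.
printf 'sample config OK: '; printf '%s\n' "$SAMPLE_CONFIG_OK" | check_kconfig && echo ok
printf 'sample config BAD:\n'; printf '%s\n' "$SAMPLE_CONFIG_BAD" | check_kconfig || echo "-> fix before proceeding"
printf 'client mounts: '; printf '%s\n' "$SAMPLE_MOUNTS_CLIENT" | check_mounts client && echo ok
printf 'server check against client sample:\n'; printf '%s\n' "$SAMPLE_MOUNTS_CLIENT" | check_mounts server || echo "-> nfsd expected on a server"
```

The config check matches whole lines, so a commented-out "# CONFIG_CRYPTO_CTS is not set" is reported as missing rather than silently accepted, and a built-in RPCSEC_GSS_KRB5 is reported separately from an absent one because the two need different fixes.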
System prerequisites
Setup has been tested on Gentoo Linux. These packages have been emerged:
net-fs/nfs-utils-1.2.3-r1 USE="ipv6 kerberos nfsv3 nfsv4 tcpd -caps"
net-libs/libgssglue
net-libs/librpcsecgss
Preliminary attempts were made with nfs-utils-1.2.6, but then the mount command hangs in a loop [1].
Kerberos configuration in relation with NFSv4
Setting[2]
NFSv4 configuration
This part is similar for server and client. In the file /etc/gssapi_mech.conf (which belongs to net-libs/libgssglue) it is necessary to uncomment the following line:
# Example /etc/gssapi_mech.conf file
..
/usr/lib/libgssapi_krb5.so mechglue_internal_krb5_init
For some reason rpc.gssd or rpc.svcgssd may fail during start. The solution is to remove the absolute path from gssapi_mech.conf, leaving only the library file name.
In the file /etc/idmapd.conf:
# Example /etc/idmapd.conf file
..
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = local.domain <-- set a valid domain name
NFSv4 Server
Running daemons:
10771 ?        Ss     0:00 /sbin/rpcbind
10785 ?        Ss     0:00 /sbin/rpc.statd --no-notify
10797 ?        Ss     0:00 /usr/sbin/rpc.idmapd
10810 ?        Ss     0:00 /usr/sbin/rpc.svcgssd -vvv
10831 ?        Ss     0:00 /usr/sbin/rpc.mountd
Export NFSv4 root:
Other directories have to be bind-mounted under the NFSv4 root:
nfs4ts / # mkdir -m 755 /exports
Apply chown and chmod as required by policy.
In /etc/exports:
/exports gss/krb5(fsid=0,rw,insecure,subtree_check,no_root_squash,sync)
The no_root_squash option is insecure; remove it if not needed. The fsid=0 option denotes the NFSv4 root; there must be exactly one such export.
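The two rules just stated (exactly one fsid=0 root, no_root_squash only when really needed) are easy to lose track of once more subtrees are exported, so here is an added example, not part of the original manual, that lints an exports file for them and also flags exports without Kerberos protection and the insecure option. It assumes a client spec counts as Kerberos-protected when it uses the gss/krb5 pseudo-client form shown on this page or the sec=krb5 export option form; the sample files at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original manual): lint an /etc/exports file for
# the points made in the text. Reads the file on stdin:  lint_exports < /etc/exports
# Assumption: an export is Kerberos-protected if its client is gss/krb5* (the
# form used on this page) or its options contain sec=krb5 (the newer form).
lint_exports() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            if (match(spec, /\(.*\)$/)) {       # split "client(opt,opt)" into its parts
                client = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            if (client !~ /^gss\/krb5/ && opts !~ /(^|,)sec=krb5/) {
                print "ERROR " path " " client ": not Kerberos-protected (no gss/krb5 client and no sec=krb5)"
                errors++
            }
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "fsid=0") { roots++ }
                if (o[j] == "no_root_squash") { print "WARN  " path " " client ": no_root_squash lets a remote root act as local root" }
                if (o[j] == "insecure") { print "WARN  " path " " client ": insecure accepts requests from non-privileged source ports" }
            }
        }
    }
    END {
        if (roots != 1) {
            print "ERROR exactly one fsid=0 (NFSv4 root) export is required, found " roots + 0
            errors++
        }
        exit (errors > 0)
    }'
}

# Constructed sample exports files (not taken from a real server).
SAMPLE_EXPORTS='# the layout used on this page, plus one bind-mounted subtree
/exports gss/krb5(fsid=0,rw,insecure,subtree_check,no_root_squash,sync)
/exports/home gss/krb5(rw,sync,subtree_check)'
SAMPLE_EXPORTS_BAD='/exports gss/krb5(fsid=0,rw,sync)
/srv/data *(rw,fsid=0,sync)'

printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports && echo "sample 1: no errors (warnings above, if any)"
printf '%s\n' "$SAMPLE_EXPORTS_BAD" | lint_exports || echo "sample 2: errors found"
```

The first sample passes with two warnings, matching the remark about no_root_squash (and the insecure option on the same line); the second fails twice, once for the duplicate fsid=0 and once for the wildcard client that would serve the tree without GSS authentication.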
NFSv4 client
Running daemons:
11189 ?        Ss     0:00 /sbin/rpcbind
11203 ?        Ss     0:00 /sbin/rpc.statd --no-notify
11215 ?        Ss     0:00 /usr/sbin/rpc.idmapd
11228 ?        Ss     0:00 /usr/sbin/rpc.gssd -m -vvv
fstab entry that allows users to mount:
nfs4ts:/ /mnt/nfs4 nfs4 rw,noauto,users,soft,sec=krb5 0 0
Mount command:
mount -o sec=krb5 -t nfs4 nfs4ts:/ /mnt/nfs4
NFSv4 mount point paths are relative to the NFSv4 root.
Log of a successful authentication in rpc.gssd:
nfs4cl rpc.gssd[11228]: dir_notify_handler: sig 37 si 0x7fff53e7b5f0 data 0x7fff53e7b4c0
nfs4cl rpc.gssd[11228]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt18)
nfs4cl rpc.gssd[11228]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
nfs4cl rpc.gssd[11228]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt18)
nfs4cl rpc.gssd[11228]: process_krb5_upcall: service is '<null>'
nfs4cl rpc.gssd[11228]: Full hostname for 'nfs4ts.felk.cvut.cz' is 'nfs4ts.felk.cvut.cz'
nfs4cl rpc.gssd[11228]: Full hostname for 'nfs4cl.felk.cvut.cz' is 'nfs4cl.felk.cvut.cz'
nfs4cl rpc.gssd[11228]: No key table entry found for root/nfs4cl.felk.cvut.cz@DCE.FELK.CVUT.CZ while getting keytab entry for 'root/nfs4cl.felk.cvut.cz@'
nfs4cl rpc.gssd[11228]: Success getting keytab entry for 'nfs/nfs4cl.felk.cvut.cz@'
nfs4cl rpc.gssd[11228]: Successfully obtained machine credentials for principal 'nfs/nfs4cl.felk.cvut.cz@DCE.FELK.CVUT.CZ' stored in ccache 'FILE:/tmp/krb5cc_machine_DCE.FELK.CVUT.CZ'
nfs4cl rpc.gssd[11228]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_DCE.FELK.CVUT.CZ' are good until 1340930499
nfs4cl rpc.gssd[11228]: using FILE:/tmp/krb5cc_machine_DCE.FELK.CVUT.CZ as credentials cache for machine creds
nfs4cl rpc.gssd[11228]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_DCE.FELK.CVUT.CZ
nfs4cl rpc.gssd[11228]: creating context using fsuid 0 (save_uid 0)
nfs4cl rpc.gssd[11228]: creating tcp client for server nfs4ts.felk.cvut.cz
nfs4cl rpc.gssd[11228]: DEBUG: port already set to 2049
nfs4cl rpc.gssd[11228]: creating context with server nfs@nfs4ts.felk.cvut.cz
nfs4cl rpc.gssd[11228]: DEBUG: serialize_krb5_ctx: lucid version!
nfs4cl rpc.gssd[11228]: prepare_krb5_rfc4121_buffer: protocol 1
nfs4cl rpc.gssd[11228]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
nfs4cl rpc.gssd[11228]: doing downcall