| Ubuntu NFS4 server/client with AD Kerberos/LDAP | ||
|---|---|---|
 | Linux Authenticating against Active Directory |  |
| Ubuntu NFS4 server/client with AD Kerberos/LDAP | ||
|---|---|---|
| | Linux Authenticating against Active Directory | |
The following enctype settings in /etc/krb5.conf are not necessary for NFS (which is what we do here).
But they seem to be for CIFS (see , and so I still used them.
But I verified that things worked without them:
[libdefaults]
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
<snip>
I use these particular enctypes because the AD admin tells me these are the ones supported by AD.
In order to use them on Debian Squeeze, I have to use the 3.2 kernel and the nfs-kernel-server from squeeze-backports!
1. | Wait a minute! I thought you wrote here earlier that the following should be used?: default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
|
I did. That was with an Ubuntu Precise client and an Ubuntu Precise server. But I couldn't get it to work a second time. It looks like the production AD server I'm using now doesn't support these encryption types, while the test server did. So I removed that instruction. |
apprentice@nfsserv-pc:~$ sudo mkdir /srv/exported
apprentice@nfsserv-pc:~$ sudo chmod 1777 /srv/exported
apprentice@nfsserv-pc:~$ sudo apt-get install -y nfs-kernel-server
/etc/default/nfs-common:
STATDOPTS=
/etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8 RPCNFSDPRIORITY=0 RPCMOUNTDOPTS=--manage-gids NEED_SVCGSSD=yes RPCSVCGSSDOPTS= RPCNFSDOPTS=
apprentice@nfsserv-pc:~$ sudo net ADS keytab add nfs -U 'unixJOINer%JOINpwd'
Processing principals to add...
Verify that with sudo net ads keytab list
apprentice@nfsserv-pc:~$ sudo /etc/init.d/nfs-kernel-server restart
<snip>
apprentice@nfsserv-pc:~$ sudo service idmapd restart
apprentice@clnt-3-53:~$ sudo apt-get -y install nfs-common samba-common
Same edits to /etc/smb.conf as on server:
workgroup = WSPACE realm = WSPACE.MYDOMAIN.NL kerberos method = system keytab security = ADS
... then join the domain:
apprentice@clnt-3-53:~$ sudo net ADS JOIN -U 'unixJOINer%JOINpwd' createupn=host/$(hostname -f)@WSPACE.MYDOMAIN.NL createcomputer='OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com'
apprentice@clnt-3-53:~$ sudo net ads keytab add root/$(hostname -f)@WSPACE.MYDOMAIN.NL -U 'unixJOINer%JOINpwd'
Processing principals to add...
/etc/default/nfs-common:
NEED_STATD=no STATDOPTS= NEED_GSSD=yes NEED_IDMAPD=yes
apprentice@clnt-3-53:~$ sudo /etc/init.d/gssd start
The entry in /etc/fstab:
nfsserv-pc.ict.mydomain.com:/ /nfsmount nfs4 sec=krb5p 0 0
apprentice@clnt-3-53:~$ sudo mkdir /nfsmount
apprentice@clnt-3-53:~$ sudo mount /nfsmount
Since we 're mounting with root squash, root cannot look inside the mounted share. And because the admin user we 're logged in as doesn't have any tickets, he cannot either. But we could obtain a ticket. Or log in with AD authentication (which will automatically fetch us a ticket), and look inside the mount:
apprentice@intra202:~$ ssh U1234567@clnt-3-53.ict.mydomain.com
U1234567@clnt-3-53.ict.mydomain.com's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic x86_64)
<snip>
$ ls /nfsmount
srv $ echo blah > /nfsmount/srv/exported/blah.txt
Now this should show up on the server:
apprentice@nfsserv-pc:~$ ls -trl /srv/exported/
total 4
-rw-r--r-- 1 U1234567 41234567 5 May 7 21:21 blah.txt
apprentice@nfsserv-pc:~$ cat /srv/exported/blah.txt
blah
1. |
I get |
The Linux NFS4 FAQ points to Mike Eisler's blog for this, which in turn point to MS Support entry 833708. | |
2. |
I still get
|
Are you using Squeeze? The default Squeeze kernel and daemon doesn't have strong enough encryption available. You need to use a backported kernel, and a backported nfs-kernel-server. Or you may get away with using weaker encryption, if your AD server supports it.
Another advantage of a newer kernel is that the bug that causes | |
3. |
I still get
|
That is most likely a nameserving inconsistency.
Or maybe you put a domain in | |
4. | How do I get more debug information? |
According to a Novell article, one can enable debugging of both NFS and RPC in the kernel through
... but I hardly find the output useful.
Most times, I you want to know for which principals the host holds keys, try sudo ktutil list | |
5. | This is NFS! Is all that Samba stuff really necessary? I find that Samba needs too much configuration for having just a supporting role. |
No, Samba isn't really needed. I switched to msktutil. But as long as msktutil hasn't made it into Debian Sid, I'll still advocate Samba here. | |
6. |
Hey, I thought you said I had to configure
[General] Verbosity = 0 Pipefs-Directory = /run/rpc_pipefs # Above is for Ubuntu. Change above to below for Debian # Pipefs-Directory = /var/lib/nfs/rpc_pipefs # This is not the same as the Kerberos realm Domain = WSPACE.MYDOMAIN.NL # LocalDomains = Doesn't need to be set if Kerberos configured well [Mapping] Nobody-User = nobody Nobody-Group = nogroup [Translation] Method = nsswitch
|
I did. You still do for Debian Squeeze. If Kerberos is configured well in /etc/krb5.conf on Ubuntu Precise, the default settings suffice for idmapd.conf. |