The following enctype settings in /etc/krb5.conf are not necessary for NFS (which is what we do here), but they seem to be for CIFS (see ), so I still used them. I verified that things work without them:
[libdefaults]
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
    permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
<snip>
I use these particular enctypes because the AD admin tells me these are the ones supported by AD. Of the three, RC4-HMAC is the weak one; it is listed only for compatibility and can be dropped once every principal involved has AES keys. To use them on Debian Squeeze, I have to use the 3.2 kernel and the nfs-kernel-server from squeeze-backports!
Getting getent to work
Go through either  or , so that this works:
apprentice@nfsserv-pc:~$ getent passwd U1234567
U1234567:*:41234567:41234567:A. Prentice:/home/U1234567:/bin/sh
Create something to serve
apprentice@nfsserv-pc:~$ sudo mkdir /srv/exported
apprentice@nfsserv-pc:~$ sudo chmod 1777 /srv/exported
Install the NFS packages
apprentice@nfsserv-pc:~$ sudo apt-get install -y nfs-kernel-server
Configure the NFS services
/etc/default/nfs-common:
STATDOPTS=
/etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=
RPCNFSDOPTS=
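The page never shows its /etc/exports, but the client below mounts with sec=krb5p, and that option only restricts what the client asks for: what the server accepts is decided by the sec= list on each export (exports(5) defaults it to sys when absent). The following is an added check, not from the page, that reads an exports file and reports every entry that still admits AUTH_SYS clients. The sample file is constructed; the pseudo-root path /export, the client patterns and the extra exports are assumptions, not the author's configuration.

```shell
#!/bin/bash
# Added example: find /etc/exports entries that admit AUTH_SYS (sec=sys).
# The sample below is constructed; paths and client specs are assumptions.
SAMPLE_EXPORTS='# constructed sample /etc/exports
/export        *.ict.mydomain.com(ro,sec=krb5p,fsid=0,no_subtree_check)
/export/srv/exported *.ict.mydomain.com(rw,sec=krb5p:krb5i,no_subtree_check)
/export/legacy 10.0.0.0/8(rw,no_subtree_check)      # no sec=, so AUTH_SYS
/export/mixed  *(rw,sec=sys:krb5p,no_subtree_check)'

# Print "path client flavours" for every client spec whose sec= list
# (default "sys" when the option is absent) contains sys.
exports_admitting_sys() {  # stdin = exports file text
    awk '
    { sub(/#.*/, "") }          # strip comments; fields are re-split
    NF < 2 { next }             # blank line or path without clients
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i
            client = spec; sub(/\(.*/, "", client)
            opts = ""
            if (match(spec, /\(.*\)/))
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            sec = "sys"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            if ((":" sec ":") ~ /:sys:/) print path, client, sec
        }
    }'
}

# Succeed only when no export admits AUTH_SYS.
exports_kerberos_only() {  # stdin = exports file text
    [ -z "$(exports_admitting_sys)" ]
}

# Real use on the server (assumption: standard nfs-kernel-server layout):
#   exports_admitting_sys < /etc/exports
```

An export that lists sec=sys anywhere, or omits sec= entirely, lets any host the client spec matches access it without Kerberos, regardless of what the clients put in their fstab.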
Making a Kerberos key available to NFS
apprentice@nfsserv-pc:~$ sudo net ADS keytab add nfs -U 'unixJOINer%JOINpwd'
Processing principals to add...
Verify that with sudo net ads keytab list. (Giving the password as 'user%password' on the command line puts it in the shell history and in the process list while net runs; leave off the %JOINpwd part and net will prompt for it instead.)
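Listing the keytab shows which principals the host holds keys for, but for this setup the points to confirm are that the nfs/ service principal is there and that it has AES keys matching the enctypes configured above. The following is an added example, not from the page, that parses the output of MIT Kerberos' klist -ke (an assumption; the page uses net ads keytab list and ktutil list). The sample listing is constructed, using the host and realm names from the page.

```shell
#!/bin/bash
# Added example: inspect a keytab listing (format of MIT `klist -ke`) for the
# nfs/ principal and its enctypes. The listing below is constructed.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL (aes256-cts-hmac-sha1-96)
   3 nfs/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL (aes128-cts-hmac-sha1-96)
   3 nfs/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL (arcfour-hmac)
   2 host/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL (arcfour-hmac)'

# Print the enctypes held for one principal, one per line.
keytab_enctypes() {  # $1 = principal, stdin = klist -ke output
    awk -v p="$1" '$2 == p && $3 ~ /^\(/ { gsub(/[()]/, "", $3); print $3 }'
}

# Succeed when the principal has at least one AES key, i.e. the server can
# decrypt tickets issued with the AES enctypes listed in krb5.conf.
has_aes_key() {  # $1 = principal, stdin = klist -ke output
    keytab_enctypes "$1" | grep -q '^aes'
}

# List principals whose keys are all RC4 (arcfour) or DES; these only work
# for clients that still negotiate the weak enctype.
weak_only_principals() {  # stdin = klist -ke output
    awk '$3 ~ /^\(/ {
        gsub(/[()]/, "", $3)
        seen[$2] = 1
        if ($3 ~ /^aes/) strong[$2] = 1
    } END {
        for (p in seen) if (!(p in strong)) print p
    }' | sort
}

# Real use on the server (reading /etc/krb5.keytab needs root):
#   sudo klist -ke | has_aes_key "nfs/$(hostname -f)@WSPACE.MYDOMAIN.NL"
```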
Restarting the NFS daemons
apprentice@nfsserv-pc:~$ sudo /etc/init.d/nfs-kernel-server restart
<snip>
apprentice@nfsserv-pc:~$ sudo service idmapd restart
Installing NFS and Samba packages
apprentice@clnt-3-53:~$ sudo apt-get -y install nfs-common samba-common
Configure Samba
Same edits to /etc/smb.conf as on the server:
workgroup = WSPACE
realm = WSPACE.MYDOMAIN.NL
kerberos method = system keytab
security = ADS
... then join the domain:
apprentice@clnt-3-53:~$ sudo net ADS JOIN -U 'unixJOINer%JOINpwd' createupn=host/$(hostname -f)@WSPACE.MYDOMAIN.NL createcomputer='OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com'
apprentice@clnt-3-53:~$ sudo net ads keytab add root/$(hostname -f)@WSPACE.MYDOMAIN.NL -U 'unixJOINer%JOINpwd'
Processing principals to add...
Configure the ancillary services (idmapd and gssd)
/etc/default/nfs-common:
NEED_STATD=no
STATDOPTS=
NEED_GSSD=yes
NEED_IDMAPD=yes
apprentice@clnt-3-53:~$ sudo /etc/init.d/gssd start
Mount
The entry in /etc/fstab:
nfsserv-pc.ict.mydomain.com:/ /nfsmount nfs4 sec=krb5p 0 0
apprentice@clnt-3-53:~$ sudo mkdir /nfsmount
apprentice@clnt-3-53:~$ sudo mount /nfsmount
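Once the mount succeeds, the thing worth confirming is that the kernel really negotiated krb5p (integrity plus encryption on the wire), which /proc/mounts shows as a sec= option. The following is an added check, not from the page, that reads /proc/mounts-style text and refuses anything other than krb5p for a given mount point. The sample is constructed: server and mount point are the page's, the addresses and the other mount options are assumptions.

```shell
#!/bin/bash
# Added example: verify the negotiated security flavour of an NFS mount from
# /proc/mounts (or `nfsstat -m`). The sample below is constructed; the IP
# addresses and other mount options are assumptions.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
nfsserv-pc.ict.mydomain.com:/ /nfsmount nfs4 rw,relatime,vers=4,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=10.3.3.53,minorversion=0,local_lock=none,addr=10.1.1.10 0 0
other:/data /mnt/legacy nfs rw,vers=3,sec=sys,addr=10.1.1.11 0 0'

# Print the sec= flavour of the NFS mount at $1; prints nothing if there is
# no NFS filesystem mounted there.
mount_sec_flavour() {  # $1 = mount point, stdin = /proc/mounts text
    awk -v mp="$1" '$2 == mp && $3 ~ /^nfs/ {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) print substr(o[i], 5)
    }'
}

# Succeed only if the mount is present and uses krb5p.
require_krb5p() {  # $1 = mount point, stdin = /proc/mounts text
    [ "$(mount_sec_flavour "$1")" = "krb5p" ]
}

# Real use on the client:
#   require_krb5p /nfsmount < /proc/mounts || echo "/nfsmount is not krb5p"
```

Checking the live mount matters because the fstab entry only states the request: a mount that silently came up as sec=sys, or that is not mounted at all, fails this check.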
Check the mount
Since we're mounting with root squash, root cannot look inside the mounted share. And because the admin user we're logged in as doesn't have any tickets, he cannot either: with sec=krb5p every access needs a valid Kerberos ticket. But we could obtain a ticket (kinit), or log in with AD authentication (which automatically fetches a ticket), and look inside the mount:
apprentice@intra202:~$ ssh U1234567@clnt-3-53.ict.mydomain.com
U1234567@clnt-3-53.ict.mydomain.com's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-24-generic x86_64)
<snip>
$ ls /nfsmount
srv
$ echo blah > /nfsmount/srv/exported/blah.txt
Now this should show up on the server:
apprentice@nfsserv-pc:~$ ls -trl /srv/exported/
total 4
-rw-r--r-- 1 U1234567 41234567 5 May 7 21:21 blah.txt
apprentice@nfsserv-pc:~$ cat /srv/exported/blah.txt
blah
Ergo: It Works!
1. Q: I get
   A: The Linux NFS4 FAQ points to Mike Eisler's blog for this, which in turn points to MS Support entry 833708.

2. Q: I still get
   A: Are you using Squeeze? The default Squeeze kernel and daemon don't have strong enough encryption available. You need to use a backported kernel and a backported nfs-kernel-server. Or you may get away with using weaker encryption, if your AD server supports it.
   Another advantage of a newer kernel is that the bug that causes

3. Q: I still get
   A: That is most likely a nameserving inconsistency.
   Or maybe you put a domain in

4. Q: How do I get more debug information?
   A: According to a Novell article, one can enable debugging of both NFS and RPC in the kernel through
   ... but I hardly find the output useful.
   Most times, if you want to know for which principals the host holds keys, try sudo ktutil list

5. Q: This is NFS! Is all that Samba stuff really necessary? I find that Samba needs too much configuration for having just a supporting role.
   A: No, Samba isn't really needed. I switched to msktutil. But as long as msktutil hasn't made it into Debian Sid, I'll still advocate Samba here.

6. Q: Hey, I thought you said I had to configure
   [General]
   Verbosity = 0
   Pipefs-Directory = /run/rpc_pipefs
   # Above is for Ubuntu. Change above to below for Debian
   # Pipefs-Directory = /var/lib/nfs/rpc_pipefs
   # This is not the same as the Kerberos realm
   Domain = WSPACE.MYDOMAIN.NL
   # LocalDomains = Doesn't need to be set if Kerberos configured well
   [Mapping]
   Nobody-User = nobody
   Nobody-Group = nogroup
   [Translation]
   Method = nsswitch
   A: I did. You still do for Debian Squeeze. If Kerberos is configured well in /etc/krb5.conf on Ubuntu Precise, the default settings suffice for idmapd.conf.