Procedure 3.2. Installing the NFS client
Making the PC a Kerberos client
We install the heimdal-clients with the same preconfiguration as on the NFS server and the Kerberos server:
apprentice@nfs-client:~$ cat debconf-kerberos-settings |sudo debconf-set-selections
apprentice@nfs-client:~$
apprentice@nfs-client:~$ sudo apt-get install -y heimdal-clients
Reading package lists... Done
<snip the usual apt-get output>
A principal for the NFS client
apprentice@nfs-client:~$ sudo kadmin -p apprentice/admin@MYDOMAIN.COM
kadmin> add -r nfs/nfs-client.mydomain.com@MYDOMAIN.COM
apprentice/admin@MYDOMAIN.COM's Password:
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext_keytab -k /etc/krb5.keytab nfs/nfs-client.mydomain.com@MYDOMAIN.COM
kadmin> q
apprentice@nfs-client:~$
Installing the NFS client
apprentice@nfs-client:~$ sudo apt-get install nfs-common
<snip>
Configuring the NFS client
Copy /etc/idmapd.conf from the NFS server.
In /etc/default/nfs-common, put:
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=no
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
Edit /etc/krb5.conf to work around bugs 575895 and 512110 (gssd):
[libdefaults]
<snip>
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# allow_weak_crypto = true
# The following libdefaults parameters are only for Heimdal Kerberos.
<snip>
Make sure gssd will run even after reboot (idmapd appears to run by default on Lenny):
apprentice@nfs-client:~$ sudo update-rc.d gssd defaults
update-rc.d: warning: /etc/init.d/gssd missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
Adding system startup for /etc/init.d/gssd ...
/etc/rc0.d/K20gssd -> ../init.d/gssd
/etc/rc1.d/K20gssd -> ../init.d/gssd
/etc/rc6.d/K20gssd -> ../init.d/gssd
/etc/rc2.d/S20gssd -> ../init.d/gssd
/etc/rc3.d/S20gssd -> ../init.d/gssd
/etc/rc4.d/S20gssd -> ../init.d/gssd
/etc/rc5.d/S20gssd -> ../init.d/gssd
And (re)start the services:
apprentice@nfs-client:~$ sudo /etc/init.d/gssd start
<snip>
gssd start/running, process 7178
apprentice@nfs-client:~$ sudo /etc/init.d/idmapd start
<snip>
idmapd start/running, process 7193
apprentice@nfs-client:~$
Creating a mount point
apprentice@nfs-client:~$ sudo mkdir /lwphome
apprentice@nfs-client:~$
Mounting
apprentice@nfs-client:~$ sudo mount.nfs4 nfs-server.mydomain.com:/ /lwphome -vvv -o sec=krb5p
mount.nfs4: timeout set for Tue Jun 29 23:41:27 2010
mount.nfs4: text-based options: 'sec=krb5p,clientaddr=192.168.0.48,addr=192.168.0.11'
nfs-server.mydomain.com:/ on /lwphome type nfs4 (sec=krb5p)
apprentice@nfs-client:~$ mount|grep lwphome
nfs-server.mydomain.com:/ on /lwphome type nfs4 (rw,sec=krb5p,clientaddr=192.168.0.48,addr=192.168.0.11)
apprentice@nfs-client:~$ sudo umount /lwphome
apprentice@nfs-client:~$
Putting it in fstab
/etc/fstab:
nfs-server.mydomain.com:/ /lwphome nfs4 sec=krb5p 0 0
apprentice@nfs-client:~$ sudo mount -a
apprentice@nfs-client:~$ mount|grep lwphome
nfs-server.mydomain.com:/ on /lwphome type nfs4 (rw,sec=krb5p,clientaddr=192.168.0.48,addr=192.168.0.11)
apprentice@nfs-client:~$
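The two files this procedure edits on the client, /etc/default/nfs-common and /etc/fstab, are easy to get subtly wrong (gssd left disabled, or a share mounted with sec=sys, which trusts whatever uid the client presents). The script below is an added example, not part of the original procedure: it checks both files, run here against constructed copies of the settings shown above; the file paths are parameters so it can be pointed at the real files.

```shell
#!/bin/sh
# Added example, not part of the original procedure: sanity-check the two files
# this procedure edits on the client, /etc/default/nfs-common and /etc/fstab.
# Paths are parameters so the checks run here against constructed copies.

# Print the value of KEY in a defaults file (quotes stripped, comments ignored);
# return 1 if KEY is not set.
nfs_default() {                      # usage: nfs_default FILE KEY
    val=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tr -d '"' | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Return 0 only if both daemons a sec=krb5* mount needs are enabled:
# gssd (Kerberos context for the mount) and idmapd (NFSv4 name mapping).
nfs_daemons_enabled() {              # usage: nfs_daemons_enabled FILE
    [ "$(nfs_default "$1" NEED_GSSD)" = yes ] &&
    [ "$(nfs_default "$1" NEED_IDMAPD)" = yes ]
}

# Return 0 if every nfs4 entry in an fstab mounts with sec=krb5p, the only
# flavour that also encrypts the data; otherwise print each weaker entry
# (sec=sys, sec=krb5, sec=krb5i or no sec= at all) and return 1.
fstab_nfs4_krb5p_only() {            # usage: fstab_nfs4_krb5p_only FILE
    rc=0
    while read -r src mnt type opts rest; do
        case "$src" in ''|'#'*) continue ;; esac
        [ "$type" = nfs4 ] || continue
        case ",$opts," in
            *,sec=krb5p,*) ;;
            *) printf 'weak NFSv4 mount: %s (%s)\n' "$mnt" "$opts"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample files, modelled on the ones in this procedure.
WORK=$(mktemp -d)
printf '%s\n' '# constructed copy of /etc/default/nfs-common' \
    'NEED_STATD=no' 'STATDOPTS=' 'NEED_IDMAPD=yes' 'NEED_GSSD=yes' > "$WORK/nfs-common"
printf '%s\n' 'nfs-server.mydomain.com:/ /lwphome nfs4 sec=krb5p 0 0' > "$WORK/fstab-good"
printf '%s\n' '# constructed: second entry falls back to AUTH_SYS (uid trusted from the client)' \
    'nfs-server.mydomain.com:/ /lwphome nfs4 sec=krb5p 0 0' \
    'nfs-server.mydomain.com:/ /lwphome-sys nfs4 rw,sec=sys 0 0' > "$WORK/fstab-bad"

nfs_daemons_enabled "$WORK/nfs-common" && echo "gssd and idmapd enabled"
fstab_nfs4_krb5p_only "$WORK/fstab-good" && echo "fstab-good: all NFSv4 mounts use krb5p"
fstab_nfs4_krb5p_only "$WORK/fstab-bad" || echo "fstab-bad: fix the entries above"
```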
Reading and writing
Now root is allowed to mount /lwphome from the NFS server on the NFS client:
apprentice@nfs-client:~$ sudo touch /lwphome/by-root
apprentice@nfs-client:~$ sudo ls /lwphome/by-root
/lwphome/by-root
But an ordinary user isn't allowed to:
apprentice@nfs-client:~$ touch /lwphome/by-apprentice
touch: cannot touch `/lwphome/by-apprentice': Permission denied
apprentice@nfs-client:~$
And joeuser, the user we created a principal for earlier, cannot either, even though that user is known on both the NFS server and the NFS client:
apprentice@rc-706:~$ ssh joeuser@nfs-client.mydomain.com
<snip>
joeuser@nfs-client.mydomain.com's password:
Linux nfs-client 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 19:31:57 UTC 2010 x86_64 GNU/Linux
<snip>
joeuser@nfs-client:~$ touch /lwphome/by-joeuser
touch: cannot touch `/lwphome/by-joeuser': Permission denied
... but once the user authenticates to the Kerberos server, they can write on the NFS share:
joeuser@nfs-client:~$ kinit joeuser
joeuser@MYDOMAIN.COM's Password:
joeuser@nfs-client:~$ touch /lwphome/by-joeuser
joeuser@nfs-client:~$
ACLs
We can even use ACLs on NFS:
apprentice@nfs-client:~$ sudo apt-get install nfs4-acl-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libpulse-browse0
Use 'apt-get autoremove' to remove them.
The following NEW packages will be installed:
nfs4-acl-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 29.1kB of archives.
After this operation, 123kB of additional disk space will be used.
Get:1 http://mirror.mydomain.com/ubuntu/ lucid/universe nfs4-acl-tools 0.3.3-0ubuntu1 [29.1kB]
Fetched 29.1kB in 0s (2,006kB/s)
Selecting previously deselected package nfs4-acl-tools.
(Reading database ... 281523 files and directories currently installed.)
Unpacking nfs4-acl-tools (from .../nfs4-acl-tools_0.3.3-0ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up nfs4-acl-tools (0.3.3-0ubuntu1) ...
apprentice@nfs-client:~$
joeuser@nfs-client:~$ nfs4_getfacl /lwphome/also-by-joeuser
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy
joeuser@nfs-client:~$
Warning: as of now, bug #562913 is unfixed, and ACLs do not work with the default Ubuntu Lucid kernel.