Kerberos

A correctly set up Kerberos server is a prerequisite if you want to use NFSv4 with proper authentication.

Install the required packages

pacman -S krb5 pam-krb5

Configure the Kerberos server

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE_REALM

[realms]
    EXAMPLE_REALM = {
        admin_server = kerberos.localnet
        kdc = kerberos.localnet
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 8h 0m 0s
        max_renewable_life = 1d 0h 0m 0s
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts:normal aes256-cts-hmac-sha1-96:normal des3-hmac-sha1:normal
        default_principal_flags = +preauth
    }

[domain_realm]
    localnet = EXAMPLE_REALM
    .localnet = EXAMPLE_REALM

[logging]
    kdc = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default = SYSLOG:NOTICE
/var/lib/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_listen = 88,750

[realms]
    EXAMPLE_REALM = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /var/lib/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE_REALM
        max_life = 8h 0m 0s
        max_renewable_life = 2d 0h 0m 0s
    }
Create the database
kdb5_util -r EXAMPLE_REALM create -s
Start the service
systemctl start krb5-kdc.service
Create a key for the NFS server and add it to the keytab
kadmin.local: addprinc -nokey nfs/nfsserver.localnet
kadmin.local: ktadd nfs/nfsserver.localnet
Create keys for all NFS clients and add them to the keytab
kadmin.local: addprinc -randkey host/client1.localnet
kadmin.local: ktadd host/client1.localnet

According to, for example, the Debian and Ubuntu HOWTO, the clients should also follow the pattern nfs/client1.domain (instead of host/client1.domain). That does not seem to matter, though; I use the host/ scheme so that it is clearly visible which principals are clients and which are servers.

Create keys for all users (these do NOT need to go into the keytab)
kadmin.local: addprinc user@EXAMPLE_REALM
kadmin.local: quit
Request a ticket for the newly created user (to test that it works)
user@host:~$ kinit

Configure the client

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE_REALM

[realms]
    EXAMPLE_REALM = {
        admin_server = kerberos.localnet
        kdc = kerberos.localnet
    }

[domain_realm]
    localnet = EXAMPLE_REALM
    .localnet = EXAMPLE_REALM

[logging]
    # kdc = CONSOLE
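
The server-side krb5.conf, the kdc.conf and the client krb5.conf above all use the MIT profile format: [section] headers, `tag = value` relations and brace-delimited subsections. The following is an added example and not part of this page or of MIT Kerberos: a small Python parser for that format, run over constructed, trimmed copies of the two server-side files, followed by a consistency audit. The audit flags the des3 entry in supported_enctypes (triple DES and RC4 are deprecated in MIT Kerberos) and the values that differ between krb5.conf and kdc.conf (acl_file, key_stash_file, max_renewable_life). The audit rules and the prefix list used to recognise deprecated enctypes are my own assumptions, not MIT tooling.

```python
"""Parser and sanity checker for MIT Kerberos profile files (krb5.conf, kdc.conf)."""
import re

# Constructed, trimmed copies of the two server-side files shown on this page.
SERVER_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE_REALM
[realms]
    EXAMPLE_REALM = {
        admin_server = kerberos.localnet
        kdc = kerberos.localnet
        database_name = /var/lib/krb5kdc/principal
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        max_renewable_life = 1d 0h 0m 0s
        supported_enctypes = aes256-cts:normal aes256-cts-hmac-sha1-96:normal des3-hmac-sha1:normal
        default_principal_flags = +preauth
    }
[logging]
    # kdc = CONSOLE         (comment lines start with # or ;)
    default = SYSLOG:NOTICE
"""

KDC_CONF = """
[kdcdefaults]
    kdc_listen = 88,750
[realms]
    EXAMPLE_REALM = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /var/lib/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE_REALM
        max_renewable_life = 2d 0h 0m 0s
    }
"""

# Assumed name prefixes of deprecated enctypes (single DES, triple DES, RC4).
WEAK_ENCTYPE_PREFIXES = ('des', 'rc4', 'arcfour')

def parse_profile(text):
    """Parse the profile format: [section] headers, `tag = value` relations and
    `tag = { ... }` subsections. Repeated tags are collected into a list."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        header = re.fullmatch(r'\[([^\]]+)\]', line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError('relation before any [section]: %r' % line)
        if line == '}':
            if len(stack) > 1:
                stack.pop()
            continue
        tag, sep, value = line.partition('=')
        if not sep:
            raise ValueError('malformed relation: %r' % line)
        tag, value = tag.strip(), value.strip()
        if value == '{':
            stack[-1][tag] = sub = {}
            stack.append(sub)
        elif tag in stack[-1]:
            old = stack[-1][tag]
            stack[-1][tag] = (old if isinstance(old, list) else [old]) + [value]
        else:
            stack[-1][tag] = value
    return root

def audit_realm(krb5, kdc, realm):
    """Return findings for one realm from the parsed krb5.conf and kdc.conf."""
    findings = []
    r_krb5 = krb5.get('realms', {}).get(realm, {})
    r_kdc = kdc.get('realms', {}).get(realm, {})
    enctypes = r_kdc.get('supported_enctypes') or r_krb5.get('supported_enctypes', '')
    for et in enctypes.split():
        if et.lower().startswith(WEAK_ENCTYPE_PREFIXES):
            findings.append('deprecated enctype still offered: ' + et)
    flags = r_kdc.get('default_principal_flags') or r_krb5.get('default_principal_flags', '')
    if '+preauth' not in flags.split():
        findings.append('default_principal_flags does not require preauthentication')
    # Both files carry KDC settings here; diverging values are a classic source of confusion.
    for tag in ('database_name', 'acl_file', 'key_stash_file', 'max_renewable_life'):
        if tag in r_krb5 and tag in r_kdc and r_krb5[tag] != r_kdc[tag]:
            findings.append('%s differs: krb5.conf=%s kdc.conf=%s' % (tag, r_krb5[tag], r_kdc[tag]))
    return findings

def audit_page_configs():
    """Run the audit over the constructed copies of this page's server files."""
    return audit_realm(parse_profile(SERVER_KRB5_CONF), parse_profile(KDC_CONF), 'EXAMPLE_REALM')
```

Run as a script and print the result of audit_page_configs(): it reports the des3 enctype plus the three settings whose values disagree between the two files. Pointing the parser at the real files (open('/etc/krb5.conf').read()) works the same way, since it only depends on the profile syntax.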

Firewall

allow port 88, TCP and UDP for Kerberos v5
allow port 749, TCP and UDP for kadmin if you plan to configure it

Automatically request a Kerberos ticket when a user logs in

pacman -S pam-krb5
/etc/pam.d/system-local-login
auth     include  system-login
auth     optional pam_krb5.so minimum_uid=1000 use_first_pass
account  include  system-login
account  optional pam_krb5.so minimum_uid=1000 use_first_pass
password include  system-login
session  include  system-login
session  optional pam_krb5.so
/etc/pam.d/sddm
auth     include  system-login
auth     optional pam_krb5.so minimum_uid=1000 use_first_pass
account  include  system-login
account  optional pam_krb5.so minimum_uid=1000 use_first_pass
password include  system-login
session  include  system-login
session  optional pam_krb5.so

Kerberos remote admin

Start the service
systemctl start krb5-kadmind.service
Create an admin principal
kadmin.local
kadmin.local: addprinc user/admin@EXAMPLE_REALM
WARNING: no policy specified for user/admin@EXAMPLE_REALM; defaulting to no policy
Enter password for principal "user/admin@EXAMPLE_REALM": ***
Re-enter password for principal "user/admin@EXAMPLE_REALM": ***
Principal "user/admin@EXAMPLE_REALM" created.

Troubleshooting

To display the contents of /etc/krb5.keytab:

ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 nfs/server.domain@REALM
   2    2 host/client1.domain@REALM
   3    2 host/client2.domain@REALM
ktutil: quit

Or, more simply:

klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/server.domain@REALM (aes256-cts-hmac-sha1-96)
...
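
Both ktutil and klist -e -k read the same binary keytab file. As an added example that is not part of this page or of MIT Kerberos, the Python below parses keytab format version 0x0502 directly (2-byte version, then per entry a 32-bit size, component count, realm and name components as 16-bit-length-prefixed strings, name type, timestamp, 8-bit vno, enctype, key, and an optional 32-bit vno) and lists KVNO, principal and enctype the way klist does. The sample keytab is constructed in the block with all-zero dummy keys; the principal names mirror the listing above, plus one extra entry with a des3 key so that the deprecated_keys() check has something to report. The enctype number table follows the IANA registry; treating des3 and RC4 as deprecated is my assumption about what an administrator wants flagged.

```python
"""Reader (plus a writer for the constructed sample) for MIT Kerberos keytab
files, format version 0x0502, i.e. what `klist -e -k` and `ktutil rkt` read."""
import struct

# IANA Kerberos enctype numbers; the des3 and RC4 ones are deprecated in MIT Kerberos.
ENCTYPE_NAMES = {
    16: 'des3-cbc-sha1', 17: 'aes128-cts-hmac-sha1-96', 18: 'aes256-cts-hmac-sha1-96',
    19: 'aes256-cts-hmac-sha384-192', 20: 'aes128-cts-hmac-sha256-128', 23: 'arcfour-hmac',
}
DEPRECATED_ENCTYPES = {16, 23}
NT_PRINCIPAL = 1  # name type used for ordinary principals

def _counted(data):
    """16-bit big-endian length followed by the bytes (keytab 'counted octet string')."""
    return struct.pack('>H', len(data)) + data

def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one entry, 32-bit size prefix included, the way MIT krb5 writes it."""
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')
    body = struct.pack('>H', len(comps)) + _counted(realm.encode())  # v0x0502: count excludes realm
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack('>IIB', NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name type, time, 8-bit vno
    body += struct.pack('>H', enctype) + _counted(key)                  # keyblock
    body += struct.pack('>I', kvno)                                     # optional 32-bit vno
    return struct.pack('>i', len(body)) + body

def build_keytab(entries):
    """Assemble a complete keytab file image from (principal, kvno, enctype, key) tuples."""
    return b'\x05\x02' + b''.join(build_entry(*e) for e in entries)

def read_keytab(blob):
    """Return [(kvno, principal, enctype_name), ...] in file order, like `klist -e -k`."""
    if blob[:2] != b'\x05\x02':
        raise ValueError('unsupported keytab version %r' % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from('>i', blob, pos)
        pos += 4
        if size < 0:              # a negative size marks a deleted entry (a hole) to skip
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from('>H', blob, pos)[0]
        pos += 2
        strings = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            n = struct.unpack_from('>H', blob, pos)[0]
            pos += 2
            strings.append(blob[pos:pos + n].decode())
            pos += n
        _name_type, _timestamp, vno8 = struct.unpack_from('>IIB', blob, pos)
        pos += 9
        enctype, keylen = struct.unpack_from('>HH', blob, pos)
        pos += 4 + keylen         # skip the key material; only metadata is listed
        kvno = vno8
        if end - pos >= 4:        # newer writers append a 32-bit vno; prefer it when non-zero
            kvno = struct.unpack_from('>I', blob, pos)[0] or vno8
        pos = end
        principal = '/'.join(strings[1:]) + '@' + strings[0]
        entries.append((kvno, principal, ENCTYPE_NAMES.get(enctype, 'etype %d' % enctype)))
    return entries

def deprecated_keys(entries):
    """Principals whose keytab entry uses a deprecated enctype; a clean keytab returns []."""
    numbers = {name: num for num, name in ENCTYPE_NAMES.items()}
    return [p for _, p, et in entries if numbers.get(et) in DEPRECATED_ENCTYPES]

# Constructed sample mirroring the listing above; the all-zero keys are dummies.
SAMPLE_KEYTAB = build_keytab([
    ('nfs/server.domain@REALM', 1, 18, bytes(32)),
    ('host/client1.domain@REALM', 2, 18, bytes(32)),
    ('host/client2.domain@REALM', 2, 17, bytes(16)),
    ('host/legacy.domain@REALM', 1, 16, bytes(24)),
])

if __name__ == '__main__':
    print('KVNO Principal')
    for kvno, principal, etype in read_keytab(SAMPLE_KEYTAB):
        print('%4d %s (%s)' % (kvno, principal, etype))
    print('deprecated:', deprecated_keys(read_keytab(SAMPLE_KEYTAB)))
```

To inspect a real file, replace SAMPLE_KEYTAB with open('/etc/krb5.keytab', 'rb').read(); the reader never returns the key bytes themselves, so its output is as safe to paste into a ticket as klist's.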