Kerberos

Install the required packages

pacman -S krb5 pam-krb5

Configure the Kerberos server

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE_REALM

[realms]
    EXAMPLE_REALM = {
        admin_server = kerberos.localnet
        kdc = kerberos.localnet
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 8h 0m 0s
        max_renewable_life = 1d 0h 0m 0s
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts:normal aes256-cts-hmac-sha1-96:normal des3-hmac-sha1:normal
        default_principal_flags = +preauth
    }

[domain_realm]
    localnet = EXAMPLE_REALM
    .localnet = EXAMPLE_REALM

[logging]
    kdc = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default = SYSLOG:NOTICE

/var/lib/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_listen = 88,750

[realms]
    EXAMPLE_REALM = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /var/lib/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE_REALM
        max_life = 8h 0m 0s
        max_renewable_life = 2d 0h 0m 0s
    }
Create the database
kdb5_util -r EXAMPLE_REALM create -s

Start the services
systemctl start krb5-kdc.service

Create a key for the NFS server and add it to the keytab
kadmin.local: addprinc -nokey nfs/nfsserver.localnet
kadmin.local: ktadd nfs/nfsserver.localnet

Create keys for all NFS clients and add them to the keytab
kadmin.local: addprinc -randkey host/client1.localnet
kadmin.local: ktadd host/client1.localnet

Create keys for all users (these do NOT go into the keytab)
kadmin.local: addprinc user@EXAMPLE_REALM
kadmin.local: quit

Request a ticket for the newly created user (to test that it works)
user@host:~$ kinit

Configure the client

/etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE_REALM

[realms]
    EXAMPLE_REALM = {
        admin_server = kerberos.localnet
        kdc = kerberos.localnet
    }

[domain_realm]
    localnet = EXAMPLE_REALM
    .localnet = EXAMPLE_REALM

[logging]
    # kdc = CONSOLE

root@host:~$ systemctl enable nfs-client.target
root@host:~$ systemctl start nfs-client.target
root@host:~$ systemctl enable rpc-gssd.service
root@host:~$ systemctl start rpc-gssd.service

Important: in /etc/fstab the fstype must be nfs, never nfs4. If the NFS version is to be pinned at all, it must be set with the nfsvers mount option.
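The fstab rule above turned into a check, as an added example that is not part of the original page: a POSIX sh script that flags nfs4 entries and nfs entries without an nfsvers= option, and additionally entries without a sec=krb5* option, which the page does not mention but which is what makes an NFS mount actually use the Kerberos credentials. The sample fstab and host names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: check /etc/fstab NFS entries
# against the rule above (fstype "nfs", never "nfs4"; version via nfsvers=)
# and for a sec=krb5* option, without which the mount does not use Kerberos.

# Check one fstab entry. Prints a finding and returns non-zero on a problem.
# Arguments: device, mount point, fstype, mount options.
check_fstab_line() {
    mnt=$2 fstype=$3 opts=$4
    case "$fstype" in
        nfs4) printf '%s: fstype "nfs4" is not allowed, use "nfs" with nfsvers=4\n' "$mnt"
              return 1 ;;
        nfs)  ;;
        *)    return 0 ;;   # not an NFS mount, nothing to check
    esac
    # "vers=" is the documented synonym of "nfsvers=" in nfs(5)
    case ",$opts," in
        *,nfsvers=*|*,vers=*) ;;
        *) printf '%s: no nfsvers= option, NFS version will be negotiated\n' "$mnt"
           return 2 ;;
    esac
    case ",$opts," in
        *,sec=krb5*) ;;
        *) printf '%s: no sec=krb5/krb5i/krb5p option, mount will not use Kerberos\n' "$mnt"
           return 3 ;;
    esac
    return 0
}

# Check a whole fstab file; skips comments and blank lines and returns the
# number of entries with problems (0 means everything passed).
check_fstab_file() {
    bad=0
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        check_fstab_line "$dev" "$mnt" "$fstype" "$opts" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}

# Constructed sample fstab (not from a real system) exercising each case.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/sda1                        /      ext4  defaults            0 0
nfsserver.localnet:/export/home  /home  nfs4  defaults            0 0
nfsserver.localnet:/export/data  /data  nfs   defaults            0 0
nfsserver.localnet:/export/srv   /srv   nfs   nfsvers=4,sec=krb5p 0 0
EOF
check_fstab_file "$SAMPLE_FSTAB" || echo "$? problematic entries in $SAMPLE_FSTAB"
```

Run it against the real file with check_fstab_file /etc/fstab; the exit status is the number of offending entries.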

Firewall

allow port 88, TCP and UDP for Kerberos v5
allow port 749, TCP and UDP for kadmin if you plan to configure it

Automatically request a Kerberos ticket when a user logs in

pacman -S pam-krb5
/etc/pam.d/system-local-login
auth      include   system-login
auth      optional  pam_krb5.so minimum_uid=1000 use_first_pass
account   include   system-login
account   optional  pam_krb5.so minimum_uid=1000 use_first_pass
password  include   system-login
session   include   system-login
session   optional  pam_krb5.so

/etc/pam.d/sddm
auth      include   system-login
auth      optional  pam_krb5.so minimum_uid=1000 use_first_pass
account   include   system-login
account   optional  pam_krb5.so minimum_uid=1000 use_first_pass
password  include   system-login
session   include   system-login
session   optional  pam_krb5.so

Kerberos remote admin

Start the service
systemctl start krb5-kadmind.service

Create an admin principal
kadmin.local
kadmin.local: addprinc user/admin@EXAMPLE_REALM
WARNING: no policy specified for user/admin@EXAMPLE_REALM; defaulting to no policy
Enter password for principal "user/admin@EXAMPLE_REALM": ***
Re-enter password for principal "user/admin@EXAMPLE_REALM": ***
Principal "user/admin@EXAMPLE_REALM" created.