NFSv4 (nfs4) + Kerberos in Debian

Some pointers to getting NFSv4 going with a Kerberos system, perhaps even one similar to LDAP/Kerberos.


Once one has a nice LDAP/Kerberos system running, one might want to mount filesystems across servers. After a bit of research, it seems that as of 2009-07-18 NFS is still the preferred way to do that between a bunch of Debian machines. NFS does have one horribly broken component to it which this tutorial hopes to solve: host-based authentication. By using Kerberos instead, hosts are required to prove identity in order to mount your filesystem instead of blindly assuming that the IP they're connecting from is genuine. This guideline is dedicated for Debian Jessie installations or newer.

Start by installing:

Read through /usr/share/doc/nfs-common/README.Debian.nfsv4. It's a great introduction to this. From here on, it is assumed that you've read this document and may still be struggling to get it going.

Client and Server

Create an nfs Kerberos principal for your client and server machines. This should be in the form of nfs/hostname@REALM. Each host should have a copy of its own key inside /etc/krb5.keytab. For each host, locally run kadmin -p adminuser/admin (adminuser/admin is an admin principal) with the commands:

addpriv -randkey nfs/hostnamename@REALM
ktadd nfs/clientname@REALM

The correct hostname can be found out with the command

getent hosts $(hostname) | awk '{print $1; exit}' | xargs getent hosts | awk '{print $2}'

Please note that the ktadd command invaidates all previously-issued keys reference.


There is the myth that one needs to create an export root directory (having fsid=0) and bind all exported directories into it. This works, but the regular exporting as in nfs3 works and is less error-prone. I.e., the command showmount --exports works only without an export root.

Say we wish to expose /home on the server. In your /etc/exports would read:

# 'no_subtree_check' is specified to get rid of warning messages
#    about the default value changing. This is the default value

(Replace the network according to your desired export configuration. Please note that the older notation "gss/krb5" instead of the network results at least in some situations in errors on the client side about non-existing mount points although "showmount -e" displays them.)

There are three different modes that nfs can operate in with Kerberos, which should be specified in the mount/export options:


On the client side, mount in the following way:

$ mount -t nfs4 -o sec=krb5 /home

If you don't specify the type, it may fall back on nfs3, which will probably error on you.


Other tutorials and further information sources