NFSv4 (nfs4) + Kerberos in Debian

Some pointers on getting NFSv4 going against a Kerberos system, perhaps even one set up like the LDAP/Kerberos guide.

Overview

Once one has a nice LDAP/Kerberos system running, one might want to mount filesystems across servers. After a bit of research, it seems that as of 2009-07-18 NFS is still the preferred way to do that between a bunch of Debian machines. Traditional NFS does have one horribly broken component, which this tutorial hopes to fix: host-based authentication. With Kerberos instead, a host must prove its identity before it can mount your filesystem, rather than the server blindly assuming that the IP address it is connecting from is genuine.

Start by installing:

Read through /usr/share/doc/nfs-common/README.Debian.nfsv4. It's a great introduction to this. From here on, it is assumed that you've read this document and may still be struggling to get it going.

Server

You need to create the export root. All nfs4 exports are served relative to this path.

Say we wish to expose /home on the server. We need to create a root path for nfs4 (we put it at /export, but you can put it wherever you'd like):

$ mkdir -p /export/home
$ mount --bind /home /export/home

In your /etc/fstab, the last line (it must come after the mount of /home itself) would read:

/home           /export/home      none    ro,bind         0       0

Your /etc/exports would read:

# 'fsid=0' designates this path as the nfs4 root
# 'crossmnt' is necessary to properly expose the paths
# 'no_subtree_check' is specified to get rid of warning messages
#    about the default value changing. This is the default value
/export        gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/home   gss/krb5(rw,sync,no_subtree_check)
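To catch an export that silently keeps host-based access, here is an added shell check (not part of the original tutorial or of Debian's nfs-utils) that lints an exports file: it flags any client spec that is neither gss/krb5 nor carries a sec=krb5 option, flags sec= lists that still include sys, and verifies that exactly one fsid=0 root is declared. The two sample exports files it reads are constructed for the demonstration.

```shell
#!/bin/sh
# Added check (not from the tutorial or Debian's nfs-utils): lint an
# exports file so that no export silently keeps host-based (AUTH_SYS) access.
# Findings go to stdout, one per line; returns 0 when clean, 1 otherwise.
check_exports() {
    awk '
    { sub(/#.*/, "") }          # drop comments; awk re-splits $0 into fields
    NF == 0 { next }            # skip blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {   # each "client(options)" spec on the line
            spec = $i
            if (spec !~ /^gss\/krb5/ && spec !~ /[(,]sec=krb5/) {
                printf "%s: %s relies on host-based (AUTH_SYS) access\n", path, spec
                bad = 1
            } else if (spec ~ /[(,]sec=[^,)]*sys/) {
                printf "%s: %s still permits sec=sys alongside Kerberos\n", path, spec
                bad = 1
            }
            if (spec ~ /[(,]fsid=0[,)]/) roots++
        }
    }
    END {
        if (roots == 0) { print "no fsid=0 root export found"; bad = 1 }
        if (roots > 1)  { printf "%d fsid=0 root exports (need exactly one)\n", roots; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample exports files for a self-contained demonstration.
tmp=$(mktemp -d)
cat > "$tmp/exports.good" <<'EOF'
# Kerberos-only, as in the tutorial
/export        gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/home   gss/krb5(rw,sync,no_subtree_check)
EOF
cat > "$tmp/exports.bad" <<'EOF'
/export        gss/krb5(rw,sync,fsid=0,no_subtree_check,crossmnt)
/export/home   192.168.1.0/24(rw,sync,no_subtree_check)
/export/data   *(rw,sec=krb5:sys,fsid=0)
EOF

check_exports "$tmp/exports.good" && echo "exports.good: clean"
check_exports "$tmp/exports.bad"  || echo "exports.bad: problems found"
```

The check is static; on a live server, `exportfs -v` shows the options actually in effect after `exportfs -ra`.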

Client

On the client side, mount in the following way:

$ mount -t nfs4 -o sec=krb5 nfs4-server.example.com:/home /home

If you don't specify the type, mount may fall back to NFSv3, which will probably fail on you.

The package README mentions sec=krb5i, which appears to require that each user hold a Kerberos ticket before accessing the filesystem. If you don't have a completely integrated Kerberos system, it is probably best to leave it at sec=krb5.

Tips

Other tutorials