This is a page about how to set up a client with NFS4, Kerberos and secure LDAP. I have tested it with Debian 7 and 8, but I don't have production experience with Debian 8.
The setup for the server is described here: http://wiki.debian.org/nfs4-kerberos-ldap
Remark: this page uses libnss-ldap, but the release notes advise replacing it with libnss-ldapd: https://www.debian.org/releases/wheezy/amd64/release-notes/ch-information.en.html#ldap-gnutls . I have tried libnss-ldapd once with Debian 8, but it did not work, so I use libnss-ldap at the moment.
First of all, you need a correct FQDN hostname. If you did the installation correctly, the FQDN hostname will already be correct. The command "hostname --fqdn" should print something like "pc001.example.com" and not just "pc001". You can change the hostname in /etc/hostname; put the short name there (e.g. "pc001"). After changing it you must run /etc/init.d/hostname.sh and log out and in again, or reboot. You can change the domain part in /etc/hosts. You need a line like this there:
127.0.1.1 pc001.example.com pc001
where "pc001" is the hostname of the machine and "example.com" is your domain. Every machine needs a unique name.
This setup assumes that there is a machine-key for this machine created on the server.
Further it assumes that you have an admin account and a normal user account on the server; if not, read the part at the end of this page.
Client setup:
# become root:
su -
# check that your hostname is correct. If not, see the part at the beginning of this howto
hostname --fqdn
# First set variables, and ask for some
read -p "Server with Kerberos and LDAP, something like 'server.example.com' : " SERVER
read -p "Admin username on the server, something like 'john' : " ADMIN
HOST=$(hostname --fqdn)
DOMAIN=${HOST#*.}
SERVERDOMAIN=${SERVER#*.}
REALM=$(echo "${SERVERDOMAIN}" | tr '[:lower:]' '[:upper:]')
# build the LDAP base DN (dc=example,dc=com) from the server's domain; restore IFS afterwards
LDAPROOT=""; IFS="."; for DC in $SERVERDOMAIN ; do LDAPROOT="${LDAPROOT},dc=$DC"; done; unset IFS
LDAPROOT="${LDAPROOT#,}"
# install some packages
DEBIAN_FRONTEND=noninteractive apt-get install ntp nscd krb5-user krb5-doc libpam-krb5 ca-certificates nfs-common rpl
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends libnss-ldap
# Increase the minimum UID for Kerberos accounts accepted by PAM
cd /etc/pam.d/
sed -i '/[^#].*pam_krb5/s/minimum_uid=1000/minimum_uid=2000/' \
    common-auth common-session common-password common-account
# Configure LDAP
cat <<EOF >/etc/ldap/ldap.conf
BASE ${LDAPROOT}
URI ldaps://${SERVER}
TLS_CACERT /etc/ssl/certs/CAself-cert.pem
TLS_REQCERT demand
EOF
# Activate LDAP in the name service switch
sed -i 's/compat/files ldap/' /etc/nsswitch.conf
# Copy /etc/ssl/certs/CAself-cert.pem from the server to the client,
# into the same directory, e.g. if you have an account on the server.
# (The certificate is public, so the copy needs no confidentiality, but it must be the
# genuine one: "TLS_REQCERT demand" only protects you if this CA file is authentic.)
scp $ADMIN@"${SERVER}":/etc/ssl/certs/CAself-cert.pem /etc/ssl/certs
# configure the libnss-ldap module (for Ubuntu you need to change /etc/ldap.conf instead!)
cat <<EOF >/etc/libnss-ldap.conf
base ${LDAPROOT}
uri ldaps://${SERVER}
ldap_version 3
scope sub
EOF
# Configure Kerberos. ticket_lifetime is a duration; a bare number is read as seconds
# (so 525600 is about six days), and the KDC's own maximum lifetime still caps it.
cat <<EOF >/etc/krb5.conf
[libdefaults]
        default_realm = ${REALM}
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        ticket_lifetime = 525600
        rdns = false
[realms]
        $REALM = {
                kdc = ${SERVER}
                admin_server = ${SERVER}
        }
[domain_realm]
        .$DOMAIN = ${REALM}
[login]
        krb4_convert = true
        krb4_get_tickets = false
[logging]
        kdc = SYSLOG:INFO:DAEMON
        admin_server = SYSLOG:INFO:DAEMON
        default = SYSLOG:INFO:DAEMON
EOF
# Download the machine-key to /etc/krb5.keytab. When this is not possible this way,
# look at the end of this page for another way.
kadmin -p $ADMIN/admin -q "ktadd nfs/$(hostname --fqdn)"
# configure the NFS init script for the daemons
sed -i 's/^ *NEED_GSSD=.*$/NEED_GSSD=yes/' /etc/default/nfs-common
sed -i 's/^ *NEED_IDMAPD=.*$/NEED_IDMAPD=yes/' /etc/default/nfs-common
echo 'RPCGSSDOPTS="-vv"' >>/etc/default/nfs-common
# Configure the NFS4 domain for idmapd
sed -i "s/^Domain *=.*$/Domain = $SERVERDOMAIN/" /etc/idmapd.conf
# Restart daemons for NFS4
/etc/init.d/nfs-common restart
# tell fstab what you want to mount
mkdir /mnt/home
echo "$SERVER:/home /mnt/home nfs4 rw,sec=krb5i,auto,_netdev 0 0" >>/etc/fstab
mount -a
# if everything works fine, you can use /home instead of /mnt/home
umount /mnt/home
rpl "/mnt/home" "/home" /etc/fstab
# in many cases you want to change the umask, so normal users give write access to the group.
# see "man pam_umask" or http://wiki.debian.org/DebianDesktopHowTo for more information.
echo -e "\nsession optional pam_umask.so umask=0002" >> /etc/pam.d/common-session
# in many cases you want to say that all users can use USB and write CDs:
echo " *;*;*;Al0000-2400;cdrom,plugdev " >> /etc/security/group.conf
cat <<EOF > /usr/share/pam-configs/group
Name: Group membership granted at login
Default: yes
Priority: 0
Auth-Type: Additional
Auth:
	optional pam_group.so
EOF
pam-auth-update --package
# this gives an error about line 689 and 690 of pam-auth-update. Not sure.
What to do when you don't want the person who installs the client to have an admin account on the server? Or when you don't want ssh access to the server? Or when the server is a slave, and therefore read-only?
# On the server or master server you can do this to get the key of a machine.
# The principal must match the client's "hostname --fqdn" exactly (Kerberos principal
# names are case-sensitive), so use the lower-case host name:
kadmin.local -q "ktadd -k pc1.keytab nfs/pc1.example.com"
# You have to find a secure way to bring the file to the client machine.
# On the client you can do this to copy the key to the right place:
mv pc1.keytab /etc/krb5.keytab
chmod 0600 /etc/krb5.keytab
# You can publish your certificate on a website. You can download it and copy it to the
# right location; compare its fingerprint with the server's copy before installing it.
wget www.example.com/CAself-cert.pem
mv CAself-cert.pem /etc/ssl/certs/
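A set of sanity checks for the client configuration produced by the steps above (the kadmin path and the manual keytab copy alike). This is an added example, not part of the original howto; the sample files and the hostname pc001.example.com are constructed, and each check takes a file path so it can also be pointed at the real /etc files.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity checks for the
# client configuration it writes. Each check takes a file path (or a
# hostname), so it can be run against the real /etc files or test copies.

# The hostname must be fully qualified; the keytab principal is
# nfs/<fqdn>, so a short name will not match what the server issued.
check_fqdn() { case "$1" in *.*) return 0 ;; *) return 1 ;; esac; }

# ldap.conf must use ldaps:// and demand a verified server certificate,
# otherwise account data can be read or tampered with on the wire.
check_ldap_conf() {
    grep -Eq '^[[:space:]]*URI[[:space:]]+ldaps://' "$1" &&
    grep -Eq '^[[:space:]]*TLS_REQCERT[[:space:]]+demand' "$1"
}

# Every nfs4 entry must carry sec=krb5i or sec=krb5p: sec=krb5 alone
# authenticates the user but leaves the file data unprotected.
check_fstab() {
    ! awk '/^[[:space:]]*#/ { next }
           $3 == "nfs4" && $4 !~ /sec=krb5[ip]/ { bad = 1 }
           END { exit !bad }' "$1"
}

# /etc/krb5.keytab is the machine credential: only root may read it (mode 0600).
check_keytab_mode() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

# Runs all checks against constructed sample files (not real system
# files); returns 0 when the sample configuration passes every check.
demo() {
    d=$(mktemp -d) || return 1
    printf 'URI ldaps://server.example.com\nTLS_REQCERT demand\n' >"$d/ldap.conf"
    printf '# constructed sample\nserver.example.com:/home /home nfs4 rw,sec=krb5i,auto,_netdev 0 0\n' >"$d/fstab"
    : >"$d/krb5.keytab" && chmod 600 "$d/krb5.keytab"
    check_fqdn pc001.example.com && check_ldap_conf "$d/ldap.conf" &&
        check_fstab "$d/fstab" && check_keytab_mode "$d/krb5.keytab"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo && echo "sample configuration passes" || echo "sample configuration FAILS"
```

On a real client, run the checks as check_fqdn "$(hostname --fqdn)", check_ldap_conf /etc/ldap/ldap.conf, check_fstab /etc/fstab and check_keytab_mode /etc/krb5.keytab.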