This is a page about how to set up a client with NFSv4, Kerberos, and secure LDAP.

The setup for the server is described here: http://wiki.debian.org/nfs4-kerberos-ldap

First of all, you will need a correct FQDN hostname on both client and server. The command "hostname --fqdn" should print something like "anja.example.com" and not only "anja". You can change the hostname in /etc/hostname; after changing it you must run /etc/init.d/hostname.sh, then log out and log in again. You can change the domain part in /etc/hosts, which needs a line like:

192.168.1.44       anja.example.com   anja

where "anja" is the hostname of the machine, and "example.com" is your domain. Every machine needs a unique name.

This setup assumes that a machine key for this machine has been created on the server.

It also assumes that you have an admin account and a normal user account on the server; if not, read the part at the end of this page.

Client setup:

# become root:
su -

# check that your hostname is correct. If not, see the part at the beginning of the howto
hostname --fqdn

# First set variables, and ask for some
read -p "Server with Kerberos and LDAP, something like 'server.example.com' : " SERVER

read -p "Admin username on the server, something like 'john' : " ADMIN

HOST=$(hostname --fqdn)
DOMAIN=${HOST#*.}
SERVERDOMAIN=${SERVER#*.}
REALM=$(echo "${SERVERDOMAIN}" | tr '[:lower:]' '[:upper:]')
# build "dc=example,dc=com" from "example.com" without changing IFS,
# which would otherwise stay set to "." for the rest of the session
LDAPROOT="dc=$(echo "${SERVERDOMAIN}" | sed 's/\./,dc=/g')"

# install some packages
DEBIAN_FRONTEND=noninteractive apt-get install ntp nscd krb5-user krb5-doc libpam-krb5 ca-certificates nfs-common rpl

DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends libnss-ldap

# Increase the minimum UID for Kerberos accounts accepted by PAM
cd /etc/pam.d/
sed -i '/[^#].*pam_krb5/s/minimum_uid=1000/minimum_uid=2000/' \
    common-auth common-session common-password common-account

# Configure LDAP
cat <<EOF >/etc/ldap/ldap.conf
BASE ${LDAPROOT}
URI ldaps://${SERVER}
TLS_CACERT /etc/ssl/certs/CAself-cert.pem
TLS_REQCERT demand
EOF

# Activate LDAP in name service switch
sed -i 's/compat/files ldap/' /etc/nsswitch.conf

# Copy /etc/ssl/certs/CAself-cert.pem from the server to the client
# in the same directory, e.g. if you have an account on the server.
# (there is no real need to do this in a secure way)
scp "${ADMIN}@${SERVER}:/etc/ssl/certs/CAself-cert.pem" /etc/ssl/certs/

# configure name service switch, for Ubuntu you need to change /etc/ldap.conf!
cat <<EOF >/etc/libnss-ldap.conf
base ${LDAPROOT}
uri ldaps://${SERVER}
ldap_version 3
scope sub
EOF

# Configure kerberos, ticket_lifetime is in minutes
cat <<EOF >/etc/krb5.conf
[libdefaults]
        default_realm = ${REALM}
        allow_weak_crypto = true
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        ticket_lifetime = 525600

[realms]
        $REALM = {
                kdc = ${SERVER}
                admin_server = ${SERVER}
        }

[domain_realm]
        .$DOMAIN = ${REALM}

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        kdc = SYSLOG:INFO:DAEMON
        admin_server = SYSLOG:INFO:DAEMON
        default = SYSLOG:INFO:DAEMON
EOF

# Download the machine-key to /etc/krb5.keytab
kadmin -p "${ADMIN}/admin" -q "ktadd nfs/$(hostname --fqdn)"

# configure the NFS init script for the daemons
sed -i 's/^ *NEED_GSSD=.*$/NEED_GSSD=yes/' /etc/default/nfs-common
sed -i 's/^ *NEED_IDMAPD=.*$/NEED_IDMAPD=yes/' /etc/default/nfs-common
echo 'RPCGSSDOPTS="-vv"' >>/etc/default/nfs-common

# Configure NFS4-domain for idmapd
sed -i "s/^Domain *=.*$/Domain = $SERVERDOMAIN/" /etc/idmapd.conf

# Restart daemons for NFS4
/etc/init.d/nfs-common restart
#
# On ubuntu clients do this instead:
#    stop portmap ; start portmap ; restart gssd ; restart idmapd


# tell fstab what you want to mount
mkdir /mnt/home
echo "$SERVER:/home /mnt/home nfs4  rw,sec=krb5i,auto 0 0" >>/etc/fstab
mount -a

# if everything works fine, you can mount on /home instead of /mnt/home
umount /mnt/home
rpl "/mnt/home" "/home" /etc/fstab

# in many cases you want to change the umask so that files created by normal users are writable by the group.
# see "man pam_umask" or http://wiki.debian.org/DebianDesktopHowTo for more information.
echo -e "\nsession optional pam_umask.so umask=0002" >> /etc/pam.d/common-session

# in many cases you want to allow all users to use USB devices and write CDs:
echo "
*;*;*;Al0000-2400;cdrom,plugdev
" >> /etc/security/group.conf
echo "
Name: Group membership granted at login
Default: yes
Priority: 0
Auth-Type: Additional
Auth:
      optional                        pam_group.so
" > /usr/share/pam-configs/group
pam-auth-update --package
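
A read-only check of the files written by the steps above, as an added example that is not part of the original howto: it flags a clear-text LDAP URI, relaxed certificate checking, a keytab readable by group or others, and NFSv4 mounts without Kerberos. The function name audit_client and its ROOT prefix argument are assumptions made for this example; it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the original howto. ROOT is a hypothetical prefix:
# "" audits the live system, a scratch directory allows a dry run.
# Prints one FAIL line per finding and returns the number of findings.
audit_client() {
    root=$1
    findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    # LDAP lookups must go over ldaps:// only, never clear-text ldap://.
    conf="$root/etc/ldap/ldap.conf"
    grep -Eiq '^[[:space:]]*URI[[:space:]]+ldaps://' "$conf" 2>/dev/null ||
        fail "$conf: no ldaps:// URI"
    if grep -Eiq '^[[:space:]]*URI[[:space:]].*ldap://' "$conf" 2>/dev/null; then
        fail "$conf: clear-text ldap:// URI"
    fi

    # The server certificate must be checked against the CA copied from the server.
    grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(demand|hard)[[:space:]]*$' "$conf" 2>/dev/null ||
        fail "$conf: TLS_REQCERT is not 'demand'"
    ca=$(awk 'toupper($1) == "TLS_CACERT" { print $2 }' "$conf" 2>/dev/null)
    if [ -z "$ca" ] || [ ! -s "$root$ca" ]; then
        fail "$conf: TLS_CACERT file missing or empty"
    fi

    # The keytab holds the machine's long-term key: no group or other access.
    kt="$root/etc/krb5.keytab"
    if [ ! -f "$kt" ]; then
        fail "$kt: missing"
    else
        mode=$(stat -c %a "$kt")    # GNU stat, as shipped with Debian
        case $mode in
            *00) ;;
            *) fail "$kt: mode $mode exposes the machine key" ;;
        esac
    fi

    # Every NFSv4 mount must ask for Kerberos (krb5, krb5i or krb5p).
    for src in $(awk '$1 !~ /^#/ && $3 == "nfs4" &&
                      $4 !~ /(^|,)sec=krb5[ip]?(,|$)/ { print $1 }' \
                     "$root/etc/fstab" 2>/dev/null); do
        fail "fstab: $src is mounted without sec=krb5*"
    done
    return "$findings"
}
```

Run it as root with an empty prefix, audit_client "", once the setup is finished; a return value of 0 means no findings.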

What if you don't want the person who installs the client to have an admin account on the server? Or if you don't want SSH access to the server?

# On the server you can do this to get the key of a machine
kadmin.local -q "ktadd -k nfs-pc1.example.com.keytab nfs/pc1.example.com"

# You have to find a secure way to bring the file to the client-machine.

# On the client you can do this to copy the key to the right place:
mv nfs-pc1.example.com.keytab /etc/krb5.keytab
chmod 0600 /etc/krb5.keytab

# You can publish your certificate on a website. You can download it, and copy it to the right location
wget www.example.com/CAself-cert.pem
mv CAself-cert.pem /etc/ssl/certs/
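
The wget above fetches the CA certificate over plain HTTP, and that file is the trust anchor for every ldaps:// connection, so its integrity matters even though its content is public. An added example (not part of the original howto) that installs the download only when its SHA-256 digest matches a value obtained out of band; the function name install_ca and the way the digest is handed over are assumptions.

```shell
#!/bin/sh
# Added example, not from the original howto.
# install_ca FILE EXPECTED_SHA256 DESTDIR
# Copies FILE into DESTDIR only if its SHA-256 digest equals EXPECTED_SHA256.
# Assumed workflow: the server administrator runs
#   sha256sum /etc/ssl/certs/CAself-cert.pem
# on the server and passes the digest on by a channel other than the website.
# Returns 0 on success, 1 on a digest mismatch, 2 if FILE is missing or empty.
install_ca() {
    file=$1
    expected=$2
    dest=$3
    if [ ! -s "$file" ]; then
        echo "missing or empty: $file" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    # Digests are hexadecimal; accept upper-case input.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual, nothing installed" >&2
        return 1
    fi
    install -m 0644 "$file" "$dest/"
}
```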