This page describes how to set up a client for NFSv4 with Kerberos and LDAP over TLS (ldaps).
The setup of the server is described here: http://wiki.debian.org/nfs4-kerberos-ldap
First of all, you need a correct FQDN hostname on both client and server. The command "hostname --fqdn" should print something like "anja.example.com" and not just "anja". Kerberos service principals and the NFSv4 idmapping are both keyed on this name, so a wrong or changing FQDN breaks the whole setup. You can change the hostname in /etc/hostname; after changing it you must run /etc/init.d/hostname.sh and log out and in again. You can change the domain part in /etc/hosts, which needs a line like:
127.0.1.1 anja.example.com anja
where "anja" is the hostname of the machine and "example.com" is your domain. Every machine needs a unique name.
This setup assumes that a machine key (the nfs/<fqdn> service principal) for this machine has already been created on the server.
It further assumes that you have an admin account and a normal user account on the server; if not, read the section at the end of this page.
Client setup:
# become root:
su -

# check that your hostname is correct; if not, see the section at the beginning of this howto
hostname --fqdn

# First set variables, and ask for some
read -p "Server with Kerberos and LDAP, something like 'server.example.com' : " SERVER
read -p "Admin username on the server, something like 'john' : " ADMIN
HOST=$(hostname --fqdn)
DOMAIN=${HOST#*.}
REALM=$(echo "${DOMAIN}" | tr '[:lower:]' '[:upper:]')
LDAPROOT=""; IFS="."; for DC in $DOMAIN ; do LDAPROOT="${LDAPROOT},dc=$DC"; done; LDAPROOT="${LDAPROOT#,}"
unset IFS   # restore the default word splitting for the rest of the session

# install some packages (-y, because the noninteractive frontend alone does not skip the confirmation prompt)
DEBIAN_FRONTEND=noninteractive apt-get install -y ntp nscd krb5-user krb5-doc libpam-krb5 ca-certificates nfs-common rpl
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends libnss-ldap

# Increase the minimal UID of Kerberos accounts accepted by PAM
cd /etc/pam.d/
sed -i '/[^#].*pam_krb5/s/minimum_uid=1000/minimum_uid=2000/' \
    common-auth common-session common-password common-account

# Configure the LDAP client library (also used by libnss-ldap). TLS_REQCERT demand
# makes the client refuse the connection unless the server certificate validates
# against the CA given in TLS_CACERT.
cat <<EOF >/etc/ldap/ldap.conf
BASE ${LDAPROOT}
URI ldaps://${SERVER}
TLS_CACERT /etc/ssl/certs/CAself-cert.pem
TLS_REQCERT demand
EOF

# Activate LDAP in the name service switch
sed -i 's/compat/files ldap/' /etc/nsswitch.conf

# Copy /etc/ssl/certs/CAself-cert.pem from the server to the client, into the same
# directory, e.g. with an account on the server. The CA certificate is public, so
# confidentiality is not an issue, but the client will trust any certificate signed
# by whatever ends up in this file, so make sure it really is the server's CA:
# compare "openssl x509 -noout -fingerprint -sha256 -in /etc/ssl/certs/CAself-cert.pem"
# on both machines.
scp $ADMIN@"${SERVER}":/etc/ssl/certs/CAself-cert.pem /etc/ssl/certs

# configure libnss-ldap
cat <<EOF >/etc/libnss-ldap.conf
base ${LDAPROOT}
uri ldaps://${SERVER}
ldap_version 3
scope sub
EOF

# Configure Kerberos. Two things to know about the values below:
# - allow_weak_crypto enables the old DES/RC4 enctypes. Only keep it if the server's
#   keys still use them; otherwise leave it out (the default is false).
# - ticket_lifetime is a duration; a bare number is read as seconds, not minutes, and
#   the KDC caps the request at its own max_life anyway. A long-lived ticket stays
#   usable for that long if it is stolen, so do not request more than you need.
cat <<EOF >/etc/krb5.conf
[libdefaults]
    default_realm = ${REALM}
    allow_weak_crypto = true
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    ticket_lifetime = 525600

[realms]
    ${REALM} = {
        kdc = ${SERVER}
        admin_server = ${SERVER}
    }

[domain_realm]
    .${DOMAIN} = ${REALM}

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
    kdc = SYSLOG:INFO:DAEMON
    admin_server = SYSLOG:INFO:DAEMON
    default = SYSLOG:INFO:DAEMON
EOF

# Download the machine key (the nfs/<fqdn> service principal) into /etc/krb5.keytab;
# kadmin asks for the password of ${ADMIN}/admin. The keytab is the machine's
# long-term secret and must be readable by root only.
kadmin -p $ADMIN/admin -q "ktadd nfs/${HOST}"
chmod 0600 /etc/krb5.keytab

# configure the NFS init script: rpc.gssd handles the Kerberos security flavours,
# rpc.idmapd maps NFSv4 user@domain names to local UIDs. "-vv" makes gssd verbose,
# which helps while troubleshooting.
sed -i 's/^ *NEED_GSSD=.*$/NEED_GSSD=yes/' /etc/default/nfs-common
sed -i 's/^ *NEED_IDMAPD=.*$/NEED_IDMAPD=yes/' /etc/default/nfs-common
echo 'RPCGSSDOPTS="-vv"' >>/etc/default/nfs-common
/etc/init.d/nfs-common restart

# tell fstab what you want to mount. sec=krb5i authenticates every request with
# Kerberos and integrity-protects it; use sec=krb5p if the data must be encrypted too.
mkdir /mnt/home
echo "$SERVER:/home /mnt/home nfs4 rw,sec=krb5i,auto 0 0" >>/etc/fstab
mount -a

# if everything works fine, mount it on /home instead of /mnt/home
umount /mnt/home
rpl "/mnt/home" "/home" /etc/fstab
mount -a
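The howto derives DOMAIN, REALM and LDAPROOT from the FQDN with one-liners that silently produce empty values when "hostname --fqdn" returns a bare name like "anja". The script below is an added example, not part of the wiki page: it puts the same derivation (for the hostname section at the top and the variable setup above) into functions that fail loudly on a bad hostname, and adds two checks a practitioner wants before the first mount: that /etc/krb5.keytab is readable by root only, and whether krb5.conf still has allow_weak_crypto switched on. The hostname "anja.example.com" and the file paths passed to the check functions are assumptions used for the demo.

```sh
#!/bin/sh
# Added example, not part of the Debian wiki page. Derives the Kerberos realm
# and LDAP base DN from the client's FQDN the way the howto does, but fails
# on a bare hostname instead of yielding an empty domain, realm and base DN,
# and adds two pre-flight checks: keytab file mode and allow_weak_crypto.
# The hostname and paths used in the demo at the bottom are assumptions.

# Print the domain part of an FQDN ("anja.example.com" -> "example.com").
# Fails on a plain short hostname such as "anja", or on a trailing dot.
domain_from_fqdn() {
    case "$1" in
        *.?*) printf '%s\n' "${1#*.}" ;;
        *)    echo "not an FQDN: '$1' (check 'hostname --fqdn')" >&2; return 1 ;;
    esac
}

# Kerberos realms are the domain in upper case by convention
# ("example.com" -> "EXAMPLE.COM").
realm_from_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Turn a DNS domain into an LDAP base DN ("example.com" -> "dc=example,dc=com").
# This is the IFS loop from the howto, with IFS restored afterwards so later
# word splitting in the same shell is not affected.
ldap_base_from_domain() {
    _base=""
    _old_ifs=$IFS
    IFS=.
    for _dc in $1; do
        _base="${_base},dc=${_dc}"
    done
    IFS=$_old_ifs
    printf '%s\n' "${_base#,}"
}

# The keytab is the machine's long-term key. Succeeds only when the file exists
# and group/other have no permission bits at all (0600 or 0400). It should also
# be owned by root; that is deliberately not checked here so the function can be
# run unprivileged.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                         -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)" ]
}

# True when the krb5.conf given as $1 enables the weak DES/RC4 enctypes.
krb5conf_weak_crypto_enabled() {
    grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|1)' "$1"
}

# Demo on a constructed hostname; the howto would use "$(hostname --fqdn)".
fqdn=anja.example.com
domain=$(domain_from_fqdn "$fqdn")
echo "domain=$domain realm=$(realm_from_domain "$domain") base=$(ldap_base_from_domain "$domain")"
# -> domain=example.com realm=EXAMPLE.COM base=dc=example,dc=com
```

Run the keytab and krb5.conf checks as root on the freshly configured client, e.g. "keytab_mode_ok /etc/krb5.keytab" and "krb5conf_weak_crypto_enabled /etc/krb5.conf"; a failing keytab check means another local user could read the machine key and request tickets as nfs/<fqdn>.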
What if you don't want the person who installs the client to have an admin account on the server? Or if you don't want to allow ssh access to the server?
# On the server, export the machine key to a keytab file (run as root; kadmin.local
# talks to the KDC database directly):
kadmin.local -q "ktadd -k nfs-pc1.example.com.keytab nfs/pc1.example.com"
# The keytab is the client's long-term secret: anyone holding it can act as that
# machine. Bring it to the client over a channel that is both confidential and
# authenticated (not unencrypted e-mail or an open web server), and remove the copy
# on the server once it is installed.
# On the client, move the key into place, owned by root and readable by root only:
mv nfs-pc1.example.com.keytab /etc/krb5.keytab
chown root:root /etc/krb5.keytab
chmod 0600 /etc/krb5.keytab
# The CA certificate is public, so you can publish it on a website, download it and
# copy it to the right location. Verify it before trusting it: compare the output of
# the openssl command below with the fingerprint the server's administrator gives you
# out of band, because whatever ldap.conf points at in /etc/ssl/certs is trusted
# unconditionally, and a plain http download can be tampered with on the way.
wget www.example.com/CAself-cert.pem
openssl x509 -noout -fingerprint -sha256 -in CAself-cert.pem
mv CAself-cert.pem /etc/ssl/certs/