User:Mattst88/NFS+Kerberos
CODE make-principals.sh
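#!/usr/bin/env bash
#
# make-principals.sh — enrol this machine as a Kerberos NFS client.
#
# For this host's FQDN it creates the host/, nfs/, root/ and portage/
# principals in the MATTST88.COM realm, extracts their keys into the system
# keytab and the per-user gss-proxy client keytabs, writes the krb5, gss-proxy,
# rpc-gssd and autofs configuration, and (re)starts the services.
#
# Must run as root. Prompts once for the password of the kadmin admin
# principal; that password is never written to disk by this script.
set -euo pipefail

readonly realm=MATTST88.COM
readonly admin_principal="mattst88/admin@${realm}"
readonly kdc_host=server.mattst88.com
readonly system_keytab=/etc/krb5.keytab
readonly gssproxy_clients=/var/lib/gssproxy/clients

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Run one kadmin query as the admin principal.
# Globals:   admin_principal (read), password (read; set by main)
# Arguments: $1 - the kadmin query string, e.g. "ank -randkey host/..."
# Returns:   kadmin's exit status
#######################################
kadm() {
  # -w puts the admin password into kadmin's argv, where every local user can
  # read it from the process list for the duration of the call (the original
  # one-liners had the same exposure). Never enable `set -x` around this.
  kadmin -p "$admin_principal" -w "$password" -q "$1"
}

main() {
  (( EUID == 0 )) || die "must run as root (writes /etc and the keytabs)"

  local fqdn
  fqdn=$(hostname -f) || die "hostname -f failed"
  [[ -n "$fqdn" ]] || die "hostname -f returned an empty name"
  printf 'Hostname is %s\n' "$fqdn"

  local -a principals=(
    "host/${fqdn}@${realm}"
    "nfs/${fqdn}@${realm}"
    "root/${fqdn}@${realm}"
    "portage/${fqdn}@${realm}"
  )

  local password
  printf 'Enter Kerberos password: '
  # -r keeps backslashes literal; -s stops the terminal echoing the password.
  read -r -s password
  printf '\n'
  [[ -n "$password" ]] || die "empty password"

  # The auth_to_local rule's $1/$0 are krb5 placeholders, not shell variables,
  # so they are escaped; everything else in this heredoc is meant to expand.
  cat <<EOF > /etc/krb5.conf
[libdefaults]
default_realm = ${realm}

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
${realm} = {
  kdc = ${kdc_host}
  admin_server = ${kdc_host}
  default_principal_flags = +preauth
  auth_to_local = RULE:[2:\$1@\$0](.*@${realm})s/@.*//
}

[domain_realm]
.mattst88.com = ${realm}
mattst88.com = ${realm}

[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
EOF

  # Create each principal with a random key. If kadmin reports a failure in
  # its exit status (e.g. the principal already exists on a re-run), set -e
  # stops here instead of going on to ktadd against a missing principal.
  local p
  for p in "${principals[@]}"; do
    kadm "ank -randkey ${p}"
  done

  # host/ and nfs/ go into the system keytab; root/ and portage/ each get
  # their own gss-proxy client keytab (see the %u.keytab cred_store below).
  kadm "ktadd -k ${system_keytab} host/${fqdn}@${realm}"
  kadm "ktadd -k ${system_keytab} nfs/${fqdn}@${realm}"
  kadm "ktadd -k ${gssproxy_clients}/root.keytab root/${fqdn}@${realm}"
  kadm "ktadd -k ${gssproxy_clients}/portage.keytab portage/${fqdn}@${realm}"
  # The password is not needed past this point; drop it from shell state.
  unset password

  # Also merge the root/ key into the system keytab.
  ktutil <<EOF
rkt ${gssproxy_clients}/root.keytab
wkt ${system_keytab}
q
EOF

  mkdir -p /etc/systemd/system/rpc-gssd.service.d
  cat <<'EOF' > /etc/systemd/system/rpc-gssd.service.d/use-gss-proxy.conf
[Service]
Environment="GSS_USE_PROXY=yes"
EOF

  # NOTE: this replaces the whole of /etc/nfs.conf, as the original did.
  cat <<'EOF' > /etc/nfs.conf
[gssd]
use-gss-proxy=1
EOF

  # allow_any_uid/trusted open this service to every local uid; the per-uid
  # client_keytab (%u) is what scopes each uid to its own key — confirm
  # against gssproxy.conf(5) before loosening or widening this.
  cat <<EOF > /etc/gssproxy/99-nfs-client.conf
[service/nfs-client]
mechs = krb5
cred_store = keytab:${system_keytab}
cred_store = ccache:FILE:/var/lib/gssproxy/rcache/krb5cc_%u
cred_store = client_keytab:${gssproxy_clients}/%u.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
EOF
  rm -f -- /etc/gssproxy/80-httpd.conf /etc/gssproxy/24-nfs-server.conf

  cat <<'EOF' > /etc/autofs/auto.gentoo
/var/cache/distfiles -sec=krb5i server:/var/cache/distfiles
/var/cache/binpkgs -sec=krb5i server:/var/cache/binpkgs
/var/db/repos/crossdev -sec=krb5i server:/var/db/repos/crossdev
/var/db/repos/sqfs -sec=krb5i server:/var/db/repos/sqfs
/var/db/repos/gentoo -fstype=squashfs :/var/db/repos/sqfs/gentoo.sqfs
EOF

  # Append the direct map once; match the exact map path rather than any
  # line that happens to contain "gentoo".
  if ! grep -qF -- '/etc/autofs/auto.gentoo' /etc/autofs/auto.master; then
    cat <<'EOF' >> /etc/autofs/auto.master
/- /etc/autofs/auto.gentoo --timeout 60
EOF
  fi

  systemctl daemon-reload
  systemctl enable gssproxy rpc-gssd nfs-client.target autofs
  systemctl restart gssproxy rpc-gssd nfs-client.target autofs
}

main "$@"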
TODO
Troubleshooting
DNS
- DNS is critical to Kerberos, so make sure that both client and server can do reverse DNS lookups of the other's IP and obtain its fully-qualified domain name. If the client, for example, cannot do a reverse DNS lookup of the server's IP, Kerberos authentication will fail.
Using `host` from net-dns/bind-tools:
imac-g4 $
host 10.0.0.1
1.0.0.10.in-addr.arpa domain name pointer server.mattst88.com.
imac-g4 $
ping server
PING server.mattst88.com (10.0.0.1) 56(84) bytes of data.
64 bytes from _gateway (10.0.0.1): icmp_seq=1 ttl=0 time=0.423 ms
Feb 26 09:09:24 server krb5kdc[691]: TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 10.0.0.33: LOOKING_UP_SERVER: authtime 0, etypes {rep=UNSUPPORTED:(0)} root/imac-g4.mattst88.com@MATTST88.COM for nfs/_gateway@MATTST88.COM, Server not found in Kerberos database
In this case, removing `mymachines` and `myhostname` from the `hosts:` line of `/etc/nsswitch.conf` resolved the error above:
FILE /etc/nsswitch.conf
[...]
hosts: resolve [!UNAVAIL=return] files dns
[...]
imac-g4 $
ping server
PING server.mattst88.com (10.0.0.1) 56(84) bytes of data.
64 bytes from server.mattst88.com (10.0.0.1): icmp_seq=1 ttl=0 time=0.398 ms
Feb 23 17:29:30 server krb5kdc[691]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: NEEDED_PREAUTH: root/imac-g4.mattst88.com@MATTST88.COM for krbtgt/MATTST88.COM@MATTST88.COM, Additional pre-authentication required
Feb 23 17:29:30 server krb5kdc[691]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: ISSUE: authtime 1645666170, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, root/imac-g4.mattst88.com@MATTST88.COM for krbtgt/MATTST88.COM@MATTST88.COM
Feb 23 17:29:30 server krb5kdc[691]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: ISSUE: authtime 1645666170, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, root/imac-g4.mattst88.com@MATTST88.COM for nfs/server.mattst88.com@MATTST88.COM
Feb 23 17:29:30 server krb5kdc[691]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: NEEDED_PREAUTH: portage/imac-g4.mattst88.com@MATTST88.COM for krbtgt/MATTST88.COM@MATTST88.COM, Additional pre-authentication required
Feb 23 17:29:30 server krb5kdc[691]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: ISSUE: authtime 1645666170, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, portage/imac-g4.mattst88.com@MATTST88.COM for krbtgt/MATTST88.COM@MATTST88.COM
Feb 23 17:29:30 server krb5kdc[691]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: ISSUE: authtime 1645666170, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, portage/imac-g4.mattst88.com@MATTST88.COM for nfs/server.mattst88.com@MATTST88.COM
Client keytab
root #
klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/tortuga.mattst88.com@MATTST88.COM
2 host/tortuga.mattst88.com@MATTST88.COM
2 nfs/tortuga.mattst88.com@MATTST88.COM
2 nfs/tortuga.mattst88.com@MATTST88.COM
2 root/tortuga.mattst88.com@MATTST88.COM
2 root/tortuga.mattst88.com@MATTST88.COM
root #
klist -k /var/lib/gssproxy/clients/root.keytab
Keytab name: FILE:/var/lib/gssproxy/clients/root.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 root/tortuga.mattst88.com@MATTST88.COM
2 root/tortuga.mattst88.com@MATTST88.COM
root #
klist -k /var/lib/gssproxy/clients/portage.keytab
Keytab name: FILE:/var/lib/gssproxy/clients/portage.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 portage/tortuga.mattst88.com@MATTST88.COM
2 portage/tortuga.mattst88.com@MATTST88.COM
Client credential cache
root #
klist -c /var/lib/gssproxy/rcache/krb5cc_portage
Ticket cache: FILE:/var/lib/gssproxy/rcache/krb5cc_portage
Default principal: portage/tortuga.mattst88.com@MATTST88.COM
Valid starting Expires Service principal
03/09/2022 17:54:43 03/10/2022 03:54:43 krbtgt/MATTST88.COM@MATTST88.COM
renew until 03/10/2022 17:54:43
03/09/2022 17:54:43 03/10/2022 03:54:43 nfs/server.mattst88.com@MATTST88.COM
renew until 03/10/2022 17:54:43