prerequisite 1:
a working Domain Name System for all devices (DNS and rDNS), because Kerberos tickets use DNS names instead of IP addresses. Without working DNS resolution (forward and reverse, and both must agree) a connection can't be established.
myServer.com → 192.168.0.1
192.168.0.1 → myServer.com
#check DNS resolution
dig myServer.com
#check rDNS resolution
dig -x 192.168.0.1
prerequisite 2:
a working Kerberos server (kdc). You must be able to retrieve a working ticket on all devices. You must create the following principals on the kdc:
#service-principal for server (nfsd)
kadmin> add --random-key nfs/<server-hostname>@<REALM>
kadmin> ext_keytab --keyfile=/tmp/krb5.keytab nfs/<server-hostname>@<REALM>   <-- must be moved to the NFS server
#service-principal for client (mount.nfs)
kadmin> add --random-key nfs/<client-hostname>@<REALM>
kadmin> ext_keytab --keyfile=/tmp/krb5.keytab nfs/<client-hostname>@<REALM>   <-- must be moved to the client
#check, if your service-principal on your NFS server can automatically retrieve a ticket
kinit -k nfs/<server-hostname>@<REALM>
#check, if your service-principal on your client can automatically retrieve a ticket
kinit -k nfs/<client-hostname>@<REALM>
prerequisite 3:
start the GSS-API daemon on all machines. GSS is the part that creates the secure connection between nfsd and the NFS clients.
#on FreeBSD
gssd -h      <-- you must use '-h' (it enables automatic authorization with service-principals)
#on Linux (rpc_pipefs must be mounted, it's needed for communication between rpc.gssd and the kernel)
rpc.gssd
If you can't establish a connection, read the individual manuals on your system. For example, Linux's gssd needs different principal names than FreeBSD's gssd.
NFSv4 configuration:
for NFSv4 you have to set the filesystem root and the exported folders separately. If you use ZFS, you must declare the NFSv4 root in /etc/exports and the exported folders via the zfs set sharenfs=<nfs-options> <tank>/<zfs> command. If you don't use the zfs command, they won't be shown through NFS.
#/etc/exports (with enabled security mechanisms krb5p, krb5i and krb5)
V4: / -sec=krb5p:krb5i:krb5

#enable sharing on zfs (the ZFS property is named sharenfs)
zfs set sharenfs=on tank/zfs
#set export options (they replace the plain "on" above and are written to /etc/zfs/exports; don't modify that file, it is managed by the zfs command)
zfs set sharenfs="-sec=krb5p" tank/zfs
NFSv4 mount:
try to mount the filesystem. If you can't mount, enable debugging or verbose output. Check the logfiles and work out step by step what went wrong.
#linux
mount -o vers=4,sec=krb5p 192.168.0.1:/exports/zfs /mnt
#/etc/fstab
192.168.0.1:/exports/zfs /mnt nfs vers=4,sec=krb5 0 0
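A mount only succeeds when the flavour the client asks for with sec= is in the export's -sec list, which is why the fstab entry above (sec=krb5) would be refused by a dataset shared with -sec=krb5p. The following is an added example, not part of the original how-to, that compares an export option string with a client's mount options and flags weak settings; the sample strings are constructed from the configuration above and the check functions are mine.

```python
import re

# Constructed sample values, modelled on the exports line, the zfs share
# options and the mount options used above (not taken from a live system).
SERVER_EXPORTS_LINE = "V4: / -sec=krb5p:krb5i:krb5"   # /etc/exports, NFSv4 root
SERVER_SHARENFS = "-sec=krb5p"                       # zfs sharenfs value for tank/zfs
CLIENT_MOUNT_OPTS = "vers=4,sec=krb5p"               # mount -o ... from the example
CLIENT_FSTAB_OPTS = "vers=4,sec=krb5"                # /etc/fstab entry from the example


def server_flavors(export_opts):
    """Security flavours an export allows, taken from its -sec= option.
    An export without -sec accepts only AUTH_SYS ('sys')."""
    m = re.search(r"-sec=([\w:]+)", export_opts)
    return m.group(1).split(":") if m else ["sys"]


def client_flavors(mount_opts):
    """Flavours the client asks for via sec= (colon list, first is preferred); default sys."""
    for opt in mount_opts.split(","):
        if opt.startswith("sec="):
            return opt[4:].split(":")
    return ["sys"]


def check_mount(export_opts, mount_opts):
    """Pick the flavour the mount ends up with (first client choice the export
    allows) and collect warnings. Returns {'ok', 'flavor', 'warnings'}."""
    allowed = server_flavors(export_opts)
    wanted = client_flavors(mount_opts)
    chosen = next((f for f in wanted if f in allowed), None)
    warnings = []
    if "sys" in allowed:
        warnings.append("export allows AUTH_SYS: client uid/gid trusted without Kerberos")
    if chosen == "krb5":
        warnings.append("krb5 authenticates only: no integrity or privacy on the wire")
    if chosen is None:
        warnings.append("mount will be refused: client offers %s, export allows %s"
                        % (":".join(wanted), ":".join(allowed)))
    return {"ok": chosen is not None, "flavor": chosen, "warnings": warnings}


if __name__ == "__main__":
    for label, exp, mnt in [("mount vs /etc/exports", SERVER_EXPORTS_LINE, CLIENT_MOUNT_OPTS),
                            ("fstab vs /etc/exports", SERVER_EXPORTS_LINE, CLIENT_FSTAB_OPTS),
                            ("fstab vs zfs sharenfs", SERVER_SHARENFS, CLIENT_FSTAB_OPTS)]:
        r = check_mount(exp, mnt)
        print(label, "->", "ok" if r["ok"] else "FAIL", r["flavor"], r["warnings"])
```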