Kerberize NFS
From Leo's Notes
Last edited on 1 September 2019, at 06:21.
Introduction
http://jurjenbokma.com/ApprenticesNotes/ad_nfs4.html
Setup
Windows Server
Create 3 accounts:
- unixclienthost (represents the unixclient machine)
- unixclientroot (account for root on unixclient)
- unixclientnfs (used by the NFS Server on unixclient)
After creating these users, right-click each user, open Properties and, under the "Account" tab, change the "User logon name" to "host/unixclient.nfsdomain.com", "root/unixclient.nfsdomain.com" and "nfs/unixclient.nfsdomain.com" respectively.
Now we're going to set the SPNs on these accounts (short and fully qualified name for each):
setspn -A host/unixclient unixclienthost
setspn -A host/unixclient.nfsdomain.com unixclienthost
setspn -A root/unixclient unixclientroot
setspn -A root/unixclient.nfsdomain.com unixclientroot
setspn -A nfs/unixclient unixclientnfs
setspn -A nfs/unixclient.nfsdomain.com unixclientnfs
Client Machine
net ads join createupn=host/$(hostname -f)@CS.CPSC.UCALGARY.CA -U admin%pass
net ads keytab add nfs/$(hostname -f)@CS.CPSC.UCALGARY.CA -U admin%pass
klist -kte
root@cs1:/mnt# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
4 05/06/13 16:24:51 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-md5)
4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (arcfour-hmac)
4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (des-cbc-crc)
4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (des-cbc-md5)
4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (arcfour-hmac)
4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
4 05/06/13 16:24:52 host/cs1@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (des-cbc-crc)
4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (des-cbc-md5)
4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (arcfour-hmac)
4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
4 05/06/13 16:24:52 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
4 05/06/13 16:24:52 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-md5)
4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (arcfour-hmac)
4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (des-cbc-crc)
4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (des-cbc-md5)
4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (arcfour-hmac)
4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
File Server
net ads keytab add nfs -U admin%pass
klist -kte
root@file2:~# klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-md5)
2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (arcfour-hmac)
2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (des-cbc-crc)
2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (des-cbc-md5)
2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (arcfour-hmac)
2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (aes128-cts-hmac-sha1-96)
2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
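The two klist -kte listings above are the point at which a keytab problem is cheapest to catch, so here is an added checker (my own example, not code from Leo's Notes, Samba or MIT Kerberos) that parses that exact text format. For a given host and realm it reports expected service principals that are absent, principals whose name part carries more than one "/" (the client listing above has nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca entries of that shape, while the file server's nfs/file2.cs.cpsc.ucalgary.ca is the usual service/fqdn form), keys stored with enctypes deprecated for Kerberos (single DES under RFC 6649, RC4/arcfour under RFC 8429; both appear in the listings), and the KVNOs present. The sample listings embedded in it are constructed, abridged copies of the output above.

```python
"""Sanity-check a `klist -kte` listing for a Kerberized NFS host.

Added example (not code from Leo's Notes or from Samba/MIT Kerberos). It parses
the text format printed by `klist -kte` and reports:
  * expected service principals that are absent (service/fqdn@REALM),
  * oddly shaped principals with more than one '/' in the name part,
  * keys using enctypes deprecated for Kerberos (single DES per RFC 6649,
    RC4/arcfour per RFC 8429),
  * the set of key version numbers (KVNOs) present.
"""
import re

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "arcfour-hmac", "arcfour-hmac-exp"}

# One keytab entry line: "<kvno> <date> <time> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def check_keytab(text, fqdn, realm, services=("nfs",)):
    """Check a listing for host `fqdn` in `realm`; returns a report dict."""
    entries = parse_klist(text)
    present = {principal for _, principal, _ in entries}
    expected = {f"{svc}/{fqdn}@{realm}" for svc in services}
    # A principal's name part should be "service/host"; two slashes means the
    # service was given as "svc/host" to a tool that appended the host again.
    odd = sorted(p for p in present if p.split("@")[0].count("/") > 1)
    weak = sorted({(p, e) for _, p, e in entries if e in WEAK_ENCTYPES})
    return {
        "missing": sorted(expected - present),
        "odd": odd,
        "weak": weak,
        "kvnos": {kvno for kvno, _, _ in entries},
    }


# Constructed sample listings, abridged from the klist output on this page.
CLIENT_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 05/06/13 16:24:51 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   4 05/06/13 16:24:52 host/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   4 05/06/13 16:24:52 CS1$@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (arcfour-hmac)
   4 05/06/13 16:24:53 nfs/cs1.cs.cpsc.ucalgary.ca/cs1.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
"""

SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (des-cbc-crc)
   2 05/06/13 16:21:39 nfs/file2.cs.cpsc.ucalgary.ca@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
   2 05/06/13 16:21:39 nfs/file2@CS.CPSC.UCALGARY.CA (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for name, text, fqdn, services in (
        ("client cs1", CLIENT_KEYTAB, "cs1.cs.cpsc.ucalgary.ca", ("host", "nfs")),
        ("server file2", SERVER_KEYTAB, "file2.cs.cpsc.ucalgary.ca", ("nfs",)),
    ):
        print(name, check_keytab(text, fqdn, "CS.CPSC.UCALGARY.CA", services))
```

On a real host, feed it the output of `klist -kte` (for example via `subprocess.run(["klist", "-kte"], capture_output=True, text=True).stdout`) and pass the machine's own FQDN and realm. An empty "missing" and "odd" list does not prove the KDC will accept the keys; a KVNO that differs from the KDC's copy still fails, which is why the KVNO set is reported for comparison.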
Joining Domain
To have the computer object created in a specific OU when joining the domain, pass the createcomputer option to net ads join, for example:
createcomputer='OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com'
Troubleshooting
mount.nfs4: access denied by server
Attempted to do:
root@cs1:/mnt# mount -t nfs4 -o sec=krb5i file2:/export/home /mnt/test
mount.nfs4: access denied by server while mounting file2:/export/home
rpcgssd -fvvv
returns:
dir_notify_handler: sig 37 si 0x7fffc1aa5bb0 data 0x7fffc1aa5a80
dir_notify_handler: sig 37 si 0x7fffc1aa5bb0 data 0x7fffc1aa5a80
dir_notify_handler: sig 37 si 0x7fffc1aa5a70 data 0x7fffc1aa5940
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
process_krb5_upcall: service is '<null>'
Full hostname for 'file2.cs.cpsc.ucalgary.ca' is 'file2.cs.cpsc.ucalgary.ca'
Full hostname for 'cs1.cs.cpsc.ucalgary.ca' is 'cs1.cs.cpsc.ucalgary.ca'
Success getting keytab entry for 'CS1$@CS.CPSC.UCALGARY.CA'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
using FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA
creating context using fsuid 0 (save_uid 0)
creating tcp client for server file2.cs.cpsc.ucalgary.ca
DEBUG: port already set to 2049
creating context with server nfs@file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create krb5 context for user with uid 0 for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA for server file2.cs.cpsc.ucalgary.ca
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server file2.cs.cpsc.ucalgary.ca
Full hostname for 'file2.cs.cpsc.ucalgary.ca' is 'file2.cs.cpsc.ucalgary.ca'
Full hostname for 'cs1.cs.cpsc.ucalgary.ca' is 'cs1.cs.cpsc.ucalgary.ca'
Success getting keytab entry for 'CS1$@CS.CPSC.UCALGARY.CA'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
using FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA
creating context using fsuid 0 (save_uid 0)
creating tcp client for server file2.cs.cpsc.ucalgary.ca
DEBUG: port already set to 2049
creating context with server nfs@file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create krb5 context for user with uid 0 for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with any credentials cache for server file2.cs.cpsc.ucalgary.ca
doing error downcall
dir_notify_handler: sig 37 si 0x7fffc1aa5bb0 data 0x7fffc1aa5a80
dir_notify_handler: sig 37 si 0x7fffc1aa5bb0 data 0x7fffc1aa5a80
dir_notify_handler: sig 37 si 0x7fffc1aa1470 data 0x7fffc1aa1340
dir_notify_handler: sig 37 si 0x7fffc1aa5ab0 data 0x7fffc1aa5980
dir_notify_handler: sig 37 si 0x7fffc1aa5ab0 data 0x7fffc1aa5980
dir_notify_handler: sig 37 si 0x7fffc1aa1470 data 0x7fffc1aa1340
dir_notify_handler: sig 37 si 0x7fffc1aa1470 data 0x7fffc1aa1340
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1d
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1c
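Traces like the one above are long and mostly repetition, so here is an added triage script (my own example, not code from Leo's Notes or from nfs-utils) that reads the rpcgssd -fvvv format and extracts what a defender wants first: which enctypes the kernel offered in the upcall (numbers mapped with the IANA Kerberos encryption-type registry, flagging the DES and RC4 ones), which keytab principal rpc.gssd obtained machine credentials with (in the trace above it is the computer account CS1$, not host/ or nfs/), which server principal the GSS context was attempted against, the distinct warnings, and whether the upcall ended in an error downcall. The sample trace embedded in it is a constructed, abridged copy of the one above.

```python
"""Triage an `rpcgssd -fvvv` trace for a failed sec=krb5* NFSv4 mount.

Added example (not from Leo's Notes or from nfs-utils). Enctype numbers are
mapped with the IANA Kerberos encryption-type registry.
"""
import re

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac"}

UPCALL_RE = re.compile(r"handle_gssd_upcall: 'mech=(\w+) uid=(\d+) enctypes=([\d,]+)")
KEYTAB_RE = re.compile(r"Success getting keytab entry for '([^']+)'")
TARGET_RE = re.compile(r"creating context with server (\S+)")
CCACHE_RE = re.compile(r"using (\S+) as credentials cache for machine creds")
WARN_RE = re.compile(r"^WARNING: (.*)$")


def triage_rpcgssd(log):
    """Return a dict summarising how rpc.gssd handled one upcall."""
    report = {"mech": None, "uid": None, "enctypes": [], "weak_offered": [],
              "keytab_principal": None, "target": None, "ccache": None,
              "warnings": [], "error_downcall": False}
    for raw in log.splitlines():
        line = raw.strip()
        if m := UPCALL_RE.search(line):
            report["mech"], report["uid"] = m.group(1), int(m.group(2))
            report["enctypes"] = [ENCTYPE_NAMES.get(int(n), f"enctype-{n}")
                                  for n in m.group(3).split(",")]
            report["weak_offered"] = [e for e in report["enctypes"] if e in WEAK_ENCTYPES]
        elif m := KEYTAB_RE.search(line):
            report["keytab_principal"] = m.group(1)
        elif m := TARGET_RE.search(line):
            report["target"] = m.group(1)
        elif m := CCACHE_RE.search(line):
            report["ccache"] = m.group(1)
        elif m := WARN_RE.match(line):
            if m.group(1) not in report["warnings"]:  # rpc.gssd retries, so dedupe
                report["warnings"].append(m.group(1))
        elif line == "doing error downcall":
            report["error_downcall"] = True
    return report


def verdict(report):
    """One-line reading of where in the exchange the failure sits."""
    if not report["error_downcall"]:
        return "no error downcall seen: the GSS context was established or the trace is incomplete"
    if report["keytab_principal"] and report["target"]:
        return (f"machine creds for {report['keytab_principal']} were obtained from the keytab, "
                f"but no GSS context could be built for {report['target']}: the failure is in "
                f"client-side context creation, not in the keytab lookup")
    return "error downcall without a keytab success line: credentials were never obtained"


# Constructed sample, abridged from the rpcgssd -fvvv trace on this page.
SAMPLE_LOG = """\
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1c)
process_krb5_upcall: service is '<null>'
Success getting keytab entry for 'CS1$@CS.CPSC.UCALGARY.CA'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA' are good until 1367913056
using FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA as credentials cache for machine creds
creating context with server nfs@file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create krb5 context for user with uid 0 for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA for server file2.cs.cpsc.ucalgary.ca
WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server file2.cs.cpsc.ucalgary.ca
Success getting keytab entry for 'CS1$@CS.CPSC.UCALGARY.CA'
creating context with server nfs@file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create krb5 context for user with uid 0 for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_CS.CPSC.UCALGARY.CA for server file2.cs.cpsc.ucalgary.ca
WARNING: Failed to create machine krb5 context with any credentials cache for server file2.cs.cpsc.ucalgary.ca
doing error downcall
"""

if __name__ == "__main__":
    r = triage_rpcgssd(SAMPLE_LOG)
    for key, value in r.items():
        print(f"{key}: {value}")
    print(verdict(r))
```

Run it as `rpcgssd -fvvv 2>&1 | tee gssd.log` followed by `python3 triage.py < gssd.log` (reading sys.stdin instead of SAMPLE_LOG). The script only localises the failing step; it does not guess at the cause, so the next move is to compare the target principal it prints against the server keytab and the KDC.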