User:Mattst88/NFS+Kerberos

CODE make-principals.sh
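#!/bin/bash
#
# make-principals.sh - enrol this NFS client in the MATTST88.COM realm.
#
# Must be run as root on the client.  Steps:
#   1. write /etc/krb5.conf for the realm;
#   2. create host/, nfs/, root/ and portage/ principals for this host
#      with random keys and export them into the client keytabs;
#   3. point rpc.gssd at gss-proxy and install the gss-proxy nfs-client
#      service definition;
#   4. install the autofs maps for the Kerberised exports;
#   5. reload systemd and restart the affected units.
#
# Needs: kadmin and ktutil (MIT krb5), gssproxy, nfs-utils, autofs, systemd.
# Prompts once for the password of ADMIN_PRINCIPAL.
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

readonly REALM=MATTST88.COM
readonly ADMIN_PRINCIPAL="mattst88/admin@${REALM}"

hostname=$(hostname -f) || die 'cannot determine the fully-qualified hostname'
readonly hostname
printf 'Hostname is %s\n' "$hostname"

# Principals to create for this host, in creation order.
principals=(
  "host/${hostname}@${REALM}"
  "nfs/${hostname}@${REALM}"
  "root/${hostname}@${REALM}"
  "portage/${hostname}@${REALM}"
)

# Keytab each principal is exported into.  host/ and nfs/ go into the system
# keytab; root/ and portage/ are per-uid gss-proxy client keytabs (see the
# client_keytab cred_store in 99-nfs-client.conf further down).
declare -A keytab_for=(
  ["host/${hostname}@${REALM}"]=/etc/krb5.keytab
  ["nfs/${hostname}@${REALM}"]=/etc/krb5.keytab
  ["root/${hostname}@${REALM}"]=/var/lib/gssproxy/clients/root.keytab
  ["portage/${hostname}@${REALM}"]=/var/lib/gssproxy/clients/portage.keytab
)

printf 'Enter Kerberos password: '
IFS= read -rs password
printf '\n'
: "${password:?no password entered}"

#######################################
# Run one kadmin query as ADMIN_PRINCIPAL.
# Arguments: $1 - the kadmin query string (e.g. "ank -randkey <princ>")
# Note: -w puts the password into kadmin's argv, where other local users can
# read it via `ps` for the duration of the call.  If the admin principal has
# a keytab, `kadmin -k -t <keytab>` avoids that.  Also note that kadmin's
# exit status may not reflect a failed query, so read its output.
#######################################
kadm() {
  kadmin -p "$ADMIN_PRINCIPAL" -w "$password" -q "$1"
}

# Realm configuration.  The delimiter is quoted so nothing in the file is
# touched by the shell; the $1/$0 in auth_to_local are krb5's own tokens.
cat <<'EOF' > /etc/krb5.conf
[libdefaults]
	default_realm = MATTST88.COM

[realms]
# use "kdc = ..." if realm admins haven't put SRV records into DNS
	MATTST88.COM = {
		kdc = server.mattst88.com
		admin_server = server.mattst88.com
		default_principal_flags = +preauth
		auth_to_local = RULE:[2:$1@$0](.*@MATTST88.COM)s/@.*//
	}

[domain_realm]
	.mattst88.com = MATTST88.COM
	mattst88.com = MATTST88.COM

[logging]
	kdc          = SYSLOG:NOTICE
	admin_server = SYSLOG:NOTICE
	default      = SYSLOG:NOTICE
EOF

for p in "${principals[@]}"; do
  # ank fails if the principal already exists (a re-run); carry on, the
  # ktadd below still writes its key into the keytab.
  kadm "ank -randkey ${p}" || true
done

for p in "${principals[@]}"; do
  kadm "ktadd -k ${keytab_for[$p]} ${p}"
done

# Keytabs hold long-term keys: root only.  chmod also fails loudly here if a
# ktadd above did not actually produce its file.
chmod 0600 -- "${keytab_for[@]}"

# Also copy the root/ keys into the system keytab.
ktutil <<'EOF'
rkt /var/lib/gssproxy/clients/root.keytab
wkt /etc/krb5.keytab
q
EOF

# Make rpc.gssd hand its GSS work to gss-proxy.
mkdir -p /etc/systemd/system/rpc-gssd.service.d
cat <<'EOF' > /etc/systemd/system/rpc-gssd.service.d/use-gss-proxy.conf
[Service]
Environment="GSS_USE_PROXY=yes"
EOF

# Replaces the whole file; only the gssd section is needed on this client.
cat <<'EOF' > /etc/nfs.conf
[gssd]
use-gss-proxy=1
EOF

# gss-proxy service for the NFS client: initiates credentials for any uid
# from that uid's client keytab under /var/lib/gssproxy/clients/.
cat <<'EOF' > /etc/gssproxy/99-nfs-client.conf
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/rcache/krb5cc_%u
  cred_store = client_keytab:/var/lib/gssproxy/clients/%u.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
EOF
# Packaged service definitions for roles this host does not have.
rm -f -- /etc/gssproxy/80-httpd.conf /etc/gssproxy/24-nfs-server.conf

# Direct map for the Kerberised exports (fields are tab-separated).
cat <<'EOF' > /etc/autofs/auto.gentoo
/var/cache/distfiles	-sec=krb5i		server:/var/cache/distfiles
/var/cache/binpkgs	-sec=krb5i		server:/var/cache/binpkgs
/var/db/repos/crossdev	-sec=krb5i		server:/var/db/repos/crossdev
/var/db/repos/sqfs	-sec=krb5i		server:/var/db/repos/sqfs
/var/db/repos/gentoo	-fstype=squashfs	:/var/db/repos/sqfs/gentoo.sqfs
EOF

# Hook the direct map into auto.master once.  Match on the map path rather
# than the bare word "gentoo" so an unrelated line cannot mask a missing entry.
if ! grep -qF -- /etc/autofs/auto.gentoo /etc/autofs/auto.master; then
  printf '\n/-\t\t\t/etc/autofs/auto.gentoo\t\t\t--timeout 60\n' >> /etc/autofs/auto.master
fi

systemctl daemon-reload
systemctl enable  gssproxy rpc-gssd nfs-client.target autofs
systemctl restart gssproxy rpc-gssd nfs-client.target autofs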

TODO

Troubleshooting

DNS

  • DNS is critical to Kerberos, so make sure that both client and server can do reverse DNS lookups of the other's IP and obtain its fully-qualified domain name. If the client, for example, cannot do a reverse DNS lookup of the server's IP, it will fail.

Using host from net-dns/bind-tools:

imac-g4 $host 10.0.0.1
1.0.0.10.in-addr.arpa domain name pointer server.mattst88.com.
imac-g4 $ping server
PING server.mattst88.com (10.0.0.1) 56(84) bytes of data.
64 bytes from _gateway (10.0.0.1): icmp_seq=1 ttl=0 time=0.423 ms
Feb 26 09:09:24 server krb5kdc[691]: TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 10.0.0.33: LOOKING_UP_SERVER: authtime 0, etypes {rep=UNSUPPORTED:(0)} root/imac-g4.mattst88.com@MATTST88.COM for nfs/_gateway@MATTST88.COM, Server not found in Kerberos database


In this case, removing mymachines and myhostname from the hosts: line of /etc/nsswitch.conf resolved the error above (the reverse lookup of 10.0.0.1 returned _gateway instead of server.mattst88.com, so the client requested a ticket for nfs/_gateway, which does not exist in the KDC):

FILE /etc/nsswitch.conf
[...]
hosts:      resolve [!UNAVAIL=return] files dns
[...]
imac-g4 $ping server
PING server.mattst88.com (10.0.0.1) 56(84) bytes of data.
64 bytes from server.mattst88.com (10.0.0.1): icmp_seq=1 ttl=0 time=0.398 ms
Feb 23 17:29:30 server krb5kdc[691]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: NEEDED_PREAUTH: root/imac-g4.mattst88.com@MATTST88.COM for krbtgt/MATTST88.COM@MATTST88.COM, Additional pre-authentication required
Feb 23 17:29:30 server krb5kdc[691]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: ISSUE: authtime 1645666170, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, root/imac-g4.mattst88.com@MATTST88.COM for krbtgt/MATTST88.COM@MATTST88.COM
Feb 23 17:29:30 server krb5kdc[691]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: ISSUE: authtime 1645666170, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, root/imac-g4.mattst88.com@MATTST88.COM for nfs/server.mattst88.com@MATTST88.COM
Feb 23 17:29:30 server krb5kdc[691]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: NEEDED_PREAUTH: portage/imac-g4.mattst88.com@MATTST88.COM for krbtgt/MATTST88.COM@MATTST88.COM, Additional pre-authentication required
Feb 23 17:29:30 server krb5kdc[691]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: ISSUE: authtime 1645666170, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, portage/imac-g4.mattst88.com@MATTST88.COM for krbtgt/MATTST88.COM@MATTST88.COM
Feb 23 17:29:30 server krb5kdc[691]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.33: ISSUE: authtime 1645666170, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, portage/imac-g4.mattst88.com@MATTST88.COM for nfs/server.mattst88.com@MATTST88.COM

Client keytab

root #klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/tortuga.mattst88.com@MATTST88.COM
   2 host/tortuga.mattst88.com@MATTST88.COM
   2 nfs/tortuga.mattst88.com@MATTST88.COM
   2 nfs/tortuga.mattst88.com@MATTST88.COM
   2 root/tortuga.mattst88.com@MATTST88.COM
   2 root/tortuga.mattst88.com@MATTST88.COM
root #klist -k /var/lib/gssproxy/clients/root.keytab
Keytab name: FILE:/var/lib/gssproxy/clients/root.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 root/tortuga.mattst88.com@MATTST88.COM
   2 root/tortuga.mattst88.com@MATTST88.COM
root #klist -k /var/lib/gssproxy/clients/portage.keytab
Keytab name: FILE:/var/lib/gssproxy/clients/portage.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 portage/tortuga.mattst88.com@MATTST88.COM
   2 portage/tortuga.mattst88.com@MATTST88.COM

Client credential cache

root #klist -c /var/lib/gssproxy/rcache/krb5cc_portage
Ticket cache: FILE:/var/lib/gssproxy/rcache/krb5cc_portage
Default principal: portage/tortuga.mattst88.com@MATTST88.COM

Valid starting       Expires              Service principal
03/09/2022 17:54:43  03/10/2022 03:54:43  krbtgt/MATTST88.COM@MATTST88.COM
        renew until 03/10/2022 17:54:43
03/09/2022 17:54:43  03/10/2022 03:54:43  nfs/server.mattst88.com@MATTST88.COM
        renew until 03/10/2022 17:54:43