”’Note that I’m not a kerberos expert by any means. These short instructions got puzzled together from some tutorials, and they work for me. It’s likely I forgot something too, so YMMV”’
1. Initialize the kdc database. On debian this is done through debconf at package install time. Take the rest of the initial setup of /etc/krb5.conf and /etc/krb5kdc/kadm.acl etc from the first link of the resources.
1. Add an admin account.
kadmin.local -q "addprinc root/admin"
1. Add an account for the machine
kadmin.local -q "addprinc -randkey host/foo.bar"
1. For every client, on the server
1. Add a machine account
kadmin -q "addprinc -randkey host/client.bar"
1. Add a nfs account
kadmin -q "addprinc -randkey nfs/client.bar"
1. On every client add the keys generated on the server to the tab
kadmin -q "ktadd host/client.bar" kadmin -q "ktadd -e des-cbc-crc:normal nfs/client.bar"
- In debian, edit /etc/default/nfs-common and nfs-kernel-server to make sure that statd is not running, and that idmap and the gss services are started.
- Make sure that the fqdn of the server doesn’t resolve to 127.0.0.1 through /etc/hosts – it will break kadmin
- Edit /etc/idmap.confand change
[General] Domain = your.domain
Otherwise you will get errors like ”rpc.svcgssd: WARNING: get_ids: failed to map name ‘nfs/alucardo.nd.mcbf.net@ND.MCBF.NET’ to uid/gid: Invalid argument” in syslog.
- hostname –fqdn really does need to return the full-qualified domain name. Often it does not, because many people set up /etc/hostsso that the unqualified domain name comes before the full qualified one. A correct setup is:
10.0.0.1 foo.bar foo
A wrong setup will cause errors like
Aug 23 20:47:19 tor rpc.svcgssd: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No principal in keytab matches desired name Aug 23 20:47:19 tor rpc.svcgssd: Unable to obtain credentials for 'nfs' Aug 23 20:47:19 tor rpc.svcgssd: unable to obtain root (machine) credentials Aug 23 20:47:19 tor rpc.svcgssd: do you have a keytab entry for nfs/@ in /etc/krb5.keytab?
- Clocks must be synchronized (ntp is sufficient), or you will get strange errors. I.e. an gss error where the major code is Unknown Error and the minor code is unknown as well.
- Looks good, but not used for this guide: http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs_howto.pdf
Additional pages not really used: