David Mohr

Setup

”’Note that I’m not a kerberos expert by any means. These short instructions got puzzled together from some tutorials, and they work for me. It’s likely I forgot something too, so YMMV”’

1. Initialize the kdc database. On debian this is done through debconf at package install time. Take the rest of the initial setup of /etc/krb5.conf and /etc/krb5kdc/kadm.acl etc from the first link of the resources.
1. Add an admin account.

 
kadmin.local -q "addprinc root/admin"

1. Add an account for the machine

kadmin.local -q "addprinc -randkey host/foo.bar"

1. For every client, on the server
1. Add a machine account

kadmin -q "addprinc -randkey host/client.bar"

1. Add a nfs account

kadmin -q "addprinc -randkey nfs/client.bar"

1. On every client add the keys generated on the server to the tab

kadmin -q "ktadd host/client.bar"
kadmin -q "ktadd -e des-cbc-crc:normal nfs/client.bar"

Notes

• In debian, edit /etc/default/nfs-common and nfs-kernel-server to make sure that statd is not running, and that idmap and the gss services are started.
• Make sure that the fqdn of the server doesn’t resolve to 127.0.0.1 through /etc/hosts – it will break kadmin
• Edit /etc/idmap.confand change

[General] Domain = your.domain

Otherwise you will get errors like ”rpc.svcgssd[5054]: WARNING: get_ids: failed to map name ‘nfs/alucardo.nd.mcbf.net@ND.MCBF.NET’ to uid/gid: Invalid argument” in syslog.

• hostname –fqdn really does need to return the full-qualified domain name. Often it does not, because many people set up /etc/hostsso that the unqualified domain name comes before the full qualified one. A correct setup is:

10.0.0.1 foo.bar foo

A wrong setup will cause errors like

Aug 23 20:47:19 tor rpc.svcgssd[4738]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No principal in keytab matches desired name 
Aug 23 20:47:19 tor rpc.svcgssd[4738]: Unable to obtain credentials for 'nfs' 
Aug 23 20:47:19 tor rpc.svcgssd[4738]: unable to obtain root (machine) credentials 
Aug 23 20:47:19 tor rpc.svcgssd[4738]: do you have a keytab entry for nfs/@ in /etc/krb5.keytab?

• Clocks must be synchronized (ntp is sufficient), or you will get strange errors. I.e. an gss error where the major code is Unknown Error and the minor code is unknown as well.

Resources

• http://www.itp.uzh.ch/~dpotter/howto/kerberos
• http://www.freesoftwaremagazine.com/blogs/securing_nfs
• http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
• http://www.debian-administration.org/articles/570
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521878
• Looks good, but not used for this guide: http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs_howto.pdf

Additional pages not really used:

• http://www.vanemery.com/DAS/260-kerb5.html
• http://web.mit.edu/kerberos/krb5-1.3/krb5-1.3/doc/krb5-admin.html

My card uses the saa7134 driver. lspci output:

00:0a.0 Multimedia controller: Philips Semiconductors SAA7131/SAA7133/SAA7135 Video Broadcast Decoder (rev d1)
	Subsystem: Micro-Star International Co., Ltd. TV@nywhere Plus

It seems in 2.6 kernels with this driver the remote should just register as a keyboard, you can check in /proc/bus/input/devices if it shows up. Mine did not out of the box on debian testing with a 2.6.26 kernel.

With 2.6.29 a patch (http://marc.info/?l=linux-video&m=122086916009931&w=2) is integrated which does make the remote show up as a keyboard input. Using it then with lirc requires a special config file: http://linux.bytesex.org/v4l2/faq.html#lircd , which seems to be the same essentially as http://www.lemis.com/grog/programs/multimedia/TVatnywhere. I ended up using the former. It does work fine now, aside from two buttons which are switched somehow, which is not a big deal to me.

The remaining step is to setup an ~/.lircrc. Information on this is surprisingly sparse, so I’ll post my version shortly.