Using authd with NFS¶
The user identifiers (UIDs) and group identifiers (GIDs) assigned by authd are unique to each machine. This means that when using authd with NFS, the UIDs and GIDs of users and groups on the NFS server will not match those on the client machines, which leads to permission issues.
To avoid these issues, you can use NFS with ID mapping and Kerberos. This ensures that the UIDs and GIDs are mapped correctly across all machines.
Setting up NFS with IDMAP and Kerberos¶
This guide will walk you through setting up an NFS server with ID mapping and Kerberos authentication. After following the steps outlined below, the user alice will be able to access a shared directory on the server from a client machine.
Steps for the server¶
Step 1: Install required packages¶
Install packages: On the NFS server, run:
sudo apt install -y nfs-kernel-server nfs-common rpcbind krb5-user krb5-admin-server krb5-kdc
Handle Kerberos configuration prompts: During the installation of krb5-user, you will be prompted to provide configuration details for Kerberos. Here’s what to enter:
Default Kerberos version 5 realm: Enter the Kerberos realm name, which is the uppercase version of your domain. For example:
EXAMPLE.COM
Kerberos servers for your realm: Enter the hostname of the Key Distribution Center (KDC). Assuming the KDC is on the same host as the NFS server:
server.example.com
Administrative server for your Kerberos realm: Enter the hostname of the Kerberos admin server, which is also the same as the NFS server in this case:
server.example.com
Step 2: Configure Kerberos¶
Create the Realm:
sudo krb5_newrealm
Follow the prompts to set up the Kerberos realm.
Add principals: In Kerberos, a principal is a unique identity that is used for authentication.
Add a principal for the NFS server: This principal is used by the NFS client to authenticate when mounting an NFS directory.
sudo kadmin.local addprinc -randkey nfs/server.example.com
Add a principal for the user alice: This principal is used for authentication when the user accesses the mounted NFS directory.
sudo kadmin.local addprinc alice
When prompted, set a password for the user alice.
Generate Keytabs:
A keytab is a file that contains Kerberos principals and their associated secret keys. It allows services (such as NFS) to authenticate without needing to input a password each time.
Export the keytab for the NFS server and the user alice:
sudo kadmin.local ktadd -k /etc/krb5.keytab nfs/server.example.com
Step 3: Configure the NFS server¶
Create and configure the shared directory:
You’ll need to create the directory to share via NFS and configure the shared directory in the /etc/exports file.
Create a directory owned by alice:
sudo mkdir -p /srv/nfs/shared/alice
sudo chown alice:alice /srv/nfs/shared/alice
Configure exports: Edit the /etc/exports file to define the shared directory:
sudo editor /etc/exports
Add this line:
/srv/nfs/shared *(rw,sync,no_subtree_check,sec=krb5)
Configure IDMAP: Edit the IDMAP configuration:
sudo editor /etc/idmapd.conf
Ensure the following is set:
[General]
Domain = example.com
Restart services:
sudo systemctl restart nfs-kernel-server rpcbind rpc-svcgssd
Verify running services: Check the status of the relevant services:
sudo systemctl status nfs-kernel-server rpcbind rpc-svcgssd
Steps for the client¶
Step 1: Install required packages¶
Install packages: On the NFS client, run:
sudo apt install -y nfs-common krb5-user rpcbind
Handle Kerberos configuration prompts: During the installation of krb5-user, you will be prompted to provide configuration details for Kerberos again. Enter the same details as before:
Default Kerberos version 5 realm:
EXAMPLE.COM
Kerberos servers for your realm:
server.example.com
Administrative server for your Kerberos realm:
server.example.com
Step 2: Copy the Kerberos keytab file¶
Copy keytab file: Securely copy the keytab from the server to the client and set the correct permissions:
scp [email protected]:/etc/krb5.keytab /tmp/krb5.keytab && \
sudo mv /tmp/krb5.keytab /etc/krb5.keytab && \
sudo chown root:root /etc/krb5.keytab && \
sudo chmod 600 /etc/krb5.keytab
Step 3: Configure NFS client¶
Configure IDMAP: Edit the IDMAP configuration:
sudo editor /etc/idmapd.conf
Ensure the following is set:
[General]
Domain = example.com
Restart services:
sudo systemctl restart nfs-client.target rpc-gssd.service rpcbind.service
Verify running services: Check the status of the relevant services:
sudo systemctl status nfs-client.target rpc-gssd.service auth-rpcgss-module.service rpcbind.service
Step 5: Obtain Kerberos ticket¶
Log in as the user alice and authenticate:
kinit alice
Verify the ticket:
klist
Step 6: Test and debug¶
Test access to the share: As the user alice, try accessing the share:
ls -la /home/alice/nfs
Create a test file to verify write access:
touch /home/alice/nfs/test
Check logs if issues arise:
On the server:
sudo journalctl -u nfs-kernel-server -u rpcbind -u rpc-svcgssd
On the client:
sudo journalctl -u rpcbind -u rpc-gssd
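Before reading logs, it is worth confirming that the three settings this guide depends on are actually in place: the export requires a Kerberos security flavour, the idmapd Domain matches on server and client, and the keytab holds the nfs/ service principal. The POSIX shell script below is an added example (not part of the authd documentation); it runs offline over constructed sample input and accepts sec=krb5i and sec=krb5p as well as sec=krb5, which goes slightly beyond the single flavour used above.

```shell
#!/bin/sh
# Added example, not from the authd docs: offline checks for the settings this
# guide depends on. Sample inputs are constructed; in real use feed the actual
# /etc/exports, /etc/idmapd.conf and `klist -k` output.
# 0 if every client spec on an /etc/exports line carries a Kerberos flavour
# (sec=krb5, krb5i or krb5p); 1 if any client could still mount with sec=sys.
export_is_kerberized() {
    set -f                      # client spec is usually "*": no globbing
    set -- $1
    set +f
    shift                       # drop the exported path
    [ $# -gt 0 ] || return 1
    for spec in "$@"; do
        case "$spec" in
            *\(*sec=krb5*\)*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
# Print Domain from the [General] section of idmapd.conf text on stdin; server
# and client must agree or user@domain names map to the nobody user.
idmap_domain() {
    awk -F= '
        /^[[:space:]]*\[/ { general = ($0 ~ /^[[:space:]]*\[General\]/) }
        general && $1 ~ /^[[:space:]]*Domain[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }'
}
# 0 if `klist -k` output ($1) lists principal $2 (given without its realm).
keytab_has_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2@"
}
# Constructed sample data mirroring the guide.
SERVER_IDMAP='[General]
Domain = example.com
[Mapping]
Nobody-User = nobody'
CLIENT_IDMAP='[General]
Verbosity = 0
Domain = example.com'
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
   2 nfs/server.example.com@EXAMPLE.COM'
run_checks() {
    export_is_kerberized '/srv/nfs/shared *(rw,sync,no_subtree_check,sec=krb5)' || return 1
    [ "$(printf '%s\n' "$SERVER_IDMAP" | idmap_domain)" = "$(printf '%s\n' "$CLIENT_IDMAP" | idmap_domain)" ] || return 1
    keytab_has_principal "$KLIST_OUT" nfs/server.example.com
}
run_checks && echo "exports, idmap domain and keytab are consistent"
```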
Cleanup¶
If you no longer need the NFS share or want to clean up the configuration, follow these steps:
On the server¶
Purge installed packages:
sudo apt purge "krb*" "nfs-*"
Remove Kerberos configuration and data:
sudo sh -c "rm -rf /etc/krb5* /var/lib/krb5kdc/* /tmp/krb5*"
Remove the shared directory:
sudo rm -rf /srv/nfs/shared
sudo rmdir /srv/nfs
On the client¶
Unmount the shared directory and delete the mountpoint:
sudo umount /home/alice/nfs
sudo rmdir /home/alice/nfs
Purge installed packages:
sudo apt purge nfs-common krb5-* rpcbind
Remove Kerberos data:
sudo rm -f /etc/krb5.keytab /tmp/krb5*