Open Software. Open Knowledge.


Tim's WebLog

The long road to Kerberos/LDAP/NFSv4 and a shortcut

Recently we got a new server at university. It will replace the current file and authentication server which uses NIS and NFSv3. It provides us with a good opportunity to upgrade to something more secure and efficient. So I took on the journey to setup OpenLDAP as user directory, Kerberos for authentication, and NFSv4 for file sharing. But the way took a little time, only to find out later a shortcut which makes it almost a piece of cake. The long way still provides insightful information, therefore it's still useful to try it do-it-yourself style first.

Rather than writing yet another howto, I will link to documents that I used during the initial setup. The most relevant source is the Kerberos/LDAP/NFSv4 HOWTO. It describes the way pretty much step by step. If you want to replace NIS like us the Replacing NIS with Kerberos and LDAP HOWTO is a good read. We use CentOS 5.6 on the file server. The most common pitfall to run into then is that the NFS code there only supports weak ciphers. As client we used a Fedora 14 machine, which will only try strong ciphers by default (cf. for example Red Hat/Fedora bug reports #652273 and #573968). First edit /etc/krb5.conf and set allow_weak_crypto = yes in the [libdefaults] section. Then make sure to add -e des-cbc-crc:normal to the ktadd command to export keys to the keytab for the NFS service keys (nfs/host@REALM). It is described in the NFSv4 Kerberos Setup Guide, as well as the mentioned howto, but something to be easily missed and hard to diagnose when new to the system. The NFSv4 Linux FAQ provides some tips for NFS problems. Another document describes common Kerberos issues. When googling the Ubuntu NFSv4 HOWTO frequently comes up, but it does not provide much useful additional information.

Once I had it running I was pointed to FreeIPA. It is an integrated solution that combines the 389 directory server, Kerberos, and the Dogtag Certificate System with nice console administration tools and a helpful WebUI. I went straight for version 2.0.0 for which a new Enterprise Identity Management Guide is currently work in progress. FreeIPA 2.0.0 is not perfect, yet, and I had to report a few bugs, but it makes the overall process much easier. You still need to allo weak cryptos if CentOS/RHEL 5 is involved by yourself, IPA won't do that automatically for you. If you run into problems that the authentication fails (add -vvvvv as RPC idmapd and gssd/svcgssd flags to see this), wipe out the keys on both server and client and get new ones with the -e des-cbc-crc:normal for the NFS service keys! The nice people behind the project are extremely helpful if you ask nicely via IRC.

Have fun and enjoy secure authentication and encrypted file sharing as we hopefully will once the system is deployed.

Comments for this posting

FreeIPA 2.0

Thanks for the write up. I'm proud of what we've done on the 2.0 Release, and more good stuff is coming.

Top 5 Pages
Friends' blogs
SquidGuard Webmin Module

Palm Software
UniMatrix UniMensa UniSorter
UniChat OHS Mobile Onager

My Bookshelf

Valid XHTML 1.1!

RSS Copyright © 2000-2016 by Tim Niemueller