where can I ask user qns about nfs4?

where can I ask user qns about nfs4?

[steve]

I want to ask a question about nfs4 keytabs and Samba 4. I've tried 
asking here, on the Samba 4 list and on the openSUSE list (which is my 
Linux distribution) but they refer me to an nfs list. I see that this 
list is only for nfs devs.

I don't want to waste your time here but my question is just this:

My nfs4 server has a service principal nfs/server.domain.name

I already use nfs4 to serve my Linux clients. I'm going to kerberize it. 
My clients already have machine and host principals. What else do they need?

1. nfs/client.domain.name
2. nfs/server.domain/name
3. neither
4. both

The Google doco is contradictory and confusing to say the least. If you 
can't help, could you point me in the right direction?

Thanks so much fr your time,
Steve

Re: where can I ask user qns about nfs4?

[Tigran Mkrtchyan]

Hi Steve,

On Thu, Feb 2, 2012 at 7:39 AM, steve <steve@steve-ss.com> wrote:
> I want to ask a question about nfs4 keytabs and Samba 4. I've tried asking
> here, on the Samba 4 list and on the openSUSE list (which is my Linux
> distribution) but they refer me to an nfs list. I see that this list is only
> for nfs devs.
>
> I don't want to waste your time here but my question is just this:
>
> My nfs4 server has a service principal nfs/server.domain.name
>
> I already use nfs4 to serve my Linux clients. I'm going to kerberize it. My
> clients already have machine and host principals. What else do they need?
>
> 1. nfs/client.domain.name
> 2. nfs/server.domain/name
> 3. neither
> 4. both
>

We run kerberized NFS.

our keytab contains:

on server;
  nfs/server.domain

on client:
  nfs/client.domain

and, of course, you need a consistent  idmap configuration.

Tigran.

> The Google doco is contradictory and confusing to say the least. If you
> can't help, could you point me in the right direction?
>
> Thanks so much fr your time,
> Steve
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?

[steve]

On 02/02/12 11:58, Tigran Mkrtchyan wrote:
> Hi Steve,
>
>>
>> I already use nfs4 to serve my Linux clients. I'm going to kerberize it. My
>> clients already have machine and host principals. What else do they need?
>>
>> 1. nfs/client.domain.name
>> 2. nfs/server.domain/name
>> 3. neither
>> 4. both
>>
>
> We run kerberized NFS.
>
> our keytab contains:
>
> on server;
>    nfs/server.domain
>
> on client:
>    nfs/client.domain
>
> and, of course, you need a consistent  idmap configuration.
>
> Tigran.
>
Hi Tigran

That's what we have on our test lan at the moment. I can understand that 
the server would need the service principal:
    nfs/server.domain
but not the client, as it's not offering any kerberized service.

As an experiment, I removed the nfs/client.domain from a client keytab, 
rebooted and remounted the share. We could still access the kerberized 
nfs share. Maybe there were still some tickets left somewhere? That has 
me really confused.

And yes, we found out very early on that idmapd had to be running at 
both ends.

Thanks for the reply. You've got me thinking.
Steve

Re: nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?

[Tigran Mkrtchyan]

On Thu, Feb 2, 2012 at 12:33 PM, steve <steve@steve-ss.com> wrote:
> On 02/02/12 11:58, Tigran Mkrtchyan wrote:
>>
>> Hi Steve,
>>
>>>
>>> I already use nfs4 to serve my Linux clients. I'm going to kerberize it.
>>> My
>>> clients already have machine and host principals. What else do they need?
>>>
>>> 1. nfs/client.domain.name
>>> 2. nfs/server.domain/name
>>> 3. neither
>>> 4. both
>>>
>>
>> We run kerberized NFS.
>>
>> our keytab contains:
>>
>> on server;
>>   nfs/server.domain
>>
>> on client:
>>   nfs/client.domain
>>
>> and, of course, you need a consistent  idmap configuration.
>>
>> Tigran.
>>
> Hi Tigran
>
> That's what we have on our test lan at the moment. I can understand that the
> server would need the service principal:
>   nfs/server.domain
> but not the client, as it's not offering any kerberized service.

The mount step happens on behalf of host as there are no user requests yet.
Client host credentials are used at that time.

>
> As an experiment, I removed the nfs/client.domain from a client keytab,
> rebooted and remounted the share. We could still access the kerberized nfs
> share. Maybe there were still some tickets left somewhere? That has me
> really confused.

Huh! did you enforce kerberos in /etc/exports?

Tigran.
>
> And yes, we found out very early on that idmapd had to be running at both
> ends.
>
> Thanks for the reply. You've got me thinking.
> Steve

Re: nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?

[steve]

On 02/02/2012 02:05 PM, Tigran Mkrtchyan wrote:
> On Thu, Feb 2, 2012 at 12:33 PM, steve<steve@steve-ss.com>  wrote:
>> On 02/02/12 11:58, Tigran Mkrtchyan wrote:
>>> Hi Steve,
>>>
>>>> I already use nfs4 to serve my Linux clients. I'm going to kerberize it.
>>>> My
>>>> clients already have machine and host principals. What else do they need?
>>>>
>>>> 1. nfs/client.domain.name
>>>> 2. nfs/server.domain/name
>>>> 3. neither
>>>> 4. both
>>>>
>>> We run kerberized NFS.
>>>
>>> our keytab contains:
>>>
>>> on server;
>>>    nfs/server.domain
>>>
>>> on client:
>>>    nfs/client.domain
>>>
>>> and, of course, you need a consistent  idmap configuration.
>>>
>>> Tigran.
>>>
>> Hi Tigran
>>
>> That's what we have on our test lan at the moment. I can understand that the
>> server would need the service principal:
>>    nfs/server.domain
>> but not the client, as it's not offering any kerberized service.
> The mount step happens on behalf of host as there are no user requests yet.
> Client host credentials are used at that time.
>
>> As an experiment, I removed the nfs/client.domain from a client keytab,
>> rebooted and remounted the share. We could still access the kerberized nfs
>> share. Maybe there were still some tickets left somewhere? That has me
>> really confused.
> Huh! did you enforce kerberos in /etc/exports?
>
Yes. /etc/exports exports as gss/krb5
I made a screenshot:

http://3.bp.blogspot.com/-g40b11Ys_DA/TypYtlO-ixI/AAAAAAAAAIc/cZdeRhnVuY4/s1600/s4all.png

That's why I'm confused.
Steve

Re: nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?

[steve]

On 02/02/12 14:29, steve wrote:
> On 02/02/2012 02:05 PM, Tigran Mkrtchyan wrote:
>> On Thu, Feb 2, 2012 at 12:33 PM, steve<steve@steve-ss.com>  wrote:
>>> On 02/02/12 11:58, Tigran Mkrtchyan wrote:
>>>> Hi Steve,
>>>>
>>>>> I already use nfs4 to serve my Linux clients. I'm going to 
>>>>> kerberize it.
>>>>> My
>>>>> clients already have machine and host principals. What else do 
>>>>> they need?
>>>>>
>>>>> 1. nfs/client.domain.name
>>>>> 2. nfs/server.domain/name
>>>>> 3. neither
>>>>> 4. both
>>>>>
>>>> We run kerberized NFS.
>>>>
>>>> our keytab contains:
>>>>
>>>> on server;
>>>>    nfs/server.domain
>>>>
>>>> on client:
>>>>    nfs/client.domain
>>>>
>>>> and, of course, you need a consistent  idmap configuration.
>>>>
>>>> Tigran.
>>>>
>>> Hi Tigran
>>>
>>> That's what we have on our test lan at the moment. I can understand 
>>> that the
>>> server would need the service principal:
>>>    nfs/server.domain
>>> but not the client, as it's not offering any kerberized service.
>> The mount step happens on behalf of host as there are no user 
>> requests yet.
>> Client host credentials are used at that time.
>>
>>> As an experiment, I removed the nfs/client.domain from a client keytab,
>>> rebooted and remounted the share. We could still access the 
>>> kerberized nfs
>>> share. Maybe there were still some tickets left somewhere? That has me
>>> really confused.
>> Huh! did you enforce kerberos in /etc/exports?
>>
> Yes. /etc/exports exports as gss/krb5
> I made a screenshot:
>
> http://3.bp.blogspot.com/-g40b11Ys_DA/TypYtlO-ixI/AAAAAAAAAIc/cZdeRhnVuY4/s1600/s4all.png 
>
>
> That's why I'm confused.
> Steve

Digging a bit further, here is the output of mount on the client:
http://dl.dropbox.com/u/45150875/krb5testnfs.png

And this appears immediately after the mount:
http://dl.dropbox.com/u/45150875/krb5nfstmp.png

Most of the documentation tells you to stick nfs into the client keytab 
as well as the server keytab, but here, I only have the principal on the 
server.

What am I missing?
Thanks,
Steve

Re: nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?

[Tigran Mkrtchyan]

On Thu, Feb 2, 2012 at 3:56 PM, steve <steve@steve-ss.com> wrote:
> On 02/02/12 14:29, steve wrote:
>>
>> On 02/02/2012 02:05 PM, Tigran Mkrtchyan wrote:
>>>
>>> On Thu, Feb 2, 2012 at 12:33 PM, steve<steve@steve-ss.com>  wrote:
>>>>
>>>> On 02/02/12 11:58, Tigran Mkrtchyan wrote:
>>>>>
>>>>> Hi Steve,
>>>>>
>>>>>> I already use nfs4 to serve my Linux clients. I'm going to kerberize
>>>>>> it.
>>>>>> My
>>>>>> clients already have machine and host principals. What else do they
>>>>>> need?
>>>>>>
>>>>>> 1. nfs/client.domain.name
>>>>>> 2. nfs/server.domain/name
>>>>>> 3. neither
>>>>>> 4. both
>>>>>>
>>>>> We run kerberized NFS.
>>>>>
>>>>> our keytab contains:
>>>>>
>>>>> on server;
>>>>>   nfs/server.domain
>>>>>
>>>>> on client:
>>>>>   nfs/client.domain
>>>>>
>>>>> and, of course, you need a consistent  idmap configuration.
>>>>>
>>>>> Tigran.
>>>>>
>>>> Hi Tigran
>>>>
>>>> That's what we have on our test lan at the moment. I can understand that
>>>> the
>>>> server would need the service principal:
>>>>   nfs/server.domain
>>>> but not the client, as it's not offering any kerberized service.
>>>
>>> The mount step happens on behalf of host as there are no user requests
>>> yet.
>>> Client host credentials are used at that time.
>>>
>>>> As an experiment, I removed the nfs/client.domain from a client keytab,
>>>> rebooted and remounted the share. We could still access the kerberized
>>>> nfs
>>>> share. Maybe there were still some tickets left somewhere? That has me
>>>> really confused.
>>>
>>> Huh! did you enforce kerberos in /etc/exports?
>>>
>> Yes. /etc/exports exports as gss/krb5
>> I made a screenshot:
>>
>>
>> http://3.bp.blogspot.com/-g40b11Ys_DA/TypYtlO-ixI/AAAAAAAAAIc/cZdeRhnVuY4/s1600/s4all.png
>>
>> That's why I'm confused.
>> Steve
>
>
> Digging a bit further, here is the output of mount on the client:
> http://dl.dropbox.com/u/45150875/krb5testnfs.png
>
> And this appears immediately after the mount:
> http://dl.dropbox.com/u/45150875/krb5nfstmp.png
>
> Most of the documentation tells you to stick nfs into the client keytab as
> well as the server keytab, but here, I only have the principal on the
> server.
>
> What am I missing?

I think client simply falls back to 'host' if nfs entry is not available.

Tigran.
> Thanks,
> Steve
>

Re: nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?

[steve]

On 02/02/2012 07:57 PM, Tigran Mkrtchyan wrote:
> On Thu, Feb 2, 2012 at 3:56 PM, steve<steve@steve-ss.com>  wrote:
>> On 02/02/12 14:29, steve wrote:
>>> On 02/02/2012 02:05 PM, Tigran Mkrtchyan wrote:
>>>> On Thu, Feb 2, 2012 at 12:33 PM, steve<steve@steve-ss.com>    wrote:
>>>>> On 02/02/12 11:58, Tigran Mkrtchyan wrote:
>>>>>> Hi Steve,
>>>>>>
>>>>>>> I already use nfs4 to serve my Linux clients. I'm going to kerberize
>>>>>>> it.
>>>>>>> My
>>>>>>> clients already have machine and host principals. What else do they
>>>>>>> need?
>>>>>>>
>>>>>>> 1. nfs/client.domain.name
>>>>>>> 2. nfs/server.domain/name
>>>>>>> 3. neither
>>>>>>> 4. both
>>>>>>>
>>>>>> We run kerberized NFS.
>>>>>>
>>>>>> our keytab contains:
>>>>>>
>>>>>> on server;
>>>>>>    nfs/server.domain
>>>>>>
>>>>>> on client:
>>>>>>    nfs/client.domain
>>>>>>
>>>>>> and, of course, you need a consistent  idmap configuration.
>>>>>>
>>>>>> Tigran.
>>>>>>
>>>>> Hi Tigran
>>>>>
>>>>> That's what we have on our test lan at the moment. I can understand that
>>>>> the
>>>>> server would need the service principal:
>>>>>    nfs/server.domain
>>>>> but not the client, as it's not offering any kerberized service.
>>>> The mount step happens on behalf of host as there are no user requests
>>>> yet.
>>>> Client host credentials are used at that time.
>>>>
>>>>> As an experiment, I removed the nfs/client.domain from a client keytab,
>>>>> rebooted and remounted the share. We could still access the kerberized
>>>>> nfs
>>>>> share. Maybe there were still some tickets left somewhere? That has me
>>>>> really confused.
>>>> Huh! did you enforce kerberos in /etc/exports?
>>>>
>>> Yes. /etc/exports exports as gss/krb5
>>> I made a screenshot:
>>>
>>>
>>> http://3.bp.blogspot.com/-g40b11Ys_DA/TypYtlO-ixI/AAAAAAAAAIc/cZdeRhnVuY4/s1600/s4all.png
>>>
>>> That's why I'm confused.
>>> Steve
>>
>> Digging a bit further, here is the output of mount on the client:
>> http://dl.dropbox.com/u/45150875/krb5testnfs.png
>>
>> And this appears immediately after the mount:
>> http://dl.dropbox.com/u/45150875/krb5nfstmp.png
>>
>> Most of the documentation tells you to stick nfs into the client keytab as
>> well as the server keytab, but here, I only have the principal on the
>> server.
>>
>> What am I missing?
> I think client simply falls back to 'host' if nfs entry is not available.
>
> Tigran.
I completely cleared /tmp and stuck nfs/client back in the client keytab 
to see if it made any difference. It still wasn't used. I got exactly 
the same tickets as above. It looks as though this is a recent change to 
nfs-utils. I think this post explains why I see nfs being authenticated 
not by the /nfs/client nor /host/client but by the client$ principal.
https://fedorahosted.org/pipermail/sssd-devel/2010-August/004332.html
I'm new to all this so nothing is certain for me the moment!
Does this make sense?
Cheers,
Steve

Re: nfs4 keytabs [was:Re: where can I ask user qns about nfs4]?

[steve]

On 02/03/2012 06:22 PM, steve wrote:
> On 02/02/2012 07:57 PM, Tigran Mkrtchyan wrote:
>> On Thu, Feb 2, 2012 at 3:56 PM, steve<steve@steve-ss.com>  wrote:
>>> On 02/02/12 14:29, steve wrote:
>>>> On 02/02/2012 02:05 PM, Tigran Mkrtchyan wrote:
>>>>> On Thu, Feb 2, 2012 at 12:33 PM, steve<steve@steve-ss.com>    wrote:
>>>>>> On 02/02/12 11:58, Tigran Mkrtchyan wrote:
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>>> I already use nfs4 to serve my Linux clients. I'm going to 
>>>>>>>> kerberize
>>>>>>>> it.
>>>>>>>> My
>>>>>>>> clients already have machine and host principals. What else do 
>>>>>>>> they
>>>>>>>> need?
>>>>>>>>
>>>>>>>> 1. nfs/client.domain.name
>>>>>>>> 2. nfs/server.domain/name
>>>>>>>> 3. neither
>>>>>>>> 4. both
>>>>>>>>
>>>>>>> We run kerberized NFS.
>>>>>>>
>>>>>>> our keytab contains:
>>>>>>>
>>>>>>> on server;
>>>>>>>    nfs/server.domain
>>>>>>>
>>>>>>> on client:
>>>>>>>    nfs/client.domain
>>>>>>>
>>>>>>> and, of course, you need a consistent  idmap configuration.
>>>>>>>
>>>>>>> Tigran.
>>>>>>>
>>>>>> Hi Tigran
>>>>>>
>>>>>> That's what we have on our test lan at the moment. I can 
>>>>>> understand that
>>>>>> the
>>>>>> server would need the service principal:
>>>>>>    nfs/server.domain
>>>>>> but not the client, as it's not offering any kerberized service.
>>>>> The mount step happens on behalf of host as there are no user 
>>>>> requests
>>>>> yet.
>>>>> Client host credentials are used at that time.
>>>>>
>>>>>> As an experiment, I removed the nfs/client.domain from a client 
>>>>>> keytab,
>>>>>> rebooted and remounted the share. We could still access the 
>>>>>> kerberized
>>>>>> nfs
>>>>>> share. Maybe there were still some tickets left somewhere? That 
>>>>>> has me
>>>>>> really confused.
>>>>> Huh! did you enforce kerberos in /etc/exports?
>>>>>
>>>> Yes. /etc/exports exports as gss/krb5
>>>> I made a screenshot:
>>>>
>>>>
>>>> http://3.bp.blogspot.com/-g40b11Ys_DA/TypYtlO-ixI/AAAAAAAAAIc/cZdeRhnVuY4/s1600/s4all.png 
>>>>
>>>>
>>>> That's why I'm confused.
>>>> Steve
>>>
>>> Digging a bit further, here is the output of mount on the client:
>>> http://dl.dropbox.com/u/45150875/krb5testnfs.png
>>>
>>> And this appears immediately after the mount:
>>> http://dl.dropbox.com/u/45150875/krb5nfstmp.png
>>>
>>> Most of the documentation tells you to stick nfs into the client 
>>> keytab as
>>> well as the server keytab, but here, I only have the principal on the
>>> server.
>>>
>>> What am I missing?
>> I think client simply falls back to 'host' if nfs entry is not 
>> available.
>>
>> Tigran.
>
Yep. You're right. And not just host. They changed it to look for other 
keys too:
http://linux.die.net/man/8/rpc.gssd
So in my case that's why I see HOSTNAME$@REALM during the nfs mount.

Thanks so much for your time.
Steve

Re: where can I ask user qns about nfs4?

[Liam Gretton]

I have a related question, and like the OP I was reluctant to ask here 
as it's not a dev question, but I can't find any other suitable forum.

Has ANYBODY got kerberised NFS working where the KDC is Active Directory 
on a Windows 2008 R2 system? With 2008 R2, DES encryption for Kerberos 
is no longer enabled.

Our AD admins are understandably not keen to go against the recommended 
behaviour and enable DES just for this service (it needs to be enabled 
globally across the domain).

I can't find any documentation about Kerberised NFS that looks more 
recent than about 2006. That coupled with what I can see in the sources 
suggest that there's little development in this area, so I suspect the 
answer is that nobody has managed what I'm trying to do.

-- 
Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                http://www.le.ac.uk/its/
IT Services                                   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom

Re: where can I ask user qns about nfs4?

[steve]

On 04/02/12 21:50, Liam Gretton wrote:
> I have a related question, and like the OP I was reluctant to ask here 
> as it's not a dev question, but I can't find any other suitable forum.
>
> Has ANYBODY got kerberised NFS working where the KDC is Active 
> Directory on a Windows 2008 R2 system? With 2008 R2, DES encryption 
> for Kerberos is no longer enabled.
>
> Our AD admins are understandably not keen to go against the 
> recommended behaviour and enable DES just for this service (it needs 
> to be enabled globally across the domain).
>
> I can't find any documentation about Kerberised NFS that looks more 
> recent than about 2006. That coupled with what I can see in the 
> sources suggest that there's little development in this area, so I 
> suspect the answer is that nobody has managed what I'm trying to do.
>
Hi Liam
I am the OP. We really do need some down to earth and up to date info on 
NFS4. More to the point, it needs to be all in one place, rather than 
having snippets all around the Internet. I'm not a tecchie but maybe I 
could put together a readable howto if there was enough demand.

We have kerberized nfs4 working against Samba 4. There seem to be 
different flavours of des. The Samba 4 Kerberos produced these server 
keys for our test domain:

    1 nfs/hh3.hh3.site@HH3.SITE (des-cbc-crc)
    1 nfs/hh3.hh3.site@HH3.SITE (des-cbc-md5)
    1 nfs/hh3.hh3.site@HH3.SITE (arcfour-hmac)

We put together a howto which includes the nfs4 stuff here:
http://linuxcostablanca.blogspot.com/p/samba-4.html

HTH a little
Cheers,
Steve

Re: where can I ask user qns about nfs4?

[Jim Rees]

There is a a NFS wiki, and it does have kerberos setup instructions:
http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos

The wiki has mostly been used by developers for developer info but it might
be a good thing to use it for more general info too.

Re: where can I ask user qns about nfs4?

[Liam Gretton]

On 05/02/2012 14:16, Jim Rees wrote:
> There is a a NFS wiki, and it does have kerberos setup instructions:
> http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
>
> The wiki has mostly been used by developers for developer info but it might
> be a good thing to use it for more general info too.

Thanks, the problem isn't getting NFS with Kerberos to work in general, 
it's with AD as the KDC. It seems that NFS still only accepts DES 
encrypted Kerberos tickets, and these are specifically disabled in 
Windows Server 2008 R2.

-- 
Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                http://www.le.ac.uk/its/
IT Services                                   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom

Re: where can I ask user qns about nfs4?

[Jim Rees]

Liam Gretton wrote:

  On 05/02/2012 14:16, Jim Rees wrote:
  >There is a a NFS wiki, and it does have kerberos setup instructions:
  >http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
  >
  >The wiki has mostly been used by developers for developer info but it might
  >be a good thing to use it for more general info too.
  
  Thanks, the problem isn't getting NFS with Kerberos to work in
  general, it's with AD as the KDC. It seems that NFS still only
  accepts DES encrypted Kerberos tickets, and these are specifically
  disabled in Windows Server 2008 R2.

Wasn't that fixed recently?

Re: where can I ask user qns about nfs4?

[J. Bruce Fields]

On Sun, Feb 05, 2012 at 12:37:28PM -0500, Jim Rees wrote:
> Liam Gretton wrote:
> 
>   On 05/02/2012 14:16, Jim Rees wrote:
>   >There is a a NFS wiki, and it does have kerberos setup instructions:
>   >http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
>   >
>   >The wiki has mostly been used by developers for developer info but it might
>   >be a good thing to use it for more general info too.
>   
>   Thanks, the problem isn't getting NFS with Kerberos to work in
>   general, it's with AD as the KDC. It seems that NFS still only
>   accepts DES encrypted Kerberos tickets, and these are specifically
>   disabled in Windows Server 2008 R2.
> 
> Wasn't that fixed recently?

Yes, it supports some AES-based enctypes now, for example.  I wouldn't
know a better source of the details than

	git log net/sunrpc/auth_gss/gss_krb5_*

If someone wanted to summarize the situation for the wiki, go for it.

--b.

Re: where can I ask user qns about nfs4?

[steve]

On 06/02/12 17:39, J. Bruce Fields wrote:
> On Sun, Feb 05, 2012 at 12:37:28PM -0500, Jim Rees wrote:
>> Liam Gretton wrote:
>>
>>    On 05/02/2012 14:16, Jim Rees wrote:
>>    >There is a a NFS wiki, and it does have kerberos setup instructions:
>>    >http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
>>    >
>>    >The wiki has mostly been used by developers for developer info but it might
>>    >be a good thing to use it for more general info too.
>>
>>    Thanks, the problem isn't getting NFS with Kerberos to work in
>>    general, it's with AD as the KDC. It seems that NFS still only
>>    accepts DES encrypted Kerberos tickets, and these are specifically
>>    disabled in Windows Server 2008 R2.
>>
>> Wasn't that fixed recently?
> Yes, it supports some AES-based enctypes now, for example.  I wouldn't
> know a better source of the details than
>
> 	git log net/sunrpc/auth_gss/gss_krb5_*
>
> If someone wanted to summarize the situation for the wiki, go for it.
Hi
nfs with arcfour seems OK here with Samba 4. I don't think it's the 
default for AD but your windows admins may be happier with it. I think 
his is the relevant bit:

Kerberos: ENC-TS Pre-authentication succeeded -- HH3$@HH3.SITE using 
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-06T19:44:47 starttime: unset endtime: 
2012-02-07T05:44:47 renew till: 2012-02-07T19:44:47
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, 
des-cbc-md5, des-cbc-md4, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:45421 for 
nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-02-06T19:44:47 starttime: 
2012-02-06T19:44:47 endtime: 2012-02-07T05:44:47 renew till: 20

HTH
Steve

Re: where can I ask user qns about nfs4?

[Don Riden]

> Thanks, the problem isn't getting NFS with Kerberos to work in general, it's 
> with AD as the KDC. It seems that NFS still only accepts DES encrypted 
> Kerberos tickets, and these are specifically disabled in Windows Server 2008 
> R2.

I've recently managed to get a Linux Kerberized NFS server working
using an Active Directory 2008 R2 domain controller as a KDC (using
arcfour-hmac and aes256-cts-hmac-sha1-96).

It's reasonably fiddly and took quite a lot of tweaking to get right.

A short summary of the AD specific side of our configuration:

For hosts with Samba 3. We join them to the domain with 'net ads join' and
create NFS principals with 'net ads keytab'.

For hosts without Samba (the vast majority of hosts). We use ksetpw (an old Solaris utility to
generate AES/arcfour principals). I believe that Microsoft has a similar
utility called ktpass.exe but I've never tested it.

I'm happy to provide more details of the domain joining process offlist or summarise in another
email if there is interest.

In the computer Active Directory account we set the :

UserPrincpalName: host/fqdn@DNS_DOMAIN
ServicePrincipalName: host/fqdn and nfs/fqdn
DNSDomainName: fqdn
MSDS-SupportedEncryptionTypes: 0x1C

One caveat. I've observed the following behaviour on RHEL5 and RHEL6 (it may
have changed):

In AD (as far as I'm aware) you can only obtain a TGT from a 
principal matching the UserPrincpalName of the account.  On startup rpc.gssd
obtains a TGT. If you've generated both 'nfs/*' and 'host/*' 
principals in your keytab rpc.gssd will prefer the nfs principal.
This won't work if your UserPrincipalName in AD is 'host/*'.  My workaround in the
past has been to change the search order in the nfs-utils source code (putting the 
host principal first). Using a UPN of nfs/fqdn@DNS_DOMAIN may also work.

One issue that caused me difficulty was configuring the Kerberized NFS
server on Linux. Specifically - clients could mount the filesystem
without issue but when a user attempted to access the mount they got
'permission denied'.

Looking at the NFS requests on the wire I noticed that the GSS tokens
were around 2500 bytes in size. Further research indicated that this is the
result of Microsoft adding a 'Privilege Attribute Certificate' to service
tickets.

Setting the UserAccountControl parameter in AD on the NFS server to
'0x2000000' (NO_AUTH_DATA_REQUIRED) reduced the size of this token to
  about 500 bytes and resolved the issue.

Our NFS clients are mostly RHEL6 and RHEL5 with a few Gentoo boxes running
nfs-utils 1.2.5 and kernel 3.2.1 . All seem to work fine with the above configuration.

On the server side we've tested RHEL6 and Gentoo.

Hopefully that is of some help.

I'm surprised by the lack of documentation available on using Kerberised NFS with AD. I 
would have thought that it would be a fairly common configuration?

Since it's taken me a while to put the pieces together I'll try and come up with some  more
  comprehensive documentation in the near future.

Cheers


Don

Re: where can I ask user qns about nfs4?

[steve]

On 02/09/2012 07:57 PM, Don Riden wrote:
>
>
>> Thanks, the problem isn't getting NFS with Kerberos to work in 
>> general, it's with AD as the KDC. It seems that NFS still only 
>> accepts DES encrypted Kerberos tickets, and these are specifically 
>> disabled in Windows Server 2008 R2.
>
> I've recently managed to get a Linux Kerberized NFS server working
> using an Active Directory 2008 R2 domain controller as a KDC (using
> arcfour-hmac and aes256-cts-hmac-sha1-96).
>
> It's reasonably fiddly and took quite a lot of tweaking to get right.
>
> A short summary of the AD specific side of our configuration:
>
> For hosts with Samba 3. We join them to the domain with 'net ads join' 
> and
> create NFS principals with 'net ads keytab'.
>
> For hosts without Samba (the vast majority of hosts). We use ksetpw 
> (an old Solaris utility to
> generate AES/arcfour principals). I believe that Microsoft has a similar
> utility called ktpass.exe but I've never tested it.
>
> I'm happy to provide more details of the domain joining process 
> offlist or summarise in another
> email if there is interest.
>
> In the computer Active Directory account we set the :
>
> UserPrincpalName: host/fqdn@DNS_DOMAIN
> ServicePrincipalName: host/fqdn and nfs/fqdn
> DNSDomainName: fqdn
> MSDS-SupportedEncryptionTypes: 0x1C
>
> One caveat. I've observed the following behaviour on RHEL5 and RHEL6 
> (it may
> have changed):
>
> In AD (as far as I'm aware) you can only obtain a TGT from a principal 
> matching the UserPrincpalName of the account.  On startup rpc.gssd
> obtains a TGT. If you've generated both 'nfs/*' and 'host/*' 
> principals in your keytab rpc.gssd will prefer the nfs principal.
> This won't work if your UserPrincipalName in AD is 'host/*'.  My 
> workaround in the
> past has been to change the search order in the nfs-utils source code 
> (putting the host principal first). Using a UPN of nfs/fqdn@DNS_DOMAIN 
> may also work.
>
> One issue that caused me difficulty was configuring the Kerberized NFS
> server on Linux. Specifically - clients could mount the filesystem
> without issue but when a user attempted to access the mount they got
> 'permission denied'.
>
> Looking at the NFS requests on the wire I noticed that the GSS tokens
> were around 2500 bytes in size. Further research indicated that this 
> is the
> result of Microsoft adding a 'Privilege Attribute Certificate' to service
> tickets.
>
> Setting the UserAccountControl parameter in AD on the NFS server to
> '0x2000000' (NO_AUTH_DATA_REQUIRED) reduced the size of this token to
>  about 500 bytes and resolved the issue.
>
> Our NFS clients are mostly RHEL6 and RHEL5 with a few Gentoo boxes 
> running
> nfs-utils 1.2.5 and kernel 3.2.1 . All seem to work fine with the 
> above configuration.
>
> On the server side we've tested RHEL6 and Gentoo.
>
> Hopefully that is of some help.
>
> I'm surprised by the lack of documentation available on using 
> Kerberised NFS with AD. I would have thought that it would be a fairly 
> common configuration?
>
> Since it's taken me a while to put the pieces together I'll try and 
> come up with some  more
>  comprehensive documentation in the near future.
>
> Cheers
>
>
> Don
Hi
If it's a recent Linux distro you should be able to save a bit of 
fiddling because the nfs/client.domain principal is not needed. net ads 
keytab create makes the machine and host principals for you, and you're 
done:
http://linux.die.net/man/8/rpc.gssd
Working fine here with Samba 4 KDC and nfs4 for openSUSE Linux clients 
using acrfour-hmac.
HTH
Cheers,
Steve

Re: where can I ask user qns about nfs4?

[steve]

>>
>> I'm happy to provide more details of the domain joining process 
>> offlist or summarise in another
>> email if there is interest.
>>
>>
>>
>> I'm surprised by the lack of documentation available on using 
>> Kerberised NFS with AD. I would have thought that it would be a 
>> fairly common configuration?
>
Hi
This stuff really does need documenting. I've put together a rough guide 
of most of the common misunderstandings here:
http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html
Steve

Re: where can I ask user qns about nfs4?

[J. Bruce Fields]

On Fri, Feb 10, 2012 at 09:19:38AM +0100, steve wrote:
> 
> >>
> >>I'm happy to provide more details of the domain joining process
> >>offlist or summarise in another
> >>email if there is interest.
> >>
> >>
> >>
> >>I'm surprised by the lack of documentation available on using
> >>Kerberised NFS with AD. I would have thought that it would be a
> >>fairly common configuration?
> >
> Hi
> This stuff really does need documenting. I've put together a rough
> guide of most of the common misunderstandings here:
> http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html

Could you get some of this material into the linux-nfs wiki?

The NFS w/ AD stuff, for example, would probably be worth a page of its
own and a top-level link under "Documentation" (and the link to Mike
Eisler's blog entry could be moved to the page, if it still looks like
it's current).

--b.

Re: where can I ask user qns about nfs4?

[steve]

On 02/10/2012 07:40 PM, J. Bruce Fields wrote:
> On Fri, Feb 10, 2012 at 09:19:38AM +0100, steve wrote:
>>>> I'm happy to provide more details of the domain joining process
>>>> offlist or summarise in another
>>>> email if there is interest.
>>>>
>>>>
>>>>
>>>> I'm surprised by the lack of documentation available on using
>>>> Kerberised NFS with AD. I would have thought that it would be a
>>>> fairly common configuration?
>> Hi
>> This stuff really does need documenting. I've put together a rough
>> guide of most of the common misunderstandings here:
>> http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html
> Could you get some of this material into the linux-nfs wiki?
>
> The NFS w/ AD stuff, for example, would probably be worth a page of its
> own and a top-level link under "Documentation" (and the link to Mike
> Eisler's blog entry could be moved to the page, if it still looks like
> it's current).
>
> --b.
Unfortunately, I am unable to write technical English in the style that 
is required by the wiki. I am however happy for the link to be placed 
there. As there is no user nfs mailing list I'm also happy for folk to 
sign up to the article and use _it_ as a mailing list.
Cheers,
Steve

Re: where can I ask user qns about nfs4?

[J. Bruce Fields]

On Fri, Feb 10, 2012 at 08:13:16PM +0100, steve wrote:
> On 02/10/2012 07:40 PM, J. Bruce Fields wrote:
> >On Fri, Feb 10, 2012 at 09:19:38AM +0100, steve wrote:
> >>>>I'm happy to provide more details of the domain joining process
> >>>>offlist or summarise in another
> >>>>email if there is interest.
> >>>>
> >>>>
> >>>>
> >>>>I'm surprised by the lack of documentation available on using
> >>>>Kerberised NFS with AD. I would have thought that it would be a
> >>>>fairly common configuration?
> >>Hi
> >>This stuff really does need documenting. I've put together a rough
> >>guide of most of the common misunderstandings here:
> >>http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html
> >Could you get some of this material into the linux-nfs wiki?
> >
> >The NFS w/ AD stuff, for example, would probably be worth a page of its
> >own and a top-level link under "Documentation" (and the link to Mike
> >Eisler's blog entry could be moved to the page, if it still looks like
> >it's current).
> >
> >--b.
> Unfortunately, I am unable to write technical English in the style
> that is required by the wiki.

Just say it however it makes sense to you, ping me, and I can do any
wordsmithing if it seems necessary.

--b.

> I am however happy for the link to be
> placed there. As there is no user nfs mailing list I'm also happy
> for folk to sign up to the article and use _it_ as a mailing list.

Re: where can I ask user qns about nfs4?

[steve]

On 02/10/2012 08:14 PM, J. Bruce Fields wrote:
> On Fri, Feb 10, 2012 at 08:13:16PM +0100, steve wrote:
>> On 02/10/2012 07:40 PM, J. Bruce Fields wrote:
>>> On Fri, Feb 10, 2012 at 09:19:38AM +0100, steve wrote:
>>>>>> I'm happy to provide more details of the domain joining process
>>>>>> offlist or summarise in another
>>>>>> email if there is interest.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I'm surprised by the lack of documentation available on using
>>>>>> Kerberised NFS with AD. I would have thought that it would be a
>>>>>> fairly common configuration?
>>>> Hi
>>>> This stuff really does need documenting. I've put together a rough
>>>> guide of most of the common misunderstandings here:
>>>> http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html
>>> Could you get some of this material into the linux-nfs wiki?
>>>
>>> The NFS w/ AD stuff, for example, would probably be worth a page of its
>>> own and a top-level link under "Documentation" (and the link to Mike
>>> Eisler's blog entry could be moved to the page, if it still looks like
>>> it's current).
>>>
>>> --b.
>> Unfortunately, I am unable to write technical English in the style
>> that is required by the wiki.
> Just say it however it makes sense to you, ping me, and I can do any
> wordsmithing if it seems necessary.
>
> --b.
>
>> I am however happy for the link to be
>> placed there. As there is no user nfs mailing list I'm also happy
>> for folk to sign up to the article and use _it_ as a mailing list.
OK. I've requested a login. Linux has never been too good with 
documentation. At nfs level, unless you are capable of reading the code, 
you are stuck with misinformation. What I feel is that admins are stuck 
in the middle. It's a dilemma. You don't want to want to have to burden 
the devs with what to them is trivia. As admin, you have your own 
trivia: 'I saved it in My Documents but now only Sharon can open it'. 
You also need to be able to move forward without guessing: 'What's the 
official syntax for /etc/exports with krb5'. Your users get their 
answers. From you. Where are we expected to get our answers from!
Cheers,
Steve

Re: where can I ask user qns about nfs4?

[Liam Gretton]

On 09/02/2012 18:57, Don Riden wrote:
> I've recently managed to get a Linux Kerberized NFS server working
> using an Active Directory 2008 R2 domain controller as a KDC (using
> arcfour-hmac and aes256-cts-hmac-sha1-96).
>
> It's reasonably fiddly and took quite a lot of tweaking to get right.
>
> A short summary of the AD specific side of our configuration:

[snip]

Thanks very much for this information, it's very encouraging and I'll 
take another look at getting it working here.

> I'm surprised by the lack of documentation available on using Kerberised NFS with AD. I
> would have thought that it would be a fairly common configuration?

Me too. I'm working on knitting our Windows and Linux environments 
together, but all the hard work has to be done at the Linux end (as usual).

I hereby solemnly promise to document my experience on a blog somewhere 
assuming I make some progress and can add to the global knowledge pool.

-- 
Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                http://www.le.ac.uk/its/
IT Services                                   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom