# eselect rc add /etc/init.d/mit-krb5kadmin default
# eselect rc add /etc/init.d/mit-krb5kadmind default
-Add new principals ([krb manual][principal]:
+Add new principals ([krb manual][principal]):
$ kadmin -p jdoe/admin
Authenticating as principal jdoe/admin with password.
# emerge -av pam_krb5
-and `scp` `/etc/krb.conf` from your Kerberos server onto the client.
+and `scp` `/etc/krb5.conf` from your Kerberos server onto the client.
Check that everything works by running
get_ids: failed to map name 'nfs/<fqdn>@REALM' to uid/gid: Invalid argument
-bug [discussion][lr-bug].
+bug ([discussion][lr-bug]).
Since we'll be running the NFS service, we'll need a
`nfs/<fqdn>@REALM` principal for the service. Because we want that
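Review bot: the file name fix to `scp` `/etc/krb5.conf` is right, but the sentence should say why, or readers who know the old name will take the change for a typo: MIT krb5 reads `/etc/krb5.conf`, while `/etc/krb.conf` was the Kerberos 4 configuration file, which krb5 does not read at all. One clause such as "(`/etc/krb5.conf`, not the Kerberos 4 `/etc/krb.conf`)" would settle it.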
Password for jdoe/admin@R.EDU:
kadmin.local: add_principal -randkey nfs/server.d.net
WARNING: no policy specified for nfs/server.d.net@R.EDU; defaulting to no policy
- Principal "dns/server.d.net@R.EDU" created.
+ Principal "nfs/server.d.net@R.EDU" created.
kadmin.local: ktadd nfs/server.d.net
Entry for principal nfs/server.d.net...
...
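Review bot: the corrected `Principal "nfs/server.d.net@R.EDU" created.` line now matches the `add_principal -randkey nfs/server.d.net` command above it, but the transcript still does not say where the key from `ktadd nfs/server.d.net` ends up. `ktadd` writes to the default keytab of the host running `kadmin.local`, which is the KDC, so if the NFS server is a different machine the text should either extract to a separate file (`ktadd -k /tmp/nfs.keytab nfs/server.d.net`) and describe copying it to the server's `/etc/krb5.keytab`, or state that the KDC and the NFS server are the same host here.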
Read through `/etc/idmapd.conf` to see if you need to make any changes
for your setup. I set `Domain = d.net` and `Local-Realms = R.EDU`.
You probably also want to look through `/etc/conf.d/nfs`. I added
-`-vvv` to `OPTS_RPC_GSSD` and `OPTS_RPC_SVCGSSD` to aid in debugging.
+`-vvv` to `OPTS_RPC_GSSD`, `OPTS_RPC_IDMAPD`, and `OPTS_RPC_SVCGSSD`
+to aid in debugging.
Setup your export filesystem. NFSv4 wants all its exports to live
under a single root, so do something like:
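Review bot: the `-vvv` additions for `OPTS_RPC_GSSD`, `OPTS_RPC_IDMAPD` and `OPTS_RPC_SVCGSSD` are sensible while setting things up, but the paragraph should say they are temporary and to remove them once mounts work; three daemons at maximum verbosity will flood the log on a server that stays in service, and the "to aid in debugging" wording reads as if they are meant to stay.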
Setup the NFS client
--------------------
+In order to use private (`sec=krb5p`) mounts, you'll need to enable
+[RPCSEC_GSS_KRB5][]. Without it, [you'll get error
+messages][gss_error] such as
+
+ gss_create: Pseudoflavor 390005 not found!
+
You'll also need `nfs-utils` here
# USE="kerberos" emerge -av nfs-utils
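Review bot: the new sentence ties `RPCSEC_GSS_KRB5` to private (`sec=krb5p`) mounts only, but the kernel option (`CONFIG_RPCSEC_GSS_KRB5`) provides the whole Kerberos GSS family, so `sec=krb5` and `sec=krb5i` need it as well; suggest "In order to use any of the `sec=krb5*` flavours, you'll need to enable ...". The quoted `gss_create: Pseudoflavor 390005 not found!` is specific to krb5p (390003 is krb5, 390004 krb5i, 390005 krb5p), so it is worth noting that the number in the message follows the flavour requested, or readers seeing 390003 will not recognise it as the same problem.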
$ ls /tmp/mnt/
home
-I'm not sure if this is a bug or a feature.
+This is because your credentials have been cached in the client's
+kernel. On AIX there seems to be an [nfsauthreset][] command to
+manually flush cached GSSAPI information. Linux support is [waiting
+on a new key ring implementation][keyring].
Other stuff
-----------
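Review bot: the replacement paragraph explains a behaviour ("your credentials have been cached in the client's kernel") that the transcript above it does not show; `ls /tmp/mnt/` succeeding is not surprising on its own, so keep one sentence stating what was observed (what was destroyed or changed before that `ls` and why the result was unexpected) ahead of the explanation. "there seems to be an `nfsauthreset` command" is hedged even though the link goes to the AIX command reference; state it plainly.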
(e.g. `cups`, `curl`, `cvs`, `emacs`, `openssh`, most SASL libraries,
...).
+For details on using Kerberos with [[SSH]], check out the excellent
+description in [the SSH definative guide][ssh]. The key elements are
+`host/<fqdn>@REALM` principals for each host (with keyfiles on each
+server) and appropriate enabling of the `GSSAPI*` options in
+`sshd_config` and `ssh_config`.
+
There's also [suite of Kerberos-aware utilities][apps] in
`app-crypt/mit-krb5-appl` (`krcp`, `krlogin`, `krsh`, `ktelnet`, and
`kftp`). I don't use the non-Kerberized versions, so I haven't tried
any of these.
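Review bot: typo in the new SSH paragraph: "definative" should be "definitive"; and "keyfiles" would be clearer as "keytabs", the term the rest of the page uses (`ktadd`, the keytab link). Naming the option that actually does the work would also save readers a search: `GSSAPIAuthentication` in both `sshd_config` and `ssh_config`, plus `GSSAPIDelegateCredentials` in `ssh_config` if the ticket has to be forwarded so that an NFS-mounted home directory is readable after login.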
+If you're using [[MPD]] on an NFS-mounted music repository, you might
+be interested in my [[kinit-mpd.sh]] script for granting the `mpd`
+user access to the NFS-mounted music as the `nobody` principal.
+
+For debugging, check out the [KRB5_TRACE][] environment variable. I
+sent some patches [upstream][7151] to integrate reverse DNS debugging
+into the `KRB5_TRACE` framework. The patches will go live with the
+next major krb5 release after the 1.10 series.
+
+If you end up compiling from source, you can run the [unit
+tests][test] and [check coverage][gcov] with something like:
+
+ $ git clone git://github.com/krb5/krb5.git
+ $ cd krb5/src
+ $ util/reconf
+ $ mkdir ../build
+ $ cd ../build
+ $ ../src/configure --disable-rpath CFLAGS="-fprofile-arcs -ftest-coverage -O0" LIBS=-lgcov
+ $ make
+ $ make check
+ $ cd lib/krb5/os
+ $ gcov -o sn2princ.so.gcno ../../../lib/krb5/os/sn2princ.c
+ $ gcov -o sn2princ.so.gcno sn2princ.c
+ $ less sn2princ.c.gcov
+
+Running `configure` from a separate directory creates a [VPATH][]
+build, which avoids polluting the source directory with generated
+files.
+
[Kerberos]: http://web.mit.edu/kerberos/
[install]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html
[DNS]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#Using%20DNS
[acl]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html#Add%20Administrators%20to%20the%20Acl%20File
[principal]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-admin.html#Adding%20or%20Modifying%20Principals
[keytab]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-install.html#Create%20a%20kadmind%20Keytab%20%28optional%29
+[RPCSEC_GSS_KRB5]: http://www.kernel.org/doc/menuconfig/net-sunrpc-Kconfig.html
+[gss_error]: http://osdir.com/ml/linux.nfsv4/2006-01/msg00014.html
[nfs-tut1]: http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
[nfs-tut2]: http://bernard.nexusinternational.jp/2008/03/nfs-and-kerberos-bernie-howto.html
[nfs-tut3]: http://www.techrepublic.com/blog/opensource/kerberos-authentication-with-nfsv4/1965
[CTS]: http://permalink.gmane.org/gmane.linux.nfs/39963
[libnfsidmap]: http://www.citi.umich.edu/projects/nfsv4/linux/
[lr-bug]: http://linux-nfs.org/pipermail/nfsv4/2008-October/009558.html
+[nfsauthreset]: http://publib.boulder.ibm.com/infocenter/aix/v7r1/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds4/nfsauthreset.htm
+[keyring]: http://www.citi.umich.edu/projects/nfsv4/linux/faq/#krb5_006
+[ssh]: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch11_04.htm
[apps]: http://web.mit.edu/kerberos/krb5-1.9/krb5-1.9.1/doc/krb5-user.html#Kerberos%20V5%20Applications
+[KRB5_TRACE]: http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/env_variables.html
+[7151]: http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7151
+[test]: http://web.mit.edu/kerberos/krb5-current/doc/krb_build/doing_build.html#testing-the-build
+[gcov]: http://web.mit.edu/kerberos/krb5-current/doc/krb_build/test_cov.html
+[VPATH]: http://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.69/html_node/Make-Target-Lookup.html
[[!tag tags/linux]]
[[!tag tags/tools]]
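Review bot: the coverage recipe runs `gcov` twice on the same object (`gcov -o sn2princ.so.gcno ../../../lib/krb5/os/sn2princ.c` followed by `gcov -o sn2princ.so.gcno sn2princ.c`); one of these looks like a retained failed attempt and only one is needed. In the VPATH layout the paragraph describes, from `build/lib/krb5/os` the path `../../../lib/krb5/os/sn2princ.c` resolves back into the build tree rather than to `../src/lib/krb5/os/sn2princ.c`, so keep whichever invocation actually produced `sn2princ.c.gcov` and drop the other.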