Kerberos 5 setup for NFSv4
The following is only necessary if you wish to use Kerberos 5 (krb5).
(Which is a good idea.)
- We assume you have a Kerberos KDC installed somewhere and have configured
Kerberos on your client and server.
- Create machine credentials for the client. This means
creating a Kerberos V5 principal/instance name of the form
nfs/dns.name.of.client@REALM, and either adding a key for this principal to an
existing /etc/krb5.keytab or creating an /etc/krb5.keytab.
Note: only the encryption type of des-cbc-crc is functional so far
in the kernel, so add only this type of key.
kadmin: addprinc -randkey nfs/myclient.mydomain
kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain
- Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client.
- Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server.
Things to be aware of when using Kerberos:
- The system clocks on your machines must be set to the correct time;
install ntp to make sure this is the case.
- The /etc/hosts file must list the fully-qualified domain name as the
first entry on the line with the machine's IP address, and the machine's
name must not be include on the localhost line.
- The /etc/services file must list the nfs service (port 2049). Something
like the following:
nfs 2049/tcp nfsd # Network File System
nfs 2049/udp nfsd # Network File System