Commands summary

Here is Version 3 of three commands to facilitate and control the setup of a Linux kerberized NFS environment:

- krbkdcsv: sets up a Kerberos KDC and a Kerberos administration Server
- krbnfssv: sets up a Kerberos NFS Server
- krbnfscl: sets up a Kerberos NFS Client

Time is synchronized with NTP if it is configured. Default values are proposed from /etc/krb5.conf and from the configuration of the machine the command is running on. Nevertheless you can change them with the options of the command.
How to use:

First, krbkdcsv has to be run on the machine chosen to be the Kerberos KDC and Kerberos administration Server. Next, krbnfssv is run on the machine chosen to be the Kerberos NFS Server. Then, krbnfscl is run on the machine chosen to be the Kerberos NFS Client. Now the kerberized NFS mount can be done.
Where to find the commands:
- krbkdcsv
- krbnfssv
- krbnfscl
krbkdcsv command

Purpose:
This shell command takes care of setting up a Kerberos KDC and a Kerberos administration Server. Written to be run by root on the machine to be the Kerberos NFS Server and the KDC Server.
Usage:
krbkdcsv {start | status | reboot}

start:  first KRB KDC Server initialisation
status: check if the KRB KDC Server is still OK
reboot: check that the needed daemons (krb5kdc, kadmind) have been started properly, and restart them if not

krbkdcsv start { -h | {-a <kerberos administrator principal>} {-b <kerberos server>} {-c <krb5.conf file directory>} {-C <kdc.conf file directory>} {-d <domain>} {-D <Linux Distribution>} {-k <kdc server>} {-r <realm>} {-v} }
krbkdcsv status { -h | {-a <kerberos administrator principal>} {-c <krb5.conf file directory>} {-D <Linux Distribution>} {-v} }
krbkdcsv reboot { -h | {-D <Linux Distribution>} }
Description:
The krbkdcsv command configures the KDC and Kerberos server. It creates the krb5.conf and kdc.conf files, the Kerberos database and the kadm5.acl file. Those files can be edited to modify the parameters set by this initial configuration.

The command does some controls:

start:
- checks the Kerberos Server package is installed
- checks the REALM is in UPPER CASE
- checks the kerberos daemons are running (krb5kdc, kadmind)
- checks the KDC and administration server are operational
- synchronizes time with NTP when possible

status:
- checks the kerberos daemons are running (krb5kdc, kadmind)
- checks the KDC and administration server are operational

reboot:
- checks the kerberos daemons are running (krb5kdc, kadmind) and restarts them if not
Flags:
-a : kerberos administrator principal
-b : kerberos server name
-c : directory where the krb5.conf file is located
-C : directory where the kdc.conf file is located
-d : domain name for the Kerberos realm
-D : Linux distribution, among FEDORA, RHEL5.1
-h : help, displays the command syntax
-k : KDC server name
-r : realm for which the Kerberos server is to be configured
-v : verbose mode
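As an added example (not code from the krbkdcsv script or from this page), the following POSIX sh reproduces three of the "start" controls listed above on a KDC host: it reads the default realm proposed from /etc/krb5.conf, checks that the realm is in upper case, and checks that krb5kdc and kadmind are running. The file path, the daemon names and the 'realm must be upper case' rule come from the page; the function names, the KRB5_CONF override and the "check" argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the krbkdcsv script): reproduce three of the
# krbkdcsv "start" controls in plain POSIX sh.
#   1. read the proposed default realm from a krb5.conf file
#   2. verify that the realm is in UPPER CASE
#   3. verify that krb5kdc and kadmind are running
# The krb5.conf path and the daemon names are those the page mentions;
# function names, KRB5_CONF and the "check" argument are our own.

# Print the default_realm value of the [libdefaults] section, or nothing.
# Handles "key = value" and "key=value", trailing whitespace and comments.
default_realm_from_krb5conf() {
    awk '
        /^[[:space:]]*\[/ {
            in_libdefaults = ($0 ~ /^[[:space:]]*\[libdefaults\]/)
            next
        }
        in_libdefaults && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]*(#.*)?$/, "")
            print
            exit
        }
    ' "$1"
}

# Succeed only if the realm is non-empty and identical to its upper-cased
# form. Kerberos realm names are case-sensitive: a lower-case realm in
# krb5.conf produces principal names the KDC does not know.
realm_is_upper() {
    [ -n "$1" ] &&
        [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# $1 is a newline-separated list of running command names; the remaining
# arguments are the daemons that must be present. Prints each missing
# daemon on its own line and succeeds only when none is missing.
missing_daemons() {
    running=$1
    shift
    status=0
    for d in "$@"; do
        if ! printf '%s\n' "$running" | grep -qx "$d"; then
            printf '%s\n' "$d"
            status=1
        fi
    done
    return "$status"
}

# Run the three controls against the live system (only when invoked as
# "sh kdc_preflight.sh check", so that sourcing the file has no effect).
kdc_preflight() {
    conf=${KRB5_CONF:-/etc/krb5.conf}
    realm=$(default_realm_from_krb5conf "$conf")
    if realm_is_upper "$realm"; then
        echo "OK   default_realm '$realm' from $conf is upper case"
    else
        echo "FAIL default_realm '$realm' from $conf is empty or not upper case"
    fi
    if missing=$(missing_daemons "$(ps -eo comm=)" krb5kdc kadmind); then
        echo "OK   krb5kdc and kadmind are running"
    else
        echo "FAIL not running:" $missing
    fi
}

if [ "${1-}" = "check" ]; then
    kdc_preflight
fi
```

Each check is a separate function that takes its input as an argument, so the same code can be pointed at a copy of a krb5.conf taken from another host, or at a process list captured earlier, which is also what makes it testable offline.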
krbnfssv command

Purpose:
This shell command takes care of setting up a Kerberos NFS Server. Written to be run by root on the machine to be the Kerberos NFS Server.
Usage:
krbnfssv {start | status | reboot}

start:  first kerberized NFS Server initialisation
status: check that the kerberized NFS Server configuration is still OK
reboot: check that nfsd, rpc.mountd and rpc.idmapd are started on the NFS Server, and start them if not

krbnfssv start { -h | {-b <kerberos server>} {-c <krb5.conf file directory>} {-d <domain>} {-D <Linux Distribution>} {-k <kdc server>} {-n <ntp server>} {-r <realm>} {-v} }
krbnfssv status { -h | {-b <kerberos server>} {-c <krb5.conf file directory>} {-D <Linux Distribution>} {-k <kdc server>} {-n <ntp server>} {-v} }
krbnfssv reboot { -h | {-D <Linux Distribution>} }
Description:
The krbnfssv command configures a kerberized NFS Server.

The command does some controls:

start:
- checks the Kerberos Client package is installed
- checks the REALM is in UPPER CASE
- synchronizes time with NTP when possible
- checks the time is synchronised (<300s) with the KDC Server machine time
- checks the hostname is a fully qualified domain name
- checks the /etc/hosts file lists the fully-qualified domain name as the first entry on the line with the machine's IP address
- checks the name server in /etc/resolv.conf is the same as in /etc/resolv.conf of the KDC Server
- checks the /etc/services file lists the nfs service (port 2049)
- checks the KDC and Kerberos Server are reachable
- checks the kerberos daemons are running (krb5kdc, kadmind) on the Kerberos Server
- checks the nfs server daemons are running

status:
- checks the KDC and Kerberos Server are reachable
- checks the kerberos daemons are running (krb5kdc, kadmind) on the Kerberos Server
- synchronizes time with NTP when possible
- checks the time is synchronised (<300s) with the KDC Server machine time
- checks the hostname is a fully qualified domain name
- checks the /etc/hosts file lists the fully-qualified domain name as the first entry on the line with the machine's IP address
- checks the name server in /etc/resolv.conf is the same as in /etc/resolv.conf of the KDC Server
- checks the nfs server daemons are running
- checks the /etc/services file lists the nfs service (port 2049)

reboot:
- checks and starts the nfsd and rpc.mountd NFS Server daemons
- checks and starts the rpc.idmapd daemon
- checks and starts the rpc.svcgssd daemon
Flags:
-b : kerberos server name
-c : directory where the krb5.conf file is located
-d : domain name for the Kerberos realm
-D : Linux distribution, among FEDORA, RHEL5.1
-h : help, displays the command syntax
-k : KDC server name
-n : NTP server name
-r : realm for which the Kerberos server is to be configured
-v : verbose mode:
     - displays more messages
     - starts rpc.svcgssd in verbose mode (rpc.svcgssd -vvv)
krbnfscl command

Purpose:
This shell command takes care of setting up a Kerberos NFS Client. Written to be run by root on the machine to be the Kerberos NFS Client.
Usage:
krbnfscl {start | status | reboot}

start:  first kerberized NFS Client initialisation
status: check that the kerberized NFS Client configuration is still OK
reboot: start the needed daemons (rpc.gssd, rpc.idmapd) if not already started

krbnfscl start { -h | {-b <kerberos server>} {-c <krb5.conf file directory>} {-d <domain>} {-D <Linux Distribution>} {-k <kdc server>} {-n <ntp server>} {-r <realm>} {-s <nfs server>} {-u <user>} {-v} }
krbnfscl status { -h | {-b <kerberos server>} {-D <Linux Distribution>} {-k <kdc server>} {-n <ntp server>} {-r <realm>} {-s <nfs server>} {-v} }
krbnfscl reboot { -h | {-D <Linux Distribution>} }
Description:
The krbnfscl command configures a kerberized NFS Client.

The command does some controls:

start:
- checks the Kerberos Client package is installed
- checks the REALM is in UPPER CASE
- synchronizes time with NTP when possible
- checks the time is synchronised (<300s) with the KDC Server machine time
- checks the hostname is a fully qualified domain name
- checks the /etc/hosts file lists the fully-qualified domain name as the first entry on the line with the machine's IP address
- checks the name server in /etc/resolv.conf is the same as in /etc/resolv.conf of the KDC Server
- checks the /etc/services file lists the nfs service (port 2049)
- checks the KDC, Kerberos Server and NFS Server are reachable
- checks the kerberos daemons are running (krb5kdc, kadmind) on the Kerberos Server
- checks the nfs server daemons are running on the NFS Server

status:
- checks the REALM is in UPPER CASE
- synchronizes time with NTP when possible
- checks the time is synchronised (<300s) with the KDC Server machine time
- checks the hostname is a fully qualified domain name
- checks the /etc/hosts file lists the fully-qualified domain name as the first entry on the line with the machine's IP address
- checks the name server in /etc/resolv.conf is the same as in /etc/resolv.conf of the KDC Server
- checks the /etc/services file lists the nfs service (port 2049)
- checks the KDC, Kerberos Server and NFS Server are reachable
- checks the kerberos daemons are running (krb5kdc, kadmind) on the Kerberos Server
- checks the nfs server daemons are running on the NFS Server
- checks rpc.gssd and rpc.svcgssd are running

reboot:
- checks and starts the rpc.idmapd daemon on the NFS Client
- checks and starts the rpc.gssd daemon on the NFS Client
Flags:
-b : kerberos server name
-c : directory where the krb5.conf file is located
-d : domain name for the Kerberos realm
-D : Linux distribution, among FEDORA, RHEL5.1
-h : help, displays the command syntax
-k : KDC server name
-n : NTP server name
-r : realm for which the Kerberos server is to be configured
-s : nfs server name
-u : user name
-v : verbose mode
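The host sanity controls that both krbnfssv and krbnfscl run (hostname fully qualified, FQDN first on the machine's /etc/hosts line, nfs in /etc/services on port 2049, same name server as the KDC, clock within 300 s of the KDC) are shown below as an added example in POSIX sh; this is not code from the krbnfssv or krbnfscl scripts. The limits and file names come from the page; the function names, the "check" argument, the rule that localhost.localdomain does not count as a qualified name, and the convention that the KDC's clock value and a copy of its resolv.conf are passed in as arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of krbnfssv or krbnfscl): the host sanity
# controls that both commands run, written as reusable POSIX sh functions.
# Each check takes its input (file path, names, timestamps) as arguments so
# the same function can be pointed at a copy of a file or at a test fixture.
# The limits and file names come from the page (300 s, /etc/hosts,
# /etc/resolv.conf, /etc/services, port 2049); function names are ours.

# Hostname must be fully qualified: at least one dot, no leading/trailing
# dot, and not the localhost.localdomain placeholder many installers leave
# behind (assumption: that placeholder is treated as "not qualified").
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*|localhost|localhost.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# /etc/hosts: the first line whose address field is $2 must list $3 (the
# FQDN) as the first name after the address. $1 is the hosts file.
hosts_fqdn_first() {
    awk -v ip="$2" -v fqdn="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == ip && !seen { seen = 1; ok = ($2 == fqdn) }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# /etc/services must map "nfs" to port 2049. $1 is the services file.
services_has_nfs() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "nfs" && $2 ~ /^2049\// { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Sorted nameserver list of a resolv.conf, so two files can be compared.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort
}

# Succeed when both resolv.conf files name the same servers, in any order.
same_nameservers() {
    [ "$(resolv_nameservers "$1")" = "$(resolv_nameservers "$2")" ]
}

# Kerberos tolerates only a small clock skew; the page uses 300 s. $1 and
# $2 are epoch seconds on this host and on the KDC.
clock_skew_ok() {
    skew=$(( $1 > $2 ? $1 - $2 : $2 - $1 ))
    [ "$skew" -lt 300 ]
}

# Run every control against the live host. Usage (example only):
#   sh nfs_host_preflight.sh check <fqdn> <ip> <kdc-epoch> <kdc-resolv.conf-copy>
# How the KDC's clock value and resolv.conf copy are obtained is left to
# the caller; the script only compares them.
nfs_host_preflight() {
    fqdn=$1 ip=$2 kdc_epoch=$3 kdc_resolv=$4
    report() { if "$@"; then echo "OK   $1"; else echo "FAIL $1"; fi; }
    report is_fqdn "$fqdn"
    report hosts_fqdn_first /etc/hosts "$ip" "$fqdn"
    report services_has_nfs /etc/services
    report same_nameservers /etc/resolv.conf "$kdc_resolv"
    report clock_skew_ok "$(date +%s)" "$kdc_epoch"
}

if [ "${1-}" = "check" ]; then
    shift
    nfs_host_preflight "$@"
fi
```

The checks are kept side-effect free and separate from the "start" and "reboot" actions of the page's commands: a failed control is reported and nothing is restarted or rewritten, which is the behaviour wanted from a "status"-style run on a machine that is already in production.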
Tutorial

The goal of this tutorial is to gather everything NFSv4 administrators and end-users need to more easily configure and install NFSv4 within a secure environment. This document has been built from my own experience in testing the installation and robustness of NFSv4 with Kerberos, and also from the experiences of others who have published them on the Web. The list is at the end of this document. It is certainly not complete. Let me know at aime.le-rouzic@bull.net what is missing, and also send some real-life examples of Kerberos NFSv4 deployments.

In this document:
- we present three commands to facilitate and control the setup of a Linux kerberized NFS environment, to allow the reader to use NFS with Kerberos quickly.
- we do a quick review of how NFSv4 and Kerberos work together, in order to understand the different steps of the deployment and their impact on the configuration.
- we continue by presenting all the commands, files, daemons and servers used to manage and monitor NFSv4 and Kerberos.
- we detail the methods, scripts and tools which allow the setup and the control of the client and server configurations step by step.
- we describe in more detail the simplified and automatic setup listed in Chapter 1.
- we analyse and explain the common errors encountered by administrators:
  - how these appear in the log files,
  - how to detect them,
  - which recovery actions are necessary following troubleshooting.
- we provide a list of different kinds of distributions and operating systems offering a kerberized NFSv4 environment.
- we consider the current limitations of kerberized NFSv4 infrastructures.
- we look at future directions.
- we list the Frequently Asked Questions.
- finally, we give good documents related to the topic with the address where to find them.
Where to find the document:
Evolution

If something is incomplete or wrong, or could be improved, feel free to contact us so that these commands can be modified.
Page maintained by: Aime Le Rouzic
Last update: 2007, June 26