Linux NFSv4 with Kerberos

Time/NTP synchronization between the OBD/NFS server, the NFS client and the KDC (Kerberos rejects tickets whose clock skew exceeds the KDC limit, 5 minutes by default, so all three clocks must agree).
Make sure the server and client are in the same DNS domain.
Add DNS entries (forward and reverse) for both hosts, or
add them to /etc/hosts (use lower-case hostnames; Kerberos principal names are case-sensitive and rpc.gssd derives the keytab principal from the host's resolved name):
172.22.21.69   h21-69.example.com    h21-69    # NFS server
172.22.22.111  h22-111.example.com   h22-111   # NFS client
Configure both the NFS server and the NFS client as Kerberos clients.
Copy krb5.conf from the KDC and save it as:
/etc/krb5.conf on the NFS client.
/usr/local/vtl/etc/krb5.conf on the NFS server, with a symlink at /etc/krb5.conf pointing to it.

Linux NFSv4 with Kerberos (NFS server)

Use the kadmin command to create the service principals (run as root, so kadmin authenticates as root/admin):
# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: password
kadmin: addprinc -randkey nfs/h21-69.example.com
kadmin: addprinc -randkey host/h21-69.example.com
Save them to the local /etc/krb5.keytab (the default keytab for ktadd):
kadmin: ktadd nfs/h21-69.example.com
kadmin: ktadd host/h21-69.example.com
kadmin: quit
If the hostname contains upper-case letters, also create the principals with the lower-case spelling.

Linux NFSv4 with Kerberos (NFS client)

Use the kadmin command to create the service principals:
# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: password
kadmin: addprinc -randkey nfs/h22-111.example.com
kadmin: addprinc -randkey host/h22-111.example.com
Save them to the local /etc/krb5.keytab:
kadmin: ktadd nfs/h22-111.example.com
kadmin: ktadd host/h22-111.example.com
kadmin: quit
Start the rpc.gssd and rpc.idmapd services (rpc-gssd.service only starts when /etc/krb5.keytab exists, so create the keytab first):
# systemctl enable nfs-client.target && systemctl start nfs-client.target
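
The server and client steps above are the same procedure with a different hostname. As an added example (not from the original page), the following script runs them non-interactively for one host: it builds the nfs/ and host/ principal names, adds the lower-case spelling when the hostname has upper-case letters, creates any principal that does not exist yet and exports them all to /etc/krb5.keytab with one ktadd. The realm EXAMPLE.COM and the admin principal root/admin are taken from the page; the kadmin -p/-q invocation and the getprinc existence check are assumptions about MIT Kerberos kadmin.

```sh
#!/bin/sh
# Added example (not from the original page): create the nfs/ and host/
# service principals for one host and export them to /etc/krb5.keytab.
# Realm and admin principal follow the page; the kadmin -p/-q usage and the
# getprinc existence check are assumptions about MIT Kerberos kadmin.
set -eu

REALM="EXAMPLE.COM"
ADMIN="root/admin@${REALM}"
KEYTAB="/etc/krb5.keytab"

# Print the service principals a host needs, one per line. If the hostname
# contains upper-case letters the lower-case spelling is emitted as well,
# as the page recommends (principal names are case-sensitive).
service_principals() {
    fqdn="$1"
    lower=$(printf '%s' "$fqdn" | tr '[:upper:]' '[:lower:]')
    for svc in nfs host; do
        printf '%s/%s\n' "$svc" "$lower"
        [ "$lower" = "$fqdn" ] || printf '%s/%s\n' "$svc" "$fqdn"
    done
}

# Run one kadmin query as the admin principal (prompts for its password).
kadm() {
    kadmin -p "$ADMIN" -q "$1"
}

# Create each principal that does not already exist, then write all of them
# into the keytab with a single ktadd. ktadd issues a fresh random key and
# increments the kvno every time it runs, so do this once per host and copy
# the resulting keytab to any other host that must share it.
create_host_keytab() {
    fqdn="$1"
    princs=$(service_principals "$fqdn")
    for p in $princs; do
        if kadm "getprinc ${p}@${REALM}" 2>&1 | grep -q '^Principal: '; then
            echo "principal ${p}@${REALM} already exists, skipping addprinc"
        else
            kadm "addprinc -randkey ${p}@${REALM}"
        fi
    done
    # shellcheck disable=SC2086  # principal names contain no whitespace
    kadm "ktadd -k ${KEYTAB} $(printf '%s ' $princs)"
    # Verify the keytab now lists every principal with a kvno.
    klist -kt "$KEYTAB"
}

# Usage: ./create-nfs-keytab.sh h21-69.example.com
if [ -n "${1:-}" ]; then
    create_host_keytab "$1"
fi
```

Each kadm call prompts for the admin password; on the host that already holds an admin keytab, replace the -p option with kadmin's keytab authentication. Run the script on the NFS server with its own FQDN and on the client with its FQDN; the final klist -kt output should show each principal with the same kvno as the KDC.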

Linux NFSv4 with Kerberos (user)

Add a user principal:
kadmin: addprinc user01
Enter password for principal "user01@EXAMPLE.COM": user01passwd
Re-enter password for principal "user01@EXAMPLE.COM": user01passwd
Principal "user01@EXAMPLE.COM" created.
Create the user account user01 on both the server and the client (if possible with the same uid/gid on both; NFSv4 maps owners by name through the idmapper, so the Domain setting in /etc/idmapd.conf must also match on both sides).

Linux NFSv4 with Kerberos (mount) 

As root, mount the NFS share with sec=krb5, sec=krb5i or sec=krb5p (the export on the server must allow that flavour, e.g. sec=krb5:krb5i:krb5p in /etc/exports).
Switch to user user01 and access the NFS share.
Use the df command to check the mount path. If no Kerberos ticket was obtained beforehand, the user cannot see the NFS mount path: rpc.gssd has no credentials for that uid, so access is denied.
Obtain a Kerberos ticket:
$ kinit
Password for user01@EXAMPLE.COM: user01passwd
Use the df command to check the mount path again. Now user01 can see the NFS mount path.
Adjust the file/directory permissions in the NFS share as needed.
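
As an added example (not from the original page), this script performs the mount step above and adds the check a practitioner wants: it only accepts the three Kerberos flavours, confirms from /proc/mounts that the kernel really negotiated the requested sec= value, and then shows user01's view of the mount before and after kinit. The server name and user come from the page; the export path /export/share and mount point /mnt/share are assumptions, and the /proc/mounts line used in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): mount an NFSv4 export with a
# Kerberos flavour, confirm the kernel negotiated that flavour, and show the
# user's view of the mount before and after kinit. The server name and user
# come from the page; the export path and mount point are assumptions.
set -eu

SERVER="h21-69.example.com"
EXPORT="/export/share"   # assumed export path
MNT="/mnt/share"         # assumed mount point
USER01="user01"

# Only krb5 (authentication), krb5i (+ integrity) and krb5p (+ privacy) are
# Kerberos flavours; anything else (sys, none) is rejected here.
mount_opts() {
    case "$1" in
        krb5|krb5i|krb5p) printf 'vers=4,sec=%s' "$1" ;;
        *) printf 'not a Kerberos flavour: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Extract the sec= option from one /proc/mounts line (field 4 holds the
# comma-separated mount options). Prints nothing if no sec= is present.
mounted_sec() {
    printf '%s\n' "$1" | awk '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^sec=/) { sub(/^sec=/, "", o[i]); print o[i] }
    }'
}

# Mount with the requested flavour and verify /proc/mounts agrees, so a
# typo in -o or a flavour the export does not allow is caught immediately.
mount_and_verify() {
    flavour="$1"
    mount -t nfs4 -o "$(mount_opts "$flavour")" "${SERVER}:${EXPORT}" "$MNT"
    line=$(grep " ${MNT} nfs4 " /proc/mounts)
    got=$(mounted_sec "$line")
    if [ "$got" != "$flavour" ]; then
        echo "mounted with sec=${got}, expected ${flavour}" >&2
        return 1
    fi
    echo "mounted ${MNT} with sec=${got}"
}

# As user01: df fails while the user holds no ticket, then succeeds after
# kinit obtains one (rpc.gssd picks up the ticket cache for that uid).
show_user_view() {
    su - "$USER01" -c "df ${MNT} || echo 'no ticket: mount not accessible'; kinit; df ${MNT}"
}

# Usage (as root): ./mount-krb5.sh krb5p
if [ -n "${1:-}" ]; then
    mount_and_verify "$1"
    show_user_view
fi
```

If mount fails with permission denied even though the keytab is correct, the export usually does not list the requested flavour; if it succeeds but mounted_sec reports a different value, the client negotiated another flavour from the export's list, which is why the explicit sec= check is worth keeping.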

NFSv4 and HA

Without Kerberos, no special settings are needed on the secondary.
With Kerberos, the secondary server needs the following:
Time/NTP synchronization.
Domain setting (/etc/hosts).
Configure the secondary NFS server as a Kerberos client (krb5.conf).
Copy /etc/krb5.keytab from the primary server. Do not run ktadd again on the secondary: ktadd issues a new random key and increments the kvno, which invalidates the primary's keytab copy.
Sync the NFS users between the primary and secondary server (same uid/gid on both).
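
The step above copies the keytab rather than generating a new one. As an added example (not from the original page), this script verifies that copy: it reduces the klist -kt listing of each host to kvno/principal pairs and reports any principal that is missing or carries a different kvno, which is the symptom of a stray ktadd run on one side. It assumes MIT klist -kt output and ssh root access to the primary for the live check; the two listings embedded in it are constructed, with the secondary showing a bumped kvno for the nfs/ principal.

```sh
#!/bin/sh
# Added example (not from the original page): check that the HA secondary's
# /etc/krb5.keytab matches the primary's by comparing `klist -kt` listings
# (kvno + principal). The listing format is MIT klist's; the two sample
# listings below are constructed, with the secondary's nfs/ principal at a
# kvno bumped by a stray ktadd run.
set -eu

# Reduce a `klist -kt` listing (on stdin) to sorted unique "kvno principal"
# lines; header lines have a non-numeric first field and are dropped, and
# the one-line-per-encryption-type output collapses to one per principal.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $NF }' | sort -u
}

# Compare two listings; return 0 if identical, otherwise print what differs
# and return 1. A principal with different kvno on the two hosts means one
# keytab is stale: the KDC only issues service tickets for the current kvno.
compare_listings() {
    ta=$(mktemp) tb=$(mktemp)
    printf '%s\n' "$1" | keytab_entries > "$ta"
    printf '%s\n' "$2" | keytab_entries > "$tb"
    if cmp -s "$ta" "$tb"; then
        rm -f "$ta" "$tb"
        return 0
    fi
    echo "only on primary (missing or different kvno on secondary):"
    comm -23 "$ta" "$tb"
    echo "only on secondary:"
    comm -13 "$ta" "$tb"
    rm -f "$ta" "$tb"
    return 1
}

# Live check, run on the secondary: fetch the primary's listing over ssh
# and compare it with the local keytab (primary hostname from the page).
check_secondary() {
    primary="${1:-h21-69.example.com}"
    remote=$(ssh "root@${primary}" klist -kt /etc/krb5.keytab)
    local_listing=$(klist -kt /etc/krb5.keytab)
    compare_listings "$remote" "$local_listing"
}

# Constructed sample listings (not real hosts): one entry per enctype, as
# klist -kt prints them.
PRIMARY_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/02/2024 10:00:00 nfs/h21-69.example.com@EXAMPLE.COM
   2 01/02/2024 10:00:00 nfs/h21-69.example.com@EXAMPLE.COM
   2 01/02/2024 10:00:00 host/h21-69.example.com@EXAMPLE.COM
   2 01/02/2024 10:00:00 host/h21-69.example.com@EXAMPLE.COM'

SECONDARY_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/03/2024 09:30:00 nfs/h21-69.example.com@EXAMPLE.COM
   3 01/03/2024 09:30:00 nfs/h21-69.example.com@EXAMPLE.COM
   2 01/02/2024 10:00:00 host/h21-69.example.com@EXAMPLE.COM
   2 01/02/2024 10:00:00 host/h21-69.example.com@EXAMPLE.COM'

# Usage: ./check-keytab.sh --demo                 (compare the constructed samples)
#        ./check-keytab.sh --live [primary-host]  (compare with the real primary)
if [ "${1:-}" = "--demo" ]; then
    compare_listings "$PRIMARY_LISTING" "$SECONDARY_LISTING"
elif [ "${1:-}" = "--live" ]; then
    check_secondary "${2:-}"
fi
```

When the two hosts are reached under one service name (a floating address), the copied keytab must also contain nfs/<that name>; the comparison above only tells you the copies agree, not that the principal clients will ask for is present.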

Debug

NFS and RPC kernel debug flags (nfsd is the server module; on the client use -m nfs)
Turn on:
# rpcdebug -m nfsd -s proc
# rpcdebug -m rpc -s auth
Turn off (the flags are noisy, so clear them when done):
# rpcdebug -m nfsd -c proc
# rpcdebug -m rpc -c auth
rpc.idmapd / rpc.gssd: start them with -vvvvv (each additional -v raises verbosity) and read their messages in syslog or the journal.