Ping a Specific Port

Question

Saurabh Nanda

Asked: 2019-01-02 02:02:06 +0800 CST2019-01-02 02:02:06 +0800 CST 2019-01-02 02:02:06 +0800 CST

How does NFS figure out which Kerberos creds / principals to give access to?

772

I'm setting up NFS with Kerberos and following various guides, like NFSv4 with Kerberos on Ubuntu Wiki and How To Use Kerberos to Control Access to NFS Network Shares, amongst others. All guides follow the same basic pattern:

Set up a KDC
Create a key-based principal for nfs/nfs-server and make sure that these keys are in the /etc/krb5.keytab file of the NFS server
Create a key-based principal for nfs/nfs-client and make sure that these keys are in the /etc/krb5.keytab file of the NFS client

The next step is what's confusing me. Once /etc/exports on the NFS server is changed to some variation of...

/nfs/some-dir    [ip-address](rw,sec=krb5p,all_squash,sync)

... how does the NFS server know which Kerberos principal has been assigned to itself? Even more basic - how does the NFS server know which Kerberos realm is has been added to? Further, how does the NFS server know which Kerberos principals to allow access to? There could be a number of Kerberos users/principals in the realm and not all should be allowed access to a particular NFS export.

In a similar vein, once the following is executed on the NFS client...

mount -t nfs4 -o sec=krb5p [ip-address]:/nfs/some-dir /mnt/some-dir

...how does the NFS client know which Kerberos principal/key to use when talking to the NFS server?

Is there some implicit magic going on in the /etc/krb5.keytab and /etc/krb5.conf files?

1 Answers

Voted

kofemann · Answer 1 · 2019-01-03T03:47:36+08:00

Best Answer

kofemann

2019-01-03T03:47:36+08:002019-01-03T03:47:36+08:00

There are couple of discovery options used by kerberized NFS (of in general any kerberized service) to find out which kerberos realm to use. The number one place is /etc/krb5.conf where you can explicitly specify default realm to be used:

[libdefaults]
...
default_realm = YOUR.REALM

If nothing is specified, then client can query DNS server for kerberos service record. At the end, the domain name is used. The NFS server will scan /etc/krb5.keytab file for appropriate host principal to use for gss handshake.

When end-users accessing NFS server, for each client a dedicated GSS context is established. On the server side, you need a mapping service, typically nfsidmapd, which based on system configuration uses LDAP server of local password file to map kerberos principals to local uid/gids. The authorization happens based on unix permissions or ACLs, if configured.

1

How does NFS figure out which Kerberos creds / principals to give access to?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?