Mount a krb5 nfs export and ticket renew time
Richard Smits
2010-04-01 14:37:37 UTC
Hello,

We have a workstation which has to do maintenance on a krb5 export.
NFS server is a NetApp nashead.

(Create homedirs and set owner etc)

We have this working now, but if I do a kinit and get a maximum lifetime
krb5 ticket, I have to do this once a week.

My question is as follows:

- Can you mount a krb5 export like it is nfsv3 (with ip number in the
export)? (I know, cannot be done, but this is something like I want :-)

We need something stable and solid, and typing in a password once a week
is not the way to go.

Can anyone give some advice on how they solved this? (Or are we the only
one using krb5 nfs4 exports ;-) ?

Greetings .. Richard
William A. (Andy) Adamson
2010-04-01 15:28:10 UTC
Hello
Post by Richard Smits
Hello,
We have a workstation which has to do maintenance on a krb5 export.
NFS server is a NetApp nashead.
(Create homedirs and set owner etc)
We have this working now, but if I do a kinit and get a maximum lifetime
krb5 ticket, I have to do this once a week.
- Can you mount a krb5 export like it is nfsv3 (with ip number in the
export) (I know, cannot be done, but this is something like i want :-)
I think you mean can you mount a krb5 export like AUTH_SYS where the
client machine authenticates the user and the ip address of the client
machine is used for authentication on the server. If so, then no.
Kerberos authenticates the user (or service principal) to the NFS
server.
Post by Richard Smits
We need something stable and solid, and typing in a password once a week is
not the way to go.
Can anyone give some advice in how they solved this. (Or are we the only one
using krb5 nfs4 exports ;-) ?
You can create a principal for the maintenance work with a keytab
entry instead of a password, and use a cron job to renew the
credentials by calling kinit, something like this:

kinit -S maintenance-service/host -k -t /path/to/keytab maintenance_principal

-->Andy
Post by Richard Smits
Greetings .. Richard
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
Trond Myklebust
2010-04-01 16:50:25 UTC
Post by Richard Smits
Hello,
We have a workstation which has to do maintenance on a krb5 export.
NFS server is a NetApp nashead.
(Create homedirs and set owner etc)
We have this working now, but if I do a kinit and get a maximum lifetime
krb5 ticket, I have to do this once a week.
- Can you mount a krb5 export like it is nfsv3 (with ip number in the
export) (I know, cannot be done, but this is something like i want :-)
If this is a client that is dedicated to administrative work, and is on
the same local network as the server, why can't you add an entry on the
server that exports this volume as auth-sys to this particular client
only?
Post by Richard Smits
We need something stable and solid, and typing in a password once a week
is not the way to go.
Can anyone give some advice in how they solved this. (Or are we the only
one using krb5 nfs4 exports ;-) ?
As Andy said, you can create a keytab entry instead.

Trond
Guillaume Rousse
2010-04-01 22:35:39 UTC
Post by Trond Myklebust
Post by Richard Smits
Hello,
We have a workstation which has to do maintenance on a krb5 export.
NFS server is a NetApp nashead.
(Create homedirs and set owner etc)
We have this working now, but if I do a kinit and get a maximum lifetime
krb5 ticket, I have to do this once a week.
- Can you mount a krb5 export like it is nfsv3 (with ip number in the
export) (I know, cannot be done, but this is something like i want :-)
If this is a client that is dedicated to administrative work, and is on
the same local network as the server, why can't you add an entry on the
server that exports this volume as auth-sys to this particular client
only?
AFAIK, this is not possible with Data ONTAP, as you can not specify
host-specific security flavors in a single export entry. I don't have
the man page available right now, but from what I remember, specifying
multiple security flavors is only useful to allow negotiation with the
client when it doesn't support the initial one.

However, reading Trond's answer, I just realized you could eventually have
several export definitions for the same path, with different options,
where I only imagined a single export definition initially.

Anyway, even with krb5 security, you can install a root/hostname
principal in a machine keytab, grant it root access permission on the
export (in addition to read/write perms), and you'll get a permanent
administration server.
--
BOFH excuse #439:

Hot Java has gone cold
Richard Smits
2010-04-02 00:01:32 UTC
Post by Guillaume Rousse
Post by Trond Myklebust
Post by Richard Smits
- Can you mount a krb5 export like it is nfsv3 (with ip number in the
export)? (I know, cannot be done, but this is something like I want :-)
If this is a client that is dedicated to administrative work, and is on
the same local network as the server, why can't you add an entry on the
server that exports this volume as auth-sys to this particular client
only?
AFAIK, this is not possible with Data ONTAP, as you can not specify
host-specific security flavors in a single export entry. I don't have
the man page available right now, but from what I remember, specifying
multiple security flavors is only useful to allow negotiation with the
client when it doesn't support the initial one.
Aha, I thought so. I couldn't get this to work, so this is the reason.
Post by Guillaume Rousse
However, reading Trond's answer, I just realized you could eventually have
several export definitions for the same path, with different options,
where I only imagined a single export definition initially.
I have tried a second export with auth-sys, but no luck :-( But I will
play around with the export options to see if I can make something work.
Post by Guillaume Rousse
Anyway, even with krb5 security, you can install a root/hostname
principal in a machine keytab, grant it root access permission on the
export (in addition to read/write perms), and you'll get a permanent
administration server.
This is interesting. My krb5 knowledge is not as good as I would like
it to be, but this is what I want. But I always thought that you always need a
ticket from your KDC (that expires at some time). In our case this is a
Windows 2003/2008 AD, not a Unix KDC. Is it still possible then?

If I obtain a ticket, and with an option for a very long time, I do:
---
kinit username -l 300d (for 300 days valid)

But if I do a klist (date and time not valid in this example):
---
Valid starting     Expires            Service principal
04/02/10 01:15:01  04/02/10 11:15:03  krbtgt/COMPANY.NET@COMPANY.NET
	renew until 04/06/10 13:12:44

The maximum lifetime for my ticket is always one week.

How can an entry in a keytab file replace this mechanism?

My keytab:
---
klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 root/nasmgt.company.net@COMPANY.NET (DES cbc mode with CRC-32)
   2 root/nasmgt.company.net@COMPANY.NET (DES cbc mode with RSA-MD5)
   2 root/nasmgt.company.net@COMPANY.NET (ArcFour with HMAC/md5)
   2 root/nasmgt@COMPANY.NET (DES cbc mode with CRC-32)
   2 root/nasmgt@COMPANY.NET (DES cbc mode with RSA-MD5)
   2 root/nasmgt@COMPANY.NET (ArcFour with HMAC/md5)

Greetings .. Richard
Guillaume Rousse
2010-04-02 08:48:26 UTC
Post by Richard Smits
Post by Guillaume Rousse
Anyway, even with krb5 security, you can install a root/hostname
principal in a machine keytab, grant it root access permission on the
export (in addition to read/write perms), and you'll get a permanent
administration server.
This is interesting. My krb5 knowledge is not as good as I would like
it to be, but this is what I want. But I always thought that you always need a
ticket from your KDC (that expires at some time). In our case this is a
Windows 2003/2008 AD, not a Unix KDC. Is it still possible then?
In order to authenticate with the KDC, you may either use your password
(which is internally converted to a key), or use your key directly, if
it is stored in a keytab. I suppose using a Microsoft KDC should also
allow doing it, but I have no clue how to do this.
Post by Richard Smits
---
kinit username -l 300d (for 300 days valid)
But if I do a klist (date and time not valid in this example):
---
Valid starting     Expires            Service principal
04/02/10 01:15:01  04/02/10 11:15:03  krbtgt/COMPANY.NET@COMPANY.NET
	renew until 04/06/10 13:12:44
The maximum lifetime for my ticket is always one week.
How can an entry in a keytab file replace this mechanism?
This is just another way to ask for tickets.

BTW, you can also try renewable tickets, to automatically renew them
once expired.
--
BOFH excuse #357:

I'd love to help you -- it's just that the Boss won't let me near the
computer.

Richard Smits
2010-04-08 22:34:47 UTC
Post by Guillaume Rousse
Post by Richard Smits
Post by Guillaume Rousse
Anyway, even with krb5 security, you can install a root/hostname
principal in a machine keytab, grant it root access permission on the
export (in addition to read/write perms), and you'll get a permanent
administration server.
This is interesting. My krb5 knowledge is not as good as I would like
it to be, but this is what I want. But I always thought that you always need a
ticket from your KDC (that expires at some time). In our case this is a
Windows 2003/2008 AD, not a Unix KDC. Is it still possible then?
In order to authenticate with the KDC, you may either use your password
(which is internally converted to a key), or use your key directly, if
it is stored in a keytab. I suppose using a Microsoft KDC should also
allow doing it, but I have no clue how to do this.
Post by Richard Smits
---
kinit username -l 300d (for 300 days valid)
But if I do a klist (date and time not valid in this example):
---
Valid starting     Expires            Service principal
04/02/10 01:15:01  04/02/10 11:15:03  krbtgt/COMPANY.NET@COMPANY.NET
	renew until 04/06/10 13:12:44
The maximum lifetime for my ticket is always one week.
How can an entry in a keytab file replace this mechanism?
This is just another way to ask for tickets.
BTW, you can also try renewable tickets, to automatically renew them
once expired.
Fixed, the magic command I was looking for was:
kinit -k root/pcname.company.net@COMPANY.NET

This in a cronjob every hour and it is done.

Greetings ... Richard
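The thread converges on one pattern: a keytab entry for the maintenance host's principal replaces the weekly password-based kinit, and cron re-runs `kinit -k` against that keytab (Andy's suggestion, Guillaume's root/hostname principal, and Richard's final hourly cron job). Below is an added example of the cron-driven script a practitioner would put behind that job; it is not code from the thread or from any of the posters. It assumes the principal `root/nasmgt.company.net@COMPANY.NET` from Richard's keytab listing, the default keytab `/etc/krb5.keytab`, and a constructed `klist` sample in MIT's short date format. The `klist`/`kinit` invocations are real MIT Kerberos commands; the parsing helpers, the two-hour refresh threshold and the sample output are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Cron-driven TGT refresh for a keytab-based NFS maintenance host.

Added example, not from the mailing-list thread. It runs ``kinit -k`` from
cron as the replies suggest, but only when the cached TGT is missing or close
to expiry, and it exits non-zero so cron reports a failed renewal.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta

PRINCIPAL = "root/nasmgt.company.net@COMPANY.NET"  # assumption: host principal in the keytab
KEYTAB = "/etc/krb5.keytab"                         # assumption: default system keytab
RENEW_IF_LESS_THAN = timedelta(hours=2)             # assumption: refresh under 2h left (cron runs hourly)

# MIT klist prints "Valid starting  Expires  Service principal" followed by one
# line per ticket; the default short timestamp format is MM/DD/YY HH:MM:SS.
_TICKET_LINE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)"
)
_DATE_FMT = "%m/%d/%y %H:%M:%S"

# Constructed klist output for the example (same layout as the thread's listing).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/nasmgt.company.net@COMPANY.NET

Valid starting     Expires            Service principal
04/02/10 01:15:01  04/02/10 11:15:03  krbtgt/COMPANY.NET@COMPANY.NET
\trenew until 04/06/10 13:12:44
"""


def parse_time(text):
    """Parse a klist short-format timestamp into a datetime."""
    return datetime.strptime(text, _DATE_FMT)


def tgt_expiry(klist_output, realm):
    """Return the expiry of the krbtgt/REALM@REALM ticket, or None if absent."""
    wanted = f"krbtgt/{realm}@{realm}"
    for line in klist_output.splitlines():
        m = _TICKET_LINE.match(line.strip())
        if m and m.group(3) == wanted:
            return parse_time(m.group(2))
    return None


def needs_kinit(klist_output, realm, now, threshold=RENEW_IF_LESS_THAN):
    """True when there is no TGT or it expires within `threshold` of `now`."""
    expiry = tgt_expiry(klist_output, realm)
    return expiry is None or (expiry - now) < threshold


def run_kinit(principal=PRINCIPAL, keytab=KEYTAB):
    """Obtain a fresh TGT using the key stored in the keytab (no password prompt)."""
    return subprocess.run(["kinit", "-k", "-t", keytab, principal],
                          capture_output=True, text=True)


def main():
    realm = PRINCIPAL.split("@", 1)[1]
    klist = subprocess.run(["klist"], capture_output=True, text=True)
    # A failed klist (no cache at all) also falls through to kinit.
    if klist.returncode == 0 and not needs_kinit(klist.stdout, realm, datetime.now()):
        return 0
    result = run_kinit()
    if result.returncode != 0:
        # cron captures stderr, so a broken keytab or unreachable KDC gets noticed
        sys.stderr.write(f"kinit failed for {PRINCIPAL}: {result.stderr.strip()}\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as an hourly root cron entry (for example `0 * * * * /usr/local/sbin/renew-nfs-tgt.py`); because the keytab holds the long-term key, the script never needs a password, and the short TGT lifetime the KDC enforces stops mattering as long as the job keeps running. Keep the keytab readable by root only, since anyone who can read it can obtain tickets for that principal.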
