This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.
This section will help you configure NFS; using Kerberos to secure it.
The first step is to install the following NFS packages:
sudo apt-get install nfs-kernel-server nfs-common
NFSv4 uses a pseudo filesystem by mounting the real directories you want to export under an export folder using the -bind mount option. We need to create this folder system as follows:
sudo mkdir /export sudo mkdir /export/home
In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:
/home /export/home none bind 0 0
This will take care of mounting the directories next time he server reboots, but for now we can manually mount it using:
sudo mount /export/home
Next we’re going to tell NFS what it should export by configuring the /etc/exports file like so:
/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5) /export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
Now we have to tell NFS to use Kerberos first by setting the following options in /etc/default/nfs-common:
NEED_STATD= STATDOPTS= NEED_IDMAPD=yes NEED_GSSD=yes
Then by setting the following options in /etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8 RPCNFSDPRIORITY=0 RPCMOUNTDOPTS=--manage-gids NEED_SVCGSSD=yes RPCSVCGSSDOPTS=
/etc/idmapd.conf needs to configured with the correct domain name for user/group name mappings:
[General] Verbosity = 0 Pipefs-Directory = /var/lib/nfs/rpc_pipefs Domain = danbishop.org [Mapping] Nobody-User = nobody Nobody-Group = nogroup
Next we need to create Kerberos principals for the NFS server.
sudo kadmin.local -q "addprinc -randkey nfs/neo.danbishop.org" sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"
sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.
Finally, a small change is needed to enable weak encryption (the only type currently supported by NFS in Ubuntu) in Kerberos. This is done by editing /etc/krb5.conf and adding the following to the [libdefaults] section:
allow_weak_crypto = true