Notes on NFSv4 experiments

Posted May 17 2011, 16:55 by William Shallum [updated May 17 2011, 17:26]

Today was a public holiday so spent the time with xen-tools in Debian Squeeze, setting up 4 VMs on an Atom PC. Not bad. They idle well at least.

Notes:

In /etc/exports there must be at least one export with fsid=0. This is the root of the exports hierarchy. See: http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html#pseudofs

On the NFS server, the nfs/<hostname> key in the keytab needs to be of type des-cbc-crc. There should be no other key types in the keytab for nfs/<hostname>. See: http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html

To check:

• do clients need the nfs/<hostname> key? NO the client can use host/<hostname> instead. Doesn’t seem to be any restrictions on alternative key types although I haven’t checked what would happen if the des-cbc-crc key was deleted from the client’s keytab.
• is the option allow_weak_crypto=true in /etc/krb5.conf really necessary? YES, both on the client and server. des-cbc-crc is weak crypto.
• are there any alternatives to setting allow_weak_crypto to true?

See also:

• http://wiki.linux-nfs.org/wiki/index.php/Enduser_doc_kerberos
• http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfscmdtut_v3.php (the tutorial is good)

• Prev: Apache as proxy (or: how to download podcasts with wget and get it into iTunes)
• Next: Notes on Kerberos experiments