This blog posting is a part of a series of blog postings:
- Part 1 - OpenLDAP setup
- Part 2 - SSL/TLS
- Part 3 - Schemas for samba, autofs and kerberos
- Part 4 - Kerberos setup
- Part 5 - DNS settings for kerberos using dnsmasq
- Part 6 - NFSv4 with kerberos
- Part 7 - Autofs
- https://help.ubuntu.com/community/NFSv4Howto
- MIT Kerberos manual: Hostnames for KDCs
- Doug Potter: Kerberos/LDAP/NFSv4 HOWTO
- /home/school1
- /home/school2
- /home/school3
- server.edu.example.org - 10.0.0.1
- ldap.edu.example.org - 10.0.0.1
- kerberos.edu.example.org - 10.0.0.1
- client1.edu.example.org - 10.0.0.10
- client2.edu.example.org - 10.0.0.11
DNS settings
Before we start with the NFS setup, we need to make sure that name resolution for the server and the clients works with fully qualified domain names (FQDN). Reverse mappings also need to work for NFSv4+krb5 to function properly. There are many DNS servers that can be used; here we use dnsmasq:

    sudo apt-get install dnsmasq

/etc/dnsmasq.conf:

    domain-needed
    domain=edu.example.org
    ptr-record=1.0.0.10.in-addr.arpa.,"server.edu.example.org"
    address=/server.edu.example.org/10.0.0.1
    ptr-record=10.0.0.10.in-addr.arpa.,"client1.edu.example.org"
    address=/client1.edu.example.org/10.0.0.10
    ptr-record=11.0.0.10.in-addr.arpa.,"client2.edu.example.org"
    address=/client2.edu.example.org/10.0.0.11

After restarting dnsmasq and configuring it as the resolver in /etc/resolv.conf, it should resolve names properly both ways:

    $ nslookup server.edu.example.org
    Server:   127.0.0.1
    Address:  127.0.0.1#53

    Name:     server.edu.example.org
    Address:  10.0.0.1

    $ nslookup 10.0.0.1
    Server:   127.0.0.1
    Address:  127.0.0.1#53

    1.0.0.10.in-addr.arpa   name = server.edu.example.org.

Make sure that the client machine names also resolve correctly. In addition to having the DNS server configured properly, if /etc/hosts contains entries for these names, make sure that the FQDN comes before the short name, e.g.:

    10.0.0.1   server.edu.example.org  server
    10.0.0.10  client1.edu.example.org client1
    10.0.0.11  client2.edu.example.org client2

This makes sure that host name mappings are not made from /etc/hosts using the short name of the server. While we are at it, let's also add the SRV records for kerberos so that we don't need to configure kerberos realms for every client separately:

/etc/dnsmasq.conf:
    address=/kerberos.edu.example.org/10.0.0.1
    address=/ldap.edu.example.org/10.0.0.1
    txt-record=_kerberos.edu.example.org,"EDU.EXAMPLE.ORG"
    srv-host=_kerberos._udp.edu.example.org,"kerberos.edu.example.org",88
    srv-host=_kerberos._tcp.edu.example.org,"kerberos.edu.example.org",88
    srv-host=_kerberos-master._udp.edu.example.org,"kerberos.edu.example.org",88
    srv-host=_kerberos-adm._tcp.edu.example.org,"kerberos.edu.example.org",749
    srv-host=_kpasswd._udp.edu.example.org,"kerberos.edu.example.org",464

Clients can now find the kerberos server automatically when the realm is given (e.g. kinit testuser@EDU.EXAMPLE.ORG). To set the default realm, /etc/krb5.conf can be used:

    [libdefaults]
        default_realm = EDU.EXAMPLE.ORG
        dns_lookup_kdc = true
        dns_lookup_realm = true

Now the name server should be ready for the actual setup. The actual NFSv4+kerberos setup is described in the next part.
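Because NFSv4+krb5 canonicalises host principals through forward and reverse lookups, and because dns_lookup_kdc and dns_lookup_realm make clients trust whatever these records say, a typo in a ptr-record or an srv-host target tends to surface later as an opaque authentication failure rather than as a DNS error. The following is an added example (not code from the original post) that parses the address=, ptr-record and srv-host lines above and checks them against each other: every address needs a PTR that maps back to one of its own names, every PTR needs a matching forward record, and every SRV target must be resolvable from the same file on the registered Kerberos port. SAMPLE_CONF is the post's configuration retyped as constructed test data, BROKEN_CONF is a constructed variant with un-reversed PTR octets, and EXPECTED_PORTS holds the IANA-registered ports for the services the post publishes.

```python
"""Consistency checker for a dnsmasq.conf fragment of the kind built in this
post (added example, not part of the original).  Checks that forward,
reverse and Kerberos SRV data agree with each other."""
import ipaddress

# Constructed sample: the post's /etc/dnsmasq.conf lines retyped as test data.
SAMPLE_CONF = """
domain-needed
domain=edu.example.org
ptr-record=1.0.0.10.in-addr.arpa.,"server.edu.example.org"
address=/server.edu.example.org/10.0.0.1
ptr-record=10.0.0.10.in-addr.arpa.,"client1.edu.example.org"
address=/client1.edu.example.org/10.0.0.10
ptr-record=11.0.0.10.in-addr.arpa.,"client2.edu.example.org"
address=/client2.edu.example.org/10.0.0.11
address=/kerberos.edu.example.org/10.0.0.1
address=/ldap.edu.example.org/10.0.0.1
txt-record=_kerberos.edu.example.org,"EDU.EXAMPLE.ORG"
srv-host=_kerberos._udp.edu.example.org,"kerberos.edu.example.org",88
srv-host=_kerberos._tcp.edu.example.org,"kerberos.edu.example.org",88
srv-host=_kerberos-master._udp.edu.example.org,"kerberos.edu.example.org",88
srv-host=_kerberos-adm._tcp.edu.example.org,"kerberos.edu.example.org",749
srv-host=_kpasswd._udp.edu.example.org,"kerberos.edu.example.org",464
"""

# IANA-registered ports for the Kerberos services published above.
EXPECTED_PORTS = {"_kerberos": 88, "_kerberos-master": 88,
                  "_kerberos-adm": 749, "_kpasswd": 464}


def _clean(s):
    """Strip whitespace, surrounding quotes and a trailing dot; lower-case."""
    return s.strip().strip('"').rstrip(".").lower()


def parse_dnsmasq(text):
    """Return (forward, reverse, srv): forward maps name -> set of IPs,
    reverse maps an in-addr.arpa name -> target name, srv is a list of
    (service, target, port).  Other options (domain=, txt-record=) are ignored."""
    forward, reverse, srv = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "address":
            # address=/name1/name2/ip : every name maps to the final field
            parts = [p for p in value.split("/") if p]
            for name in parts[:-1]:
                forward.setdefault(_clean(name), set()).add(parts[-1].strip())
        elif key == "ptr-record":
            rname, target = value.split(",", 1)
            reverse[_clean(rname)] = _clean(target)
        elif key == "srv-host":
            fields = value.split(",")
            target = _clean(fields[1]) if len(fields) > 1 else ""
            port = int(fields[2]) if len(fields) > 2 else 0
            srv.append((_clean(fields[0]), target, port))
    return forward, reverse, srv


def check_config(text):
    """Return a list of problem strings; an empty list means consistent."""
    forward, reverse, srv = parse_dnsmasq(text)
    problems = []
    names_of = {}  # ip -> set of names that resolve to it (aliases allowed)
    for name, ips in forward.items():
        for ip in ips:
            names_of.setdefault(ip, set()).add(name)

    # 1. forward -> reverse: each IP needs a PTR naming one of its own names.
    for ip, names in sorted(names_of.items()):
        rev = ipaddress.ip_address(ip).reverse_pointer
        if rev not in reverse:
            problems.append(f"no ptr-record for {ip} ({', '.join(sorted(names))})")
        elif reverse[rev] not in names:
            problems.append(f"PTR for {ip} names {reverse[rev]}, which does not resolve to {ip}")

    # 2. reverse -> forward: the PTR name must be the reverse of an address its target has.
    for rev, target in sorted(reverse.items()):
        expected = {ipaddress.ip_address(ip).reverse_pointer for ip in forward.get(target, ())}
        if rev not in expected:
            problems.append(f"ptr-record {rev} -> {target} has no matching address= record")

    # 3. SRV targets must be names defined here, on the registered port.
    for service, target, port in srv:
        label = service.split(".")[0]
        if target not in forward:
            problems.append(f"srv-host {service} targets {target}, which has no address= record")
        if label in EXPECTED_PORTS and port != EXPECTED_PORTS[label]:
            problems.append(f"srv-host {service} uses port {port}, expected {EXPECTED_PORTS[label]}")
    return problems


# Constructed failure case: the PTR owner name was written with the octets
# in forward order (10.0.0.1) instead of reversed (1.0.0.10).
BROKEN_CONF = SAMPLE_CONF.replace(
    'ptr-record=1.0.0.10.in-addr.arpa.,"server.edu.example.org"',
    'ptr-record=10.0.0.1.in-addr.arpa.,"server.edu.example.org"')

if __name__ == "__main__":
    for label, conf in (("post's config", SAMPLE_CONF), ("broken PTR", BROKEN_CONF)):
        print(f"{label}: {check_config(conf) or 'consistent'}")
```

Run it against a real /etc/dnsmasq.conf by passing the file contents to check_config(); the post's own configuration comes back clean, while the un-reversed PTR in BROKEN_CONF is reported twice, once from each direction, which is exactly the asymmetry that breaks the nslookup round trip shown above.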