#4310 Set up NFS to work with Kerberos section contains an error
Closed: Invalid. Opened 10 years ago by dmossor.

In FreeIPA 4.0 Draft documentation, section 3.4.1 contains incorrect directions on importing the Kerberos key for use with NFS. Currently, the instructions read as:

  1. Get credentials from Kerberos.
    {{{[root@server ~]# kinit admin}}}
  2. On a FreeIPA server, add an NFS service principal for the NFS client.
    {{{[root@server ~]# ipa service-add nfs/ipaclient.example.com@EXAMPLE}}}
  3. On the FreeIPA server, obtain a keytab for the NFS service principal.
    {{{[root@server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab}}}
  4. Copy the keytab from the FreeIPA server to the NFS server. For example, if the FreeIPA and NFS servers are on different machines:
    {{{[root@server ~]# scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab}}}
  5. Copy the keytab from the FreeIPA server to the FreeIPA client. For example:
    {{{[root@server ~]# scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab}}}

These instructions are directing the users to overwrite the existing /etc/krb5.keytab. They should read:

  1. On a FreeIPA server, add an NFS service principal for the NFS client.
    {{{[root@ipaserver ~]# ipa service-add nfs/ipaclient.example.com@EXAMPLE}}}
  2. On the NFS server, acquire credentials from Kerberos:
    {{{[root@nfsserver ~]# kinit admin}}}
  3. On the NFS server, obtain a keytab for the NFS service principal.
    {{{[root@nfsserver ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /etc/krb5.keytab}}}

....and this is where I get stuck. I can't progress beyond this point.


These instructions have several issues.

  1. They suggest to create keys in /tmp
    Fix: always create keys in /root

  2. They suggest to create the nfs server keytab on a host that is not the server.
    Fix: suggest strongly to run ipa-getkeytab directly on the target host so keys do not risk being exposed 'in transit'; ipa-getkeytab knows how to merge new keys into krb5.keytab w/o touching pre-existing keys.
    Fix 2. If creating the nfs keys on the target NFS server is not possible, the instructions MUST be changed to advise copying to /root of the server and include instructions on how to use ktutil to merge these keys into /etc/krb5.keytab.

  3. [SECURITY ISSUE] they suggest in point (5) to copy the SERVER's keys on the clients
    Congratulations, now your server's keys are useless and you gave clients the ability to lie to the server as well as to MITM it.
    Fix: remove 5 with extreme prejudice.
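As an added example (not part of the ticket, nor FreeIPA's own documentation), the following POSIX shell script puts the two safe procedures from the comment above into one place: fetching the nfs/ key directly on the NFS server into /etc/krb5.keytab, or, when that is impossible, merging a keytab that was copied into /root with ktutil so the host keys already in /etc/krb5.keytab are kept. The host names and principal are the ones used in the ticket; /root/nfs.keytab as the staging path and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ticket or of FreeIPA's docs. Shows how to get
# an nfs/ service key into an NFS server's /etc/krb5.keytab without overwriting
# the host keys already stored there. /root/nfs.keytab is an assumed staging path.

# Preferred: run ipa-getkeytab on the NFS server itself and write straight into
# the system keytab. ipa-getkeytab adds the new principal's keys to an existing
# keytab instead of replacing the file, so the host/ keys survive and the key
# material never travels over the network in a file.
fetch_nfs_key_locally() {
    ipaserver="$1"      # e.g. ipaserver.example.com
    principal="$2"      # e.g. nfs/ipaclient.example.com@EXAMPLE
    keytab="${3:-/etc/krb5.keytab}"
    ipa-getkeytab -s "$ipaserver" -p "$principal" -k "$keytab"
}

# Fallback: the keytab was produced elsewhere and copied (scp) to /root on the
# NFS server, never to /tmp. Build the MIT ktutil command script that appends
# its entries to the system keytab. ktutil's wkt appends to an existing keytab
# file, so only the new keytab is read; reading the existing one first would
# duplicate its entries.
ktutil_merge_script() {
    existing="$1"
    new="$2"
    printf 'rkt %s\nwkt %s\nquit\n' "$new" "$existing"
}

merge_keytab() {
    existing="${1:-/etc/krb5.keytab}"
    new="$2"
    ktutil_merge_script "$existing" "$new" | ktutil || return 1
    # The staging copy holds live key material; remove it once merged.
    shred -u "$new" 2>/dev/null || rm -f "$new"
}

# Check that a keytab is private to its owner (root for the system keytab):
# mode 600 and owned by the expected user. Anyone who can read the file, on the
# server or on a client it was copied to, can impersonate the NFS server.
keytab_private() {
    f="$1"
    want_owner="${2:-root}"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    [ "$owner" = "$want_owner" ] && [ "$mode" = "600" ]
}

# List what the keytab now contains (principals and kvnos, no key bytes).
list_keytab() {
    klist -kt "${1:-/etc/krb5.keytab}"
}

# Usage on the NFS server (needs an IPA-enrolled host and admin credentials):
#   kinit admin
#   fetch_nfs_key_locally ipaserver.example.com nfs/ipaclient.example.com@EXAMPLE
#   keytab_private /etc/krb5.keytab && list_keytab
# or, when the key had to be generated elsewhere and copied to /root/nfs.keytab:
#   merge_keytab /etc/krb5.keytab /root/nfs.keytab
if [ "$#" -ge 2 ]; then
    fetch_nfs_key_locally "$1" "$2" "${3:-/etc/krb5.keytab}" && list_keytab "${3:-/etc/krb5.keytab}"
fi
```

The script never copies anything to a client: the client only needs its own host/ key, which ipa-client-install already placed in its /etc/krb5.keytab, so step 5 of the original instructions has no counterpart here.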

FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.

I see no patch was submitted, moving out of 4.0.1 release to 3.0 docs milestone.

I will clone this ticket at least to downstream Bugzilla right away so that at least these official docs are correct.

FreeIPA project no longer actively maintains an upstream guide (see details). This ticket is already cloned to RHEL downstream guide so the issue should be fixed at least there.

Metadata Update from @dmossor (7 years ago):
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 3.x Documentation
