[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Buster/HowTo/Administration" by WolfgangSchweer

Debian Wiki wiki at debian.org
Fri Feb 8 15:48:34 GMT 2019


The "DebianEdu/Documentation/Buster/HowTo/Administration" page has been changed by WolfgangSchweer:
https://wiki.debian.org/DebianEdu/Documentation/Buster/HowTo/Administration?action=diff&rev1=3&rev2=4

Comment:
document Kerberized NFS

  
  /!\ Warning: {{{ldapvi}}} is a very powerful tool. Be careful and don't mess up the LDAP database, same warning applies for JXplorer.
  
+ == Kerberized NFS ==
+ 
+ Using Kerberos for NFS to mount home directories is a security feature.
+ The levels ''krb5'', ''krb5i'' and ''krb5p'' are supported (''krb5'' means Kerberos authentication, ''i'' stands for integrity check and ''p'' for privacy, i.e. encryption); the load on both server and workstation increases with the security level, ''krb5i'' might be a good choice.
+ 
+ For new systems added with GOsa², Kerberos host keytab files are generated automatically.<<BR>>
+ To create one for a system already configured with GOsa², login on the main server as root and run
+ {{{
+ /usr/share/debian-edu-config/tools/gosa-modify-host <hostname> <IP>
+ }}}
+ '''Please note:''' host keytab creation is possible for systems of type ''workstations'', ''servers'' and ''terminals'' but not for those of type ''netdevices''. Also, LTSP clients are using ''sshfs'' to mount home directories, so there's nothing to do for diskless workstations.
+ 
+ === How to enable it ===
+ 
+ '''Main server'''
+  * login as root
+  * run {{{ldapvi -ZD '(cn=admin)'}}}, search for ''sec=sys'' and replace it with ''sec=krb5i''
+  * edit {{{/etc/exports}}}: uncomment/adjust/comment existing entries for /srv/*; make sure they look like this:  
+ {{{
+ /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
+ /srv/nfs4/home0  gss/krb5i(rw,sync,no_subtree_check)
+ }}}
+  * run {{{exportfs -r}}}
+  * run {{{exportfs}}} to control if ''gss/krb5i'' is active for both entries.
+ 
+ '''Workstation'''
+  * login as root.
+  * run {{{/usr/share/debian-edu-config/tools/copy-host-keytab}}}
+ 
  == JXplorer, an LDAP GUI ==
  
  If you prefer a GUI to work with the LDAP database, check out the {{{jxplorer}}} package, which is installed by default. To get write access connect like this:
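
Review bot: The "How to enable it" steps leave the main server exporting /srv/nfs4 and /srv/nfs4/home0 with gss/krb5i only, and the ldapvi step replaces sec=sys outright, but the Workstation part does not say that this has to be done on every existing workstation. As written, a client that has no host keytab yet, or that has not run copy-host-keytab, will be refused when it tries to mount home directories after "exportfs -r". I suggest stating the order explicitly: create missing keytabs with gosa-modify-host first, then switch the server, then run copy-host-keytab on each workstation, and mention that workstations not yet converted lose access to home directories in between. Two smaller points in the same hunk: the intro lists krb5, krb5i and krb5p, but the steps hardcode krb5i in both the LDAP value and /etc/exports, so add a sentence that the level chosen must be the same in both places; and since the intro recommends krb5i, it is worth saying there that krb5i gives integrity checking without encryption, so sites that need confidentiality of home directory traffic should pick krb5p. In the last server step, "to control if" should read "to check whether".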


