Mounting home (U:) drive on Linux via NFS/Kerberos

About NFS

Quote from the NFS wiki entry:

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.

On the C&CZ managed fileservers, Kerberos authentication is used for security.

All Science users have a home drive; see the home directories section for more information.

Prerequisites

You need to have your krb5.keytab file generated by the C&CZ postmaster. If you do not have one, please contact the C&CZ postmaster and one will be generated.

Setting-up

For Kerberos to work, you must be within the science.ru.nl realm:

  • that is, connected directly to the science.ru.nl network, or tunneled in through the VPN.

Rename the file provided by C&CZ to krb5.keytab and move it to the /etc/ folder, then change its mode to rw------- and its ownership to root:root. Afterwards, the file should look like this:

[chuck@uberpc ~]$ ls -l /etc/krb5.keytab
-rw------- 1 root root 1337 Jan 1 00:01 /etc/krb5.keytab

Next you need to configure Kerberos properly in your krb5.conf. At the end, the file should look like this in the case of portable PCs (notebooks):

[chuck@uberpc ~]$ cat /etc/krb5.conf
# RU krb5config

[libdefaults]
default_realm = SCIENCE.RU.NL
forwardable = yes
forward = yes
encrypt = yes
srv_lookup = no
srv_try_txt = no
no-addresses = yes
rdns = no

[realms]
SCIENCE.RU.NL = {
admin_server = kerberos.science.ru.nl:749
}

[domain_realm]
.science.ru.nl = SCIENCE.RU.NL
science.ru.nl = SCIENCE.RU.NL

On desktop PCs within the university, the rdns = no parameter should be omitted. After setting up Kerberos, try the command "kinit $USERNAME", substituting your Science login name for $USERNAME. For simplicity, Science user Chuck Norris (username cnorris) is used as the example. Run kinit with your Science password and check that the ticket has been issued by using the klist command:

[chuck@uberpc ~]$ kinit cnorris
Password for cnorris@SCIENCE.RU.NL:
[chuck@uberpc ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: cnorris@SCIENCE.RU.NL

Valid starting Expires Service principal
01/01/2018 06:06:06 01/02/2018 06:06:06 krbtgt/SCIENCE.RU.NL@SCIENCE.RU.NL

To proceed with the mount, we need to determine which directory on the server to mount. A quick way to find out is to run this command:

[chuck@uberpc ~]$ ssh cnorris@lilo.science.ru.nl "mount | grep nfs | grep cnorris"

The output should be similar to this:

cnorris@lilo.science.ru.nl's password:
home2.science.ru.nl:/VGsda66/cnorris on /home/cnorris type nfs (rw,nosuid,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=131.174.30.206,mountvers=3,mountport=656,mountproto=udp,local_lock=none,addr=131.174.30.206)

From the output of the above command we can clearly see that Chuck Norris’ homedrive is located in /VGsda66, thus we will attempt to mount the home2.science.ru.nl:/VGsda66/cnorris directory.

Now that you know the proper mount path and Kerberos has been set up, you need working NFS software on your Unix PC. On Arch Linux this is the nfs-utils package; on other distributions NFS will most probably come preinstalled. Make sure that nfs-client.target and/or rpc-gssd.service is up and running, as it is vital for the Kerberos authentication procedure, as described on the ArchLinux wiki.

If rpc-gssd.service is NOT running, the output will look similar to this:

[root@uberpc cnorris]# mount -t nfs home2.science.ru.nl:/VGsda66/cnorris /mnt/ -vv
mount.nfs: timeout set for Fri Jan 1 06:23:39 2018
mount.nfs: trying text-based options 'vers=4.2,addr=131.174.30.206,clientaddr=131.174.224.137'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'addr=131.174.30.206'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 131.174.30.206 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 131.174.30.206 prog 100005 vers 3 prot UDP port 656
mount.nfs: mount(2): Invalid argument
mount.nfs: an incorrect mount option was specified

When rpc-gssd.service is up and running (as it should be), the correct output will look similar to this:

[root@uberpc cnorris]# mount -t nfs home2.science.ru.nl:/VGsda66/cnorris /mnt/ -vv
mount.nfs: timeout set for Fri Jan 1 06:24:09 2018
mount.nfs: trying text-based options 'vers=4.2,addr=131.174.30.206,clientaddr=131.174.224.137'
[root@uberpc cnorris]#

If you have an active Kerberos ticket, you should now be able to list the contents of the /mnt/ directory:

[chuck@uberpc ~]$ ls /mnt/
'$RECYCLE.BIN'/ desktop.ini /MK_ultra_results /answer_to_42.txt /cancer_cure

When finished, please unmount /mnt/ with umount and destroy the ticket with the kdestroy command.
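
The checks this procedure depends on (keytab mode and ownership, a valid ticket, a running rpc-gssd.service, and the export path read from the mount output) can be collected into one pre-flight script. This is an added example, not C&CZ's own tooling; the function names are hypothetical, and it assumes GNU stat, MIT klist and systemd.

```shell
#!/bin/sh
# Pre-flight checks for the Kerberos/NFS home mount. Added example; the
# function names are hypothetical and not part of any C&CZ tooling.

# keytab_ok FILE [UID:GID] -> 0 only if FILE is mode 600 and owned as expected.
keytab_ok() {
    kt=$1 want=${2:-0:0}                      # 0:0 is root:root
    [ -f "$kt" ] || { echo "missing: $kt" >&2; return 1; }
    mode=$(stat -c '%a' "$kt")                # GNU stat: octal permission bits
    owner=$(stat -c '%u:%g' "$kt")            # numeric owner and group
    [ "$mode" = 600 ] || { echo "$kt: mode $mode, want 600" >&2; return 1; }
    [ "$owner" = "$want" ] || { echo "$kt: owner $owner, want $want" >&2; return 1; }
}

# export_for_user USER: reads `mount` output on stdin and prints the NFS
# source (server:/path) whose export path ends in /USER; status 1 if none.
export_for_user() {
    awk -v u="$1" '$2 == "on" && $4 == "type" && $5 ~ /^nfs4?$/ {
        n = split($1, p, "/")
        if (p[n] == u) { print $1; found = 1; exit }
    }
    END { exit !found }'
}

# mount_sec MOUNTPOINT: reads `mount` output on stdin and prints the sec=
# flavour recorded for the NFS mount at MOUNTPOINT; status 1 if none.
mount_sec() {
    awk -v m="$1" '$3 == m && $5 ~ /^nfs4?$/ {
        n = split($6, o, /[(),]/)
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^sec=/) { print substr(o[i], 5); found = 1 }
    }
    END { exit !found }'
}

# preflight USER: run every check against the live system before mounting.
preflight() {
    keytab_ok /etc/krb5.keytab || return 1
    klist -s || { echo "no valid ticket: run kinit $1" >&2; return 1; }
    systemctl is-active --quiet rpc-gssd.service ||
        { echo "rpc-gssd.service is not running" >&2; return 1; }
    echo "ready to mount as $1"
}

# Run as: sh preflight.sh cnorris   (does nothing when given no argument)
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

On the login server, `mount | export_for_user cnorris` gives the path to pass to mount; after mounting locally, `mount | mount_sec /mnt` shows which security flavour was recorded for the mount.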

Further reading

If you are interested in the topic, you can continue with:

https://en.wikipedia.org/wiki/Network_File_System

https://en.wikipedia.org/wiki/Kerberos_(protocol)

https://en.wikipedia.org/wiki/Project_Athena

https://wiki.archlinux.org/index.php/Nfs

https://wiki.archlinux.org/index.php/Kerberos