Mac OS X Server version 10.5: Setting up KDC to support Kerberized NFS for non-Mac OS X clients

This article has been archived and is no longer updated by Apple.

In Mac OS X Server version 10.5, Apple's Kerberized NFS implementation strictly follows RFC 1964 and as a result only supports single DES encryption. However, Open Directory or other Kerberos environments will often set up multiple keys with differing encryption types. Mac OS X 10.5 clients will only request key types that they support, so the additional key offerings will not cause an issue for Mac OS X clients. However, a non-Mac client of a Mac OS X NFS server could request a session key that the server can not handle. If you are an administrator of such an environment, it will be necessary for you to remove the offending keys from the directory or KDC. This can be done with the kadmin command.

Use the following commands to generate only single DES keys for the server and update the keytab by removing the current keys for the nfs server from the KDC and the keytab then creating a new single DES key and adding it to the keytab.

Example

In the following example, TEST.EXAMPLE.COM is the name of the Kerberos realm, "macos-x-nfs.example.com" is the name of the server, and "adminuser" is the name of a user with administrative access to the KDC. Substitute the correct realm, host and user names for your server in each command.

  1. Authenticate to the KDC. Enter the password for "adminuser" at the prompt.

$ sudo kadmin -r TEST.EXAMPLE.COM -p adminuser/admin@TEST.EXAMPLE.COM
Password:

Authenticating as principal adminuser/admin@TEST.EXAMPLE.COM with password.
Password for adminuser/admin@TEST.EXAMPLE.COM:
(adminuser/admin's Kerberos password)

  1. Verify that the NFS service principal has undesirable keys via get_principal:

kadmin: get_principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM

Principal: nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Oct 09 14:56:57 PDT 2007
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Oct 09 14:56:57 PDT 2007 (adminuser/admin@TEST.EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0 Number of keys: 3
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]


  1. Note that Triple DES and ArcFour are listed in addition to a single DES key. To correct this, remove the the principal with the delete_principal command:

kadmin: delete_principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM

Are you sure you want to delete the principal "nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM"? (yes/no): yes

Principal "nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.


  1. Add the principal back (using randkey since this is a service principal) with the -e option to specify only the single DES key des-cbc-crc:normal.

kadmin: add_principal -randkey -e des-cbc-crc:normal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM

WARNING: no policy specified for nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM; defaulting to no policy
Principal "nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM" created.


  1. Verify that only the single DES key has been added by issuing the get_principal command again.

kadmin: get_principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM

Principal: nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Oct 09 15:00:38 PDT 2007
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Oct 09 15:00:38 PDT 2007 (adminuser/admin@TEST.EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]


  1. Remove the old set of keys from the keytab.

kadmin: ktremove nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM

Entry for principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5.keytab.


  1. Add the new key to the keytab.

kadmin: ktadd -e des-cbc-crc:normal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM

Entry for principal nfs/macos-x-nfs.example.com@TEST.EXAMPLE.COM with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.


  1. Quit:

kadmin: quit

Additional information

For more information about Kerberized NFS in Mac OS X Server version 10.5, see this article.

Published Date: Feb 20, 2012