I have an NFS server with Kerberos authentication (Debian 11). If I want to mount a share on a client for the first time after a restart, this takes 10-12 seconds. If I then mount another share from the same server, it works almost immediately.
NFS exports:
/data/bilder 192.168.1.0/24(sec=krb5p,rw,sync,wdelay,no_subtree_check,root_squash,no_all_squash)
/data/video 192.168.1.0/24(sec=krb5p,rw,sync,wdelay,no_subtree_check,root_squash,no_all_squash)
/data/musik 192.168.1.0/24(sec=krb5p,rw,sync,wdelay,no_subtree_check,root_squash,no_all_squash)
/etc/default/nfs-common:
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
/etc/default/nfs-kernel-server:
# Number of servers to start up
RPCNFSDCOUNT=8
# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids"
# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"
# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=""
krb5.conf (client and server):
[libdefaults]
default_realm = TS13.LAN
allow_weak_crypto = false
rdns = false
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_timesync = 1
ticket_lifetime = 24h
renew_lifetime = 7d
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
TS13.LAN = {
kdc = dc.ts13.lan
admin_server = dc.ts13.lan
}
[domain_realm]
.ts13.lan = TS13.LAN
ts13.lan = TS13.LAN
kdc.conf:
[kdcdefaults]
kdc_ports = 88
restrict_anonymous_to_tgt = true
spake_preauth_kdc_challenge = edwards25519
[realms]
TS13.LAN = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
default_principal_flags = +preauth
spake_preauth_indicator = hardened
encrypted_challenge_indicator = hardened
}
