Linux for Leftists


A Community for all leftists wanting to join and being part of a community that talks about Linux, Unix and the Free Software Community

founded 4 years ago
1
 
 

I figured I'd share my personal Notes on this particular Topic since Documentation on this is hard to find and most of it is outdated or scattered or leaves out certain details.

Maybe someone out there can find some of this useful.

How to set up Kerberos with NFSv4 on Linux in 2025:

  • This Guide assumes that:
    • You are familiar with Kerberos, NFS, DNS, Linux and UNIX-like Operating Systems in General.
    • All of the Machines involved can talk to each other.
    • All of the Machines involved have their System Date and Time synchronized.
    • All of the Machines involved have relatively up-to-date Software.
    • You have a running Server with:
      • A working default NFS Installation with Shares that can be mounted by Clients.
      • A working Kerberos V Installation where Clients can successfully authenticate and receive Tickets.
    • You are using the MIT implementation of Kerberos V. Heimdal and others may work, but haven't been tested.

1: Server-Side

1.1: Principals

kadmin into your Kerberos Server and add a Service Principal for NFS and a Machine Principal for each one of your Clients:

addprinc -nokey nfs/<Server's Hostname>
addprinc -nokey root/<Client-1 Hostname>
addprinc -nokey root/<Client-2 Hostname>
addprinc -nokey root/<Client-3 Hostname>
... etc ...

IMPORTANT: If you're using your own DNS Server and have multiple reverse (PTR) Records configured to resolve to your NFS Server's IP Address, then you MUST also add a Service Principal for each one of those Records.
For Example, if you have the Records my-nfs-server.lan and awesome-nfs-server.lan pointing at the same IP Address you do:

addprinc -nokey nfs/my-nfs-server.lan
addprinc -nokey nfs/awesome-nfs-server.lan

The reason for this is because Kerberos may try any Domain Name that is associated with your NFS Server's IP Address.

Next, make sure to add all the newly created Service Principal(s) to the Server's keytab:

ktadd nfs/<Server's Hostname>
ktadd nfs/my-nfs-server.lan
... etc ...

Then add each of the Machine Principals to their own keytab:

ktadd -k client-1.keytab root/<Client-1 Hostname>
ktadd -k client-2.keytab root/<Client-2 Hostname>
ktadd -k client-3.keytab root/<Client-3 Hostname>
... etc ...

Now quit out of the Admin Program and copy the newly created Kerberos keytab Files to all of your Clients!

1.2: rpc.svcgssd is dead

If your NFS Server Installation is mostly unmodified then there is a good chance that it's configured to use rpc.svcgssd for GSS authentication. But the reality of the Situation is that this Daemon is dead and in fact was removed a long time ago.

gssproxy is its replacement, however it's a separate Component that needs to be installed manually.
It should be available in your Operating System's Package Manager. If not, make sure to look through the AUR and pkgsrc.
If for some reason none of them have it, then grab the source code and compile it manually:

$ git clone https://github.com/gssapi/gssproxy
$ cd gssproxy
$ vim BUILD.txt

gssproxy should also come with a couple of config files in /etc/gssproxy.
Specifically the Files 24-nfs-server.conf and 99-network-fs-clients.conf need to be present.
If for some reason you don't have them on your System, grab them from the gssproxy Git Repository. They are in the examples directory.

If everything looks OK start gssproxy (either via a Service File or manually).
Make sure that it stays running and doesn't print any errors. It should be treated as a part of NFS and needs to start with NFS Server Daemons.

1.3: exports

Any NFS Share that you want to use with Kerberos needs to have the sec mount option set.
For Example, if you have an /etc/exports File with an Entry like this:

/export/movies                          *(rw,async,no_subtree_check,no_root_squash)

Then you need to change it to look like this to "Kerberize" it:

/export/movies                          *(rw,async,no_subtree_check,no_root_squash,sec=krb5)

NOTE: NFS offers multiple ways to use Kerberos:

  • sec=krb5 is the most basic Option and uses Kerberos for Authentication only.
  • sec=krb5i uses Kerberos for Authentication and verifies Data Integrity.
  • sec=krb5p uses Kerberos for Authentication, verifies Data Integrity and encrypts traffic.

If you want to use your NFS Shares in a Network with many different Users then krb5p is highly recommended.

Don't forget to run # exportfs -arv to reload your exports!

1.4: NFS idmapd.conf

Under [General] change Domain to your Kerberos Realm and make sure that [Translation] is using the nsswitch method.
Save the changes and restart the rpc.idmapd Daemon. Verify that your Domain is set correctly by running:

# nfsidmap -d

That should print your Kerberos Realm's Domain Name.

2: Client-Side

Make sure rpc.statd is always running.
IMPORTANT: Start rpc.gssd with the GSS_USE_PROXY Environment Variable set to 1 and make sure it is also always running!
Example:

# env GSS_USE_PROXY=1 rpc.gssd -f

If you have a Service File for rpc.gssd on your System, make sure it sets that Environment Variable! Edit the Service File if you must!
If for some reason rpc.gssd crashes and complains about some rpc_pipefs being empty then you need to mount that pseudo-Filesystem manually:

# mount sunrpc /var/lib/nfs/rpc_pipefs -t rpc_pipefs -o nodev

If rpc_pipefs doesn't exist then you need to load the sunrpc Kernel Module first:

# modprobe sunrpc

At this point you should be able to mount your NFS Shares on the Client:

# mount my-nfs-server.lan:/export/movies /mnt

You may need to be a bit more specific though:

# mount -t nfs -o sec=krb5p,vers=4.2 my-nfs-server.lan:/export/movies /mnt

If no errors occurred, confirm that the Shares are mounted correctly:

$ mount
...
my-nfs-server.lan:/export/movies on /mnt type nfs4 (rw,relatime,vers=4.2,sec=krb5p,etc.)
...

If everything looks good, you need to grab a Ticket for your User via your personal Principal:

$ kinit
Password for user@KERBEROSREALM.ORG: 

Now your User should be able to see and access the mounted NFS Shares:

$ touch /mnt/test
$ ls -l /mnt/test
-rw-r--r-- 1 user user 0 Jan 23 07:33 /mnt/test
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@KERBEROSREALM.ORG

Valid starting     Expires            Service principal
01/23/25 03:28:00  01/23/25 13:28:00  krbtgt/KERBEROSREALM.ORG@KERBEROSREALM.ORG
01/23/25 03:28:00  01/23/25 13:28:00  nfs/my-nfs-server.lan@KERBEROSREALM.ORG

NOTE: Once your Ticket is expired your User will no longer be able to access the Shares until a new Ticket is acquired.
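
Added example, not part of the original post: a POSIX sh/awk check for section 1.3 that lists, for every export and client, which security flavours are permitted, treating a missing sec= as the exports(5) default of sys and handling colon-separated lists such as sec=krb5p:sys. The function names, verdict labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify the security flavours each export permits.
# On a live server: audit_exports < /etc/exports

audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {            # one field per client(options)
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1)
          sub(/\)$/, "", opts)
        }
        flavours = ""
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)
          if (o[j] ~ /^sec=/)
            flavours = flavours (flavours == "" ? "" : ":") substr(o[j], 5)
        if (flavours == "") flavours = "sys" # default when sec= is absent
        verdict = "OK"
        m = split(flavours, f, ":")
        for (j = 1; j <= m; j++) {
          if (f[j] == "sys" || f[j] == "none") { verdict = "FAIL-no-kerberos"; break }
          if (f[j] != "krb5p" && verdict == "OK") verdict = "WARN-not-encrypted"
        }
        printf "%s %s %s %s\n", verdict, path, (client == "" ? "*any*" : client), flavours
      }
    }'
}

# Constructed sample input (not from a real server), modelled on the entries above.
sample_exports() {
  cat <<'EOF'
# /etc/exports
/export/movies   *(rw,async,no_subtree_check,no_root_squash)
/export/music    *(rw,async,no_subtree_check,sec=krb5)
/export/home     *(rw,sync,no_subtree_check,sec=krb5p)
/export/shared   192.0.2.0/24(rw,sec=krb5p:sys) *.lan(ro,sec=krb5i)
EOF
}

sample_exports | audit_exports
```

A FAIL line means a client can still mount that export without any Kerberos ticket, even when a Kerberos flavour is also listed.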

2
3
4
 
 

I watched the "Robert Elder's Favourite Linux Command" YouTube playlist and learned a lot of ways to improve upon my scripts in Linux.

5
 
 

I know most people here regard electoralism as useless. I do too, but I didn't five years ago. And so I got roped into keeping a dying Electoral District Association on life support. I was the financial officer.

As part of the role I was supposed to file financial reports, but I discovered they must be done using some proprietary software (available for free) that ran only on Windows (which I don't have and haven't had for decades).

Long story short, I reached out for help (to the Green Party), mistakenly assumed they had taken care of it based on their email response... but now 5 years later Elections Canada is likely fining me for failing to file these documents. Fine range is probably between $100 and $1,500 -- don't know yet.

Anyway, I'm annoyed that running Windows is a requirement for participating in our "democracy". Does anyone know any Canadian free software or other legal organizations that might be interested in filing a formal complaint?

6
 
 

Latest foss drama. Consequences of your actions........

the /r/linux subreddit thread about this is as awful as you would imagine.

The SJW's are coming for your toothbrush!!!-

7
Open Letter | NixOS Users Against MIC Sponsorship (nixos-users-against-mic-sponsorship.github.io)
submitted 1 year ago* (last edited 1 year ago) by cwtshycwtsh@lemmygrad.ml to c/leftistunix@lemmygrad.ml
 
 

It is understood that people attached to the Military Industrial Complex or close the Military Industrial Complex should be able to participate in NixCon, whether as organizers, speakers, or attendees. Their attachment to the Military Industrial Complex should not be taken against the individuals.

This is a bit of a "separating the art from the artist" issue. If some person works for MIC, they're part of the problem and they deffo shouldn't be allowed to participate. So I'd say this letter isn't fully being against MIC involvement, however, it's better than nothing. At least the direction is more correct than just accepting MIC sponsorship quietly.

Perhaps this has some effect if it gains a significant amount of signatures.

BTW: There is also a clowny NixOS Users For Western Military and Governments Support which hopefully gains no support, but hey, at least the imperialist lap dogs are outing themselves.

8
 
 

Quote from the article... "Take it with your usual little pinch of salt like any survey sampling though."

9
 
 

Hello!

I'm a CS student, have been a FOSS lover for a long time and am a commie since recently (a year or two). I was thinking of my future career and as much as I'd love for there to just be an easy, free and open approach to using my skills, capitalism just makes it all impossible. I know that capitalism will make it impossible for me to exercise my profession in a good way, but is there no alternative that fits in the middle anywhere?

There just seems to be for profit software if I want to actually get a decent wage and a decent life. How can I get a decent job with free software? The idea of it just inhibits it while on the capitalist mode of production.

TLDR: how can I be a FOSS dev while not caving to the interests of big techs and corporations to provide for myself (aka be a hypocrite)?

Thank you for your time reading, cheers from Brazil!

10
 
 

As much as I am enjoying pop!_os and used linux mint, I also like to explore other distros.

11
 
 

I've been struggling to come up with words to describe my frustrations with the definition of free software and how it ignores some of the nastiest behaviours of corporations.

Stuff like EEE, repositories that are technically free but owned by a corporation and too big to fork (chromium), and other hazier real life conditions. Could there be a "free software but dialectical" definition that would be more useful?

12
13
14
 
 

As I mentioned in my other post, my laptop broke and I am searching for a new one. The people in my comments said that the thinkpads aren't really good for gaming, so I'm looking at the lenovo legions but I am curious if there are other laptops that are good.

15
 
 

So my laptop broke and I am looking for a new laptop. And I am going for lenovo thinkpads because I have seen a lot of linux communities recommend older and used lenovo thinkpads, but I wonder if the new thinkpads are worth getting or I should stick with getting a used thinkpad.

16
 
 

I'm really curious to see it in action so I downloaded it. There are two versions, Nova Escritorio (Nova Desktop) and Nova Ligero (Nova Lite/Lightweight).

Curiously Nova Ligero seems to be only 200MB smaller than Nova Escritorio. (1.9GB vs 1.7GB)

Here's some download links in Pixeldrain, for faster download speeds and in case the original servers are down when you want to download.


Nova Escritorio 9.0: https://pixeldrain.com/u/jf1TivHd

Nova Ligero 9.0: https://pixeldrain.com/u/7SipXJ2b

17
submitted 2 years ago* (last edited 2 years ago) by MatBC@lemmygrad.ml to c/leftistunix@lemmygrad.ml
 
 

So I saw on this post the upsetting information that Fedora is blocked on Cuba, and I wanted to check if the same was true of the downstream distributions, in particular open SUSE tumbleweed, as well.

Edit: By what it seems they put it there more as a way to reduce liability (once the US trade embargoes seem to include most anything with US developed technology, although I do not understand that very well or if it does apply to open source stuff), in case the US comes a looking, because it does not describe any tools or measures to prevent it, in fact it even states that it is not geoblocked anywhere.

18
 
 

Available on Linux and FreeBSD

19
 
 

I can use KDE connect over tailscale.

20
 
 

Hello there! I just managed to install and play Falcon BMS on my Linux machine (Arch), and as such I'll make a brief tutorial on how I did it.

Step 1: Buy Falcon 4.0 on Steam

Step 2: Open Falcon 4.0 on Steam

This is so the BMS installer can recognize that you aren't pirating Falcon 4.0.

Step 3: Close Falcon 4.0 after it reaches main menu.

Step 4: Download latest Proton-GE and install it on your Steam install.

This is a custom Proton fork by Glorious Eggroll. It is better than regular Proton for some reason.

Step 5: Run Falcon BMS 4.37 installer through Protontricks in Falcon 4.0's prefix.

If you haven't installed Protontricks, install it, since it is necessary for this tutorial.

Step 6: Update Falcon BMS to 4.37.2 using the updater through Protontricks (Falcon 4.0's prefix).

Step 7: Play Falcon BMS using the regular launcher (The alternative launcher did not work for me) through Protontricks, using Falcon 4.0's prefix.

Now it is done and you can play Falcon BMS.

Now I just need to figure out how to use TacView and Simple Radio Standalone so I can finish this tutorial.

edit: Tacview is pretty simple. Just install it using Protontricks and launch it also using Protontricks (on Falcon 4.0's prefix, as always).

21
 
 

This is about a month old, but this distro is now released. It's a completely independent distro from China.

22
 
 

Heyo comrades, I just bought a laptop with an Nvidia RTX 3060 (don't call me a capitalist, Italy discounts VAT on tech stuff if you're disabled) and was looking for a noob-friendly distro with a good Nvidia support (fuck those proprietary pigs)

I looked at Mint since I use it on my desktop, but it has an out of date kernel (I heard that you need 5.8 or above to game with Nvidia, once again fuck them. Never had an issue with my trusty rx580) would just updating the kernel be an option or should I be looking for a different distro?

My only 2 requirements are that:

It's noob friendly (something Debian-based maybe, with a .deb and APT based package management)

And that it doesn't use a gnome DE, maybe something more like cinnamon, KDE or XFCE would be nice.

Thanks.

(sorry for long post, had to insult Nvidia)

23
 
 

cross-posted from: https://lemmy.ml/post/3776409

I'd just like to interject for a moment. What you're referring to as Israel, is in fact, USA/Israel, or as I've recently taken to calling it, USA plus Israel. Israel is not a country unto itself, but rather another illegal occupation of a fully functioning USA empire made useful by the US Armed Forces, the Central Intelligence Agency and vital imperial components comprising a full empire as defined by any competent dictionary.

Many Palestinians get murdered by the USA empire every day, without realizing it. Through a peculiar turn of events, the illegal occupation which is widely used for murdering Palestinians today is often called Israel, and many of its victims are not aware that it is basically the USA empire, developed by the colonizers who genocided almost all of the Native Americans a few centuries ago.

There really is an Israel, and these people are getting murdered by it, but it is just a part of the empire they are victims of. Israel is the illegal occupation: a part of the empire which resides on land that belongs to someone else who did not consent to getting murdered or having their land taken away. The illegal occupation is an essential part of the empire, but useless by itself; it can only function in the context of a complete empire. Israel is normally used in combination with the USA empire: the whole empire is basically USA with Israel added, or USA/Israel. All the so-called Israel distributions are really distributions of USA/Israel!

24
25
 
 

My Predator Helios from 2018 is working just fine with win10, but I really want to move over to linux.

Probably I will start to have problems but I would like to hear comrades' opinions.

This Laptop is mostly for gaming.
