18.3. Setting up a Kerberized NFS Server

Identity Management can be used to set up a Kerberized NFS server, which does not need to be running on Red Hat Enterprise Linux.

18.3.1. Setting up a Kerberized NFS Server

  1. Obtain a Kerberos ticket before running IdM utilities.
    [user@server ~]$ kinit admin
  2. If the NFS host machine has not been added as a client to the IdM domain, then create the host entry in the GUI as described in Section 5.4.2, “Other Examples of Adding a Host Entry”, or run a command such as:
    [user@server ~]$ ipa host-add --ip-address 192.0.2.10 nfs-server.example.org
  3. Create the NFS service entry in the IdM domain, for example:
    [user@server ~]$ ipa service-add nfs/nfs-server.example.com
  4. Generate an NFS service keytab for the NFS server using the ipa-getkeytab command.
    The NFS server may be on a Red Hat Enterprise Linux machine in the IdM domain or a different Unix machine. For a Red Hat Enterprise Linux machine, the ipa-getkeytab command can be run on the NFS server machine. Otherwise, the ipa-getkeytab command should be run on a Red Hat Enterprise Linux machine in the IdM domain and then copied over to the NFS server.
    If the ipa-getkeytab command is run on the NFS server, then save the keys directly to the host keytab. For example:
    [user@server ~]$ ipa-getkeytab -s server.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab
    For a Red Hat Enterprise Linux machine, that's all you need to do.
    When generating keys to copy over to another system, generate the key but do not save it in the host keytab. The key must be added separately to the keytab after it is copied to the NFS server:
    1. Save the keytab to a temporary file. For example:
      [user@server ~]$ ipa-getkeytab -s server.example.com -p nfs/nfs-server.example.com -k /root/nfs-server.keytab
    2. Copy the keytabs over to the NFS server.
    3. Set the file permissions to 0700.
    4. Add the service key to the keytab file.
      [root@nfs-server ~]# ( echo rkt /root/nfs-server.keytab; echo wkt /etc/krb5.keytab ) | ktutil

    Note

    To verify that the NFS service has been properly configured in IdM with its keytab, check the service entry by using the following command:
    [user@server ~]$ ipa service-show nfs/ipaclient2.example.com
    Principal: NFS/ipaclient2.example.com@EXAMPLE.COM
    Keytab: True
  5. Install the NFS packages. For example:
    [root@nfs-server ~]# yum install nfs-utils
  6. Configure weak crypto support. This is required for every NFS client if any client (such as a Red Hat Enterprise Linux 5 client) in the domain uses older encryption options such as DES.
    1. Edit the krb5.conf file to include the following line to enable weak crypto:
      allow_weak_crypto = true
    2. Update the IdM server Kerberos configuration to support the DES encryption type.
      [user@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
      
      dn: cn=EXAMPLEREALM,cn=kerberos,dc=example,dc=com
      changetype: modify
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:normal
      -
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:special
      -
      add: krbDefaultEncSaltTypes
      krbDefaultEncSaltTypes: des-cbc-crc:special
  7. Run the ipa-client-automount command to configure the NFS settings.
    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.

    Note

    If the server is not a member of the IdM domain (does not have the ipa-client package installed), this step needs to be done manually. See the NFS configuration section in the Storage Administration Guide for details.
  8. Edit the /etc/exports file and add the Kerberos information:
    /export  *(rw,sec=krb5:krb5i:krb5p)
  9. Restart the NFS server and related services.
    [root@nfs-server ~]# service nfs restart
    [root@nfs-server ~]# service rpcsvcgssd restart
  10. To configure the NFS server as an NFS client, see Section 18.3.2, “Setting up a Kerberized NFS Client”.

18.3.2. Setting up a Kerberized NFS Client

  1. Obtain a Kerberos ticket before running IdM tools.
    [user@server ~]$ kinit admin
  2. If the NFS client is not enrolled as a client in the IdM domain, then set up the required host entries in the GUI as described in Section 5.4.2, “Other Examples of Adding a Host Entry”, or run a command such as:
    [user@server ~]$ ipa host-add --ip-address 192.0.2.20 nfs-client.example.org
  3. Generate an NFS service keytab for the NFS client using the ipa-getkeytab utility.
    The NFS client may be on a Red Hat Enterprise Linux machine in the IdM domain or a different Unix machine. For a Red Hat Enterprise Linux machine, the ipa-getkeytab command can be run on the NFS client machine. Otherwise, the ipa-getkeytab command should be run on a Red Hat Enterprise Linux machine in the IdM domain and then copied over to the NFS client.
    If the ipa-getkeytab command is run on the NFS client, then save the keys directly to the host keytab. For example:
    [user@server ~]$ ipa-getkeytab -k /etc/krb5.keytab -s ipa-server.example.org -p nfs/nfs-client-server.example.com@EXAMPLE.COM
    For a Red Hat Enterprise Linux machine, that's all you need to do.
    When generating keys to copy over to another system, generate the key but do not save it in the host keytab. The key must be added separately to the keytab after it is copied to the NFS server:
    1. Save the keytab to a temporary file. For example:
      [user@server ~]$ ipa-getkeytab -s ipa-server.example.org -p host/nfs-client-server.example.com@EXAMPLE.COM -k /root/nfs-client.keytab
    2. Copy the keytabs over to the NFS client.
    3. Set the file permissions to 0700.
    4. Add the service key to the keytab file.
      [root@nfs-client-server ~]# ( echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab ) | ktutil
  4. Run the ipa-client-automount command to configure the NFS settings.
    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.

    Note

    If the client is not a member of the IdM domain (does not have the ipa-client package installed), this step needs to be done manually. See the NFS configuration section in the Storage Administration Guide for details.
  5. Start the GSS daemon.
    [root@nfs-client-server ~]# service rpcgssd start
    [root@nfs-client-server ~]# service rpcbind start
    [root@nfs-client-server ~]# service rpcidmapd start
  6. Mount the directory.
    [root@nfs-client-server ~]# echo "$NFSSERVER:/this /mnt/this nfs4 sec=krb5i,rw,proto=tcp,port=2049"  >>/etc/fstab
    [root@nfs-client-server ~]# mount -av
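As an added example that is not part of the Red Hat guide, the POSIX shell helper below audits the files the server procedure (the /etc/exports line from step 8, the krb5.conf change from step 6) and the client procedure leave behind: for each export it reports the weakest security flavor a client may negotiate, and it reports whether allow_weak_crypto is switched on. File paths are assumed to be passed in by the caller, and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper for Kerberized NFS settings (not part of the Red Hat guide).
# Paths are supplied by the caller; the sample files below are constructed.

# Rank of each NFS security flavor: sys < krb5 < krb5i < krb5p.
# An unknown flavor ranks lowest so that it is surfaced for review.
sec_rank() {
    case "$1" in sys) echo 0 ;; krb5) echo 1 ;; krb5i) echo 2 ;; krb5p) echo 3 ;; *) echo -1 ;; esac
}

# Weakest flavor a client may pick from the sec= list of one export entry,
# e.g. "*(rw,sec=krb5:krb5i:krb5p)". A missing sec= means the NFS default,
# sys, i.e. no Kerberos at all.
weakest_sec_flavor() {
    opts=${1#*\(}; opts=${opts%\)}
    case ",$opts," in
        *,sec=*) list=${opts#*sec=}; list=${list%%,*} ;;
        *) echo sys; return ;;
    esac
    weakest=""
    for f in $(echo "$list" | tr ':' ' '); do
        if [ -z "$weakest" ] || [ "$(sec_rank "$f")" -lt "$(sec_rank "$weakest")" ]; then
            weakest=$f
        fi
    done
    echo "$weakest"
}

# Print "<path> <client spec> <weakest flavor>" for every export in FILE,
# skipping blank and comment lines.
audit_exports() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r path rest; do
        echo "$path ${rest%%\(*} $(weakest_sec_flavor "$rest")"
    done
}

# Succeed (exit 0) if allow_weak_crypto is enabled in a krb5.conf,
# i.e. the DES support from step 6 is still switched on.
krb5_weak_crypto_enabled() {
    grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|1)' "$1"
}

# Constructed sample files (not real system files) for a stand-alone run.
SAMPLE_EXPORTS=$(mktemp); SAMPLE_KRB5=$(mktemp)
printf '%s\n' '/export  *(rw,sec=krb5:krb5i:krb5p)' \
              '/legacy  *(rw,sec=sys:krb5p)' '/home    *(rw)' > "$SAMPLE_EXPORTS"
printf '[libdefaults]\n  allow_weak_crypto = true\n' > "$SAMPLE_KRB5"
audit_exports "$SAMPLE_EXPORTS"
krb5_weak_crypto_enabled "$SAMPLE_KRB5" && echo "allow_weak_crypto is on: DES accepted"
```

The sec=krb5:krb5i:krb5p list from step 8 still lets a client negotiate plain krb5 (authentication only, no integrity or privacy); list only krb5i:krb5p when integrity or privacy must be mandatory, and remove allow_weak_crypto once no DES-only clients remain.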