34.3. Setting up a Kerberos-aware NFS Server

Identity Management can be used to set up a Kerberos-aware NFS server.

Note

The NFS server does not need to be running on Red Hat Enterprise Linux.

34.3.1. Setting up a Kerberos-aware NFS Server

  1. Obtain a Kerberos ticket before running IdM tools.
    [jsmith@server ~]$ kinit admin
  2. If the NFS host machine has not been added as a client to the IdM domain, then create the host entry. See Section 12.3, “Adding Host Entries”.
  3. Create the NFS service entry in the IdM domain. For example:
    [jsmith@server ~]$ ipa service-add nfs/nfs-server.example.com
  4. Generate an NFS service keytab for the NFS server using the ipa-getkeytab command, and save the keys directly to the host keytab. For example:
    [jsmith@server ~]$ ipa-getkeytab -s ipaserver.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab

    Note

    Verify that the NFS service has been properly configured in IdM, with its keytab, by checking the service entry:
    [jsmith@server ~]$ ipa service-show nfs/nfs-server.example.com
    Principal: NFS/nfs-server.example.com@EXAMPLE.COM
    Keytab: True

    Note

    This procedure assumes that the NFS server is running on a Red Hat Enterprise Linux system or a UNIX system which can run ipa-getkeytab.
    If the NFS server is running on a system which cannot run ipa-getkeytab, then create the keytab using system tools. Two things must be done:
    • The key must be created in the /root (or equivalent) directory.
    • The ktutil command can merge the keys into the system /etc/krb5.keytab file. The ktutil man page describes how to use the tool.
  5. Install the NFS packages. For example:
    [root@nfs-server ~]# yum install nfs-utils
  6. Configure weak crypto support. This is required for every NFS client if any client (such as a Red Hat Enterprise Linux 5 client) in the domain will use older encryption options like DES.
    1. Edit the krb5.conf file to allow weak crypto.
      [root@nfs-server ~]# vim /etc/krb5.conf
      
      allow_weak_crypto = true
    2. Update the IdM server Kerberos configuration to support the DES encryption type.
      [jsmith@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
      
      dn: cn=EXAMPLEREALM,cn=kerberos,dc=example,dc=com
      changetype: modify
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:normal
      -
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:special
      -
      add: krbDefaultEncSaltTypes
      krbDefaultEncSaltTypes: des-cbc-crc:special
  7. Run the ipa-client-automount command to configure the NFS settings.
    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.
  8. Edit the /etc/exports file and add the Kerberos information:
    /export  *(rw,sec=krb5:krb5i:krb5p)
    
  9. Restart the NFS server and related services.
    [root@nfs-server ~]# systemctl restart nfs.service
    [root@nfs-server ~]# systemctl restart nfs-server.service
    [root@nfs-server ~]# systemctl restart nfs-secure.service
    [root@nfs-server ~]# systemctl restart nfs-secure-server.service
  10. Configure the NFS server as an NFS client, following the directions in Section 34.3.2, “Setting up a Kerberos-aware NFS Client”.
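
The following shell script is an added example and is not part of this Red Hat documentation. It checks two things the server procedure leaves to the administrator: that an /etc/exports line (step 8) offers only the Kerberos security flavours krb5, krb5i and krb5p, since an export that also lists sys accepts unauthenticated AUTH_SYS mounts alongside Kerberos, and that allow_weak_crypto (step 6) is still enabled in krb5.conf, so it can be removed once no DES-only client remains. The exports lines and krb5.conf fragments are constructed samples embedded in the script; nothing on the real system is read.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): audit helpers for a
# Kerberos-aware NFS server. All inputs below are constructed samples.

# Print the colon-separated sec= flavours of one /etc/exports line, one per line.
# "/export  *(rw,sec=krb5:krb5i:krb5p)" -> krb5, krb5i, krb5p
exports_sec_flavors() {
    printf '%s\n' "$1" |
        sed -n 's/.*(\(.*\)).*/\1/p' |   # keep the option list inside ( )
        tr ',' '\n' |                     # one option per line
        sed -n 's/^sec=//p' |             # keep only the sec= option
        tr ':' '\n'                       # split the flavour list
}

# Return 0 only when every sec= flavour is a Kerberos one (krb5, krb5i, krb5p).
# "sys" in the list, or no sec= option at all (which defaults to sys), lets
# clients mount without Kerberos authentication.
exports_is_kerberos_only() {
    flavors=$(exports_sec_flavors "$1")
    [ -n "$flavors" ] || return 1
    for f in $flavors; do
        case "$f" in
            krb5|krb5i|krb5p) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 when the krb5.conf text sets allow_weak_crypto = true (case and
# whitespace insensitive). DES support is only needed while legacy clients
# exist; this check shows where the setting is still present.
krb5conf_allows_weak_crypto() {
    printf '%s\n' "$1" |
        grep -iq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true'
}

# Constructed sample inputs.
GOOD_EXPORT='/export  *(rw,sec=krb5:krb5i:krb5p)'
MIXED_EXPORT='/export  *(rw,sec=sys:krb5)'
PLAIN_EXPORT='/export  *(rw)'
KRB5_CONF_WEAK='[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = true'
KRB5_CONF_OK='[libdefaults]
 default_realm = EXAMPLE.COM'

audit_report() {
    for line in "$GOOD_EXPORT" "$MIXED_EXPORT" "$PLAIN_EXPORT"; do
        if exports_is_kerberos_only "$line"; then
            echo "OK   $line"
        else
            echo "WARN $line  (a non-Kerberos security flavour is allowed)"
        fi
    done
    if krb5conf_allows_weak_crypto "$KRB5_CONF_WEAK"; then
        echo "WARN krb5.conf enables allow_weak_crypto (DES); drop it once legacy clients are gone"
    fi
}

audit_report
```

To check a live system, pass `$(cat /etc/exports)` line by line and `$(cat /etc/krb5.conf)` to the same functions; the export check is the one worth running after every change to /etc/exports, because adding sys to the sec= list silently reopens the export to unauthenticated clients.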

34.3.2. Setting up a Kerberos-aware NFS Client

  1. Obtain a Kerberos ticket before running IdM tools.
    [jsmith@server ~]$ kinit admin
  2. If the NFS client is not enrolled as a client in the IdM domain, then set up the required host entries, as described in Section 12.3, “Adding Host Entries”.
  3. Run the ipa-client-automount command to configure the NFS settings.
    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.
  4. Start the GSS daemon.
    [root@nfs-client-server ~]# systemctl start rpc-gssd.service
    [root@nfs-client-server ~]# systemctl start rpcbind.service
    [root@nfs-client-server ~]# systemctl start nfs-idmapd.service
  5. Mount the directory.
    [root@nfs-client-server ~]# echo "$NFSSERVER:/this /mnt/this nfs4 sec=krb5i,rw,proto=tcp,port=2049"  >>/etc/fstab
    [root@nfs-client-server ~]# mount -av
  6. Configure SSSD on the client system to manage home directories and renew Kerberos tickets.
    1. Enable SSSD with the --enablemkhomedir option.
      [root@nfs-client-server ~]# authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
    2. Restart the OpenSSH server (sshd).
      [root@nfs-client-server ~]# systemctl restart sshd.service
    3. Edit the IdM domain section in the SSSD configuration file to set the Kerberos ticket renewal options.
      [root@nfs-client-server ~]# vim /etc/sssd/sssd.conf
      
      [domain/EXAMPLE.COM]
      cache_credentials = True
      krb5_store_password_if_offline = True
      ipa_domain = example.com
      id_provider = ipa
      auth_provider = ipa
      ...
      krb5_renewable_lifetime = 50d
      krb5_renew_interval = 3600
    4. Restart SSSD.
      [root@nfs-client-server ~]# systemctl restart sssd.service
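
The following shell script is an added example and is not part of this Red Hat documentation. It reads the [domain/EXAMPLE.COM] section of an sssd.conf-style text (step 6.3 above), confirms that krb5_renewable_lifetime and krb5_renew_interval are both set, and checks that the renew interval is shorter than the renewable lifetime, since otherwise SSSD could not renew a ticket before it stops being renewable. The sssd.conf contents are constructed samples embedded in the script; the duration parser assumes the s/m/h/d suffixes that SSSD accepts for its Kerberos lifetime options.

```shell
#!/bin/sh
# Added example (not part of the Red Hat documentation): client-side checks of
# the SSSD ticket-renewal settings. All inputs below are constructed samples.

# Print the value of key $3 in section [$2] of the INI-style text $1
# (sssd.conf layout); prints nothing when the section or key is absent.
ini_get() {
    printf '%s\n' "$1" | awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ {                        # section header line
            s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
            insec = (s == want); next
        }
        insec && index($0, "=") {            # key = value line in the wanted section
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Convert an SSSD-style duration ("3600", "50d", "12h", "30m") to seconds.
# Assumption: the s/m/h/d suffixes accepted by SSSD krb5 lifetime options.
duration_to_seconds() {
    n=$(printf '%s' "$1" | sed 's/[smhd]$//')
    case "$1" in
        *d) echo $((n * 86400)) ;;
        *h) echo $((n * 3600)) ;;
        *m) echo $((n * 60)) ;;
        *)  echo "$n" ;;
    esac
}

# Return 0 when both renewal options are set in section $2 of text $1 and the
# renew interval is shorter than the renewable lifetime.
sssd_renewal_ok() {
    life=$(ini_get "$1" "$2" krb5_renewable_lifetime)
    every=$(ini_get "$1" "$2" krb5_renew_interval)
    [ -n "$life" ] && [ -n "$every" ] || return 1
    [ "$(duration_to_seconds "$every")" -lt "$(duration_to_seconds "$life")" ]
}

# Constructed sample: the domain section as the procedure leaves it.
SSSD_CONF='[sssd]
domains = example.com
services = nss, pam

[domain/EXAMPLE.COM]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600'

# Constructed sample: renewal options never added.
SSSD_CONF_NORENEW='[domain/EXAMPLE.COM]
id_provider = ipa
auth_provider = ipa'

client_report() {
    for conf in "$SSSD_CONF" "$SSSD_CONF_NORENEW"; do
        if sssd_renewal_ok "$conf" domain/EXAMPLE.COM; then
            echo "OK   ticket renewal configured"
        else
            echo "WARN krb5_renewable_lifetime/krb5_renew_interval missing or inconsistent"
        fi
    done
}

client_report
```

On a client, run the same check with `sssd_renewal_ok "$(cat /etc/sssd/sssd.conf)" domain/EXAMPLE.COM` after editing the file and before restarting SSSD; a missing or inconsistent pair means the Kerberos ticket backing the NFS mount will expire without being renewed.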