34.3. Setting up a Kerberos-aware NFS Server
Identity Management can be used to set up a Kerberos-aware NFS server.
Note
The NFS server does not need to be running on Red Hat Enterprise Linux.
34.3.1. Setting up a Kerberos-aware NFS Server
- Obtain a Kerberos ticket before running IdM tools.
[jsmith@server ~]$ kinit admin
- If the NFS host machine has not been added as a client to the IdM domain, then create the host entry. See Section 12.3, “Adding Host Entries”.
- Create the NFS service entry in the IdM domain. For example:
[jsmith@server ~]$ ipa service-add nfs/nfs-server.example.com
For more information, see Section 16.1, “Adding and Editing Service Entries and Keytabs”.
- Generate an NFS service keytab for the NFS server using the ipa-getkeytab command, and save the keys directly to the host keytab. For example:
[jsmith@server ~]$ ipa-getkeytab -s ipaserver.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab
Run this on the NFS server itself, as a user that can write /etc/krb5.keytab. In this form ipa-getkeytab generates new keys for the principal on every run, so any keytab retrieved for it earlier stops working; retrieve the keytab once and keep /etc/krb5.keytab readable by root only.
Note
Verify that the NFS service has been properly configured in IdM, with its keytab, by checking the service entry. The principal name is case-sensitive and must match the one created with ipa service-add:
[jsmith@server ~]$ ipa service-show nfs/nfs-server.example.com
  Principal: nfs/nfs-server.example.com@EXAMPLE.COM
  Keytab: True
Note
This procedure assumes that the NFS server is running on a Red Hat Enterprise Linux system or a UNIX system which can run ipa-getkeytab. If the NFS server is running on a system which cannot run ipa-getkeytab, then create the keytab using system tools. Two things must be done:
- The key must be created in the /root (or equivalent) directory.
- The ktutil command can merge the keys into the system /etc/krb5.keytab file. The ktutil man page describes how to use the tool.
- Install the NFS packages. For example:
[root@nfs-server ~]# yum install nfs-utils
- Configure weak crypto support. This is required for every NFS client if any client (such as a Red Hat Enterprise Linux 5 client) in the domain will use older encryption types like DES. DES is cryptographically broken and re-enabling it lowers the security of every Kerberos exchange on the host, so skip this step unless such clients exist, and remove the setting once they are retired.
- Edit the krb5.conf file to allow weak crypto. The setting belongs in the [libdefaults] section:
[root@nfs-server ~]# vim /etc/krb5.conf
[libdefaults]
 allow_weak_crypto = true
- Update the IdM server Kerberos configuration to support the DES encryption type. Replace EXAMPLEREALM and the base DN with the values for your realm:
[jsmith@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
dn: cn=EXAMPLEREALM,cn=kerberos,dc=example,dc=com
changetype: modify
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:normal
-
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:special
-
add: krbDefaultEncSaltTypes
krbDefaultEncSaltTypes: des-cbc-crc:special
Passing the Directory Manager password with -w exposes it in the process list and shell history; use -W to be prompted for it instead.
- Run the ipa-client-automount command to configure the NFS settings. By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.
- Edit the /etc/exports file and add the Kerberos information:
/export *(rw,sec=krb5:krb5i:krb5p)
The sec= list is the set of security flavors the server accepts for that export, listed in order of preference for negotiation: krb5 authenticates only, krb5i adds integrity protection, and krb5p adds privacy (encryption). To refuse unprotected traffic, list only krb5i and krb5p, or krb5p alone. Do not include sys in the list; it allows access without Kerberos and defeats the purpose of this setup.
- Restart the NFS server and related services.
[root@nfs-server ~]# systemctl restart nfs.service
[root@nfs-server ~]# systemctl restart nfs-server.service
[root@nfs-server ~]# systemctl restart nfs-secure.service
[root@nfs-server ~]# systemctl restart nfs-secure-server.service
- Configure the NFS server as an NFS client, following the directions in Section 34.3.2, “Setting up a Kerberos-aware NFS Client”.
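The server-side steps above leave two settings worth checking before trusting the export: which security flavors /etc/exports offers, and whether allow_weak_crypto is still switched on in krb5.conf. The script below is an added example, not part of the Red Hat guide, that audits both from sample files constructed inline (the export lines, the temporary file paths and the EXAMPLE.COM realm are assumptions made for the example); on a real server, call the same functions on /etc/exports and /etc/krb5.conf.

```bash
#!/bin/bash
# Added example, not part of the Red Hat guide: an offline audit of the two
# server-side settings above, the sec= flavors in /etc/exports and
# allow_weak_crypto in krb5.conf. The files below are constructed here so
# the script runs without an IdM domain; on a real server call the
# functions on /etc/exports and /etc/krb5.conf instead.

set -u

# Constructed sample /etc/exports: the guide's export, one that also offers
# sys (no Kerberos), and one with no sec= at all (which also means sys).
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed for the example
/export        *(rw,sec=krb5:krb5i:krb5p)
/export/legacy *(rw,sec=sys:krb5)
/export/open   *(rw)
EOF

# Constructed sample krb5.conf with DES enabled, as in the weak-crypto step.
SAMPLE_KRB5=$(mktemp)
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = true
EOF
trap 'rm -f "$SAMPLE_EXPORTS" "$SAMPLE_KRB5"' EXIT

# audit_exports FILE: print "OK PATH FLAVORS" for exports whose sec= list is
# Kerberos-only and "WEAK PATH FLAVORS" when sys is offered or sec= is
# missing. Handles the one-client-spec-per-line form used in the guide.
# Returns 1 if any export is weak.
audit_exports() {
    local file=$1 rc=0 path opts rest o flavors
    while read -r path opts; do
        case $path in ''|'#'*) continue ;; esac
        # keep only the option list between the parentheses
        opts=${opts#*'('}
        opts=${opts%')'}
        flavors=sys             # exports(5): sys is the default flavor
        rest=$opts
        while [ -n "$rest" ]; do
            o=${rest%%,*}
            case $o in sec=*) flavors=${o#sec=} ;; esac
            [ "$o" = "$rest" ] && break
            rest=${rest#*,}
        done
        case ":$flavors:" in
            *:sys:*) printf 'WEAK %s %s\n' "$path" "$flavors"; rc=1 ;;
            *)       printf 'OK %s %s\n' "$path" "$flavors" ;;
        esac
    done < "$file"
    return "$rc"
}

# weak_crypto_enabled FILE: succeed when [libdefaults] sets allow_weak_crypto
# to true, which re-enables DES for every Kerberos operation on the host.
weak_crypto_enabled() {
    awk '
        /^\[/ { in_libdefaults = ($0 == "[libdefaults]") }
        in_libdefaults && $0 ~ /^[ \t]*allow_weak_crypto[ \t]*=/ {
            gsub(/[ \t]/, "")
            sub(/^allow_weak_crypto=/, "")
            if ($0 == "true" || $0 == "yes") found = 1
        }
        END { exit !found }
    ' "$1"
}

audit_exports "$SAMPLE_EXPORTS" || echo "exports: some export accepts sec=sys"
if weak_crypto_enabled "$SAMPLE_KRB5"; then
    echo "krb5.conf: allow_weak_crypto is on; remove it once no DES-only clients remain"
fi
```

Run against the sample files the script reports /export as OK and the other two exports as WEAK, and flags the DES setting. The parser deliberately treats a missing sec= as sys, because that is what exports(5) defaults to, so an export that was never given the Kerberos options is reported rather than silently passed.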
34.3.2. Setting up a Kerberos-aware NFS Client
- Obtain a Kerberos ticket before running IdM tools.
[jsmith@server ~]$ kinit admin
- If the NFS client is not enrolled as a client in the IdM domain, then set up the required host entries, as described in Section 12.3, “Adding Host Entries”.
- Run the ipa-client-automount command to configure the NFS settings. By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.
- Start the GSS daemon.
[root@nfs-client-server ~]# systemctl start rpc-gssd.service
[root@nfs-client-server ~]# systemctl start rpcbind.service
[root@nfs-client-server ~]# systemctl start nfs-idmapd.service
- Mount the directory. Replace $NFSSERVER with the NFS server's fully qualified host name: the client builds the server's nfs/ principal name from the name given here, so it must be the name the service entry was created for. Choose a sec= flavor that the server's export allows; krb5i or krb5p protects the data, while krb5 only authenticates.
[root@nfs-client-server ~]# echo "$NFSSERVER:/this /mnt/this nfs4 sec=krb5i,rw,proto=tcp,port=2049" >>/etc/fstab
[root@nfs-client-server ~]# mount -av
- Configure SSSD on the client system to manage home directories and renew Kerberos tickets.
- Enable SSSD with the --enablemkhomedir option.
[root@nfs-client-server ~]# authconfig --update --enablesssd --enablesssdauth --enablemkhomedir
- Restart the OpenSSH server so that it picks up the updated PAM configuration.
[root@nfs-client-server ~]# systemctl restart sshd.service
- Edit the IdM domain section in the SSSD configuration file to set the ticket renewal options.
[root@nfs-client-server ~]# vim /etc/sssd/sssd.conf
[domain/EXAMPLE.COM]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
...
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
krb5_renewable_lifetime is the renewable lifetime SSSD requests for each ticket-granting ticket, and krb5_renew_interval is how often, in seconds, SSSD checks whether a ticket should be renewed. The KDC's maximum renewable lifetime for the principal still caps what is actually granted.
- Restart SSSD.
[root@nfs-client-server ~]# systemctl restart sssd.service
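On the client, the mount's sec= option and the SSSD renewal values decide whether the NFS traffic is actually protected and whether the user's ticket survives long sessions. The script below is an added example, not part of the Red Hat guide, that checks both from sample files constructed inline (the fstab entries, the temporary file paths and the EXAMPLE.COM domain section are assumptions made for the example); on a real client, call the same functions on /etc/fstab and /etc/sssd/sssd.conf.

```bash
#!/bin/bash
# Added example, not part of the Red Hat guide: an offline check of the two
# client-side settings above, the sec= mount option in /etc/fstab and the
# ticket renewal options in sssd.conf. The sample files are constructed
# here; on a real client call the functions on /etc/fstab and
# /etc/sssd/sssd.conf instead.

set -u

# Constructed sample /etc/fstab: the guide's mount (nfs-server.example.com
# stands in for $NFSSERVER), a legacy NFSv3 mount without sec=, and a local
# file system that must be ignored.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed for the example
nfs-server.example.com:/this   /mnt/this   nfs4  sec=krb5i,rw,proto=tcp,port=2049  0 0
nfs-server.example.com:/legacy /mnt/legacy nfs   rw,vers=3                          0 0
/dev/mapper/rhel-root          /           xfs   defaults                           0 0
EOF

# Constructed sample sssd.conf domain section with the guide's renewal values.
SAMPLE_SSSD=$(mktemp)
cat > "$SAMPLE_SSSD" <<'EOF'
[sssd]
domains = EXAMPLE.COM
[domain/EXAMPLE.COM]
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
EOF
trap 'rm -f "$SAMPLE_FSTAB" "$SAMPLE_SSSD"' EXIT

# nfs_mount_flavors FILE: print "OK MOUNTPOINT FLAVOR" or "WEAK MOUNTPOINT
# FLAVOR" for every nfs/nfs4 entry. With no sec= option the kernel uses sys,
# i.e. no Kerberos at all; krb5 alone authenticates but leaves the data
# unprotected. Returns 1 if any NFS mount is not Kerberos-protected.
nfs_mount_flavors() {
    local file=$1 rc=0 src mnt fstype opts tail rest o flavor
    while read -r src mnt fstype opts tail; do
        case $src in ''|'#'*) continue ;; esac
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        flavor=sys
        rest=$opts
        while [ -n "$rest" ]; do
            o=${rest%%,*}
            case $o in sec=*) flavor=${o#sec=} ;; esac
            [ "$o" = "$rest" ] && break
            rest=${rest#*,}
        done
        case $flavor in
            krb5i|krb5p) printf 'OK %s %s\n' "$mnt" "$flavor" ;;
            krb5)        printf 'WEAK %s %s (authentication only)\n' "$mnt" "$flavor"; rc=1 ;;
            *)           printf 'WEAK %s %s\n' "$mnt" "$flavor"; rc=1 ;;
        esac
    done < "$file"
    return "$rc"
}

# to_seconds VALUE: convert an SSSD duration (50d, 10h, 30m, 45s or plain
# seconds) to seconds.
to_seconds() {
    local v=$1 n unit
    n=${v%[smhd]}
    unit=${v#"$n"}
    case $unit in
        ""|s) echo "$n" ;;
        m) echo $((n * 60)) ;;
        h) echo $((n * 3600)) ;;
        d) echo $((n * 86400)) ;;
        *) return 1 ;;
    esac
}

# sssd_get FILE SECTION KEY: print the value of "KEY = VALUE" (spaces around
# the '=', as in the guide) inside [SECTION]; fails if it is not set there.
sssd_get() {
    awk -v section="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == section) }
        insec && $1 == key && $2 == "=" { print $3; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# sssd_renewal_check FILE DOMAIN: succeed only when the domain section sets
# both renewal options and the renew interval is shorter than the renewable
# lifetime, so SSSD gets a chance to renew before the ticket can no longer be
# renewed. The KDC's maximum renewable life for the principal still caps
# what is actually granted.
sssd_renewal_check() {
    local life interval
    life=$(sssd_get "$1" "domain/$2" krb5_renewable_lifetime) || return 1
    interval=$(sssd_get "$1" "domain/$2" krb5_renew_interval) || return 1
    [ "$(to_seconds "$interval")" -lt "$(to_seconds "$life")" ]
}

nfs_mount_flavors "$SAMPLE_FSTAB" || echo "fstab: some NFS mount is not Kerberos-protected"
if sssd_renewal_check "$SAMPLE_SSSD" EXAMPLE.COM; then
    echo "sssd.conf: ticket renewal configured for EXAMPLE.COM"
fi
```

Against the sample files, /mnt/this is reported OK (krb5i) and /mnt/legacy WEAK (sys), and the renewal check passes because a 3600-second check interval is well inside the 50-day renewable lifetime. A krb5-only mount is reported as WEAK on purpose: it proves who the client is but lets the file data cross the network unsigned and unencrypted.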
