34.4. Setting up a Kerberos-aware NFS Client

  1. If the NFS client supports only weak cryptography, such as a Red Hat Enterprise Linux 5 client, set the following entry in the [libdefaults] section of the /etc/krb5.conf file of the server to allow weak cryptography:
    allow_weak_crypto = true
    Add this entry only if such a client actually exists. It re-enables weak encryption types (for example, DES) for all Kerberos operations on that host, not just for the legacy client, so remove it as soon as the last legacy client is retired.
  2. If the NFS client is not enrolled as a client in the IdM domain, set up the required host entries, as described in Section 12.3, “Adding Host Entries”.
  3. Install the nfs-utils package:
    [root@nfs-client ~]# yum install nfs-utils
  4. Obtain a Kerberos ticket before running IdM tools.
    [root@nfs-client ~]# kinit admin
  5. Run the ipa-client-automount utility to configure the NFS settings:
    [root@nfs-client ~]# ipa-client-automount
    Searching for IPA server...
    IPA server: DNS discovery
    Location: default
    Continue to configure the system with these values? [no]: yes
    Configured /etc/sysconfig/nfs
    Configured /etc/idmapd.conf
    Started rpcidmapd
    Started rpcgssd
    Restarting sssd, waiting for it to become available.
    Started autofs
    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.
  6. Configure the services to start automatically when the system boots:
    [root@nfs-client ~]# systemctl enable rpc-gssd.service
    [root@nfs-client ~]# systemctl enable rpcbind.service
  7. Add the following entries to the /etc/fstab file to mount the NFS shares from the nfs-server.example.com host when the system boots:
    nfs-server.example.com:/export  /mnt   nfs4  sec=krb5p,rw
    nfs-server.example.com:/home    /home  nfs4  sec=krb5p,rw
    These settings configure Red Hat Enterprise Linux to mount the /export share on the /mnt directory and the /home share on the /home directory. The sec=krb5p option requests Kerberos authentication with integrity protection and encryption of the NFS traffic; sec=krb5i provides authentication and integrity only, and sec=krb5 provides authentication only. The NFS server must export the share with the same flavor, otherwise the mount fails.
  8. Create the mount points if they do not exist:
    # mkdir -p /mnt/
    # mkdir -p /home
  9. Mount the NFS shares:
    [root@nfs-client ~]# mount /mnt/
    [root@nfs-client ~]# mount /home
    The commands use the information from the corresponding /etc/fstab entries.
  10. Configure SSSD to renew Kerberos tickets:
    1. Set the following parameters in the IdM domain section of the /etc/sssd/sssd.conf file to configure SSSD to automatically renew tickets:
      [domain/EXAMPLE.COM]
      ...
      krb5_renewable_lifetime = 50d
      krb5_renew_interval = 3600
      With these settings, SSSD requests tickets that are renewable for 50 days and attempts a renewal every 3600 seconds (1 hour). The KDC caps the renewable lifetime at its own maximum renewable lifetime, so a value larger than the KDC allows is silently reduced.
    2. Restart SSSD:
      [root@nfs-client ~]# systemctl restart sssd
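After the shares are mounted, confirm that the kernel is using the Kerberos flavor requested in /etc/fstab for every NFS mount, including mounts added by hand or by autofs. /proc/mounts lists the options in effect for each mount, including sec=. The following POSIX shell function is an added example and is not part of the original Red Hat documentation; it reads /proc/mounts-style lines and reports each NFS mount whose sec= option differs from the required flavor. The sample mount lines embedded below are constructed for illustration. On a real client, run it as `check_nfs_sec krb5p < /proc/mounts`.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): audit the security
# flavor of every mounted NFS file system.
#
# check_nfs_sec REQUIRED_FLAVOR < /proc/mounts
#   Prints one line per NFS mount and returns 0 if every NFS mount carries
#   sec=REQUIRED_FLAVOR, or 1 if at least one mount uses something else
#   (for example sec=sys, which means no Kerberos protection at all).
check_nfs_sec() {
    required="${1:-krb5p}"
    status=0
    # /proc/mounts format: <source> <mountpoint> <fstype> <options> <dump> <pass>
    while read -r src mnt fstype opts rest; do
        case "$fstype" in
            nfs|nfs4) ;;      # only NFS mounts are of interest
            *) continue ;;
        esac
        # Extract the value of the sec= option from the comma-separated list.
        flavor=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
        if [ "$flavor" = "$required" ]; then
            echo "OK   $src on $mnt (sec=$flavor)"
        else
            echo "FAIL $src on $mnt (sec=${flavor:-none}, expected $required)"
            status=1
        fi
    done
    return $status
}

# Constructed sample input: both NFS shares mounted with krb5p, plus a
# local file system that must be ignored.
SAMPLE_OK='nfs-server.example.com:/export /mnt nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=192.0.2.10 0 0
nfs-server.example.com:/home /home nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=192.0.2.10 0 0
/dev/sda1 / xfs rw,relatime 0 0'

# Constructed sample input: /home was mounted with sec=sys, which the
# audit must flag.
SAMPLE_BAD='nfs-server.example.com:/export /mnt nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=192.0.2.10 0 0
nfs-server.example.com:/home /home nfs4 rw,relatime,vers=4.1,sec=sys,clientaddr=192.0.2.10 0 0
/dev/sda1 / xfs rw,relatime 0 0'

# Demonstration on the constructed samples; on a real client use
#   check_nfs_sec krb5p < /proc/mounts
if printf '%s\n' "$SAMPLE_BAD" | check_nfs_sec krb5p; then
    echo "all NFS mounts use krb5p"
else
    echo "at least one NFS mount is not using krb5p"
fi
```

The check compares the negotiated flavor against the one you require rather than merely testing for "some Kerberos", so a mount that was downgraded to krb5i or krb5 (no encryption) is reported as well as a plain sec=sys mount.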

Important

The pam_oddjob_mkhomedir module does not support automatic creation of home directories on an NFS share. Therefore, you must manually create the home directories on the server in the root of the share that contains the home directories.