34.3. Setting up a Kerberos-aware NFS Server

  1. If any of your NFS clients support only weak cryptography, such as Red Hat Enterprise Linux 5 clients, perform the following two steps. Skip them otherwise: single DES (des-cbc-crc) is broken, and these steps enable it for the whole IdM realm, not just for NFS. Remove the settings again once the last such client is gone.
    1. Update the IdM server Kerberos configuration to enable the weak des-cbc-crc encryption type. Replace REALM_NAME and the base DN with your own values; using -W instead of -w password makes ldapmodify prompt for the password rather than exposing it on the command line:
      $ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
      
      dn: cn=REALM_NAME,cn=kerberos,dc=example,dc=com
      changetype: modify
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:normal
      -
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:special
      -
      add: krbDefaultEncSaltTypes
      krbDefaultEncSaltTypes: des-cbc-crc:special
    2. On the NFS server, add the following entry to the [libdefaults] section of the /etc/krb5.conf file to enable weak cryptography support:
      allow_weak_crypto = true
  2. Obtain a Kerberos ticket:
    [root@nfs-server ~]# kinit admin
  3. If the NFS host machine has not been added as a client to the IdM domain, create the host entry. See Section 12.3, “Adding Host Entries”.
  4. Create the NFS service entry:
    [root@nfs-server ~]# ipa service-add nfs/nfs-server.example.com
  5. Retrieve an NFS service keytab for the NFS server with the following ipa-getkeytab command, which saves the keys in the /etc/krb5.keytab file:
    [root@nfs-server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab
    If any of your NFS clients support only weak cryptography, additionally pass the -e des-cbc-crc option to the command to request a DES-encrypted keytab.
  6. Verify that the NFS service has been properly configured in IdM, with its keytab, by checking the service entry:
    [root@nfs-server ~]# ipa service-show nfs/nfs-server.example.com
      Principal name: nfs/nfs-server.example.com@IDM.EXAMPLE.COM
      Principal alias: nfs/nfs-server.example.com@IDM.EXAMPLE.COM
      Keytab: True
      Managed by: nfs-server.example.com
  7. Install the nfs-utils package:
    [root@nfs-server ~]# yum install nfs-utils
  8. Run the ipa-client-automount utility to configure the NFS settings:
    [root@nfs-server ~]# ipa-client-automount
    Searching for IPA server...
    IPA server: DNS discovery
    Location: default
    Continue to configure the system with these values? [no]: yes
    Configured /etc/sysconfig/nfs
    Configured /etc/idmapd.conf
    Started rpcidmapd
    Started rpcgssd
    Restarting sssd, waiting for it to become available.
    Started autofs
    By default, this command enables secure NFS and sets the Domain parameter in the /etc/idmapd.conf file to the IdM DNS domain. If you use a different domain, specify it using the --idmap-domain domain_name parameter.
  9. Configure the nfs-idmapd service to start automatically when the system boots:
    # systemctl enable nfs-idmapd
  10. Edit the /etc/exports file and add shares with a sec= option that lists the Kerberos security flavors the server accepts, including krb5p:
    /export  *(rw,sec=krb5:krb5i:krb5p)
    /home  *(rw,sec=krb5:krb5i:krb5p)
    This example shares the /export and /home directories in read-write mode with Kerberos authentication enabled. The flavors differ in what they protect: krb5 only authenticates the client, krb5i additionally protects the integrity of each request, and krb5p also encrypts the NFS traffic. Listing all three lets a client choose any of them; to require encrypted traffic, list only sec=krb5p. Do not add sys to the list, because that would allow unauthenticated AUTH_SYS mounts alongside Kerberos.
  11. Re-export the shared directories:
    [root@nfs-server ~]# exportfs -rav
  12. Optionally, configure the NFS server as an NFS client. See Section 34.4, “Setting up a Kerberos-aware NFS Client”.
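Once the steps above are complete, the following script audits the result. It is an added example written for this section, not part of IdM, nfs-utils, or the original guide. It checks the three settings the procedure touches: the sec= flavors in /etc/exports, the encryption types of the nfs/ keys in /etc/krb5.keytab, and allow_weak_crypto in /etc/krb5.conf. The script name nfs-krb5-audit.sh and all sample inputs are constructed; each check takes the file or klist -ke text as an argument, so the same functions run unchanged against the real files on the server.

```shell
#!/bin/sh
# nfs-krb5-audit.sh (hypothetical name): post-setup checks for a Kerberos-aware NFS
# server. Added example for this section, not part of IdM or nfs-utils. Each check
# takes file contents or command output as TEXT, so it runs against the constructed
# samples below; on a real server feed it /etc/exports, "klist -ke" and /etc/krb5.conf.

# 1. Exports: print every export line that does not force Kerberos. A client spec fails
#    if it has no sec= (the kernel default is sec=sys), omits krb5p, or still offers sys.
#    Returns 1 if any line was printed.
check_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        {
            bad = (NF < 2)                         # path with no client spec at all
            for (i = 2; i <= NF; i++) {
                opts = $i
                sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)   # keep "(...)" contents
                n = split(opts, o, ",")
                has_sec = 0; has_p = 0; has_sys = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] ~ /^sec=/) {
                        has_sec = 1
                        m = split(substr(o[j], 5), f, ":")
                        for (k = 1; k <= m; k++) {
                            if (f[k] == "krb5p") has_p = 1
                            if (f[k] == "sys")   has_sys = 1
                        }
                    }
                }
                if (!has_sec || !has_p || has_sys) bad = 1
            }
            if (bad) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# 2. Keytab: given "klist -ke" output, print nfs/ keys that use single DES, which only
#    exist if ipa-getkeytab was run with -e des-cbc-crc. Returns 1 if the nfs/ principal
#    is missing or has such a key. Expects the short enctype names klist prints, e.g.
#    "(des-cbc-crc)" or "(aes256-cts-hmac-sha1-96)".
check_keytab() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^nfs\// {
            seen = 1
            if ($3 ~ /^\(des-cbc-/) { print; weak = 1 }
        }
        END { exit (weak || !seen) ? 1 : 0 }'
}

# 3. krb5.conf: returns 0 (and prints the line) if allow_weak_crypto is turned on in
#    [libdefaults]; that setting belongs only on a server that still has DES-only clients.
weak_crypto_enabled() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_lib && /^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|1)/ { print; on = 1 }
        END { exit on ? 0 : 1 }'
}

# Constructed samples (not captured from a real server): two good exports, one that still
# offers sys, one with no sec= at all; a keytab that kept a DES key; weak crypto enabled.
SAMPLE_EXPORTS='# /etc/exports on nfs-server.example.com
/export  *(rw,sec=krb5:krb5i:krb5p)
/home    *(rw,sec=krb5:krb5i:krb5p)
/legacy  10.0.0.0/8(rw,sec=sys:krb5)
/scratch *(rw)'

SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfs-server.example.com@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/nfs-server.example.com@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/nfs-server.example.com@IDM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 nfs/nfs-server.example.com@IDM.EXAMPLE.COM (des-cbc-crc)'

SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = IDM.EXAMPLE.COM
 allow_weak_crypto = true
[realms]
 IDM.EXAMPLE.COM = {
  kdc = ipaserver.example.com
 }'

# Run the checks. On the real server replace the samples with:
#   "$(cat /etc/exports)"   "$(klist -ke /etc/krb5.keytab)"   "$(cat /etc/krb5.conf)"
echo "== exports that do not force Kerberos =="
check_exports "$SAMPLE_EXPORTS" || echo "FAIL: restrict the lines above to sec=krb5p"
echo "== single-DES nfs/ keys in the keytab =="
check_keytab "$SAMPLE_KEYTAB" || echo "FAIL: fetch the keytab again without -e des-cbc-crc"
if weak_crypto_enabled "$SAMPLE_KRB5_CONF"; then
    echo "WARN: allow_weak_crypto is on; remove it once the last DES-only client is gone"
fi
```

Run it with sh nfs-krb5-audit.sh. Against the samples it reports /legacy (still offers sys) and /scratch (no sec= at all, which the kernel treats as sec=sys), the single des-cbc-crc key for nfs/, and the allow_weak_crypto line. A missing sec= is deliberately treated as a failure rather than as "no opinion", because an export without it silently accepts unauthenticated AUTH_SYS mounts no matter how the Kerberos side is configured.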