In this tutorial, you will learn, how to configure Kerberized NFS Server in RHEL 7. #centlinux #linux #nfs #kerberos
Table of Contents
What is Kerberos?
Kerberos is a computer network authentication protocol that uses tickets to authenticate computers and let them communicate over a non-secure network. Whereas, NFS is the distributed file system to share files among Linux based computers. We can combine the Kerberos with NFS to configure more secure network shares.
In this article, we will configure a Kerberized NFS Server and configure a client to access that share. To configure a Kerberized NFS Server, we must have an Identity Management Server such as FreeIPA, that provides Kerberos tickets to clients. We have already written about configuring a FreeIPA server in our previous post. Therefore, we are not going to reinvent the wheel here. However, the reader can refer to following articles to understand the Kerberos authentication.
Read Also: | Install FreeIPA on CentOS 7 |
Configure a Linux Machine as FreeIPA Client | |
Configure Single Sign-on with Kerberos 5 |
Linux Server Specification
We are using two Red Hat Enterprise Linux (RHEL) 7 servers. One as the NFS Server as well as Identity Management Server and the other as the NFS Client.
- Identity Management Server – ipaserver.example.com
- Kerberized NFS Server – ipaserver.example.com
- Kerberized NFS Client – client2.example.com
Note: we are configuring our same FreeIPA server as the Kerberized NFS Server.
Recommended Online Training: Learn Bash Shell in Linux for Beginners
Configure Kerberized NFS Server
Make sure that you have already configured this machine as FreeIPA Client. (refer to Configure a Linux Machine as FreeIPA Client)
Now, add NFS service to our FreeIPA server to create Kerberized NFS service as follows.
# kinit admin Password for admin@EXAMPLE.COM: # ipa service-add nfs/ipaserver.example.com ----------------------------------------------------- Added service "nfs/ipaserver.example.com@EXAMPLE.COM" ----------------------------------------------------- Principal: nfs/ipaserver.example.com@EXAMPLE.COM Managed by: ipaserver.example.com # kadmin.local Authenticating as principal admin/admin@EXAMPLE.COM with password. kadmin.local: ktadd nfs/ipaserver.example.com Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. kadmin.local: quit # klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 3 host/ipaserver.example.com@EXAMPLE.COM 3 host/ipaserver.example.com@EXAMPLE.COM 3 host/ipaserver.example.com@EXAMPLE.COM 3 host/ipaserver.example.com@EXAMPLE.COM 1 nfs/ipaserver.example.com@EXAMPLE.COM 1 nfs/ipaserver.example.com@EXAMPLE.COM 1 nfs/ipaserver.example.com@EXAMPLE.COM 1 nfs/ipaserver.example.com@EXAMPLE.COM
To configure NFS Service, we have to install nfs-utils package. Usually, this package is automatically installed during installation of Red Hat Enterprise Linux (RHEL) 7. However, you can install it anytime using yum command.
# yum install -y nfs-utils
nfs-utils is already installed on our system.
Create a directory to share with other clients.
# mkdir /nfsshare # chgrp nfsnobody /nfsshare/ # chmod g+w /nfsshare/
We have created a directory nfsshare, change its group to nfsnobody and w rights has been given to group. So, the anonymous users can create files on this shared directory.
Adjust SELinux type of the /nfsshare directory.
# semanage fcontext -a -t nfs_t "/nfsshare(/.*)?" # restorecon -Rv /nfsshare/ restorecon reset /nfsshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:nfs_t:s0
If semanage command does not available on your system then install policycoreutils-python package.
Now export/share this directory to specific clients.
# echo '/nfsshare client2.example.com(rw,sec=krb5p,sync)' >> /etc/exports # exportfs -r
Enable and Start the nfs-server and nfs-secure-server services.
# systemctl start nfs-server ; systemctl enable nfs-server ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service' # systemctl start nfs-secure-server; systemctl enable nfs-secure-server ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
Allow nfs and other supplementary services through Linux firewall.
# firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind} success # firewall-cmd --reload success
Configure Kerberized NFS Client
Make sure that you have already configured this machine as FreeIPA Client. (refer to Configure a Linux Machine as FreeIPA Client)
Connect to the client2.example.com. and install nfs-utils package.
# yum install -y nfs-utils
Create a directory, to mount the shared directory from ipaserver.example.com.
# mkdir /mnt/nfsshare
Check the shared directories from ipaserver.example.com.
# showmount -e ipaserver.example.com Export list for ipaserver.example.com: /nfsshare client2.example.com
Start and enable the nfs-secure service.
# systemctl start nfs-secure ; systemctl enable nfs-secure ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
Persistently mount this shared directory by adding following entry in /etc/fstab.
# echo 'ipaserver.example.com:/nfsshare /mnt/nfsshare nfs sec=krb5p,_netdev 0 0' >> /etc/fstab # mount -a
Check the status of mounted directory.
# mount | grep nfs sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime) ipaserver.example.com:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.116.202,local_lock=none,addr=192.168.116.200,_netdev)
Create a file in this shared directory, to verify the file permissions.
# cd /mnt/nfsshare/ # touch test1 # ls -al total 0 drwxrwxr-x. 2 root nfsnobody 18 Jul 31 07:32 . drwxr-xr-x. 4 root root 31 Jul 31 07:23 .. -rw-r--r--. 1 nfsnobody nfsnobody 0 Jul 31 07:32 test1
We have successfully configured our Kerberized NFS Server.
If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.
Conclusion
In this tutorial, you will learn, how to configure Kerberized NFS Server in RHEL 7.
Dear Ahmer Bhai,
Can you please let me know why did not you added service for client ? as i have gone through a blog where the service for client is also added
Service for client is not required to be add. However, the client host must be added to kerberos, that we have already added in our previous post.
Hello Ahmer, I have a Windows NFS server and Linux CentOS client protecting NFS with Kerberos do you have any suggestions or if you have a recipe for something similar?
Hi,I do not prefer to work on MS Windows. You should see the product documentation.
Hello Ahmer,
First of all, I would like to thank you for this documentation!
I would like to know if I can replace the "Identity Management Server" with SSSD joined identity management realm running on the NFS server?
Because I have SSSD configured on both NFS server and client servers.
I need your help to figure out how to use it
You cannot replace an IDM server with SSSD. Because SSSD is a local service that provides local (offline) and remote authentication services, and it requires an IDM server.
Service for client is needed. we had a situation where things did not work and we had to add a nfs service for the client. I dont understand the logic but we had to do it.
Usually nfs-secure service is quiet enough to handle Kerberos. Pls share the service name that you have created and what Linux version you are using.