Secure your data like a pro! Learn how to configure a Kerberized NFS server in RHEL 7 and avoid critical vulnerabilities. Don’t miss this essential guide trusted by seasoned sysadmins.
What is Kerberos?
Kerberos is a computer network authentication protocol that uses tickets to authenticate computers and let them communicate over a non-secure network. NFS is a distributed file system used to share files among Linux-based computers. We can combine Kerberos with NFS to configure more secure network shares.
In this article, we will configure a Kerberized NFS Server and configure a client to access that share. To configure a Kerberized NFS Server, we must have an Identity Management Server, such as FreeIPA, that provides Kerberos tickets to clients. We have already written about configuring a FreeIPA server in our previous post, so we are not going to reinvent the wheel here. However, the reader can refer to the following articles to understand Kerberos authentication.

Read Also:
- Install FreeIPA on CentOS 7
- Configure a Linux Machine as FreeIPA Client
- Configure Single Sign-on with Kerberos 5
Linux Server Specification
We are using two Red Hat Enterprise Linux (RHEL) 7 servers. One acts as both the NFS Server and the Identity Management Server, and the other is the NFS Client.
- Identity Management Server – ipaserver.example.com
- Kerberized NFS Server – ipaserver.example.com
- Kerberized NFS Client – client2.example.com
Note: we are using the same FreeIPA server as the Kerberized NFS Server.

Configure Kerberized NFS Server
Make sure that you have already configured this machine as a FreeIPA Client (refer to Configure a Linux Machine as FreeIPA Client).
Now, add the NFS service to our FreeIPA server to create the Kerberized NFS service principal as follows.
kinit admin
ipa service-add nfs/ipaserver.example.com
Output:
-----------------------------------------------------
Added service "nfs/ipaserver.example.com@EXAMPLE.COM"
-----------------------------------------------------
Principal: nfs/ipaserver.example.com@EXAMPLE.COM
Managed by: ipaserver.example.com
Connect to Kerberos server.
kadmin.local
Add NFS Server Entry in Kerberos Server.
ktadd nfs/ipaserver.example.com
quit
Output:
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Display the list of keys in a Kerberos keytab file.
klist -k
Output:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/ipaserver.example.com@EXAMPLE.COM
3 host/ipaserver.example.com@EXAMPLE.COM
3 host/ipaserver.example.com@EXAMPLE.COM
3 host/ipaserver.example.com@EXAMPLE.COM
1 nfs/ipaserver.example.com@EXAMPLE.COM
1 nfs/ipaserver.example.com@EXAMPLE.COM
1 nfs/ipaserver.example.com@EXAMPLE.COM
1 nfs/ipaserver.example.com@EXAMPLE.COM
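The ktadd output above includes des3-cbc-sha1 and arcfour-hmac keys, both of which RFC 8429 deprecates for Kerberos. The following check is an added example, not part of the original article: it reads `klist -ke` output (the -e flag adds the encryption type to each entry) and lists the entries that use DES, 3DES or RC4. The function name and the sample input are constructed for illustration.

```shell
# Added example (not from the original article): flag keytab entries that
# use encryption types deprecated by RFC 8429 (3DES and RC4) or single DES.

# Reads `klist -ke` style output on stdin and prints "principal enctype"
# for every entry whose enctype is DES, 3DES or RC4 (arcfour).
weak_keytab_entries() {
    awk '
        # Entry lines start with a numeric KVNO; the enctype is the last
        # field, in parentheses. Newer krb5 releases prefix "DEPRECATED:".
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            etype = $NF
            gsub(/[()]/, "", etype)
            sub(/^DEPRECATED:/, "", etype)
            if (etype ~ /^(des|des3|arcfour|rc4)-/) print $2, etype
        }'
}

# Constructed sample, modelled on the ktadd output shown in this article.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipaserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/ipaserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/ipaserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 nfs/ipaserver.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 nfs/ipaserver.example.com@EXAMPLE.COM (arcfour-hmac)'

# Number of weak entries found in the constructed sample.
count_weak_sample() {
    printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries | wc -l | tr -d ' '
}

# Show the weak entries in the sample. On a live server, run instead:
#   klist -ke /etc/krb5.keytab | weak_keytab_entries
printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries
```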
To configure the NFS service, we have to install the nfs-utils package. Usually, this package is installed automatically during installation of Red Hat Enterprise Linux (RHEL) 7. However, you can install it anytime using the yum command.
yum install -y nfs-utils
nfs-utils is already installed on our system.
Create a directory to share with other clients.
mkdir /nfsshare
chgrp nfsnobody /nfsshare/
chmod g+w /nfsshare/
We have created the directory nfsshare, changed its group to nfsnobody, and given write (w) permission to the group, so that anonymous users can create files in this shared directory.
Adjust SELinux type of the /nfsshare directory.
semanage fcontext -a -t nfs_t "/nfsshare(/.*)?"
restorecon -Rv /nfsshare/
Output:
restorecon reset /nfsshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:nfs_t:s0
If the semanage command is not available on your system, install the policycoreutils-python package.
Now export/share this directory to specific clients.
echo '/nfsshare client2.example.com(rw,sec=krb5p,sync)' >> /etc/exports
exportfs -r
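The export above is limited to one client and to sec=krb5p. An entry with no sec= option falls back to the default flavor sys, and a list such as sec=sys:krb5p lets a client choose the weaker flavor. The following audit is an added example, not part of the original article: it reads /etc/exports-style text and reports such entries. The function name and every sample line except the /nfsshare entry are constructed for illustration.

```shell
# Added example (not from the original article): audit exports(5) entries.
# Assumes one export per line (no backslash continuations).

# Reads /etc/exports-style text on stdin. Prints "path client finding" for
# each client spec that permits a flavor other than krb5p or is a wildcard.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments, blank lines
        {
            dflt = "sys"                        # exports(5) default flavor
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^-/) {                # "-opt,opt" sets line defaults
                    s = flavors(substr($i, 2)); if (s != "") dflt = s
                    continue
                }
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                if (client == "") client = "*"  # "(rw)" alone means any host
                sec = flavors(opts); if (sec == "") sec = dflt
                if (sec != "krb5p")       print $1, client, "allows sec=" sec
                else if (client ~ /[*?]/) print $1, client, "wildcard client"
            }
        }
        # Join every sec= value in an option list, e.g. "sys:krb5p".
        function flavors(list,   n, o, j, out) {
            out = ""
            n = split(list, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/)
                    out = (out == "" ? "" : out ":") substr(o[j], 5)
            return out
        }'
}

# Constructed sample; only the /nfsshare line comes from this article.
SAMPLE_EXPORTS='# sample exports file
/nfsshare client2.example.com(rw,sec=krb5p,sync)
/data     client2.example.com(rw,sync)
/home     *.example.com(rw,sec=krb5p)
/scratch  client2.example.com(rw,sec=sys:krb5p)
/proj     -sec=krb5p client2.example.com(rw)'

# On a live server: audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```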
Enable and Start the nfs-server and nfs-secure-server services.
systemctl start nfs-server
systemctl enable nfs-server
systemctl start nfs-secure-server
systemctl enable nfs-secure-server
Allow nfs and other supplementary services through the Linux firewall.
firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind}
firewall-cmd --reload
Configure Kerberized NFS Client
Make sure that you have already configured this machine as a FreeIPA Client (refer to Configure a Linux Machine as FreeIPA Client).
Connect to client2.example.com and install the nfs-utils package.
yum install -y nfs-utils
Create a directory, to mount the shared directory from ipaserver.example.com.
mkdir /mnt/nfsshare
Check the shared directories from ipaserver.example.com.
showmount -e ipaserver.example.com
Output:
Export list for ipaserver.example.com:
/nfsshare client2.example.com
Start and enable the nfs-secure service.
systemctl start nfs-secure
systemctl enable nfs-secure
Persistently mount this shared directory by adding the following entry to /etc/fstab.
echo 'ipaserver.example.com:/nfsshare /mnt/nfsshare nfs sec=krb5p,_netdev 0 0' >> /etc/fstab
mount -a
Check the status of mounted directory.
mount | grep nfs
Output:
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
ipaserver.example.com:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.116.202,local_lock=none,addr=192.168.116.200,_netdev)
Create a file in this shared directory, to verify the file permissions.
cd /mnt/nfsshare/
touch test1
ls -al
Output:
total 0
drwxrwxr-x. 2 root nfsnobody 18 Jul 31 07:32 .
drwxr-xr-x. 4 root root 31 Jul 31 07:23 ..
-rw-r--r--. 1 nfsnobody nfsnobody 0 Jul 31 07:32 test1
We have successfully configured our Kerberized NFS Server.
Frequently Asked Questions (FAQs)
What is Kerberized NFS?
Kerberized NFS enhances security by using Kerberos authentication to verify users and services before allowing access to NFS shares, preventing unauthorized access.
Why use Kerberos with NFS?
Standard NFS relies on host-based trust, which is less secure. Kerberos adds encryption and strong authentication, protecting data integrity and confidentiality.
What are the prerequisites for setting up Kerberized NFS?
You need:
- A working Kerberos (KDC) server.
- Properly configured DNS and hostname resolution.
- NFS and Kerberos client-server packages installed.
What are the key configuration files involved?
- /etc/krb5.conf (Kerberos configuration).
- /etc/exports (NFS shares configuration).
- /etc/idmapd.conf (ID mapping for NFSv4).
How do I verify if Kerberized NFS is working?
Test access from a client using kinit (Kerberos authentication) and then attempt to mount the NFS share. Check logs (/var/log/messages or journalctl) for errors.
Conclusion
Configuring a Kerberized NFS server in RHEL 7 is more than just a technical task—it’s a vital step toward securing your enterprise environment. You’ve now seen how to set up a robust, encrypted file-sharing system that uses Kerberos authentication for top-tier security. Imagine the peace of mind knowing your data is shielded against unauthorized access. Thousands of sysadmins are already leveraging this setup—are you going to be the one left behind?
Take action now: apply what you’ve learned, lock down your NFS server, and stay ahead of the curve. Because when it comes to security, falling behind isn’t an option.