
How to configure Kerberized NFS Server in RHEL 7


In this tutorial, you will learn how to configure a Kerberized NFS Server in RHEL 7.

What is Kerberos?

Kerberos is a computer network authentication protocol that uses tickets to authenticate computers and lets them communicate over a non-secure network. NFS is a distributed file system for sharing files among Linux-based computers. Combining Kerberos with NFS lets us configure more secure network shares.

In this article, we will configure a Kerberized NFS Server and configure a client to access that share. To configure a Kerberized NFS Server, we must have an Identity Management Server such as FreeIPA that provides Kerberos tickets to clients. We have already written about configuring a FreeIPA server in our previous post, so we are not going to reinvent the wheel here. The reader can refer to the following articles to understand Kerberos authentication.

Read Also:
  • Install FreeIPA on CentOS 7
  • Configure a Linux Machine as FreeIPA Client
  • Configure Single Sign-on with Kerberos 5

Linux Server Specification

We are using two Red Hat Enterprise Linux (RHEL) 7 servers: one serves as both the NFS Server and the Identity Management Server, and the other as the NFS Client.

  • Identity Management Server – ipaserver.example.com
  • Kerberized NFS Server – ipaserver.example.com
  • Kerberized NFS Client – client2.example.com

Note: we are configuring the same FreeIPA server as the Kerberized NFS Server.


Configure Kerberized NFS Server

Make sure that you have already configured this machine as a FreeIPA Client (refer to Configure a Linux Machine as FreeIPA Client).

Now, add NFS service to our FreeIPA server to create Kerberized NFS service as follows.

# kinit admin
Password for admin@EXAMPLE.COM:
# ipa service-add nfs/ipaserver.example.com
-----------------------------------------------------
Added service "nfs/ipaserver.example.com@EXAMPLE.COM"
-----------------------------------------------------
  Principal: nfs/ipaserver.example.com@EXAMPLE.COM
  Managed by: ipaserver.example.com

# kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local:  ktadd nfs/ipaserver.example.com
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  quit

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipaserver.example.com@EXAMPLE.COM
   3 host/ipaserver.example.com@EXAMPLE.COM
   3 host/ipaserver.example.com@EXAMPLE.COM
   3 host/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM

To configure the NFS service, we have to install the nfs-utils package. Usually, this package is installed automatically during installation of Red Hat Enterprise Linux (RHEL) 7. However, you can install it at any time using the yum command.

# yum install -y nfs-utils

nfs-utils is already installed on our system.

Create a directory to share with other clients.

# mkdir /nfsshare
# chgrp nfsnobody /nfsshare/
# chmod g+w /nfsshare/

We have created the directory /nfsshare, changed its group to nfsnobody and given write permission to that group, so anonymous users can create files in this shared directory.

Adjust SELinux type of the /nfsshare directory.

# semanage fcontext -a -t nfs_t "/nfsshare(/.*)?"
# restorecon -Rv /nfsshare/
restorecon reset /nfsshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:nfs_t:s0

If the semanage command is not available on your system, install the policycoreutils-python package.

Now export/share this directory to specific clients.

# echo '/nfsshare client2.example.com(rw,sec=krb5p,sync)' >> /etc/exports
# exportfs -r

Enable and Start the nfs-server and nfs-secure-server services.

# systemctl start nfs-server ; systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'

# systemctl start nfs-secure-server; systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'

Allow nfs and its supplementary services through the Linux firewall.

# firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind}
success
# firewall-cmd --reload
success
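The three server-side pieces above, the nfs/ principal in the keytab, the key enctypes that ktadd wrote, and the sec=krb5p option on the export, are what make the share Kerberized, and each can be wrong without any command failing. The script below is an added example, not part of the original tutorial: it reads `klist -ke` output and the contents of /etc/exports on stdin and checks them, using constructed samples in those formats that mirror the tutorial's server. The /scratch export line with its wildcard client is assumed for contrast and is not from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: offline checks for the
# server-side pieces of a Kerberized NFS export. Each function reads the
# relevant command output on stdin (klist -ke, /etc/exports), so it can be
# piped from a live server or fed a captured copy during a review.

# keytab_has_nfs_principal FQDN REALM
# Reads `klist -k` or `klist -ke` output and returns 0 if nfs/FQDN@REALM is
# in the keytab. Without that entry the server cannot accept sec=krb5* mounts.
keytab_has_nfs_principal() {
    awk -v want="nfs/$1@$2" '$2 == want { found = 1 } END { exit !found }'
}

# keytab_legacy_enctypes FQDN REALM
# Reads `klist -ke` output (KVNO, principal, enctype in parentheses) and
# prints every legacy enctype stored for nfs/FQDN@REALM, one per line.
# Returns 1 if any was found. The tutorial's ktadd output shows des3-cbc-sha1
# and arcfour-hmac keys beside the AES ones; a client allowed to negotiate
# those ends up with a weaker session key than "sec=krb5p" suggests.
keytab_legacy_enctypes() {
    awk -v want="nfs/$1@$2" '
        $2 == want {
            et = $3; gsub(/[()]/, "", et)
            if (et ~ /^(des|arcfour|rc4)/) { print et; legacy = 1 }
        }
        END { exit legacy }'
}

# exports_sec_flavor PATH CLIENT
# Reads /etc/exports on stdin and prints the sec= flavor PATH grants to
# CLIENT. Prints "sys" when no sec= option is given, because that is the
# NFS default: such an export trusts client-supplied UIDs even on a
# Kerberized server. Returns 1 if PATH is not exported to CLIENT.
exports_sec_flavor() {
    awk -v path="$1" -v client="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == path {
            for (i = 2; i <= NF; i++) {
                split($i, parts, "[(]")   # parts[1] = client, parts[2] = "opts)"
                if (parts[1] != client) continue
                sec = "sys"
                n = split(parts[2], opts, /[,)]/)
                for (j = 1; j <= n; j++)
                    if (opts[j] ~ /^sec=/) sec = substr(opts[j], 5)
                print sec; found = 1; exit
            }
        }
        END { exit !found }'
}

# export_requires_kerberos PATH CLIENT
# Returns 0 only when the export allows nothing but a krb5 flavor. A list
# such as "sec=krb5p:sys" is rejected, because the client may then pick sys.
export_requires_kerberos() {
    case "$(exports_sec_flavor "$1" "$2")" in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples in the format of `klist -ke` and /etc/exports on the
# tutorial's server. The /scratch line with a wildcard client is assumed
# here for contrast; it is not part of the tutorial.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipaserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/ipaserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 nfs/ipaserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 nfs/ipaserver.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 nfs/ipaserver.example.com@EXAMPLE.COM (arcfour-hmac)'
SAMPLE_EXPORTS='/nfsshare client2.example.com(rw,sec=krb5p,sync)
/scratch *(rw,sync)'

# On a live server replace the printf with:  klist -ke | ...   and   ... < /etc/exports
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_nfs_principal ipaserver.example.com EXAMPLE.COM \
    && echo "keytab: nfs/ipaserver.example.com@EXAMPLE.COM present"
printf '%s\n' "$SAMPLE_KLIST" | keytab_legacy_enctypes ipaserver.example.com EXAMPLE.COM \
    || echo "keytab: legacy enctypes listed above"
printf '%s\n' "$SAMPLE_EXPORTS" | export_requires_kerberos /nfsshare client2.example.com \
    && echo "/nfsshare -> client2.example.com: Kerberos required"
printf '%s\n' "$SAMPLE_EXPORTS" | export_requires_kerberos /scratch '*' \
    || echo "/scratch -> *: NOT Kerberized (sec=$(printf '%s\n' "$SAMPLE_EXPORTS" | exports_sec_flavor /scratch '*'))"
```

The checks deliberately treat a missing sec= option as sec=sys and a flavor list that includes sys as not Kerberized, since in both cases a client can read and write the export with nothing more than a claimed UID.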

Configure Kerberized NFS Client

Make sure that you have already configured this machine as a FreeIPA Client (refer to Configure a Linux Machine as FreeIPA Client).

Connect to client2.example.com and install the nfs-utils package.

# yum install -y nfs-utils

Create a directory to mount the shared directory from ipaserver.example.com.

# mkdir /mnt/nfsshare

Check the shared directories from ipaserver.example.com.

# showmount -e ipaserver.example.com
Export list for ipaserver.example.com:
/nfsshare client2.example.com

Start and enable the nfs-secure service.

# systemctl start nfs-secure ; systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'

Persistently mount this shared directory by adding the following entry to /etc/fstab.

# echo 'ipaserver.example.com:/nfsshare /mnt/nfsshare nfs sec=krb5p,_netdev 0 0' >> /etc/fstab
# mount -a

Check the status of the mounted directory.

# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
ipaserver.example.com:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.116.202,local_lock=none,addr=192.168.116.200,_netdev)
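The mount line above shows sec=krb5p, which is the property worth checking after every mount -a. With sec=krb5p in fstab, a mount that cannot obtain a Kerberos context fails outright; when sec= is left out, the NFSv4 client negotiates a flavor with the server, so an export that still permits sys comes up as sec=sys with no error at all. The script below is an added example, not from the original tutorial: it pulls the option list for a mount point out of `mount` output and checks the security flavor. Its sample text is constructed from the tutorial's own mount line plus an assumed second mount (nas.example.com:/data, not in the tutorial) that was negotiated down to sys.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: confirm from `mount`
# output that an NFS mount point really uses Kerberos privacy (sec=krb5p).

# mount_option MOUNTPOINT OPTION
# Reads `mount` output on stdin, finds the line "<src> on MOUNTPOINT type
# <fstype> (<opts>)" and prints OPTION's value from the option list ("set"
# for a bare flag such as hard). Returns 1 if MOUNTPOINT is not mounted or
# OPTION is absent from its list.
mount_option() {
    awk -v mp="$1" -v key="$2" '
        $2 == "on" && $3 == mp && $4 == "type" {
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) {
                split(o[i], kv, "=")
                if (kv[1] == key) {
                    print (kv[2] == "" ? "set" : kv[2])
                    found = 1; exit
                }
            }
            exit   # mount point seen, option not present
        }
        END { exit !found }'
}

# nfs_mount_is_kerberized MOUNTPOINT
# Returns 0 only for sec=krb5p. krb5 authenticates the user but sends file
# data in the clear, and krb5i adds integrity without encryption, so neither
# gives what the tutorial's export (sec=krb5p) intends.
nfs_mount_is_kerberized() {
    sec=$(mount_option "$1" sec) || return 1
    [ "$sec" = krb5p ]
}

# Constructed `mount` output: the tutorial's own mount line, plus an assumed
# second NFS mount (nas.example.com:/data and its address, not in the
# tutorial) that was negotiated down to sec=sys.
SAMPLE_MOUNT='sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
ipaserver.example.com:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.116.202,local_lock=none,addr=192.168.116.200,_netdev)
nas.example.com:/data on /mnt/data type nfs4 (rw,relatime,vers=4.1,hard,proto=tcp,sec=sys,clientaddr=192.168.116.202,addr=192.168.116.210)'

# On a live client replace the printf with:  mount | nfs_mount_is_kerberized /mnt/nfsshare
for mp in /mnt/nfsshare /mnt/data; do
    if printf '%s\n' "$SAMPLE_MOUNT" | nfs_mount_is_kerberized "$mp"; then
        echo "$mp: sec=krb5p, NFSv$(printf '%s\n' "$SAMPLE_MOUNT" | mount_option "$mp" vers)"
    else
        echo "$mp: NOT krb5p (sec=$(printf '%s\n' "$SAMPLE_MOUNT" | mount_option "$mp" sec))"
    fi
done
```

Run against the sample, the first mount point reports sec=krb5p on NFSv4.0 and the second is flagged as sec=sys; on a real client the same check belongs in whatever monitoring already verifies that the mount exists.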

Create a file in this shared directory to verify the file permissions.

# cd /mnt/nfsshare/
# touch test1
# ls -al
total 0
drwxrwxr-x. 2 root      nfsnobody 18 Jul 31 07:32 .
drwxr-xr-x. 4 root      root      31 Jul 31 07:23 ..
-rw-r--r--. 1 nfsnobody nfsnobody  0 Jul 31 07:32 test1

We have successfully configured our Kerberized NFS Server.

If you are new to Linux and find it difficult to work at the Linux Bash prompt, we recommend that you read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.

Conclusion

In this tutorial, you learned how to configure a Kerberized NFS Server in RHEL 7.

Alaric Bird

Alaric Bird is a seasoned Linux System Administrator with over a decade of experience in managing and optimizing Linux-based servers and infrastructure. Known for his expertise in server deployment, security hardening, and performance tuning, Alaric has a deep understanding of various Linux distributions, including Ubuntu, CentOS, and Red Hat Enterprise Linux. His skills extend to cloud platforms like AWS, where he effectively manages virtual private servers and services. Alaric is also proficient in scripting languages such as Bash and Python, which he uses to automate routine tasks, enhancing efficiency and reliability. With a strong commitment to continuous learning, he stays updated with the latest developments in open-source technologies and best practices. His problem-solving abilities, combined with excellent communication skills, make him a valuable asset to any IT team. In addition to his technical expertise, Alaric is passionate about mentoring junior administrators and fostering a collaborative environment.

Comments

  • Dear Ahmer Bhai,

    Can you please let me know why you did not add a service for the client? I have gone through a blog where the service for the client is also added.

  • A service for the client is not required to be added. However, the client host must be added to Kerberos, which we have already done in our previous post.

  • Hello Ahmer, I have a Windows NFS server and a Linux CentOS client protecting NFS with Kerberos. Do you have any suggestions, or a recipe for something similar?

  • Hello Ahmer,

    First of all, I would like to thank you for this documentation!

    I would like to know if I can replace the "Identity Management Server" with an SSSD-joined identity management realm running on the NFS server?
    Because I have SSSD configured on both the NFS server and the client servers.
    I need your help to figure out how to use it.

  • You cannot replace an IDM server with SSSD, because SSSD is a local service that provides local (offline) and remote authentication services, and it requires an IDM server.

  • A service for the client is needed. We had a situation where things did not work and we had to add an NFS service for the client. I don't understand the logic, but we had to do it.

  • Usually the nfs-secure service is quite enough to handle Kerberos. Please share the service name that you have created and what Linux version you are using.
