In this tutorial, you will learn, how to configure Kerberized NFS Server in RHEL 7. #centlinux #linux #nfs #kerberos
Table of Contents
What is Kerberos?
Kerberos is a computer network authentication protocol that uses tickets to authenticate computers and let them communicate over a non-secure network. Whereas, NFS is the distributed file system to share files among Linux based computers. We can combine the Kerberos with NFS to configure more secure network shares.
In this article, we will configure a Kerberized NFS Server and configure a client to access that share. To configure a Kerberized NFS Server, we must have an Identity Management Server such as FreeIPA, that provides Kerberos tickets to clients. We have already written about configuring a FreeIPA server in our previous post. Therefore, we are not going to reinvent the wheel here. However, the reader can refer to following articles to understand the Kerberos authentication.
Read Also: | Install FreeIPA on CentOS 7 |
Configure a Linux Machine as FreeIPA Client | |
Configure Single Sign-on with Kerberos 5 |
Linux Server Specification
We are using two Red Hat Enterprise Linux (RHEL) 7 servers. One as the NFS Server as well as Identity Management Server and the other as the NFS Client.
- Identity Management Server – ipaserver.example.com
- Kerberized NFS Server – ipaserver.example.com
- Kerberized NFS Client – client2.example.com
Note: we are configuring our same FreeIPA server as the Kerberized NFS Server.
Recommended Online Training: Learn Bash Shell in Linux for Beginners
Configure Kerberized NFS Server
Make sure that you have already configured this machine as FreeIPA Client. (refer to Configure a Linux Machine as FreeIPA Client)
Now, add NFS service to our FreeIPA server to create Kerberized NFS service as follows.
# kinit admin Password for admin@EXAMPLE.COM: # ipa service-add nfs/ipaserver.example.com ----------------------------------------------------- Added service "nfs/ipaserver.example.com@EXAMPLE.COM" ----------------------------------------------------- Principal: nfs/ipaserver.example.com@EXAMPLE.COM Managed by: ipaserver.example.com # kadmin.local Authenticating as principal admin/admin@EXAMPLE.COM with password. kadmin.local: ktadd nfs/ipaserver.example.com Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. kadmin.local: quit # klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 3 host/ipaserver.example.com@EXAMPLE.COM 3 host/ipaserver.example.com@EXAMPLE.COM 3 host/ipaserver.example.com@EXAMPLE.COM 3 host/ipaserver.example.com@EXAMPLE.COM 1 nfs/ipaserver.example.com@EXAMPLE.COM 1 nfs/ipaserver.example.com@EXAMPLE.COM 1 nfs/ipaserver.example.com@EXAMPLE.COM 1 nfs/ipaserver.example.com@EXAMPLE.COM
To configure NFS Service, we have to install nfs-utils package. Usually, this package is automatically installed during installation of Red Hat Enterprise Linux (RHEL) 7. However, you can install it anytime using yum command.
# yum install -y nfs-utils
nfs-utils is already installed on our system.
Create a directory to share with other clients.
# mkdir /nfsshare # chgrp nfsnobody /nfsshare/ # chmod g+w /nfsshare/
We have created a directory nfsshare, change its group to nfsnobody and w rights has been given to group. So, the anonymous users can create files on this shared directory.
Adjust SELinux type of the /nfsshare directory.
# semanage fcontext -a -t nfs_t "/nfsshare(/.*)?" # restorecon -Rv /nfsshare/ restorecon reset /nfsshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:nfs_t:s0
If semanage command does not available on your system then install policycoreutils-python package.
Now export/share this directory to specific clients.
# echo '/nfsshare client2.example.com(rw,sec=krb5p,sync)' >> /etc/exports # exportfs -r
Enable and Start the nfs-server and nfs-secure-server services.
# systemctl start nfs-server ; systemctl enable nfs-server ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service' # systemctl start nfs-secure-server; systemctl enable nfs-secure-server ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
Allow nfs and other supplementary services through Linux firewall.
# firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind} success # firewall-cmd --reload success
Configure Kerberized NFS Client
Make sure that you have already configured this machine as FreeIPA Client. (refer to Configure a Linux Machine as FreeIPA Client)
Connect to the client2.example.com. and install nfs-utils package.
# yum install -y nfs-utils
Create a directory, to mount the shared directory from ipaserver.example.com.
# mkdir /mnt/nfsshare
Check the shared directories from ipaserver.example.com.
# showmount -e ipaserver.example.com Export list for ipaserver.example.com: /nfsshare client2.example.com
Start and enable the nfs-secure service.
# systemctl start nfs-secure ; systemctl enable nfs-secure ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
Persistently mount this shared directory by adding following entry in /etc/fstab.
# echo 'ipaserver.example.com:/nfsshare /mnt/nfsshare nfs sec=krb5p,_netdev 0 0' >> /etc/fstab # mount -a
Check the status of mounted directory.
# mount | grep nfs sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime) ipaserver.example.com:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.116.202,local_lock=none,addr=192.168.116.200,_netdev)
Create a file in this shared directory, to verify the file permissions.
# cd /mnt/nfsshare/ # touch test1 # ls -al total 0 drwxrwxr-x. 2 root nfsnobody 18 Jul 31 07:32 . drwxr-xr-x. 4 root root 31 Jul 31 07:23 .. -rw-r--r--. 1 nfsnobody nfsnobody 0 Jul 31 07:32 test1
We have successfully configured our Kerberized NFS Server.
If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.
Conclusion
In this tutorial, you will learn, how to configure Kerberized NFS Server in RHEL 7.