Latest

Saturday, 1 December 2018

Configure a Kerberized NFS Server in RHEL / CentOS 7

Configure a Kerberized NFS Server in RHEL 7

Kerberos is a computer network authentication protocol that uses tickets to authenticate computers and let them communicate over a non-secure network. Whereas, NFS is the distributed file system to share files among Linux based computers. We can combine the Kerberos with NFS to configure more secure network shares.

In this article, we will configure a Kerberized NFS Server and configure a client to access that share. To configure a Kerberized NFS Server, we must have an Identity Management Server such as FreeIPA, that provides Kerberos tickets to clients. We have already written about configuring a FreeIPA server in our previous post. Therefore, we are not going to reinvent the wheel here. However, the reader can refer to following articles to understand the Kerberos authentication.

Read Also: Configure Identity Management (IdM) with FreeIPA Server
  Configure a Linux Machine as FreeIPA Client
  Configure SSO (Single Sign-on) with Kerberos 5

Configure a Kerberized NFS Server in RHEL 7

Table of Contents:

 

System Specification:

We are using two Red Hat Enterprise Linux (RHEL) 7 servers. One as the NFS Server as well as Identity Management Server and the other as the NFS Client.

  • Identity Management Server - ipaserver.example.com
  • Kerberized NFS Server - ipaserver.example.com
  • Kerberized NFS Client - client2.example.com

Note: we are configuring our same FreeIPA server as the Kerberized NFS Server.

 

Configure Kerberized NFS Server:

Make sure that you have already configured this machine as FreeIPA Client. (refer to Configure a Linux Machine as FreeIPA Client)

Now, add NFS service to our FreeIPA server to create Kerberized NFS service as follows.

# kinit admin
Password for admin@EXAMPLE.COM:
# ipa service-add nfs/ipaserver.example.com
-----------------------------------------------------
Added service "nfs/ipaserver.example.com@EXAMPLE.COM"
-----------------------------------------------------
  Principal: nfs/ipaserver.example.com@EXAMPLE.COM
  Managed by: ipaserver.example.com

# kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local:  ktadd nfs/ipaserver.example.com
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  quit

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipaserver.example.com@EXAMPLE.COM
   3 host/ipaserver.example.com@EXAMPLE.COM
   3 host/ipaserver.example.com@EXAMPLE.COM
   3 host/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM

To configure NFS Service, we have to install nfs-utils package. Usually, this package is automatically installed during installation of Red Hat Enterprise Linux (RHEL) 7. However, you can install it anytime using yum command.

# yum install -y nfs-utils

nfs-utils is already installed on our system.

Create a directory to share with other clients.

# mkdir /nfsshare
# chgrp nfsnobody /nfsshare/
# chmod g+w /nfsshare/

We have created a directory nfsshare, change its group to nfsnobody and w rights has been given to group. So, the anonymous users can create files on this shared directory.

Adjust SELinux type of the /nfsshare directory.

# semanage fcontext -a -t nfs_t "/nfsshare(/.*)?"
# restorecon -Rv /nfsshare/
restorecon reset /nfsshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:nfs_t:s0

If semanage command does not available on your system then install policycoreutils-python package.

Now export/share this directory to specific clients.

# echo '/nfsshare client2.example.com(rw,sec=krb5p,sync)' >> /etc/exports
# exportfs -r

Enable and Start the nfs-server and nfs-secure-server services.

# systemctl start nfs-server ; systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'

# systemctl start nfs-secure-server; systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'

Allow nfs and other supplementary services through Linux firewall.

# firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind}
success
# firewall-cmd --reload
success

 

Configure Kerberized NFS Client:

Make sure that you have already configured this machine as FreeIPA Client. (refer to Configure a Linux Machine as FreeIPA Client)

Connect to the client2.example.com. and install nfs-utils package.

# yum install -y nfs-utils

Create a directory, to mount the shared directory from ipaserver.example.com.

# mkdir /mnt/nfsshare

Check the shared directories from ipaserver.example.com.

# showmount -e ipaserver.example.com
Export list for ipaserver.example.com:
/nfsshare client2.example.com

Start and enable the nfs-secure service.

# systemctl start nfs-secure ; systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'

Persistently mount this shared directory by adding following entry in /etc/fstab.

# echo 'ipaserver.example.com:/nfsshare /mnt/nfsshare nfs sec=krb5p,_netdev 0 0' >> /etc/fstab
# mount -a

Check the status of mounted directory.

# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
ipaserver.example.com:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.116.202,local_lock=none,addr=192.168.116.200,_netdev)

Create a file in this shared directory, to verify the file permissions.

# cd /mnt/nfsshare/
# touch test1
# ls -al
total 0
drwxrwxr-x. 2 root      nfsnobody 18 Jul 31 07:32 .
drwxr-xr-x. 4 root      root      31 Jul 31 07:23 ..
-rw-r--r--. 1 nfsnobody nfsnobody  0 Jul 31 07:32 test1

We have successfully configured our Kerberized NFS Server.

If you find this article useful? Don't you mind support us by Buy Me A Coffee


8 comments:

  1. Dear Ahmer Bhai,

    Can you please let me know why did not you added service for client ? as i have gone through a blog where the service for client is also added

    ReplyDelete
    Replies
    1. Service for client is not required to be add. However, the client host must be added to kerberos, that we have already added in our previous post.

      Delete
    2. Service for client is needed. we had a situation where things did not work and we had to add a nfs service for the client. I dont understand the logic but we had to do it.

      Delete
    3. Usually nfs-secure service is quiet enough to handle Kerberos. Pls share the service name that you have created and what Linux version you are using.

      Delete
  2. Hello Ahmer, I have a Windows NFS server and Linux CentOS client protecting NFS with Kerberos do you have any suggestions or if you have a recipe for something similar?

    ReplyDelete
    Replies
    1. Hi,I do not prefer to work on MS Windows. You should see the product documentation.

      Delete
  3. Hello Ahmer,

    First of all, I would like to thank you for this documentation!

    I would like to know if I can replace the "Identity Management Server" with SSSD joined identity management realm running on the NFS server?
    Because I have SSSD configured on both NFS server and client servers.
    I need your help to figure out how to use it

    ReplyDelete
    Replies
    1. You cannot replace an IDM server with SSSD. Because SSSD is a local service that provides local (offline) and remote authentication services, and it requires an IDM server.

      Delete

© 2022 CentLinux. All Rights Reserved.