linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares

linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2018/04/13 00:25]
billdozor [Kerberos Keytab Provided Steps]
linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2019/05/25 23:50]
====== Use Kerberos To Control Access To NFS Network Shares ======

**General Information**

Kerberos with NFS: use the sec=krb5 export and mount option so that NFS clients and their users must authenticate to the Kerberos realm before they can access the export.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Perform all NFS client tests from here
  * server2.example.com (192.168.1.151) -> Install the NFS server here
  * ipa.example.com (192.168.1.152) -> FreeIPA/authentication server

----

====== Pre-requisites ======

  * LDAP/Kerberos server setup
  * Both the NFS server and the NFS client can authenticate to the LDAP/Kerberos server.

----

====== NFS Server: Initial Setup ======

  * [[linux_wiki:provide_network_shares_to_specific_clients|Setup a NFS server with an exported directory]].
    * Call the exported directory: /krbdata

\\
SELinux file context label
<code bash>
semanage fcontext -a -t nfs_t "/krbdata(/.*)?"
restorecon -R /krbdata
</code>

----

====== NFS Client: Initial Setup ======

[[linux_wiki:provide_network_shares_to_specific_clients|Setup a NFS client and mount the export]]

----

====== NFS Server: Kerberos ======

===== Manual Kerberos Keytab Setup =====

**NOTE:** These steps are most likely not needed on the exam. You will probably be provided a keytab file.

\\
Install the krb5 workstation package
<code bash>
yum install krb5-workstation
</code>

\\
Edit krb5.conf and change the 'EXAMPLE.COM' domains, kdc, and admin_server entries
<code bash>
vim /etc/krb5.conf
</code>

\\
Add the host as a principal and write its key to the keytab
<code bash>
kadmin

addprinc -randkey host/nfsserver.example.com
ktadd host/nfsserver.example.com

quit
</code>
  * kadmin -> prompted for root/admin password

\\
Edit SSH GSSAPI settings
<code bash>
vim /etc/ssh/sshd_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
</code>

\\
Reload the ssh daemon
<code bash>
systemctl reload sshd
</code>

\\
Enable Kerberos authentication
<code bash>
authconfig --enablekrb5 --update
</code>

\\
Add the Kerberos NFS principal and write its key to the keytab
<code bash>
kadmin

addprinc -randkey nfs/nfsserver.example.com
ktadd nfs/nfsserver.example.com

quit
</code>

----

===== Kerberos Keytab Provided Steps =====

\\
Install the krb5 workstation package
<code bash>
yum install krb5-workstation
</code>

\\
Edit krb5.conf and change the 'EXAMPLE.COM' domains, kdc, and admin_server entries
<code bash>
vim /etc/krb5.conf
</code>

\\
If provided a keytab file to download (most likely), simply restore the file context.
<code bash>
restorecon -Rv /etc/krb5.keytab
</code>

\\
Add "sec=krb5" as an export option
<code bash>
vim /etc/exports

/krbdata  192.168.1.10(rw,no_root_squash,sec=krb5)
</code>

\\
Ensure proper SELinux file context
<code bash>
semanage fcontext -a -t nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
</code>

\\
Re-export the directory to reflect the export option changes
<code bash>
exportfs -var
</code>
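Added example (not from this wiki page, nor from LinuxAcademy): two offline checks for the server-side steps above, covering both the keytab principal written with ktadd and the sec=krb5 export option. It assumes POSIX sh and awk; the klist -k listing and the /etc/exports contents are constructed samples (the /pubdata and /mixed entries are invented for contrast), so it runs without a KDC or an NFS server. On a real host, point the functions at the output of klist -k /etc/krb5.keytab and at /etc/exports.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: offline checks for the
# server-side Kerberos configuration (keytab principal and export options).
# Assumes POSIX sh, awk and mktemp. All inputs below are constructed samples.

# keytab_has_principal KLIST_FILE PRINCIPAL
# Exit 0 if a 'klist -k' listing contains PRINCIPAL (any KVNO), else 1.
keytab_has_principal() {
    awk -v want="$2" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit found ? 0 : 1 }' "$1"
}

# export_sec EXPORTS_FILE PATH CLIENT
# Print the sec= value of the matching export entry; "sys" when the entry has
# no sec= option (the NFS default is AUTH_SYS); nothing when no entry matches.
export_sec() {
    awk -v path="$2" -v client="$3" '
        $1 == path {
            for (i = 2; i <= NF; i++) {
                p = index($i, "(")
                if (p == 0) { c = $i; opts = "" }
                else { c = substr($i, 1, p - 1); opts = substr($i, p + 1); sub(/\)$/, "", opts) }
                if (c != client) continue
                sec = "sys"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                print sec
                exit
            }
        }' "$1"
}

# export_requires_krb5 EXPORTS_FILE PATH CLIENT
# Exit 0 only if every flavour listed for the entry is a Kerberos one. An entry
# that still lists sys (or none), or that is missing entirely, fails.
export_requires_krb5() {
    sec=$(export_sec "$1" "$2" "$3")
    [ -n "$sec" ] || return 1
    for f in $(printf '%s\n' "$sec" | tr ':' ' '); do
        case "$f" in krb5|krb5i|krb5p) ;; *) return 1 ;; esac
    done
    return 0
}

# --- constructed sample input (not captured from a real system) ---------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfsserver.example.com@EXAMPLE.COM
   2 nfs/nfsserver.example.com@EXAMPLE.COM
EOF
cat > "$SAMPLE_DIR/exports" <<'EOF'
/krbdata  192.168.1.10(rw,no_root_squash,sec=krb5)
/pubdata  192.168.1.0/24(ro)
/mixed    192.168.1.10(rw,sec=krb5:sys)
EOF

# report EXPORTS_FILE PATH CLIENT -> one line per export entry when run stand-alone
report() {
    if export_requires_krb5 "$1" "$2" "$3"; then verdict="Kerberos-only"; else verdict="NOT Kerberos-only"; fi
    printf '%s -> %s: %s (sec=%s)\n' "$2" "$3" "$verdict" "$(export_sec "$1" "$2" "$3")"
}

if keytab_has_principal "$SAMPLE_DIR/klist.out" nfs/nfsserver.example.com@EXAMPLE.COM; then
    echo "keytab: nfs/ service principal present"
else
    echo "keytab: nfs/ service principal MISSING (ktadd nfs/<fqdn> not done?)"
fi
report "$SAMPLE_DIR/exports" /krbdata 192.168.1.10
report "$SAMPLE_DIR/exports" /pubdata 192.168.1.0/24
report "$SAMPLE_DIR/exports" /mixed 192.168.1.10
```

An export whose option list reads sec=krb5:sys still lets a client negotiate AUTH_SYS, so it does not actually control access with Kerberos; that is why the check rejects any flavour other than krb5, krb5i or krb5p rather than merely looking for the substring "krb5".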

\\
LinuxAcademy says a reboot is needed at this point for the client to work consistently. -> **TO INVESTIGATE**

----

====== NFS Client: Kerberos ======

Add the NFS principal and re-generate the keytab file
<code bash>
kadmin

addprinc -randkey nfs/server1.example.com
ktadd nfs/server1.example.com

quit
</code>
  * **NOTE:** You will most likely be provided a keytab file on the exam and will not need to do this part. (Instead, you will probably just need to copy the keytab file to the client from a source.)
    * If that is the case, simply ensure that the file context is correct<code bash>restorecon -Rv /etc/krb5.keytab</code>

\\
Enable the NFS client target (takes care of starting the services needed for NFS mounts and Kerberos authentication)
<code bash>
systemctl enable nfs-client.target
systemctl start nfs-client.target
</code>

\\
Temporary mount
<code bash>
mount -t nfs4 -o sec=krb5 nfsserver.example.com:/krbdata /mnt/krbtest
</code>

\\
Login as the Kerberos/LDAP user, initialize a Kerberos ticket, and write a file
<code bash>
su - rjones
kinit rjones
touch /mnt/krbtest/testfile
</code>
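Added example, not part of the original page: after the mount and kinit steps above, confirm from the client side that the kernel really negotiated a Kerberos flavour for the mount and that the user holds a ticket-granting ticket before attempting the write. It assumes POSIX sh and awk; the /proc/mounts lines and the klist output are constructed samples (the /mnt/pub mount and the addresses are invented), so the script runs offline. On a real client, read /proc/mounts directly and save the output of klist to a file.

```shell
#!/bin/sh
# Added example, not from the wiki page: client-side verification of a
# Kerberos-secured NFS mount. Assumes POSIX sh, awk and mktemp. Inputs are
# constructed samples, not captures from a real system.

# mount_sec MOUNTS_FILE MOUNTPOINT
# Print the security flavour the kernel negotiated for an NFS mount (the sec=
# field in /proc/mounts), or nothing if the mount point is not present.
mount_sec() {
    awk -v mp="$2" '$2 == mp && $3 ~ /^nfs4?$/ {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) { print substr(o[i], 5); exit }
    }' "$1"
}

# mount_is_kerberized MOUNTS_FILE MOUNTPOINT
# Exit 0 for krb5, krb5i or krb5p; 1 for sys, none or an unknown mount point.
mount_is_kerberized() {
    case "$(mount_sec "$1" "$2")" in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

# tgt_principal KLIST_FILE
# Print the default principal from 'klist' output if the credential cache holds
# a TGT (a krbtgt/ service ticket); print nothing otherwise. Without a TGT the
# user's writes to a sec=krb5 mount are refused even though the mount succeeded.
tgt_principal() {
    awk '/^Default principal:/ { princ = $3 }
         /krbtgt\// { has_tgt = 1 }
         END { if (has_tgt) print princ }' "$1"
}

# --- constructed sample input ------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/mounts" <<'EOF'
nfsserver.example.com:/krbdata /mnt/krbtest nfs4 rw,relatime,vers=4.1,rsize=262144,wsize=262144,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.150,local_lock=none,addr=192.168.1.151 0 0
nfsserver.example.com:/pubdata /mnt/pub nfs4 rw,relatime,vers=4.1,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.150,local_lock=none,addr=192.168.1.151 0 0
EOF
cat > "$SAMPLE_DIR/klist.out" <<'EOF'
Ticket cache: KEYRING:persistent:1001:1001
Default principal: rjones@EXAMPLE.COM

Valid starting       Expires              Service principal
05/25/2019 23:10:01  05/26/2019 23:10:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF

# Stand-alone run: report each mount and the ticket state.
for mp in /mnt/krbtest /mnt/pub; do
    if mount_is_kerberized "$SAMPLE_DIR/mounts" "$mp"; then
        echo "$mp: Kerberos flavour sec=$(mount_sec "$SAMPLE_DIR/mounts" "$mp")"
    else
        echo "$mp: NOT Kerberos (sec=$(mount_sec "$SAMPLE_DIR/mounts" "$mp"))"
    fi
done
princ=$(tgt_principal "$SAMPLE_DIR/klist.out")
if [ -n "$princ" ]; then
    echo "ticket: TGT held by $princ, write test can proceed"
else
    echo "ticket: no TGT in cache, run kinit first"
fi
```

A mount made without an explicit -o sec= option may negotiate sec=sys if the server export still allows it, and a user who skipped kinit has no TGT; both conditions surface here before the touch test fails with a permission error.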

----
  
  • linux_wiki/use_kerberos_to_control_access_to_nfs_network_shares.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)