linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares, revision 2018/04/13 00:25 by billdozor (edit summary: Kerberos Keytab Provided Steps), compared with revision 2019/05/25 23:50.
====== Use Kerberos To Control Access To NFS Network Shares ======

**General Information**

Kerberos with NFS: the export is restricted to a Kerberos security flavour (''sec=krb5''), so the NFS server only accepts RPCs from clients that can present a valid service ticket, and the identity used for file access comes from each user's own Kerberos ticket instead of the UID/GID the client asserts under the default AUTH_SYS flavour.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Perform all NFS client tests from here
  * server2.example.com (192.168.1.151) -> Install the NFS server here
  * ipa.example.com (192.168.1.152) -> FreeIPA/

----

====== Pre-requisites ======

  * LDAP/
  * Both the nfs server and nfs client can authenticate to the LDAP/
  * The NFS server's FQDN as used in the mount source must match the ''nfs/<fqdn>'' principal in its keytab, since the client requests its service ticket by that name.

----
====== NFS Server: Initial Setup ======

  * [[linux_wiki:
  * Call the exported directory: /krbdata

\\
SELinux file context label
<code bash>
semanage fcontext -a -t nfs_t "/
restorecon -R /krbdata
</code>

----

====== NFS Client: Initial Setup ======

[[linux_wiki:

----
====== NFS Server: Kerberos ======

===== Manual Kerberos Keytab Setup =====

**NOTE:** These steps are most likely not needed on the exam. You will probably be provided a keytab file.

\\
Install krb5 workstation package<

\\
Edit krb5.conf and change '

\\
Add host as a principal
<code bash>
kadmin

addprinc -randkey host/
ktadd host/

quit
</code>
  * kadmin -> prompted for the Kerberos admin principal's password (not the local root password)

\\
Edit SSH GSSAPI settings (the keywords must be spelled exactly: an unknown option makes ssh/sshd reject the configuration)
<code bash>
vim /

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
</code>
  * ''GSSAPIAuthentication'' is valid in both ssh_config and sshd_config; ''GSSAPIDelegateCredentials'' is an ssh client option that forwards the user's TGT to the remote host, so a user who logs in over ssh already holds a ticket for the Kerberos NFS mount. Only delegate to hosts you trust with that ticket.

\\
Reload the ssh daemon
<code bash>
systemctl reload sshd
</code>

\\
Enable Kerberos authentication
<code bash>
authconfig --enablekrb5 --update
</code>

\\
Add Kerberos NFS principal
<code bash>
kadmin

addprinc -randkey nfs/
ktadd nfs/
</code>
  * ''ktadd'' writes the new key into the default keytab; confirm it with ''klist -k'' before starting the NFS server.

----

===== Kerberos Keytab Provided Steps =====

\\
Install krb5 workstation package<

\\
Edit krb5.conf and change '

\\
If provided a keytab file to download (most likely), simply restore the file context.
<code bash>
restorecon -Rv /
</code>
  * Also check that the provided keytab actually contains an ''nfs/'' principal for this host's FQDN (''klist -k''); a keytab with only a ''host/'' entry is not enough for the NFS server.

\\
Add "
<code bash>
vim /

/
</code>
  * Every client entry for the export has to carry the Kerberos ''sec='' option: an entry left without ''sec='' (or with ''sys'' in its list) still accepts AUTH_SYS, and Kerberos then controls nothing for that client.

\\
Ensure proper SELinux file context
<code bash>
semanage fcontext -a -t nfs_t "/
restorecon -Rv /krbdata
</code>

\\
Re-export the directory to reflect the export option changes
<code bash>
exportfs -var
</code>
  * ''exportfs -v'' afterwards shows the effective options per client, including the ''sec='' flavours that were applied.

\\
LinuxAcademy says a reboot is needed at this point for the client to work consistently. -> **TO INVESTIGATE**
  * The keytab is read when the server-side GSS daemons start, so restarting the NFS server services (''systemctl restart nfs-server'', plus gssproxy where it is in use) after installing the keytab is usually what is actually needed rather than a reboot.
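The script below is an added example, not part of the original wiki page or the LinuxAcademy material it refers to. It checks the two things that silently break a Kerberos-only export: an /etc/exports entry that still allows AUTH_SYS, and a keytab that lacks the ''nfs/'' principal for the server's FQDN. The /etc/exports text and the ''klist -k'' output are constructed samples; server2.example.com as the NFS server and the realm EXAMPLE.COM are assumptions that follow the lab setup.

```bash
#!/bin/sh
# Added example (not from the original wiki page): pre-flight checks for a
# Kerberos-only NFS export. The sample /etc/exports text and klist output
# below are constructed; server2.example.com and EXAMPLE.COM are assumed.
set -f   # export entries may contain '*' wildcards; never glob-expand them

# Print the value of the sec= option from a comma-separated export option
# list, or nothing when the option is absent (which means AUTH_SYS).
sec_option_of() {
    IFS=','
    for opt in $1; do
        case $opt in sec=*) printf '%s' "${opt#sec=}" ;; esac
    done
    unset IFS
}

# Succeed only if every flavour in a colon-separated sec= list is Kerberos.
# Any 'sys' in the list (even as a fallback) means unauthenticated access.
flavors_all_krb5() {
    IFS=':'
    for f in $1; do
        case $f in
            krb5|krb5i|krb5p) ;;
            *) unset IFS; return 1 ;;
        esac
    done
    unset IFS
}

# export_is_krb5_only EXPORTS_TEXT PATH
# Succeed if PATH is exported and every client entry for it is restricted to
# Kerberos flavours. A client entry with no sec= option, or with sys in its
# list, defeats the point of the setup, as does a path that is not exported.
export_is_krb5_only() {
    want=$2
    seen=0
    while read -r path clients; do
        case $path in ''|'#'*) continue ;; esac
        [ "$path" = "$want" ] || continue
        seen=1
        for entry in $clients; do
            # entry looks like host(opt,opt,...); keep only the option list
            opts=${entry#*\(}
            opts=${opts%\)}
            [ "$opts" != "$entry" ] || opts=''      # bare host: no options
            sec=$(sec_option_of "$opts")
            [ -n "$sec" ] || return 1               # default flavour is sys
            flavors_all_krb5 "$sec" || return 1
        done
    done <<EOF
$1
EOF
    [ "$seen" -eq 1 ]
}

# keytab_lists_principal KLIST_OUTPUT PRINCIPAL
# Succeed if 'klist -k' output contains PRINCIPAL. The NFS server needs
# nfs/<fqdn>@REALM, not only host/<fqdn>@REALM, for GSS to work.
keytab_lists_principal() {
    while read -r kvno princ; do
        if [ "$princ" = "$2" ]; then return 0; fi
    done <<EOF
$1
EOF
    return 1
}

# server_ready_for_krb5 EXPORTS_TEXT KLIST_OUTPUT PATH FQDN REALM
server_ready_for_krb5() {
    export_is_krb5_only "$1" "$3" && keytab_lists_principal "$2" "nfs/$4@$5"
}

# Constructed sample inputs (assumed hosts and realm).
SAMPLE_EXPORTS='# /etc/exports on server2 (constructed sample)
/krbdata   server1.example.com(rw,sec=krb5p) 192.168.1.0/24(ro,sec=krb5:krb5i)
/public    192.168.1.0/24(ro)
/weak      server1.example.com(rw,sec=sys:krb5)'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server2.example.com@EXAMPLE.COM
   2 nfs/server2.example.com@EXAMPLE.COM'

for p in /krbdata /public /weak; do
    if export_is_krb5_only "$SAMPLE_EXPORTS" "$p"; then
        echo "$p: Kerberos-only"
    else
        echo "$p: still accepts AUTH_SYS (or is not exported)"
    fi
done
server_ready_for_krb5 "$SAMPLE_EXPORTS" "$SAMPLE_KLIST" /krbdata server2.example.com EXAMPLE.COM &&
    echo "server2: export options and keytab look right"
```

On a real server, feed it ''$(cat /etc/exports)'' and ''$(klist -k)'' instead of the samples; the ''/weak'' entry shows why ''sec=sys:krb5'' is not a hardening step, since the server still honours the ''sys'' flavour for that client.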

----

====== NFS Client: Kerberos ======

Add NFS principal and re-generate keytab file
<code bash>
kadmin

addprinc -randkey nfs/
ktadd nfs/
</code>
  * **NOTE:** You will most likely be provided a keytab file on the exam and will not need to do this part. (Instead, you will probably just need to copy the keytab file to the client from a source.)
  * If that is the case, simply ensure that the file context is correct<
  * This client keytab is the machine credential rpc.gssd uses to set up the GSS context for the mount itself; each user then still needs their own ticket for file access.

\\
Enable the NFS client target (it starts the services needed for NFS mounts and Kerberos authentication, including the GSS daemon that reads the client keytab)
<code bash>
systemctl enable nfs-client.target
systemctl start nfs-client.target
</code>

\\
Temporary mount
<code bash>
mount -t nfs4 -o sec=krb5 nfsserver.example.com:/
</code>
  * ''sec=krb5'' only authenticates the RPCs; use ''sec=krb5i'' to also checksum them or ''sec=krb5p'' to encrypt the data on the wire, provided the export lists that flavour.

\\
Login as the kerberos/
<code bash>
su - rjones
kinit rjones
touch /
</code>
  * Without a valid ticket for the user (''klist'' shows none or an expired one) the ''touch'' fails with permission denied even though the mount itself succeeded with the machine credential; ''kinit'' first, then retry.
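The script below is an added example, not part of the original page. On the client it answers the questions the ''touch'' test above leaves open: which security flavour each NFS mount actually negotiated (and what that flavour protects on the wire), and whether the user running the test holds a TGT for the realm. The /proc/mounts lines and the ''klist'' output are constructed samples; server2.example.com, the /mnt mount points and the realm EXAMPLE.COM are assumptions that follow the lab setup.

```bash
#!/bin/sh
# Added example (not from the original wiki page): audit what a client has
# really mounted. The /proc/mounts lines and klist output are constructed;
# server2.example.com, the /mnt/* mount points and EXAMPLE.COM are assumed.

# mount_sec_flavor MOUNTS_TEXT MOUNTPOINT
# Print the sec= flavour negotiated for an NFS mount, reading /proc/mounts
# style lines. Fails if MOUNTPOINT is not an NFS mount.
mount_sec_flavor() {
    while read -r src mnt fstype opts rest; do
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        [ "$mnt" = "$2" ] || continue
        IFS=','
        for opt in $opts; do
            case $opt in
                sec=*) unset IFS; printf '%s\n' "${opt#sec=}"; return 0 ;;
            esac
        done
        unset IFS
        printf 'sys\n'          # no sec= shown: AUTH_SYS was used
        return 0
    done <<EOF
$1
EOF
    return 1
}

# What each flavour actually protects once the mount is up.
flavor_protection() {
    case $1 in
        krb5)  printf 'authentication only; data and metadata in the clear\n' ;;
        krb5i) printf 'authentication + integrity (RPCs checksummed, not encrypted)\n' ;;
        krb5p) printf 'authentication + integrity + privacy (RPCs encrypted)\n' ;;
        sys)   printf 'none: server trusts the UID/GID the client asserts (AUTH_SYS)\n' ;;
        *)     printf 'unknown flavour: %s\n' "$1" ;;
    esac
}

# audit_nfs_mounts MOUNTS_TEXT
# Print one line per NFS mount and succeed only if none of them uses
# AUTH_SYS. A mount showing sec=sys is the usual sign that the export still
# allows it and the client simply did not ask for Kerberos.
audit_nfs_mounts() {
    weak=0
    while read -r src mnt fstype opts rest; do
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        flavor=$(mount_sec_flavor "$1" "$mnt")
        printf '%-14s %-6s %s\n' "$mnt" "$flavor" "$(flavor_protection "$flavor")"
        if [ "$flavor" = sys ]; then weak=1; fi
    done <<EOF
$1
EOF
    [ "$weak" -eq 0 ]
}

# has_tgt KLIST_OUTPUT REALM
# Succeed if the user's credential cache (klist output) holds a TGT for
# REALM. Without one, access to a sec=krb5 mount is denied even though the
# mount itself came up using the client's keytab credential.
has_tgt() {
    while read -r line; do
        case $line in *"krbtgt/$2@$2"*) return 0 ;; esac
    done <<EOF
$1
EOF
    return 1
}

# Constructed sample inputs (assumed hosts, mount points and realm).
SAMPLE_MOUNTS='server2.example.com:/krbdata /mnt/krbdata nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=192.168.1.150,addr=192.168.1.151 0 0
server2.example.com:/public /mnt/public nfs4 rw,relatime,vers=4.1,sec=sys,clientaddr=192.168.1.150,addr=192.168.1.151 0 0
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0'

SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1001:1001
Default principal: rjones@EXAMPLE.COM

Valid starting       Expires              Service principal
04/13/2018 00:20:11  04/14/2018 00:20:08  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/13/2018 00:21:40  04/14/2018 00:20:08  nfs/server2.example.com@EXAMPLE.COM'

audit_nfs_mounts "$SAMPLE_MOUNTS" || echo "at least one NFS mount is not using Kerberos"
if has_tgt "$SAMPLE_KLIST" EXAMPLE.COM; then
    echo "rjones holds a TGT for EXAMPLE.COM; the touch test can use it"
fi
```

On a live client, pass ''$(cat /proc/mounts)'' and, as the test user, ''$(klist)'' instead of the samples. The second klist line, the ''nfs/server2.example.com'' service ticket, is what appears after the first successful access to the mount; its absence after a failed ''touch'' points at the server principal or DNS name, not at the user's TGT.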

----