Differences
linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2018/04/14 16:26] billdozor [Lab Setup]
linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2018/05/19 14:32] billdozor [NFS Client]
Line 25: | Line 25: | ||
====== NFS Server: Initial Setup ====== | ====== NFS Server: Initial Setup ====== | ||
- | * [[linux_wiki: | + | * [[linux_wiki: |
* Call the exported directory: /krbdata | * Call the exported directory: /krbdata | ||
- | |||
- | \\ | ||
- | SELinux file context label | ||
- | <code bash> | ||
- | semanage fcontext -a -t nfs_t "/ | ||
- | restorecon -R /krbdata | ||
- | </ | ||
---- | ---- | ||
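Review bot: the SELinux labelling step for the export (`semanage fcontext -a -t nfs_t ...` followed by `restorecon -R /krbdata`) is dropped from the server setup with nothing on the new side saying why. If it was removed because the default NFS booleans (`nfs_export_all_rw` / `nfs_export_all_ro`) already allow nfsd to serve any directory on an enforcing system, a one-line note to that effect would stop readers from wondering whether the export still needs a context; if it was removed for another reason, the `restorecon -R /krbdata` line at least is harmless and cheap to keep.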
Line 39: | Line 32: | ||
====== NFS Client: Initial Setup ====== | ====== NFS Client: Initial Setup ====== | ||
- | [[linux_wiki: | + | [[linux_wiki: |
---- | ---- | ||
- | ====== NFS Server: Kerberos | + | ====== NFS Server ====== |
- | ===== Manual Kerberos Keytab Setup ===== | + | **On server2** (NFS Server/KDC). |
- | + | ||
- | **NOTE:** These steps are most likely not needed on the exam. You will probably be provided a keytab file. | + | |
- | + | ||
- | \\ | + | |
- | Install krb5 workstation package< | + | |
- | + | ||
- | \\ | + | |
- | Edit krb5.conf and change ' | + | |
\\ | \\ | ||
- | Add host as a principal | + | Add Kerberos NFS principal |
<code bash> | <code bash> | ||
kadmin | kadmin | ||
- | addprinc -randkey | + | kadmin: |
- | ktadd host/nfsserver.example.com | + | kadmin: |
- | quit | + | kadmin: exit |
- | </ | + | |
- | * kadmin | + | |
- | + | ||
- | \\ | + | |
- | Edit SSH GSSAPI settings | + | |
- | <code bash> | + | |
- | vim / | + | |
- | + | ||
- | GSSAPIAuthenticaion yes | + | |
- | GSSAPIDelegateCredentials yes | + | |
- | </ | + | |
- | + | ||
- | \\ | + | |
- | Reload the ssh daemon | + | |
- | <code bash> | + | |
- | systemctl reload sshd | + | |
- | </ | + | |
- | + | ||
- | \\ | + | |
- | Enable Kerberos authentication | + | |
- | <code bash> | + | |
- | authconfig --enablekrb5 --update | + | |
- | </ | + | |
- | + | ||
- | \\ | + | |
- | Add Kerberos NFS principal | + | |
- | <code bash> | + | |
- | kadmin | + | |
- | + | ||
- | addprinc -randkey nfs/ | + | |
- | ktadd nfs/ | + | |
- | </ | + | |
- | + | ||
- | ---- | + | |
- | + | ||
- | ===== Kerberos Keytab Provided Steps ===== | + | |
- | + | ||
- | \\ | + | |
- | Install krb5 workstation package< | + | |
- | + | ||
- | \\ | + | |
- | Edit krb5.conf and change ' | + | |
- | + | ||
- | \\ | + | |
- | If provided a keytab file to download (most likely), simply restore the file context. | + | |
- | <code bash> | + | |
- | restorecon -Rv / | + | |
</ | </ | ||
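Review bot: the three new `kadmin:` lines are cut off in the rendered diff, so the principal name and any keytab path are not visible, whereas the removed side at least showed `addprinc -randkey nfs/` and `ktadd nfs/`. Please show the full commands (presumably `addprinc -randkey nfs/server2.example.com` and the matching `ktadd`, given the "On server2 (NFS Server/KDC)" heading), and note that `ktadd` appends to `/etc/krb5.keytab` unless `-k` names another file. The removed "Kerberos Keytab Provided Steps" section was also the only place that told the reader to fix the keytab's file context (`restorecon -Rv /...`); with it gone, a short reminder that the keytab must stay root-owned, mode 0600, and correctly labelled after being generated or copied in would be worth keeping on the new side, since a readable keytab is equivalent to the service's long-term key.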
Line 120: | Line 58: | ||
/ | / | ||
</ | </ | ||
+ | * Other sec options | ||
+ | * sys -> No kerberos | ||
+ | * krb5 -> Kerberos user authentication | ||
+ | * krb5i -> Kerberos user authentication and integrity checking | ||
+ | * krb5p -> Kerberos user authentication, | ||
\\ | \\ | ||
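Review bot: the `krb5p` bullet is truncated after "Kerberos user authentication," and so omits the one property that separates it from `krb5i`: privacy, i.e. encryption of the NFS traffic in addition to integrity protection. Suggest completing it as "Kerberos user authentication, integrity checking and encryption (privacy)". It would also help to say in the `sys` bullet that AUTH_SYS trusts whatever UID/GID the client asserts, since that is the reason the page moves the export to a `krb5*` flavor in the first place.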
Line 133: | Line 76: | ||
exportfs -var | exportfs -var | ||
</ | </ | ||
- | |||
- | \\ | ||
- | LinuxAcademy says a reboot is needed at this point for the client to work consistently. -> **TO INVESTIGATE** | ||
---- | ---- | ||
- | ====== NFS Client: Kerberos | + | ====== NFS Client ====== |
- | Add NFS principal and re-generate | + | **On server1** (NFS Client/ |
+ | |||
+ | \\ | ||
+ | Add NFS principal and add local copy of keytab file | ||
<code bash> | <code bash> | ||
kadmin | kadmin | ||
- | addprinc -randkey nfs/ | + | kadmin: |
- | ktadd nfs/ | + | kadmin: |
+ | |||
+ | kadmin: exit | ||
</ | </ | ||
- | * **NOTE:** You will most likely be provided a keytab file on the exam and will not need to do this part. (Instead, you will probably just need to copy the keytab file to the client from a source) | ||
- | * If that is the case, simply ensure that the file context is correct< | ||
\\ | \\ | ||
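Review bot: the heading now reads "Add NFS principal and add local copy of keytab file", but the `kadmin:` lines underneath are cut off, so it is not visible whether the client's keytab is produced with `ktadd` run on server1 (kadmin writing the local `/etc/krb5.keytab`) or copied over from the KDC; the removed bullets were the only place that covered the copy case and the `restorecon` check on the resulting file. Please show the full `kadmin:` commands and keep one sentence about verifying the keytab's ownership, mode and SELinux context on the client. Separately, the "LinuxAcademy says a reboot is needed ... TO INVESTIGATE" note is deleted without a recorded outcome; if the `systemctl restart nfs-client.target` added in the following hunk is what made the client behave consistently, saying so here closes the loop for the next reader.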
Line 156: | Line 99: | ||
systemctl enable nfs-client.target | systemctl enable nfs-client.target | ||
systemctl start nfs-client.target | systemctl start nfs-client.target | ||
+ | |||
+ | # If it was already running, restart it | ||
+ | systemctl restart nfs-client.target | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | Persistent mount | ||
+ | <code bash>vim /etc/fstab | ||
+ | |||
+ | server2.example.com:/ | ||
</ | </ | ||
\\ | \\ | ||
- | Temporary mount | + | Mount the filesystem |
<code bash> | <code bash> | ||
- | mount -t nfs4 -o sec=krb5 nfsserver.example.com:/ | + | mount -a |
</ | </ | ||
+ | * If you see this error message " | ||
\\ | \\ | ||
- | Login as the kerberos/ldap user, initialize a kerberos ticket, and write a file | + | Login as a kerberos user, initialize a kerberos ticket, and write a file |
<code bash> | <code bash> | ||
su - rjones | su - rjones | ||
kinit rjones | kinit rjones | ||
- | touch /mnt/krbtest/ | + | echo "Hello krb world" > /mnt/krbtestfile |
</ | </ | ||
---- | ---- | ||
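Review bot: the new `/etc/fstab` entry is truncated after `server2.example.com:/`, so the mount options are not visible. The temporary mount it replaces passed `-o sec=krb5` explicitly; the persistent entry should state the `sec=` flavor that matches the export (and `_netdev` so the mount is deferred until the network is up) rather than leaving the reader to guess what negotiation does. The verification step also changed from a path under `/mnt/krbtest/` to `/mnt/krbtestfile`, which sits directly in `/mnt`; if the share is mounted at a subdirectory such as `/mnt/krbtest`, that `echo` succeeds on the local root filesystem even when the NFS mount never happened, so it no longer proves Kerberos access works. Write the test file under the mount point instead. The "If you see this error message" bullet is likewise cut off and should quote the full message and the fix.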