Differences
This shows you the differences between two versions of the page.
linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2018/04/15 23:44] billdozor [NFS Client]
linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2019/05/25 23:50]
====== Use Kerberos To Control Access To NFS Network Shares ======

**General Information**

Kerberos with NFS.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> NFS Client and Kerberos Client
  * server2.example.com (192.168.1.151) -> NFS Server and Kerberos KDC

----

====== Pre-requisites ======

  * [[https://
    * server1 -> Kerberos Client
    * server2 -> Kerberos KDC

----

====== NFS Server: Initial Setup ======

  * [[linux_wiki:
    * Call the exported directory: /krbdata

----

====== NFS Client: Initial Setup ======

[[linux_wiki:

----

====== NFS Server ======

\\
Add the Kerberos NFS service principal and add a local copy of the keytab file
<code bash>
kadmin

kadmin: addprinc -randkey nfs/
kadmin: ktadd nfs/

kadmin: exit
</code>

\\
Add "
<code bash>
vim /

/
</code>
  * Other sec options
    * sys -> No Kerberos
    * krb5 -> Kerberos user authentication
    * krb5i -> Kerberos user authentication and integrity checking
    * krb5p -> Kerberos user authentication,

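The sec= export option is the policy knob that decides whether a client can skip Kerberos entirely: an export with no sec= option at all defaults to sec=sys, and an export that lists sys alongside the krb5 flavors still lets a client mount without a ticket. The script below is an added example (it is not part of the wiki page) that audits an exports file and lists every path/client pair that still permits sec=sys. The exports content it reads is constructed for offline use; the function names audit_exports and count_weak_exports are the example's own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: audit an /etc/exports-style
# file and flag entries that still allow non-Kerberos (sec=sys) access.
# Assumption: standard exports(5) syntax, where an export without an explicit
# sec= option defaults to sec=sys.

# Constructed sample exports file (not a real /etc/exports).
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample, not a real /etc/exports
/krbdata        *(rw,sec=krb5p)
/krbdata2       192.168.1.0/24(rw,sec=krb5:krb5i:sys)
/legacy         *(rw)
/mixed          server1.example.com(rw,sec=krb5i) server3.example.com(ro,sec=sys)
EOF

# Print one line per export client that permits sec=sys, explicitly or by default.
# Output format: <path> <client> <reason>
audit_exports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i
                opts = ""
                # split "client(opt,opt)" into the client spec and its options
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                n = split(opts, parts, ",")
                sec = ""
                for (j = 1; j <= n; j++)
                    if (parts[j] ~ /^sec=/) sec = substr(parts[j], 5)
                if (sec == "") {
                    print path, client, "no-sec-option-defaults-to-sys"
                } else if ((":" sec ":") ~ /:sys:/) {
                    print path, client, "sec-list-includes-sys:" sec
                }
            }
        }' "$1"
}

# Number of offending path/client pairs; 0 means every client must use Kerberos.
count_weak_exports() {
    audit_exports "$1" | wc -l | tr -d ' '
}

audit_exports "$SAMPLE_EXPORTS"
```

Run it against the real file with `audit_exports /etc/exports`; a non-zero count from `count_weak_exports` means at least one client can still reach an export with AUTH_SYS, which is exactly what the sec=krb5 setup on this page is meant to prevent.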
\\
Ensure the proper SELinux file context
<code bash>
semanage fcontext -at nfs_t "/
restorecon -Rv /krbdata
</code>

\\
Re-export the directory to reflect the export option changes
<code bash>
exportfs -var
</code>

\\
LinuxAcademy.com says a reboot is needed at this point for the client to work consistently. -> **TO INVESTIGATE**

----

====== NFS Client ======

Add the NFS service principal and add a local copy of the keytab file
<code bash>
kadmin

kadmin: addprinc -randkey nfs/
kadmin: ktadd nfs/

kadmin: exit
</code>

\\
Enable the NFS client target (it takes care of starting the services needed for NFS mounts and Kerberos authentication)
<code bash>
systemctl enable nfs-client.target
systemctl start nfs-client.target

# If it was already running, restart it
systemctl restart nfs-client.target
</code>

\\
Temporary mount
<code bash>
mount -t nfs4 -o sec=krb5 server2.example.com:/
</code>

\\
Permanent mount
<code bash>
vim /etc/fstab

server2.example.com:/
</code>

\\
Mount the filesystem
<code bash>
mount -a
</code>
  * If you see this error message "

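Because the server may export with several sec= flavors, the fstab entry alone does not prove which one the client ended up with; the kernel's mount table does. The script below is an added example (not the wiki page's own code) that reads a /proc/mounts-style table and reports the negotiated flavor for a given mount point, then applies a simple policy check. It assumes the /proc/mounts line format (device, mount point, fstype, options, dump, pass) and uses /mnt/krbdata as the assumed client-side mount point; the mount table it reads is constructed for offline use, and nfs_sec_flavor and require_krb_mount are the example's own names.

```shell
#!/bin/sh
# Added example, not from the original wiki page: after `mount -a`, confirm
# from the mount table which security flavor the NFS client actually
# negotiated instead of trusting the fstab entry alone.
# Assumption: /proc/mounts format (device mountpoint fstype options dump pass).

# Constructed sample mount table (not a real /proc/mounts); the NFS mount
# points and option strings are illustrative.
MOUNT_TABLE=$(mktemp)
cat > "$MOUNT_TABLE" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/cl-root / xfs rw,relatime,attr2,inode64 0 0
server2.example.com:/krbdata /mnt/krbdata nfs4 rw,relatime,vers=4.1,rsize=262144,wsize=262144,sec=krb5,clientaddr=192.168.1.150,addr=192.168.1.151 0 0
server2.example.com:/public /mnt/public nfs4 rw,relatime,vers=4.1,sec=sys,clientaddr=192.168.1.150,addr=192.168.1.151 0 0
EOF

# Print the negotiated sec= flavor of the NFS mount at mount point $2 found in
# mount table $1, or "none" when no NFS filesystem is mounted there.
nfs_sec_flavor() {
    awk -v mp="$2" '
        $2 == mp && ($3 == "nfs" || $3 == "nfs4") {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^sec=/) { print substr(o[i], 5); found = 1 }
        }
        END { if (!found) print "none" }' "$1"
}

# Policy check: return 0 when the mount at $2 uses one of the flavors listed
# in $3 (colon-separated, e.g. "krb5i:krb5p"), otherwise 1. An unmounted path
# yields "none" and therefore fails the check.
require_krb_mount() {
    flavor=$(nfs_sec_flavor "$1" "$2")
    case ":$3:" in
        *":$flavor:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: report the flavor of the sample Kerberos mount.
echo "sec flavor at /mnt/krbdata: $(nfs_sec_flavor "$MOUNT_TABLE" /mnt/krbdata)"
```

On a real client replace the constructed table with `/proc/mounts`; requiring `krb5i:krb5p` rather than plain `krb5` is the way to enforce the integrity or privacy level described in the sec options list above, since `sec=krb5` on its own only authenticates the user.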
\\
Log in as a Kerberos user, initialize a Kerberos ticket, and write a file
<code bash>
su - rjones
kinit rjones
echo "Hello krb world" > /
</code>

----