====== Use Kerberos To Control Access To NFS Network Shares ======

**General Information**

Kerberos with NFS: authenticate NFS clients and users with Kerberos tickets instead of trusting the UID/GID values the client presents (AUTH_SYS).

----

====== Lab Setup ======

The following virtual machines will be used:

  * server1.example.com (192.168.1.150) -> NFS Client and Kerberos Client
  * server2.example.com (192.168.1.151) -> NFS Server and Kerberos KDC

----

====== Pre-requisites ======

  * [[https://www.owlbearconsulting.com/doku.php?id=linux_wiki:setup_a_kdc_server|Kerberos Server setup]]
    * server1 -> Kerberos Client
    * server2 -> Kerberos KDC

----

====== NFS Server: Initial Setup ======

  * [[linux_wiki:provide_network_shares_to_specific_clients#nfs_serverinstall_and_configure|Setup a NFS server with an exported directory]].
    * Call the exported directory: /krbdata

----

====== NFS Client: Initial Setup ======

[[linux_wiki:provide_network_shares_to_specific_clients#nfs_clientinstall_and_configure|Setup a NFS client and mount the export]]

----

====== NFS Server ======

**On server2** (NFS Server/KDC).

\\ Add the Kerberos NFS service principal and store a local copy of its key in the keytab file:
<code>
kadmin
kadmin: addprinc -randkey nfs/server2.example.com
kadmin: ktadd nfs/server2.example.com
kadmin: exit
</code>

\\ Add "sec=krb5" as an export option (the client address must be the NFS client, server1 at 192.168.1.150):
<code>
vim /etc/exports
/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)
</code>

  * Other sec options
    * sys -> No Kerberos (the default; the server trusts the UID/GID sent by the client)
    * krb5 -> Kerberos user authentication
    * krb5i -> Kerberos user authentication and integrity checking
    * krb5p -> Kerberos user authentication, integrity checking, and traffic encryption

\\ Ensure proper SELinux file context:
<code>
semanage fcontext -at nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
</code>

\\ Re-export the directory to reflect the export option changes:
<code>
exportfs -var
</code>

----

====== NFS Client ======

**On server1** (NFS Client/Kerberos Client)

\\ Add the NFS service principal for the client and store a local copy of its key in the keytab file:
<code>
kadmin
kadmin: addprinc -randkey nfs/server1.example.com
kadmin: ktadd nfs/server1.example.com
kadmin: exit
</code>

\\ Enable the NFS client target (takes care of starting the services needed for NFS mounts and Kerberos authentication):
<code>
systemctl enable nfs-client.target
systemctl start nfs-client.target
# If it was already running, restart it
systemctl restart nfs-client.target
</code>

\\ Persistent mount (fstab fields: device, mount point, filesystem type, options, dump, pass):
<code>
vim /etc/fstab
server2.example.com:/krbdata  /mnt  nfs4  _netdev,sec=krb5  0 0
</code>

\\ Mount the filesystem:
<code>
mount -a
</code>

  * If you see the error message "mount.nfs: an incorrect mount option was specified" -> Ensure that you restarted the 'nfs-client.target' service.

\\ Log in as a Kerberos user, obtain a Kerberos ticket, and write a file:
<code>
su - rjones
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile
</code>

----
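As an added check (an example script written for this page, not part of the original wiki or any project), the following parses constructed /etc/exports and /etc/fstab content and reports which sec= flavour each share actually uses, flagging anything that silently falls back to sys. The sample file contents and share names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: verify that both the server's
# export and the client's fstab entry request a Kerberos security flavour.
# Without an explicit sec= option NFS falls back to sys (AUTH_SYS), which
# trusts whatever UID the client sends. Sample file contents are constructed.

SAMPLE_EXPORTS='/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)
/pub *(ro)'

SAMPLE_FSTAB='server2.example.com:/krbdata /mnt nfs4 _netdev,sec=krb5 0 0
server2.example.com:/pub /mnt/pub nfs4 _netdev 0 0'

# Print the sec= value of an /etc/exports entry; "sys" when absent.
# $1 = exports file content, $2 = exported path
export_sec_flavor() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p {
        opts = $2; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] ~ /^sec=/) { sub(/^sec=/, "", a[i]); print a[i]; exit }
        print "sys"; exit
    }'
}

# Print the sec= value of an /etc/fstab entry (4th field = options); "sys" when absent.
# $1 = fstab file content, $2 = mount point
fstab_sec_flavor() {
    printf '%s\n' "$1" | awk -v m="$2" '$2 == m {
        n = split($4, a, ",")
        for (i = 1; i <= n; i++) if (a[i] ~ /^sec=/) { sub(/^sec=/, "", a[i]); print a[i]; exit }
        print "sys"; exit
    }'
}

# Succeed only if every flavour in a colon-separated sec= list is a Kerberos one
# (exports may list several, e.g. sec=krb5p:krb5i, and the client picks one).
all_kerberos() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=:
    for f in $1; do
        case "$f" in
            krb5|krb5i|krb5p) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs; return 0
}

for share in /krbdata /pub; do
    flavor=$(export_sec_flavor "$SAMPLE_EXPORTS" "$share")
    if all_kerberos "$flavor"; then echo "$share: sec=$flavor (Kerberos)"
    else echo "$share: sec=$flavor (NOT Kerberos, clients are trusted by UID)"; fi
done
```

Run the same functions against the real files (`"$(cat /etc/exports)"` on the server, `"$(cat /etc/fstab)"` on the client) to confirm the configured flavour before relying on it.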