====== Use Kerberos To Control Access To NFS Network Shares ======
**General Information**
Kerberos with NFS: NFS clients and users are authenticated with Kerberos tickets instead of the default sec=sys, which simply trusts the UID/GID values the client sends.
----
====== Lab Setup ======
The following virtual machines will be used:
* server1.example.com (192.168.1.150) -> NFS Client and Kerberos Client
* server2.example.com (192.168.1.151) -> NFS Server and Kerberos KDC
----
====== Pre-requisites ======
* [[https://www.owlbearconsulting.com/doku.php?id=linux_wiki:setup_a_kdc_server|Kerberos Server setup]]
* server1 -> Kerberos Client
* server2 -> Kerberos KDC
----
====== NFS Server: Initial Setup ======
* [[linux_wiki:provide_network_shares_to_specific_clients#nfs_serverinstall_and_configure|Set up an NFS server with an exported directory]].
* Call the exported directory: /krbdata
----
====== NFS Client: Initial Setup ======
[[linux_wiki:provide_network_shares_to_specific_clients#nfs_clientinstall_and_configure|Set up an NFS client and mount the export]]
----
====== NFS Server ======
**On server2** (NFS Server/KDC).
\\
Add the Kerberos NFS service principal and store its key in the local keytab file
kadmin
kadmin: addprinc -randkey nfs/server2.example.com
kadmin: ktadd nfs/server2.example.com
kadmin: exit
\\
Add "sec=krb5" as an export option (192.168.1.150 is server1, the NFS client from the lab setup)
vim /etc/exports
/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)
* Other sec options
  * sys -> No Kerberos (the default; the server trusts the UID/GID sent by the client)
  * krb5 -> Kerberos user authentication
  * krb5i -> Kerberos user authentication and integrity checking
  * krb5p -> Kerberos user authentication, integrity checking, and traffic encryption
\\
Ensure the proper SELinux file context is applied
semanage fcontext -at nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
\\
Re-export the directory to reflect the export option changes
exportfs -var
----
====== NFS Client ======
**On server1** (NFS Client/Kerberos Client)
\\
Add the client's NFS service principal and store its key in the local keytab file
kadmin
kadmin: addprinc -randkey nfs/server1.example.com
kadmin: ktadd nfs/server1.example.com
kadmin: exit
\\
Enable the NFS client target (it starts the services needed for NFS mounts and Kerberos authentication)
systemctl enable nfs-client.target
systemctl start nfs-client.target
# If it was already running, restart it
systemctl restart nfs-client.target
\\
Persistent mount (fstab fields: device, mount point, filesystem type, options, dump, pass)
vim /etc/fstab
server2.example.com:/krbdata /mnt nfs4 _netdev,sec=krb5 0 0
\\
Mount the filesystem
mount -a
* If you see the error message "mount.nfs: an incorrect mount option was specified" -> Ensure that you restarted nfs-client.target.
\\
Log in as a Kerberos user, initialize a Kerberos ticket, and write a file
su - rjones
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile
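The export options on the server and the fstab entry on the client are the two places where the security flavor is chosen, and /proc/mounts shows what was actually negotiated. The following audit script is an added example, not part of this wiki page or of the NFS tooling; the exports and mounts data it checks are constructed samples, and the function names are its own.

```shell
#!/bin/sh
set -f  # no globbing: an exports client spec such as "*" would otherwise expand
# Added audit helper, not part of the original page: checks the server's
# /etc/exports, the client's /etc/fstab line, and the flavor actually
# negotiated for a mount (/proc/mounts). Sample inputs are constructed.

# Print the sec= flavor list from one exports client spec; the default
# when no sec= option is given is "sys" (client-supplied UIDs are trusted).
export_sec_flavor() {
    opts=$(printf '%s' "$1" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
    flavor=$(printf '%s' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    [ -n "$flavor" ] && printf '%s' "$flavor" || printf 'sys'
}

# Succeed only if every flavor in a colon-separated list is a Kerberos one,
# so "krb5:sys" (Kerberos with a sys fallback) is reported as weak.
is_kerberos_only() {
    case "$1" in *sys*|*none*) return 1 ;; *) return 0 ;; esac
}

# Print "path client flavor" for every export entry that allows non-Kerberos access.
weak_exports() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while read -r path clients; do
        for c in $clients; do
            f=$(export_sec_flavor "$c")
            is_kerberos_only "$f" || printf '%s %s %s\n' "$path" "$c" "$f"
        done
    done
}

# Succeed if an fstab line has the right field order (device mountpoint type
# options dump pass), an NFS type, and a sec=krb5/krb5i/krb5p option.
fstab_line_ok() {
    set -- $1
    [ "$#" -ge 4 ] || return 1
    case "$3" in nfs|nfs4) ;; *) return 1 ;; esac
    case ",$4," in *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) return 0 ;; *) return 1 ;; esac
}

# Print the negotiated flavor for a mount point from a mounts table
# (defaults to /proc/mounts, which lists sec= for NFS mounts).
mounted_sec_flavor() {
    awk -v mp="$1" '$2 == mp && $3 ~ /^nfs/ { n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (sub(/^sec=/, "", o[i])) print o[i] }' "${2:-/proc/mounts}"
}

# Demo on a constructed exports file: /krbdata is fine, /legacy is flagged.
tmp=$(mktemp)
printf '/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)\n/legacy 192.168.1.0/24(rw,sync)\n' > "$tmp"
weak_exports "$tmp"; rm -f "$tmp"
```

On a real client, `mounted_sec_flavor /mnt` after `mount -a` should print krb5; an empty result means the mount is absent, and sys means the Kerberos option never took effect.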
----