General Information
Kerberos with NFS.
The following virtual machines will be used:
On server2 (NFS Server/KDC).
Add Kerberos NFS principal and add local copy of keytab file
kadmin
kadmin: addprinc -randkey nfs/server2.example.com
kadmin: ktadd nfs/server2.example.com
kadmin: exit
Add “sec=krb5” as an export option
vim /etc/exports
/krbdata 192.168.1.10(rw,no_root_squash,sec=krb5)
Ensure proper SELinux file context
semanage fcontext -at nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
Re-export the directory to reflect the export option changes
exportfs -var
On server1 (NFS Client/Kerberos Client)
Add NFS principal and add local copy of keytab file
kadmin
kadmin: addprinc -randkey nfs/server1.example.com
kadmin: ktadd nfs/server1.example.com
kadmin: exit
Enable the NFS client target (it starts the services needed for NFS mounts and Kerberos authentication)
systemctl enable nfs-client.target
systemctl start nfs-client.target
# If it was already running, restart it
systemctl restart nfs-client.target
Persistent mount
vim /etc/fstab
server2.example.com:/krbdata /mnt nfs4 _netdev,sec=krb5 0 0
Mount the filesystem
mount -a
Log in as a Kerberos user, initialize a Kerberos ticket, and write a file
su - rjones
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile
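A check for the two files edited in the steps above, as an added example that is not part of the original page: it lists export client specs and NFS fstab entries that do not actually enforce a Kerberos flavor (an export with no sec= option falls back to sec=sys). The function names weak_exports and weak_fstab are hypothetical, and the /scratch, /old and 192.168.1.11 entries are constructed sample input.

```shell
#!/bin/sh
# Added example: audit exports/fstab text for the Kerberos security flavor.

# weak_exports FILE: print "PATH CLIENT" for each client spec whose sec=
# option is absent or lists anything other than krb5, krb5i or krb5p.
# Dash-prefixed default option lists are skipped (not evaluated).
weak_exports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^-/) continue
                opts = ""
                if (match($i, /\(.*\)/))
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                client = $i
                sub(/\(.*/, "", client)
                if (("," opts ",") !~ /,sec=krb5[ip]?(:krb5[ip]?)*,/)
                    print $1, client
            }
        }' "$1"
}

# weak_fstab FILE: print "DEVICE MOUNTPOINT REASON" for host:/path entries
# whose type field is not nfs/nfs4, or whose options lack a krb5 flavor.
weak_fstab() {
    awk '
        /^[ \t]*#/ || $1 !~ /:\// { next }
        $3 !~ /^nfs4?$/ { print $1, $2, "bad-fstype"; next }
        ("," $4 ",") !~ /,sec=krb5[ip]?,/ { print $1, $2, "no-krb5-sec" }
    ' "$1"
}

# Constructed sample input (not taken from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/exports" <<'EOF'
/krbdata 192.168.1.10(rw,no_root_squash,sec=krb5)
/scratch 192.168.1.10(rw) 192.168.1.11(ro,sec=krb5p:sys)
EOF
cat > "$tmp/fstab" <<'EOF'
server2.example.com:/krbdata /mnt     nfs4 _netdev,sec=krb5 0 0
server2.example.com:/scratch /scratch nfs4 _netdev 0 0
server2.example.com:/old     /old     _netdev,nfs4 sec=krb5 0 0
EOF
weak_exports "$tmp/exports"
weak_fstab "$tmp/fstab"
```

On a real host, pass /etc/exports on the server and /etc/fstab on the client; no output means every checked entry requests a krb5 flavor.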