Use Kerberos To Control Access To NFS Network Shares

General Information

Kerberos with NFS. By default NFS trusts whatever UID and GID the client sends (AUTH_SYS, sec=sys), so anyone who controls a host on the allowed network can act as any user on the export. Exporting and mounting with sec=krb5 makes the server require a valid Kerberos ticket for each user and each client host instead. krb5 authenticates only; krb5i adds per-request integrity checking and krb5p also encrypts the NFS traffic.


Lab Setup

The following virtual machines will be used:

server1.example.com: NFS client and Kerberos client
server2.example.com: NFS server and KDC

Pre-requisites

The later steps assume a Kerberos realm with its KDC on server2, both hosts already configured as Kerberos clients of that KDC, an admin principal usable with kadmin, forward name resolution for server1.example.com and server2.example.com (the nfs/<fqdn> service principals are matched by host name), and a test user (rjones below) that exists in the KDC and as a local account on both the server and the client.

NFS Server: Initial Setup


NFS Client: Initial Setup

Set up an NFS client and mount the export


NFS Server

On server2 (NFS Server/KDC).


Add the Kerberos NFS service principal for the server and store its key in the local keytab

kadmin
 
# kadmin prompts for the admin principal's password
kadmin: addprinc -randkey nfs/server2.example.com
# ktadd writes the key to /etc/krb5.keytab, which the NFS server reads
kadmin: ktadd nfs/server2.example.com
 
kadmin: exit


Add sec=krb5 as an export option. sec= takes a colon-separated list of flavours the server will accept, so list only Kerberos flavours; sec=krb5:sys would let clients fall back to unauthenticated AUTH_SYS. no_root_squash is kept here for the lab; on a production export leave root squashing enabled unless the client genuinely needs root access.

vim /etc/exports
 
/krbdata  192.168.1.10(rw,no_root_squash,sec=krb5)


Ensure proper SELinux file context

semanage fcontext -at nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata


Re-export the directory to reflect the export option changes. Afterwards exportfs -v should list /krbdata with sec=krb5 among its options.

exportfs -var

NFS Client

On server1 (NFS Client/Kerberos Client)


Add the client's NFS service principal and store its key in the local keytab (rpc.gssd uses it as the client's machine credential when talking to the server)

kadmin
 
kadmin: addprinc -randkey nfs/server1.example.com
kadmin: ktadd nfs/server1.example.com
 
kadmin: exit


Enable the NFS Client target (takes care of starting services needed for NFS mounts and kerberos authentication)

systemctl enable nfs-client.target
systemctl start nfs-client.target
 
# If it was already running, restart it
systemctl restart nfs-client.target


Persistent mount. The third fstab field is the filesystem type and the fourth is the option list, so _netdev belongs with sec=krb5, not with the type.

vim /etc/fstab
 
server2.example.com:/krbdata  /mnt  nfs4  _netdev,sec=krb5  0  0


Mount the filesystem. The mount output for /mnt should now show sec=krb5 among the mount options.

mount -a


Log in as a Kerberos user, obtain a ticket, and write a file. Without the kinit (or after kdestroy) the same write fails with "Permission denied": the server no longer trusts the client's UID, only a ticket for rjones.

su - rjones
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile
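As an added check (example code, not from the original page), the following POSIX shell script audits /etc/exports-style and /etc/fstab-style files like the ones above for the failure modes sec=krb5 is meant to remove: an export client with no sec= option (which defaults to sec=sys), a sec list that still includes sys, an NFS mount that negotiates a non-Kerberos flavour, and an fstab line whose fields are out of order so sec=krb5 never takes effect. The file names and sample lines are constructed for the example.

```shell
#!/bin/sh
# Added audit helper, not part of the original page: scan an /etc/exports-style
# file and an /etc/fstab-style file for NFS exports and mounts that still allow
# AUTH_SYS (sec=sys) instead of requiring a Kerberos flavour (krb5, krb5i, krb5p).
# The sample files written below are constructed for this example.

# Print one line per export client that does not require Kerberos:
#   <export path> <client> <reason>
check_exports_sec() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i
                opts = ""
                # split "client(opt,opt,...)" into the client and its option list
                p = index(client, "(")
                if (p > 0 && substr(client, length(client)) == ")") {
                    opts = substr(client, p + 1, length(client) - p - 1)
                    client = substr(client, 1, p - 1)
                }
                sec = ""
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                if (sec == "")
                    print path, client, "no sec= option (defaults to sec=sys)"
                else if ((":" sec ":") ~ /:sys:/)
                    print path, client, "sec list still permits sys: " sec
            }
        }' "$1"
}

# Print one line per fstab NFS entry that does not require a Kerberos flavour,
# and flag lines whose fields are out of order (an NFS source with a bogus fstype):
#   <source> <mountpoint> <reason>
check_fstab_sec() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $3 == "nfs" || $3 == "nfs4" {
            sec = ""
            n = split($4, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            if (sec !~ /^krb5/)
                print $1, $2, (sec == "" ? "no sec= option (client negotiates, usually sys)" : "sec=" sec)
            next
        }
        index($1, ":/") > 0 {
            print $1, $2, "NFS source but fstype field is \"" $3 "\" (fields out of order?)"
        }' "$1"
}

# --- constructed sample input (not real configuration) ---
EXPORTS_SAMPLE=$(mktemp)
FSTAB_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE" "$FSTAB_SAMPLE"' EXIT

cat > "$EXPORTS_SAMPLE" <<'EOF'
# Kerberos-only export (good), AUTH_SYS export (bad), mixed list (bad)
/krbdata  192.168.1.10(rw,no_root_squash,sec=krb5)
/public   *(ro)
/mixed    192.168.1.0/24(rw,sec=krb5:sys)
EOF

cat > "$FSTAB_SAMPLE" <<'EOF'
server2.example.com:/krbdata  /mnt      nfs4          _netdev,sec=krb5p  0 0
server2.example.com:/public   /mnt/pub  nfs           _netdev            0 0
server2.example.com:/krbdata  /mnt/bad  _netdev,nfs4  sec=krb5           0 0
EOF

echo "== exports that do not require Kerberos =="
check_exports_sec "$EXPORTS_SAMPLE"
echo "== fstab NFS mounts that do not require Kerberos =="
check_fstab_sec "$FSTAB_SAMPLE"
```

Run it against the real files with check_exports_sec /etc/exports and check_fstab_sec /etc/fstab on the server and client respectively; any line it prints is an export or mount that still accepts unauthenticated clients or that never applied sec=krb5 at all.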