Use Kerberos To Control Access To NFS Network Shares
General Information
Kerberos with NFS.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Perform all NFS client tests from here
- server2.example.com (192.168.1.151) → Install the NFS server here
- ipa.example.com (192.168.1.152) → FreeIPA/authentication server
Pre-requisites
- server1 → Kerberos Client
- server2 → Kerberos KDC
NFS Server: Initial Setup
- Call the exported directory: /krbdata
SELinux file context label
semanage fcontext -a -t nfs_t "/krbdata(/.*)?"
restorecon -R /krbdata
NFS Client: Initial Setup
NFS Server: Kerberos
Manual Kerberos Keytab Setup
NOTE: These steps are most likely not needed on the exam. You will probably be provided a keytab file.
Install krb5 workstation package
yum install krb5-workstation
Edit krb5.conf and change 'EXAMPLE.COM' domains, kdc, and admin_server
vim /etc/krb5.conf
Add host as a principal
kadmin
addprinc -randkey host/nfsserver.example.com
ktadd host/nfsserver.example.com
quit
- kadmin → prompted for root/admin password
Edit SSH GSSAPI settings
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Reload the ssh daemon
systemctl reload sshd
Enable Kerberos authentication
authconfig --enablekrb5 --update
Add Kerberos NFS principal
kadmin
addprinc -randkey nfs/nfsserver.example.com
ktadd nfs/nfsserver.example.com
quit
Kerberos Keytab Provided Steps
Install krb5 workstation package
yum install krb5-workstation
Edit krb5.conf and change 'EXAMPLE.COM' domains, kdc, and admin_server
vim /etc/krb5.conf
If provided a keytab file to download (most likely), simply restore the file context.
restorecon -Rv /etc/krb5.keytab
Add “sec=krb5” as an export option
vim /etc/exports
/krbdata 192.168.1.10(rw,no_root_squash,sec=krb5)
Ensure proper SELinux file context
semanage fcontext -at nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
Re-export the directory to reflect the export option changes
exportfs -var
LinuxAcademy says a reboot is needed at this point for the client to work consistently. → TO INVESTIGATE
NFS Client: Kerberos
Add NFS principal and re-generate keytab file
kadmin
addprinc -randkey nfs/server1.example.com
ktadd nfs/server1.example.com
quit
- NOTE: You will most likely be provided a keytab file on the exam and will not need to do this part. (Instead, you will probably just need to copy the keytab file to the client from a source)
- If that is the case, simply ensure that the file context is correct
restorecon -Rv /etc/krb5.keytab
Enable the NFS client target (it starts the services needed for NFS mounts and Kerberos authentication)
systemctl enable nfs-client.target
systemctl start nfs-client.target
Temporary mount (the mount point must exist first)
mkdir -p /mnt/krbtest
mount -t nfs4 -o sec=krb5 nfsserver.example.com:/krbdata /mnt/krbtest
Log in as the Kerberos/LDAP user, initialize a Kerberos ticket, and write a file
su - rjones
kinit rjones
touch /mnt/krbtest/testfile
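Two quick checks for the setup above, written as an added example (not part of the original notes): one confirms that every client entry for an export in /etc/exports demands Kerberos (sec=krb5, krb5i or krb5p), the other confirms that the client keytab holds the nfs/ service principal. Both functions take the text to inspect as an argument, so they can be fed `cat /etc/exports` and `klist -k` output; the sample data below is constructed, with the same names as the lab.

```sh
#!/bin/sh
# export_requires_krb5 <exports-text> <directory>
# Succeeds only if <directory> is exported and every client entry for it
# carries sec=krb5, krb5i or krb5p. A client entry without it falls back to
# sec=sys, so any such entry fails the check. Runs in a subshell so that
# globbing can be disabled for the "*(ro)" style client fields.
export_requires_krb5() (
  exports="$1"; dir="$2"; matched=0
  set -f
  while IFS= read -r line; do
    line="${line%%#*}"                      # strip comments
    set -- $line                            # directory, then client entries
    [ "$#" -gt 0 ] || continue
    [ "$1" = "$dir" ] || continue
    shift
    for client in "$@"; do
      opts="${client#*\(}"; opts="${opts%\)}"   # text inside the parentheses
      case ",$opts," in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) matched=1 ;;
        *) exit 1 ;;                        # this client may mount with AUTH_SYS
      esac
    done
  done <<EOF
$exports
EOF
  [ "$matched" -eq 1 ]
)

# keytab_has_nfs_principal <klist-k-output> <fqdn>
# Succeeds if a "nfs/<fqdn>@REALM" entry is present in the keytab listing.
keytab_has_nfs_principal() {
  printf '%s\n' "$1" | grep -q "[[:space:]]nfs/$2@"
}

# Constructed sample input mirroring the lab (not captured from a real host).
SAMPLE_EXPORTS='# constructed /etc/exports
/krbdata 192.168.1.10(rw,no_root_squash,sec=krb5)
/public  *(ro)'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server1.example.com@EXAMPLE.COM
   2 nfs/server1.example.com@EXAMPLE.COM'

export_requires_krb5 "$SAMPLE_EXPORTS" /krbdata && echo "/krbdata: Kerberos required"
export_requires_krb5 "$SAMPLE_EXPORTS" /public  || echo "/public: AUTH_SYS allowed"
keytab_has_nfs_principal "$SAMPLE_KLIST" server1.example.com && echo "nfs/ principal present"
```

On a real host, replace the samples with `"$(cat /etc/exports)"` on the server and `"$(klist -k)"` on the client.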