Use Kerberos To Control Access To NFS Network Shares
General Information
These notes show how to put NFS exports behind Kerberos: the server refuses any client that cannot present a valid service ticket, and individual users must hold their own Kerberos tickets before they can read or write the share. Without Kerberos (sec=sys) the server simply trusts the UID/GID the client claims.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → NFS Client and Kerberos Client
- server2.example.com (192.168.1.151) → NFS Server and Kerberos KDC
Pre-requisites
- A working Kerberos realm for example.com (hostnames resolve forward and reverse; clocks are in sync, since Kerberos rejects tickets with more than a few minutes of skew)
- server1 → Kerberos Client (joined to the realm, /etc/krb5.conf in place)
- server2 → Kerberos KDC (kadmin access available)
NFS Server: Initial Setup
- A basic, non-Kerberos NFS server is already running on server2 (nfs-server.service)
- Call the exported directory: /krbdata
NFS Client: Initial Setup
- NFS client utilities installed on server1 (the nfs-client.target used below), with the export reachable from server1
NFS Server
On server2 (NFS Server/KDC).
Add the Kerberos NFS service principal and store its key in the local keytab. The host part must be the FQDN that clients use to reach the server, otherwise ticket requests will be for a principal that does not exist.
kadmin
kadmin:  addprinc -randkey nfs/server2.example.com
kadmin:  ktadd nfs/server2.example.com
kadmin:  exit
- ktadd writes to /etc/krb5.keytab by default; it holds the server's long-term key, so it must stay root-only (mode 0600). Verify with: klist -k /etc/krb5.keytab
Add "sec=krb5" as an export option for the client (server1 is 192.168.1.150 in this lab)
vim /etc/exports
/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)
- sec= accepts a colon-separated, ordered list of flavours (e.g. sec=krb5p:krb5i); the client negotiates the first one it supports. sec=sys is the default when the option is absent, so every export you want protected needs an explicit sec=.
- no_root_squash lets root on the client act as root on the export; it is used here for the lab only and should be dropped unless a workload actually needs it.
- Other sec options
- sys → AUTH_SYS, no Kerberos: the server trusts whatever UID/GID the client sends
- krb5 → Kerberos user authentication only; the RPC payload is neither integrity-protected nor encrypted
- krb5i → Kerberos user authentication plus integrity checking (each RPC carries a checksum, so traffic cannot be tampered with in transit)
- krb5p → Kerberos user authentication, integrity checking, and traffic encryption (privacy); the strongest and most CPU-costly flavour
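Because sec=sys is the silent default, it is worth auditing /etc/exports rather than reading it by eye. The script below is an added example, not part of the original page: it walks an exports(5) file and prints, per export and client, the allowed flavours, flagging entries that still permit sys, entries that grant no_root_squash, and the classic "host (options)" mistake where a stray space makes the options apply to everyone. The sample exports file, its extra paths (/pubdata, /legacy, /oops) and the function name audit_exports are constructed for the example; pass /etc/exports as the argument to audit the real file.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an exports(5) file and
# report which security flavours each export grants to each client.
# Flags exports that still allow sec=sys (the default when sec= is absent),
# exports granting no_root_squash, and "host (opts)" lines where the space
# detaches the options from the host. Sample data and the function name are
# constructed for this example.

SAMPLE_EXPORTS="$(mktemp)"
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat >"$SAMPLE_EXPORTS" <<'EOF'
# constructed sample /etc/exports
/krbdata   192.168.1.150(rw,no_root_squash,sec=krb5)
/pubdata   192.168.1.0/24(ro,sec=sys) 192.168.1.150(rw,sec=krb5p:krb5i)
/legacy    *(rw)
/oops      192.168.1.150 (rw,sec=krb5p)
EOF

# audit_exports FILE
# Prints one line per (export, client): "<path> <client> sec=<flavours> <notes>"
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""; notes = ""
                if (match($i, /\(.*\)/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts   = substr($i, RSTART + 1, RLENGTH - 2)
                }
                # "host (opts)": the options apply to "*" (everyone) and the
                # host itself gets the defaults (ro, root_squash, sec=sys).
                if (client == "") { client = "*"; notes = notes " SPACE_BEFORE_OPTIONS" }
                sec = "sys"                     # exportfs default when sec= is absent
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                    if (o[j] == "no_root_squash") notes = notes " NO_ROOT_SQUASH"
                }
                if ((":" sec ":") ~ /:sys:/) notes = notes " ALLOWS_SYS"
                if (notes == "") notes = " OK"
                printf "%s %s sec=%s%s\n", path, client, sec, notes
            }
        }' "$1"
}

# Usage: audit_exports /etc/exports   (defaults to the constructed sample)
audit_exports "${1:-$SAMPLE_EXPORTS}"
```

For the sample above the /krbdata line is reported with NO_ROOT_SQUASH, /pubdata gets one ALLOWS_SYS line for the subnet and one OK line for 192.168.1.150 (sec=krb5p:krb5i), /legacy is ALLOWS_SYS because it has no sec= at all, and /oops shows the split: the host is exported with the defaults (sec=sys) while "*" receives rw,sec=krb5p.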
Ensure proper SELinux file context
semanage fcontext -a -t nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
Re-export the directory to reflect the export option changes
exportfs -var
NFS Client
On server1 (NFS Client/Kerberos Client)
Add the client's NFS service principal and store its key in the local keytab. rpc.gssd uses this machine credential to set up the initial GSS security context with the server; individual users then authenticate with their own tickets.
kadmin
kadmin:  addprinc -randkey nfs/server1.example.com
kadmin:  ktadd nfs/server1.example.com
kadmin:  exit
Enable the NFS client target (it starts the services needed for NFS mounts and Kerberos authentication, including rpc.gssd). rpc-gssd only starts when /etc/krb5.keytab exists, so restart the target after creating the keytab.
systemctl enable nfs-client.target
systemctl start nfs-client.target
# If it was already running, restart it so rpc.gssd picks up the new keytab
systemctl restart nfs-client.target
Persistent mount (fstab fields are device, mount point, type, options, dump, pass; sec=krb5 and _netdev both belong in the options field)
vim /etc/fstab
server2.example.com:/krbdata  /mnt  nfs4  sec=krb5,_netdev  0 0
Mount the filesystem
mount -a
- If you see the error "mount.nfs: an incorrect mount option was specified" → rpc.gssd is not running, typically because nfs-client.target was started before the keytab existed. Restart nfs-client.target and mount again.
- Confirm the flavour actually in use: grep /mnt /proc/mounts should show sec=krb5 in the options.
Log in as a Kerberos user, obtain a ticket, and write a file. The user must exist on both hosts (or in a shared directory) with the same name; with sec=krb5 the server maps the Kerberos principal to the local account, so a valid ticket, not the client-side UID, is what grants access.
su - rjones
kinit rjones
klist
echo "Hello krb world" > /mnt/krbtestfile
- Without a ticket (kdestroy, then retry) the same command fails with "Permission denied", even for root, which is the point of the exercise.
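A client that omits sec= in fstab will negotiate whatever the server offers, which may silently be sys if the export still lists it. The script below is an added example, not part of the original page: it reads the kernel mount table, reports the flavour each NFS mount actually negotiated, and enforces a minimum flavour so a compliance check or a cron job can fail loudly. The sample mount table, the second export (/pubdata on /srv/pub) and the function names are constructed for the example; with no file argument the functions read the live /proc/mounts.

```shell
#!/bin/sh
# Added example, not part of the original page: read the mount table and
# report the security flavour each NFS mount actually negotiated, then
# enforce a minimum (sys < krb5 < krb5i < krb5p). The mount table below,
# the /pubdata export and the function names are constructed for this
# example; with no file argument the functions read /proc/mounts.

SAMPLE_MOUNTS="$(mktemp)"
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat >"$SAMPLE_MOUNTS" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
server2.example.com:/krbdata /mnt nfs4 rw,relatime,vers=4.2,hard,proto=tcp,sec=krb5,clientaddr=192.168.1.150,addr=192.168.1.151 0 0
server2.example.com:/pubdata /srv/pub nfs4 rw,relatime,vers=4.2,hard,proto=tcp,sec=sys,clientaddr=192.168.1.150,addr=192.168.1.151 0 0
EOF

# flavor_rank NAME: prints 0..3, higher is stronger; unknown names rank 0
flavor_rank() {
    case "$1" in
        krb5p) echo 3 ;;
        krb5i) echo 2 ;;
        krb5)  echo 1 ;;
        *)     echo 0 ;;
    esac
}

# nfs_mount_flavors [MOUNTS_FILE]
# Prints "<mountpoint> <export> <flavour>" for every nfs/nfs4 mount.
nfs_mount_flavors() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        sec = "sys"                 # treat a missing sec= as AUTH_SYS
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
        print $2, $1, sec
    }' "${1:-/proc/mounts}"
}

# require_min_flavor MIN [MOUNTS_FILE]
# Returns 0 if every NFS mount is at least MIN; otherwise lists the weak
# mounts on stderr and returns 1.
require_min_flavor() {
    min_rank=$(flavor_rank "$1")
    weak=$(nfs_mount_flavors "${2:-/proc/mounts}" | while read -r mp src sec; do
        if [ "$(flavor_rank "$sec")" -lt "$min_rank" ]; then
            echo "WEAK: $mp ($src) negotiated sec=$sec, need at least sec=$1"
        fi
    done)
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" >&2
        return 1
    fi
    return 0
}

# Usage: nfs_mount_flavors; require_min_flavor krb5i || echo "weak NFS mount found"
nfs_mount_flavors "${1:-$SAMPLE_MOUNTS}"
```

Against the sample table, require_min_flavor sys passes, while require_min_flavor krb5 fails and names /srv/pub, because that mount negotiated sec=sys. The ranking deliberately treats krb5 as weaker than krb5i: without integrity protection an on-path attacker can still alter NFS requests and replies after authentication succeeds.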