
Use Kerberos To Control Access To NFS Network Shares

General Information

Using Kerberos to authenticate NFS clients and users, so that access to an NFSv4 export requires valid Kerberos credentials instead of the server simply trusting the UID/GID the client sends (sec=sys).


Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → NFS Client and Kerberos Client
  • server2.example.com (192.168.1.151) → NFS Server and Kerberos KDC

Pre-requisites


NFS Server: Initial Setup


NFS Client: Initial Setup

NFS Server

On server2 (NFS Server/KDC).


Add the Kerberos NFS service principal for the server and store its key in the local keytab file

kadmin
 
kadmin: addprinc -randkey nfs/server2.example.com
kadmin: ktadd nfs/server2.example.com
 
kadmin: exit


Add “sec=krb5” as an export option

vim /etc/exports
 
# server1.example.com is the NFS client from the lab setup; only that host may mount, and only with Kerberos
/krbdata  192.168.1.150(rw,no_root_squash,sec=krb5)
  • Other sec options
    • sys → No kerberos
    • krb5 → Kerberos user authentication
    • krb5i → Kerberos user authentication and integrity checking
    • krb5p → Kerberos user authentication, integrity checking, and traffic encryption


Ensure proper SELinux file context

semanage fcontext -a -t nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata


Re-export the directory to reflect the export option changes

exportfs -var

NFS Client

On server1 (NFS Client/Kerberos Client).


Add the Kerberos NFS service principal for the client and store its key in the local keytab file

kadmin
 
kadmin: addprinc -randkey nfs/server1.example.com
kadmin: ktadd nfs/server1.example.com
 
kadmin: exit


Enable the NFS client target (it starts the services needed for NFS mounts and Kerberos authentication)

systemctl enable nfs-client.target
systemctl start nfs-client.target
 
# If it was already running, restart it
systemctl restart nfs-client.target


Persistent mount

vim /etc/fstab
 
# fields: device  mount point  type  options  dump  pass
server2.example.com:/krbdata  /mnt  nfs4  _netdev,sec=krb5  0  0


Mount the filesystem

mount -a
  • If you see the error message “mount.nfs: an incorrect mount option was specified” → ensure that you restarted 'nfs-client.target' after adding the keytab.
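As an added check that is not part of this wiki page: a small POSIX sh script that audits /etc/exports lines for exports still reachable without Kerberos (sec=sys, or no sec= at all, which defaults to sys) and reads back the security flavor the kernel actually negotiated for a mount from /proc/mounts syntax. The exports and mount lines embedded in it are constructed samples modelled on the lab above, not the author's configuration.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit NFS exports and mounts for
# their Kerberos security flavor. All data below is constructed sample input.
# Constructed /etc/exports content mirroring this page's lab, plus two
# deliberately weak exports for the audit to catch.
sample_exports() {
    cat <<'EOF'
# NFS exports (constructed sample)
/krbdata  192.168.1.150(rw,no_root_squash,sec=krb5)
/krbdata  192.168.1.0/24(ro,sec=krb5p)
/pubdata  *(ro)
/legacy   192.168.1.20(rw,sec=sys) 192.168.1.21(rw,sec=krb5i)
EOF
}

# Print "<path> <client> sec=<flavors>" for each export whose sec= list
# contains anything other than krb5/krb5i/krb5p. No sec= means sec=sys:
# AUTH_SYS, where the server simply trusts the UID/GID the client sends.
# Reads exports(5) syntax from file $1, or from stdin when $1 is omitted.
audit_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            flavors = "sys"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) if (o[j] ~ /^sec=/) flavors = substr(o[j], 5)
            m = split(flavors, f, ":")
            for (k = 1; k <= m; k++)
                if (f[k] !~ /^krb5[ip]?$/) { print $1, client, "sec=" flavors; break }
        }
    }' "${1:-/dev/stdin}"
}

# Print the flavor the kernel actually negotiated for mount point $1, reading
# /proc/mounts syntax from stdin (field 4 holds the mount options).
mount_flavor() {
    awk -v mp="$1" '$2 == mp && $3 ~ /^nfs/ {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) { print substr(o[i], 5); exit }
    }'
}

# Stand-alone run against the constructed samples.
sample_exports | audit_exports
echo 'server2.example.com:/krbdata /mnt nfs4 rw,vers=4.2,sec=krb5 0 0' | mount_flavor /mnt
```

On a real server, run `audit_exports /etc/exports` and `mount_flavor /mnt < /proc/mounts` to compare what is exported with what the client actually negotiated.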


Log in as a Kerberos user, obtain a Kerberos ticket, and write a file to the share

su - rjones
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile

Last modified: 2019/05/25 23:50