linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares

linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2018/04/15 23:42]
billdozor [NFS Client]
linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2019/05/25 23:50]
====== Use Kerberos To Control Access To NFS Network Shares ======

**General Information**

Kerberos with NFS: the export is restricted to the krb5 security flavor, so clients and users must authenticate to the Kerberos KDC instead of the server trusting the UIDs the client asserts (AUTH_SYS).

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> NFS Client and Kerberos Client
  * server2.example.com (192.168.1.151) -> NFS Server and Kerberos KDC

----

====== Pre-requisites ======

  * [[https://www.owlbearconsulting.com/doku.php?id=linux_wiki:setup_a_kdc_server|Kerberos Server setup]]
    * server1 -> Kerberos Client
    * server2 -> Kerberos KDC

----

====== NFS Server: Initial Setup ======

  * [[linux_wiki:provide_network_shares_to_specific_clients#nfs_serverinstall_and_configure|Set up an NFS server with an exported directory]].
    * Call the exported directory: /krbdata

----

====== NFS Client: Initial Setup ======

[[linux_wiki:provide_network_shares_to_specific_clients#nfs_clientinstall_and_configure|Set up an NFS client and mount the export]]

----

====== NFS Server ======

\\
Add the Kerberos NFS service principal for the server and store its key in the local keytab (/etc/krb5.keytab)
<code bash>
# On server2 (NFS server), as root
kadmin

# Random key: the server never needs a password for this principal
kadmin: addprinc -randkey nfs/server2.example.com
# Write the key into the local keytab so the NFS server can accept Kerberos tickets
kadmin: ktadd nfs/server2.example.com

kadmin: exit
</code>

\\
Add "sec=krb5" as an export option
<code bash>
vim /etc/exports

# The NFS client from Lab Setup is server1.example.com at 192.168.1.150
/krbdata  192.168.1.150(rw,no_root_squash,sec=krb5)
</code>
  * Other sec options
    * sys  -> No Kerberos (AUTH_SYS: the server trusts the UID/GID the client sends)
    * krb5 -> Kerberos user authentication
    * krb5i -> Kerberos user authentication and integrity checking (RPC messages are signed)
    * krb5p -> Kerberos user authentication, integrity checking, and traffic encryption (RPC payloads are encrypted)
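Going beyond the wiki's single export line, here is an added audit script (not from the wiki) that parses an exports file and flags every client entry whose sec= option still permits AUTH_SYS, including entries with no sec= at all; the sample file it reads is constructed.

```shell
#!/bin/sh
# Audit an exports file and flag entries that do not require Kerberos.
# Added example; SAMPLE below is a constructed file, not the wiki's /etc/exports.

# Print the sec= flavors of an export option string. A missing sec= option
# means the default, sys (AUTH_SYS: client-asserted UIDs, no Kerberos).
export_sec_flavors() {
    sec=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | tail -n 1)
    printf '%s\n' "${sec:-sys}"
}

# Return 0 only if every listed flavor is krb5, krb5i or krb5p; a sec= list
# that still allows sys (e.g. sec=sys:krb5) lets clients skip Kerberos.
export_requires_krb5() {
    for flavor in $(export_sec_flavors "$1" | tr ':' ' '); do
        case "$flavor" in
            krb5|krb5i|krb5p) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print one OK/WEAK line per <client>(options) entry in the given exports file.
audit_exports() {
    set -f   # '*' is a valid client spec; do not let the shell glob it
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r path clients; do
        for entry in $clients; do
            client=${entry%%\(*}
            opts=""
            case "$entry" in *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;; esac
            if export_requires_krb5 "$opts"; then status=OK; else status=WEAK; fi
            printf '%-4s %s %s sec=%s\n' "$status" "$path" "$client" \
                "$(export_sec_flavors "$opts")"
        done
    done
    set +f
}

# Constructed sample exports file (the wiki's export is the first line).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/krbdata   192.168.1.150(rw,no_root_squash,sec=krb5)
/pubdata   192.168.1.0/24(ro,sec=sys)   # explicit AUTH_SYS
/legacy    *(rw)                        # no sec= at all
/secure    server1.example.com(rw,sec=krb5p:krb5i)
EOF
audit_exports "$SAMPLE"
```

Run it against the real file with `audit_exports /etc/exports` on the NFS server; any WEAK line is an export that a client can mount without a Kerberos ticket.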

\\
Ensure proper SELinux file context
<code bash>
semanage fcontext -a -t nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
</code>

\\
Re-export the directory to reflect the export option changes
<code bash>
# -v verbose, -a all exports, -r re-export /etc/exports (also drops entries that were removed)
exportfs -var
</code>

\\
LinuxAcademy.com says a reboot is needed at this point for the client to work consistently. -> **TO INVESTIGATE**

----

====== NFS Client ======

Add the Kerberos NFS service principal for the client and store its key in the local keytab
<code bash>
# On server1 (NFS client), as root; kadmin talks to the KDC on server2
kadmin

kadmin: addprinc -randkey nfs/server1.example.com
kadmin: ktadd nfs/server1.example.com

kadmin: exit
</code>

\\
Enable the NFS client target (it starts the services NFS mounts and Kerberos authentication need, such as rpc.gssd, which establishes the Kerberos security context for the kernel NFS client)
<code bash>
systemctl enable nfs-client.target
systemctl start nfs-client.target

# If it was already running, restart it so the new keytab is picked up
systemctl restart nfs-client.target
</code>

\\
Temporary mount
<code bash>
mount -t nfs4 -o sec=krb5 server2.example.com:/krbdata /mnt
</code>

\\
Permanent mount
<code bash>
vim /etc/fstab

server2.example.com:/krbdata  /mnt  nfs4  sec=krb5  0  0
</code>

\\
Log in as a Kerberos user, initialize a Kerberos ticket, and write a file
<code bash>
su - rjones
# Without a valid ticket for rjones, access to the krb5 export is denied
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile
</code>

----
  