

Use Kerberos To Control Access To NFS Network Shares

General Information

Using Kerberos (the sec=krb5 export and mount option) to authenticate client access to NFS shares instead of trusting client-supplied UIDs.


Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → Perform all NFS client tests from here
  • server2.example.com (192.168.1.151) → Install the NFS server here
  • ipa.example.com (192.168.1.152) → FreeIPA/authentication server

Prerequisites

  • LDAP/Kerberos server setup
  • Both the NFS server and the NFS client can authenticate to the LDAP/Kerberos server.

NFS Server: Initial Setup


SELinux file context label

semanage fcontext -a -t nfs_t "/krbdata(/.*)?"
restorecon -R /krbdata

NFS Client: Initial Setup

NFS Server: Kerberos

NOTE: These steps are most likely not needed on the exam. You will probably be provided a keytab file.


Install krb5 workstation package

yum install krb5-workstation


Edit krb5.conf and change the 'EXAMPLE.COM' entries for domains, kdc, and admin_server

vim /etc/krb5.conf


Add host as a principal

kadmin
 
addprinc -randkey host/nfsserver.example.com
ktadd host/nfsserver.example.com
 
quit
  • kadmin → you are prompted for the root/admin password


Edit the SSH GSSAPI settings

vim /etc/ssh/sshd_config
 
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes


Reload the ssh daemon

systemctl reload sshd


Enable Kerberos authentication

authconfig --enablekrb5 --update


Add Kerberos NFS principal

kadmin
 
addprinc -randkey nfs/nfsserver.example.com
ktadd nfs/nfsserver.example.com



If you are provided a keytab file to download (most likely), simply restore its file context.

restorecon -Rv /etc/krb5.keytab


Add “sec=krb5” as an export option

vim /etc/exports
 
/krbdata  192.168.1.10(rw,no_root_squash,sec=krb5)


Ensure proper SELinux file context

semanage fcontext -at nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata


Re-export the directory to reflect the export option changes

exportfs -var


LinuxAcademy says a reboot is needed at this point for the client to work consistently. → TO INVESTIGATE
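Two quick server-side checks for the steps above, added here as an example (not part of the original wiki page): a scan of an exports file for entries that do not require Kerberos, and a check that the keytab holds the nfs/ principal. Sample exports content and klist -k output are constructed inline using the page's lab hostnames and the EXAMPLE.COM realm, so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the original wiki page: audit the two server-side
# artifacts the procedure produces (/etc/exports and /etc/krb5.keytab) using
# constructed sample data so the script runs offline.

# Print export entries whose sec= list is absent or includes anything other
# than krb5/krb5i/krb5p, i.e. entries that still accept AUTH_SYS (UID-trusting)
# clients. $1 = path to an exports file.
exports_without_krb5() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -Ev 'sec=krb5[ip]?(:krb5[ip]?)*[,)]'
}

# Succeed (exit 0) when a `klist -k` listing on stdin contains the
# nfs/<fqdn>@REALM principal the NFS server needs. $1 = server FQDN.
keytab_has_nfs_principal() {
    grep -Eq "[[:space:]]nfs/$1@"
}

# Constructed sample /etc/exports: the page's /krbdata entry plus two entries
# that fall back to sec=sys (one explicitly, one by default).
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# lab exports
/krbdata  192.168.1.10(rw,no_root_squash,sec=krb5)
/pubdata  192.168.1.0/24(ro,sec=sys)
/homes    *(rw)
EOF

# Constructed `klist -k` output for the server's keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   2 host/nfsserver.example.com@EXAMPLE.COM
   2 nfs/nfsserver.example.com@EXAMPLE.COM'

echo "Exports that do not enforce Kerberos:"
exports_without_krb5 "$SAMPLE_EXPORTS"
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_nfs_principal nfsserver.example.com; then
    echo "keytab: nfs/nfsserver.example.com present"
else
    echo "keytab: nfs/nfsserver.example.com MISSING"
fi
```

On a real server, run the same functions against /etc/exports and the output of `klist -k /etc/krb5.keytab`.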


NFS Client: Kerberos

Add NFS principal and re-generate keytab file

kadmin
 
addprinc -randkey nfs/server1.example.com
ktadd nfs/server1.example.com
  • NOTE: You will most likely be provided a keytab file on the exam and will not need to do this part. (Instead, you will probably just need to copy the keytab file to the client from a source.)
    • If that is the case, simply ensure that the file context is correct:
      restorecon -Rv /etc/krb5.keytab


Enable the NFS client target (it takes care of starting the services needed for NFS mounts and Kerberos authentication)

systemctl enable nfs-client.target
systemctl start nfs-client.target


Temporary mount

mount -t nfs4 -o sec=krb5 nfsserver.example.com:/krbdata /mnt/krbtest


Log in as the Kerberos/LDAP user, obtain a Kerberos ticket, and write a file

su - rjones
kinit rjones
touch /mnt/krbtest/testfile

Last modified: 2019/05/25 23:50