linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares

linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2018/04/14 16:27]
billdozor [NFS Client: Initial Setup]
linux_wiki:use_kerberos_to_control_access_to_nfs_network_shares [2019/05/25 23:50] (current)
Line 25: Line 25:
 ====== NFS Server: Initial Setup ====== ====== NFS Server: Initial Setup ======
  
-  * [[linux_wiki:provide_network_shares_to_specific_clients|Setup a NFS server with an exported directory]].+  * [[linux_wiki:provide_network_shares_to_specific_clients#nfs_serverinstall_and_configure|Setup a NFS server with an exported directory]].
     * Call the exported directory: /krbdata     * Call the exported directory: /krbdata
- 
-\\ 
-SELinux file context label 
-<code bash> 
-semanage fcontext -a -t nfs_t "/krbdata(/.*)?" 
-restorecon -R /krbdata 
-</code> 
  
 ---- ----
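Review bot: dropping the SELinux labelling step is only safe because of a boolean the page never names, and that should be stated where the step used to be. On RHEL 7 nfsd may serve any directory read-write because `nfs_export_all_rw` is on by default; say so and give `getsebool nfs_export_all_rw` as the check, because on a host where that boolean has been turned off the export fails in a way the client-side mount error does not explain. The removed `semanage fcontext -a -t nfs_t "/krbdata(/.*)?"` was not the right label for that case anyway: `nfs_t` is the type SELinux gives NFS-mounted files on a client, while the documented type for a directory served by nfsd with the export booleans off is `public_content_rw_t`. The updated link anchor is fine.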
Line 43: Line 36:
 ---- ----
  
-====== NFS Server: Kerberos ======+====== NFS Server ======
  
-===== Manual Kerberos Keytab Setup ===== +**On server2** (NFS Server/KDC).
- +
-**NOTE:** These steps are most likely not needed on the exam. You will probably be provided a keytab file. +
- +
-\\ +
-Install krb5 workstation package<code bash>yum install krb5-workstation</code> +
- +
-\\ +
-Edit krb5.conf and change 'EXAMPLE.COM' domains, kdc, and admin_server<code bash>vim /etc/krb5.conf</code>+
  
 \\ \\
-Add host as a principal+Add Kerberos NFS principal and add local copy of keytab file
 <code bash> <code bash>
 kadmin kadmin
  
-addprinc -randkey host/nfsserver.example.com +kadmin: addprinc -randkey nfs/server2.example.com 
-ktadd host/nfsserver.example.com+kadmin: ktadd nfs/server2.example.com
  
-quit +kadmin: exit
-</code> +
-  * kadmin -> prompted for root/admin password +
- +
-\\ +
-Edit SSH GSSAPI settings +
-<code bash> +
-vim /etc/ssh/sshd_config +
- +
-GSSAPIAuthenticaion yes +
-GSSAPIDelegateCredentials yes +
-</code> +
- +
-\\ +
-Reload the ssh daemon +
-<code bash> +
-systemctl reload sshd +
-</code> +
- +
-\\ +
-Enable Kerberos authentication +
-<code bash> +
-authconfig --enablekrb5 --update +
-</code> +
- +
-\\ +
-Add Kerberos NFS principal +
-<code bash> +
-kadmin +
- +
-addprinc -randkey nfs/nfsserver.example.com +
-ktadd nfs/nfsserver.example.com +
-</code> +
- +
----- +
- +
-===== Kerberos Keytab Provided Steps ===== +
- +
-\\ +
-Install krb5 workstation package<code bash>yum install krb5-workstation</code> +
- +
-\\ +
-Edit krb5.conf and change 'EXAMPLE.COM' domains, kdc, and admin_server<code bash>vim /etc/krb5.conf</code> +
- +
-\\ +
-If provided a keytab file to download (most likely), simply restore the file context. +
-<code bash> +
-restorecon -Rv /etc/krb5.keytab+
 </code> </code>
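Review bot: the new server block never verifies the keytab it just wrote and never restarts the NFS server that has to use it. `ktadd nfs/server2.example.com` writes a fresh random key into /etc/krb5.keytab; follow it with `klist -kte /etc/krb5.keytab` (principal, kvno and enctypes) and `systemctl restart nfs-server` so the daemon serving `sec=krb5` picks the key up, and note that every further `ktadd` for the same principal bumps the kvno and silently invalidates any copy of the keytab that has already been distributed. Two points from the removed sections still belong here: the keytab must be root-owned with mode 0600 (ktadd creates it that way, a copied file may not be), and a keytab that is copied in rather than written by kadmin should be checked with `ls -Z /etc/krb5.keytab` for the `krb5_keytab_t` context, which is what the dropped `restorecon -Rv /etc/krb5.keytab` restored. Also, the `kadmin: ` prompt prefix inside the code block means the lines cannot be pasted as they stand; either drop it or keep the earlier unprefixed form.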
  
Line 120: Line 58:
 /krbdata  192.168.1.10(rw,no_root_squash,sec=krb5) /krbdata  192.168.1.10(rw,no_root_squash,sec=krb5)
 </code> </code>
 +  * Other sec options
 +    * sys  -> No kerberos
 +    * krb5 -> Kerberos user authentication
 +    * krb5i -> Kerberos user authentication and integrity checking
 +    * krb5p -> Kerberos user authentication, integrity checking, and traffic encryption
  
 \\ \\
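Review bot: the export pairs `sec=krb5` with `no_root_squash`, and the new option list should make clear what that combination gives away. `krb5` authenticates the RPC caller only; by the list's own description, integrity and confidentiality of file data need `krb5i` or `krb5p`, so on anything but a trusted segment the export should be `sec=krb5p` (a colon-separated list such as `sec=krb5p:krb5i` lets the client pick the strongest flavour it supports, and the client's own `sec=` option must name one of the exported flavours). `no_root_squash` is a separate decision: with Kerberos, root on the client is authenticated with the client's machine credential from its keytab, so anyone who obtains /etc/krb5.keytab from 192.168.1.10 owns the export as root; drop it unless the share genuinely must be written as root. For `sys` it is worth spelling out that AUTH_SYS trusts whatever UID and GID the client asserts, which is the property the whole page exists to remove.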
Line 133: Line 76:
 exportfs -var exportfs -var
 </code> </code>
- 
-\\ 
-LinuxAcademy says a reboot is needed at this point for the client to work consistently. -> **TO INVESTIGATE** 
  
 ---- ----
  
-====== NFS Client: Kerberos ======+====== NFS Client ======
  
-Add NFS principal and re-generate keytab file+**On server1** (NFS Client/Kerberos Client) 
 + 
 +\\ 
 +Add NFS principal and add local copy of keytab file
 <code bash> <code bash>
 kadmin kadmin
  
-addprinc -randkey nfs/server1.example.com +kadmin: addprinc -randkey nfs/server1.example.com 
-ktadd nfs/server1.example.com+kadmin: ktadd nfs/server1.example.com 
 + 
 +kadmin: exit
 </code> </code>
-  * **NOTE:** You will most likely be provided a keytab file on the exam and will not need to do this part. (Instead, you will probably just need to copy the keytab file to the client from a source) 
-    * If that is the case, simply ensure that the file context is correct<code bash>restorecon -Rv /etc/krb5.keytab</code> 
  
 \\ \\
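Review bot: the removed "reboot is needed" line had a concrete answer that should go on the page instead of being deleted. rpc-gssd.service carries `ConditionPathExists=/etc/krb5.keytab`, so if nfs-client.target was started before `ktadd` created the keytab, rpc.gssd never came up and `sec=krb5` mounts fail until the target (or rpc-gssd.service directly) is restarted; that, not a reboot, is the fix, and `systemctl status rpc-gssd` is the check. The order used in this hunk, principal and keytab first and client services afterwards, is the right one. Keep the advice for a copied keytab that this hunk drops: `restorecon -Rv /etc/krb5.keytab` only matters when the file is scp'd in rather than written by kadmin, but that is exactly the case the old NOTE described.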
Line 156: Line 99:
 systemctl enable nfs-client.target systemctl enable nfs-client.target
 systemctl start nfs-client.target systemctl start nfs-client.target
 +
 +# If it was already running, restart it
 +systemctl restart nfs-client.target
 +</code>
 +
 +\\
 +Persistent mount
 +<code bash>vim /etc/fstab
 +
 +server2.example.com:/krbdata  /mnt  _netdev,nfs4  sec=krb5  0  0
 </code> </code>
  
 \\ \\
-Temporary mount+Mount the filesystem
 <code bash> <code bash>
-mount -t nfs4 -o sec=krb5 nfsserver.example.com:/krbdata /mnt/krbtest+mount -a
 </code> </code>
 +  * If you see this error message "mount.nfs: an incorrect mount option was specified" -> Ensure that you restarted the 'nfs-client.target' service.
  
 \\ \\
-Login as the kerberos/ldap user, initialize a kerberos ticket, and write a file+Login as kerberos user, initialize a kerberos ticket, and write a file
 <code bash> <code bash>
 su - rjones su - rjones
 kinit rjones kinit rjones
-touch /mnt/krbtest/testfile+echo "Hello krb world" > /mnt/krbtestfile
 </code> </code>
  
 ---- ----
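Review bot: the added fstab entry has its fields in the wrong order and will not mount. The third field is the filesystem type and the fourth is the option list, so `_netdev,nfs4  sec=krb5` makes mount look for a filesystem type named `_netdev,nfs4`; it has to read `server2.example.com:/krbdata  /mnt  nfs4  _netdev,sec=krb5  0  0`. The troubleshooting line is right that `mount.nfs: an incorrect mount option was specified` is what a `sec=krb5` mount reports when rpc.gssd is not running, but the reader needs `systemctl status rpc-gssd` to confirm that the restart of nfs-client.target actually brought it up. The final test only proves the happy path; a sentence noting that the same `echo` fails with permission denied before `kinit` (or after `kdestroy`) would show that the Kerberos check is live, and the write also presumes rjones has write permission on /krbdata on server2, which nothing on the page sets.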
  
  • linux_wiki/use_kerberos_to_control_access_to_nfs_network_shares.1523737642.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)