

Use Kerberos To Control Access To NFS Network Shares

General Information

Require Kerberos on an NFSv4 export. With the default sec=sys the server simply trusts the numeric UID/GID the client sends, so anyone who controls a client host can read or write as any user. With sec=krb5 (or krb5i/krb5p) the client host must hold an nfs/ service principal to mount the share at all, and each user must hold a valid Kerberos ticket before the server acts on that user's requests.


Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → NFS Client and Kerberos Client
  • server2.example.com (192.168.1.151) → NFS Server and Kerberos KDC

Pre-requisites


NFS Server: Initial Setup


NFS Client: Initial Setup

NFS Server


Create the NFS service principal for the server and store its key in the local keytab (ktadd writes to /etc/krb5.keytab by default; verify the entry with klist -k). The commands below are typed at the kadmin prompt.

kadmin
 
addprinc -randkey nfs/server2.example.com
ktadd nfs/server2.example.com


Add “sec=krb5” as an export option (the client address must be the NFS client from the lab setup, 192.168.1.150)

vim /etc/exports
 
/krbdata  192.168.1.150(rw,no_root_squash,sec=krb5)
  • Security flavours (sec=)
    • sys → No Kerberos: the server trusts the UID/GID the client sends
    • krb5 → Kerberos authentication of every RPC; the data itself travels unprotected
    • krb5i → Kerberos authentication plus integrity checking (a checksum over each RPC body, so tampering in transit is detected)
    • krb5p → Kerberos authentication, integrity checking, and encryption of the RPC body (privacy)
  • Several flavours may be offered, in order of preference, e.g. sec=krb5p:krb5i:krb5; do not list sys alongside them, or a client can fall back to unauthenticated access
  • no_root_squash is unrelated to Kerberos and not needed for this test; leave it out unless a client genuinely needs root-equivalent access to the export


Set the SELinux file context for the exported tree (the semanage rule is persistent; restorecon relabels the existing files to match it)

semanage fcontext -at nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata


Re-export all directories so the changed export options take effect (exportfs -v -a -r)

exportfs -var


LinuxAcademy.com says a reboot is needed at this point for the client to work consistently. The most likely reason is that the server-side GSS daemon (rpc.svcgssd via nfs-secure-server.service, or gssproxy on newer RHEL 7 builds) and nfs-server only pick up the nfs/ keytab entry just added when they are restarted; restarting those services should be enough, and a reboot is simply the blunt way of doing it.


NFS Client

Create the NFS service principal for the client host and store its key in the local keytab. rpc.gssd uses this machine credential to set up the GSS context for the mount itself; it grants no user any access, which still requires that user's own ticket.

kadmin
 
addprinc -randkey nfs/server1.example.com
ktadd nfs/server1.example.com


Enable the NFS client target; it pulls in the services an NFS mount needs, including the client GSS daemon (rpc.gssd) that presents the host's keytab to the server. The keytab from the previous step must already exist, because the GSS unit is conditioned on /etc/krb5.keytab being present.

systemctl enable nfs-client.target
systemctl start nfs-client.target


Temporary mount (sec=krb5 must be one of the flavours the export offers; otherwise the mount is refused rather than silently falling back to sys)

mount -t nfs4 -o sec=krb5 server2.example.com:/krbdata /mnt


Permanent mount

vim /etc/fstab
 
server2.example.com:/krbdata  /mnt  nfs4  sec=krb5  0  0


Log in as a Kerberos user, obtain a ticket, and write a file. rjones needs a principal in the KDC and a matching account name on both machines (NFSv4 id mapping works on names, so the UIDs need not be identical). Confirm the ticket with klist; without one the write fails with "Permission denied", which is exactly what sec=krb5 is meant to enforce.

su - rjones
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile
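As an added example (not part of the original page), a small shell audit for the two places where a sec=sys fallback tends to hide: audit_exports reads a file in exports(5) format on the server and flags any export that offers a non-Kerberos flavour (including the sys default when sec= is absent), a wildcard or empty client list, or no_root_squash; audit_nfs_mounts reads a file in /proc/mounts format on the client, where the kernel records the flavour actually negotiated, and flags NFS mounts that did not end up on krb5/krb5i/krb5p. The function names and the sample inputs are constructed for this example; it assumes the common one-line "/path client(opts)" export syntax with no leading "-options" lines or backslash continuations.

```shell
#!/bin/sh
# Added example, not from the wiki page. Audits the server's exports file and
# the client's /proc/mounts for NFS access that does not require Kerberos.
# Assumes the one-line "/path client(opts) client(opts)" exports syntax.

# sec_flavours OPTS -> value of sec= in a comma-separated option list, or
# "sys", the exports(5)/nfs(5) default when no sec= option is present
sec_flavours() {
    sec=sys
    for opt in $(printf '%s' "$1" | tr ',' ' '); do
        case $opt in sec=*) sec=${opt#sec=} ;; esac
    done
    printf '%s' "$sec"
}

# non_krb5_flavours FLAVOURS -> every colon-separated flavour that is not
# krb5, krb5i or krb5p, space separated (empty when all are Kerberos)
non_krb5_flavours() {
    bad=""
    for f in $(printf '%s' "$1" | tr ':' ' '); do
        case $f in krb5|krb5i|krb5p) ;; *) bad="$bad $f" ;; esac
    done
    printf '%s' "${bad# }"
}

# audit_exports FILE -> one finding per line; returns 1 if any, 0 if clean
audit_exports() {
    file=$1
    findings=0
    set -f                                   # client lists may contain '*'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # drop comments
        set -- $line                         # $1 = path, rest = client specs
        [ $# -eq 0 ] && continue             # blank line
        path=$1
        shift
        if [ $# -eq 0 ]; then
            echo "$path: no client list (every host, sec=sys)"
            findings=1
            continue
        fi
        for spec in "$@"; do
            host=${spec%%"("*}
            opts=""
            case $spec in *"("*")") opts=${spec#*"("}; opts=${opts%")"} ;; esac
            case $host in
                ''|\*) echo "$path $host: wildcard client list"; findings=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $host: no_root_squash"; findings=1 ;;
            esac
            for f in $(non_krb5_flavours "$(sec_flavours "$opts")"); do
                echo "$path $host: allows sec=$f"
                findings=1
            done
        done
    done < "$file"
    set +f
    return $findings
}

# audit_nfs_mounts FILE -> FILE is in /proc/mounts format; one finding per
# NFS mount whose negotiated flavour is not Kerberos; returns 1 if any
audit_nfs_mounts() {
    file=$1
    findings=0
    while read -r dev mnt fstype opts rest; do
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        for f in $(non_krb5_flavours "$(sec_flavours "$opts")"); do
            echo "$dev on $mnt: negotiated sec=$f"
            findings=1
        done
    done < "$file"
    return $findings
}

# On a live system: audit_exports /etc/exports on the server,
# audit_nfs_mounts /proc/mounts on the client.
```

The export check is the policy side (what the server is willing to offer); the mounts check is the observed side (what the kernel actually negotiated), and the second one is what catches a client that quietly mounted with sec=sys because the export listed it as a fallback.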

  • Last modified: 2019/05/25 23:50