Use Kerberos To Control Access To NFS Network Shares
General Information
Kerberos with NFS: the NFS server authenticates clients and users with Kerberos tickets instead of trusting the UID/GID the client asserts (the default AUTH_SYS behaviour of sec=sys).
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → NFS Client and Kerberos Client
- server2.example.com (192.168.1.151) → NFS Server and Kerberos KDC
Pre-requisites
- server1 → Kerberos Client
- server2 → Kerberos KDC
NFS Server: Initial Setup
- Call the exported directory: /krbdata
NFS Client: Initial Setup
NFS Server
Add the Kerberos NFS principal and store a local copy of its key in the keytab file
kadmin
kadmin: addprinc -randkey nfs/server2.example.com
kadmin: ktadd nfs/server2.example.com
kadmin: exit
Add "sec=krb5" as an export option (the client address is server1.example.com from the lab setup)
vim /etc/exports
/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)
- Other sec options (several flavors can be allowed at once, colon-separated, e.g. sec=krb5:krb5i:krb5p):
  - sys → no Kerberos (AUTH_SYS: the server trusts the UID/GID sent by the client)
  - krb5 → Kerberos user authentication
  - krb5i → Kerberos user authentication and integrity checking
  - krb5p → Kerberos user authentication, integrity checking, and traffic encryption
Ensure the proper SELinux file context
semanage fcontext -a -t nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
Re-export the directory to reflect the export option changes
exportfs -var
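Since an export with no sec= option defaults to sys, and a list such as sec=krb5:sys still lets clients fall back to AUTH_SYS, it is worth auditing /etc/exports after the change. The following script is an added example, not part of the original page: it parses /etc/exports-style text and reports every client entry that still permits the sys flavor. The sample exports content is constructed for this lab.

```sh
#!/bin/sh
# Added example (not from the original page): audit /etc/exports-style text
# for NFS exports that still allow the sys (AUTH_SYS) security flavor.
# With AUTH_SYS the server trusts the UID/GID the client asserts, so any
# client entry that lists sys, or lists no sec= option at all (sys is the
# default), is reported. The content below is a constructed sample.

SAMPLE_EXPORTS='# constructed sample /etc/exports
/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)
/public  192.168.1.0/24(ro,sec=sys)
/legacy  192.168.1.0/24(rw,no_root_squash)
/secure  192.168.1.150(rw,sec=krb5p) server1.example.com(ro,sec=krb5i)
'

# weak_exports [file]: print "<path> <client> <flavors>" for each client
# entry that permits the sys flavor. Reads stdin when no file is given.
weak_exports() {
    if [ -n "$1" ]; then
        cat -- "$1"
    else
        cat
    fi | awk '
        /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                entry = $i
                client = entry
                opts = ""
                # split "client(opt,opt,...)" into client and option list
                if (match(entry, /\(.*\)$/)) {
                    client = substr(entry, 1, RSTART - 1)
                    opts = substr(entry, RSTART + 1, RLENGTH - 2)
                }
                flavors = "sys"                  # default when sec= is absent
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] ~ /^sec=/) flavors = substr(o[j], 5)
                # flavors are colon-separated, e.g. krb5:krb5i:sys
                if ((":" flavors ":") ~ /:sys:/)
                    print path, client, flavors
            }
        }'
}

# count_weak_exports [file]: number of weak client entries found.
count_weak_exports() {
    weak_exports "$@" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a real server use
# "weak_exports /etc/exports" after editing the file.
printf '%s' "$SAMPLE_EXPORTS" | weak_exports
```

For the constructed sample the script reports /public (explicit sec=sys) and /legacy (no sec= option, so sys by default); /krbdata and /secure pass.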
LinuxAcademy.com says a reboot is needed at this point for the client to work consistently. → TO INVESTIGATE
NFS Client
Add the NFS principal and store a local copy of its key in the keytab file
kadmin
kadmin: addprinc -randkey nfs/server1.example.com
kadmin: ktadd nfs/server1.example.com
kadmin: exit
Enable the NFS client target (it starts the services needed for NFS mounts and Kerberos authentication, such as rpc.gssd, which needs the keytab created above)
systemctl enable nfs-client.target
systemctl start nfs-client.target
Temporary mount
mount -t nfs4 -o sec=krb5 server2.example.com:/krbdata /mnt
Permanent mount
vim /etc/fstab
server2.example.com:/krbdata /mnt nfs4 sec=krb5 0 0
Log in as a Kerberos user, obtain a Kerberos ticket, and write a file
su - rjones
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile
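A successful write does not by itself prove the mount is using Kerberos; the mount table shows which security flavor was actually negotiated. The following script is an added example, not part of the original page: it reads mount records in /proc/mounts format and checks that the NFS mount at a given mount point uses krb5, krb5i or krb5p rather than sys. The mount table lines are constructed for this lab, not captured output.

```sh
#!/bin/sh
# Added example (not from the original page): confirm that an NFS mount was
# negotiated with a Kerberos security flavor by reading the mount table in
# /proc/mounts format. A mount that ended up with sec=sys still appears to
# work, but the server then trusts client-asserted UIDs. The lines below
# are a constructed mount table for the lab, not captured output.

SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0
server2.example.com:/krbdata /mnt nfs4 rw,relatime,vers=4.1,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.150,local_lock=none,addr=192.168.1.151 0 0
server2.example.com:/public /srv/public nfs4 rw,relatime,vers=4.1,hard,proto=tcp,sec=sys,clientaddr=192.168.1.150,addr=192.168.1.151 0 0
'

# mount_sec_flavor <mountpoint>: print the sec= flavor of the NFS mount at
# <mountpoint>, reading /proc/mounts-format records from stdin. Prints
# "none" when the mount point is not an NFS mount in the table.
mount_sec_flavor() {
    awk -v mp="$1" '
        $2 == mp && $3 ~ /^nfs/ {
            n = split($4, o, ",")               # mount options field
            for (i = 1; i <= n; i++)
                if (o[i] ~ /^sec=/) { print substr(o[i], 5); found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# require_krb_mount <mountpoint>: return 0 only if the mount uses a Kerberos
# flavor (krb5, krb5i or krb5p); non-zero for sys, missing or unknown.
require_krb_mount() {
    case "$(mount_sec_flavor "$1")" in
        krb5|krb5i|krb5p) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run over the constructed table; on the real client feed it
# /proc/mounts instead: require_krb_mount /mnt < /proc/mounts
for mp in /mnt /srv/public /; do
    if printf '%s' "$SAMPLE_MOUNTS" | require_krb_mount "$mp"; then
        echo "$mp: Kerberos-protected"
    else
        flavor=$(printf '%s' "$SAMPLE_MOUNTS" | mount_sec_flavor "$mp")
        echo "$mp: NOT Kerberos-protected (flavor: $flavor)"
    fi
done
```

Run against the constructed table, /mnt is reported as Kerberos-protected (krb5), /srv/public is flagged (sys), and / is reported as "none" because it is not an NFS mount.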