Use Kerberos To Control Access To NFS Network Shares
General Information
This page shows how to use Kerberos to authenticate access to an NFSv4 export, using the two lab hosts described below.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → NFS Client and Kerberos Client
- server2.example.com (192.168.1.151) → NFS Server and Kerberos KDC
Pre-requisites
- server1 → Kerberos Client
- server2 → Kerberos KDC
NFS Server: Initial Setup
- Call the exported directory: /krbdata
NFS Client: Initial Setup
NFS Server
On server2 (NFS Server/KDC).
Add the Kerberos NFS principal and store a local copy of its key in the keytab file
kadmin
kadmin:  addprinc -randkey nfs/server2.example.com
kadmin:  ktadd nfs/server2.example.com
kadmin:  exit
Add “sec=krb5” as an export option
vim /etc/exports
# client address of server1 as given in the lab setup above
/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)
- Other sec options
- sys → No kerberos
- krb5 → Kerberos user authentication
- krb5i → Kerberos user authentication and integrity checking
- krb5p → Kerberos user authentication, integrity checking, and traffic encryption
Ensure proper SELinux file context
semanage fcontext -at nfs_t "/krbdata(/.*)?"
restorecon -Rv /krbdata
Re-export the directory to reflect the export option changes
exportfs -var
NFS Client
On server1 (NFS Client/Kerberos Client)
Add the NFS principal for the client and store a local copy of its key in the keytab file
kadmin
kadmin:  addprinc -randkey nfs/server1.example.com
kadmin:  ktadd nfs/server1.example.com
kadmin:  exit
Enable the NFS client target (it starts the services needed for NFS mounts and Kerberos authentication)
systemctl enable nfs-client.target
systemctl start nfs-client.target
# If it was already running, restart it
systemctl restart nfs-client.target
Temporary mount
mount -t nfs4 -o sec=krb5 server2.example.com:/krbdata /mnt
Permanent mount
vim /etc/fstab
server2.example.com:/krbdata /mnt nfs4 sec=krb5 0 0
Mount the filesystem
mount -a
- If you see the error message “mount.nfs: an incorrect mount option was specified”, make sure you restarted nfs-client.target.
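The sec= flavour decides whether an export is actually protected: an export with no sec= option, or one listing sys among its flavours, accepts unauthenticated clients, and a stray space before the parenthesis in /etc/exports applies the options to every host. The following shell script is an added example, not part of the original page, that audits an /etc/exports body for non-Kerberos flavours and reads the negotiated flavour of a mount from /proc/mounts-style lines. The sample exports and mounts text embedded in it are constructed for the demonstration; on a real host you would feed it the output of cat /etc/exports and cat /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit NFS export flavours and
# check which security flavour an active NFS mount negotiated.

# Constructed sample of an /etc/exports file (not the page's real file).
# The "/legacy" line shows the classic mistake: a space before "(rw)"
# exports the directory to every host with those options.
SAMPLE_EXPORTS='/krbdata 192.168.1.150(rw,no_root_squash,sec=krb5)
/secure 192.168.1.150(rw,sec=krb5p:krb5i)
/pub *(ro,sec=sys)
/legacy 192.168.1.0/24 (rw)
# comment lines and blank lines are ignored

/mixed 192.168.1.150(rw,sec=krb5:sys)'

# Constructed sample of /proc/mounts lines on the NFS client.
SAMPLE_MOUNTS='server2.example.com:/krbdata /mnt nfs4 rw,relatime,vers=4.0,sec=krb5,clientaddr=192.168.1.150,addr=192.168.1.151 0 0
server2.example.com:/pub /pub nfs4 rw,relatime,vers=4.0,sec=sys,addr=192.168.1.151 0 0
/dev/sda1 / xfs rw,relatime 0 0'

# weak_exports EXPORTS_TEXT
# Prints "<path> <client> <flavour>" for every export/client pair whose
# flavour list contains anything other than krb5, krb5i or krb5p.
# An export without sec= defaults to sys, i.e. no Kerberos at all.
weak_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }              # skip comments
        NF == 0 { next }                       # skip blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"   # "(opts)" alone means all hosts
                flavour = "sys"                  # default when no sec= is given
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] ~ /^sec=/) flavour = substr(o[j], 5)
                weak = 0
                m = split(flavour, f, ":")       # sec= may list several flavours
                for (k = 1; k <= m; k++)
                    if (f[k] !~ /^krb5/) weak = 1
                if (weak) print path, client, flavour
            }
        }'
}

# mount_flavour MOUNTPOINT MOUNTS_TEXT
# Prints the sec= flavour recorded for an NFS mount, or "none" when the
# mount point is not an NFS mount in the given text.
mount_flavour() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp && $3 ~ /^nfs/ {
            n = split($4, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) { print substr(o[j], 5); found = 1 }
        }
        END { if (!found) print "none" }'
}

echo "Exports without full Kerberos protection:"
weak_exports "$SAMPLE_EXPORTS"
echo "Flavour negotiated for /mnt: $(mount_flavour /mnt "$SAMPLE_MOUNTS")"
```

Run against the sample data the audit lists /pub, both halves of the misconfigured /legacy line, and /mixed (which still admits sys), while /krbdata and /secure pass; the mount check reports krb5 for /mnt, matching the sec=krb5 requested in /etc/fstab. Only a krb5p flavour also encrypts the NFS traffic, so a mount that negotiated plain krb5 authenticates the user but still sends file contents in the clear.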
Log in as a Kerberos user, obtain a Kerberos ticket, and write a file
su - rjones
kinit rjones
echo "Hello krb world" > /mnt/krbtestfile