How To Set up NFS Server with Kerberos-based Authentication

To set up NFS Server with Kerberos-based Authentication for Linux Clients

Kerberos is a network authentication protocol in which a trusted Key Distribution Center (KDC) issues time-limited "tickets". A client proves its identity to the KDC once, receives a ticket-granting ticket, and then obtains service tickets that let it authenticate to servers such as NFS or SSH without sending a password across the network; every ticket is valid only until its configured lifetime expires. The steps below set up a KDC, an NFS server that exports a share protected by Kerberos, and a Linux client that mounts it.

Prerequisites

Kerberos requires that all hosts have their clocks synchronised (via an NTP server; the KDC rejects requests whose timestamps differ by more than the permitted clock skew, 5 minutes by default) and that hostnames resolve consistently, forward and reverse, through DNS. In this setup we use three Linux machines (CentOS 7) as follows:

Host IP         Hostname             Role
192.168.7.235   kbserver.kdc.com     Kerberos KDC
192.168.7.236   nfsserver.kdc.com    NFS server
192.168.7.15    nfsclient.kdc.com    NFS client

Instead of setting up DNS, the same three entries can be placed in /etc/hosts on every machine. Kerberos service principals are built from the fully qualified hostname, so each host must resolve its own name to the FQDN used here.

To Configure Kerberos Server

Now install the following packages on the first machine to configure the Kerberos server (krb5-server provides the KDC and kadmind, krb5-workstation the client tools such as kinit and kadmin).

[root@kbserver ~]# yum install krb5-server krb5-workstation pam_krb5 -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.mirror.net.in
 * extras: mirrors.vonline.vn
 * updates: mirrors.vonline.vn
Resolving Dependencies
-->  Running transaction check
--->  Package krb5-server.x86_64 0:1.13.2-12.el7_2 will be installed
.
.
.
workstation.x86_64 0:1.13.2-12.el7_2           pam_krb5.x86_64 0:2.4.8-4.el7          

Dependency Installed:
  libverto-tevent.x86_64 0:0.2.5-4.el7                                                                                                      

Dependency Updated:
  krb5-libs.x86_64 0:1.13.2-12.el7_2                                                                                                        

Complete!

Edit /var/kerberos/krb5kdc/kdc.conf and replace EXAMPLE.COM under the [realms] section with your realm, KDC.COM in this case. Add the line "default_principal_flags = +preauth" below the master_key_type line so that every principal requires pre-authentication (without it the KDC hands an AS-REP encrypted with the user's password-derived key to anyone who asks, which is exactly what offline password guessing needs). The supported_enctypes line shown is the stock CentOS 7 default; the single-DES and arcfour-hmac (RC4) entries exist only for legacy clients and should be removed unless you need them.

[root@kbserver ~]# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 KDC.COM = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
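As an added example (this example's own shell code, not from the original article), the following POSIX shell script audits the supported_enctypes line of a kdc.conf and prints a copy with the DES, triple-DES and RC4 types that RFC 6649 and RFC 8429 deprecate removed. The kdc.conf text is a constructed sample mirroring the listing above, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit the supported_enctypes
# line of an MIT krb5 kdc.conf and emit a hardened copy that drops the
# deprecated single-DES, triple-DES (des3-*) and RC4 (arcfour-hmac*) types.
# Needs only POSIX sh, sed, tr, grep and awk; no KDC has to be running.

# Constructed sample mirroring the article's kdc.conf (assumed input).
SAMPLE_KDC_CONF='[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 KDC.COM = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }'

# Enctypes that should no longer be offered (RFC 6649 for DES, RFC 8429 for 3DES and RC4).
WEAK_ENCTYPE_RE='^(des|arcfour-hmac)'

# list_enctypes CONF: print each enctype of the supported_enctypes line, one per
# line, with its ":salt" suffix stripped.
list_enctypes() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' \
        | tr ' ' '\n' | sed 's/:.*$//' | grep -v '^$'
}

# weak_enctypes CONF: print the deprecated enctypes found, space separated.
weak_enctypes() {
    list_enctypes "$1" | grep -E "$WEAK_ENCTYPE_RE" | tr '\n' ' ' | sed 's/ $//'
}

# harden_kdc_conf CONF: print CONF with the weak enctypes removed from
# supported_enctypes; every other line is passed through unchanged.
harden_kdc_conf() {
    printf '%s\n' "$1" | awk -v weak="$WEAK_ENCTYPE_RE" '
        /^[[:space:]]*supported_enctypes[[:space:]]*=/ {
            match($0, /^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*/)
            prefix = substr($0, 1, RLENGTH)
            n = split(substr($0, RLENGTH + 1), tok, /[[:space:]]+/)
            out = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] == "" || tok[i] ~ weak) continue
                out = out (out == "" ? "" : " ") tok[i]
            }
            print prefix out
            next
        }
        { print }'
}

# Demo run against the constructed sample. For a live KDC use
#   harden_kdc_conf "$(cat /var/kerberos/krb5kdc/kdc.conf)"
# and restart krb5kdc after replacing the file.
printf 'Deprecated enctypes offered: %s\n' "$(weak_enctypes "$SAMPLE_KDC_CONF")"
harden_kdc_conf "$SAMPLE_KDC_CONF" | grep supported_enctypes
```

supported_enctypes only governs the key types generated for new or re-keyed principals; existing principals keep their old keys until they are re-keyed (cpw -randkey in kadmin), after which the keytabs on each host must be refreshed with ktadd.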

Now edit /etc/krb5.conf, set the realm and KDC hostname as we did in the previous file, and uncomment the commented-out lines in the [realms] and [domain_realm] sections so that the file reads as follows.

[root@kbserver ~]# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = KDC.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 KDC.COM = {
  kdc = kbserver.kdc.com
  admin_server = kbserver.kdc.com
 }

[domain_realm]
 .kdc.com = KDC.COM
 kdc.com = KDC.COM

Finally, edit /var/kerberos/krb5kdc/kadm5.acl and replace EXAMPLE.COM with KDC.COM. This rule grants every principal with an /admin instance full rights over the Kerberos database, so create such principals only for administrators.

[root@kbserver ~]# vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@KDC.COM    *

Create the Kerberos database and set its master password. The -s flag writes a stash file (/var/kerberos/krb5kdc/.k5.KDC.COM) so the KDC can start without prompting for the master key; that file is equivalent to the master key and must stay readable by root only.

[root@kbserver ~]# kdb5_util create -s -r KDC.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'KDC.COM',
master key name 'K/M@KDC.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

Start and enable the Kerberos services.

[root@kbserver ~]# systemctl start krb5kdc kadmin
[root@kbserver ~]# systemctl enable krb5kdc kadmin
ln -s '/usr/lib/systemd/system/krb5kdc.service' '/etc/systemd/system/multi-user.target.wants/krb5kdc.service'
ln -s '/usr/lib/systemd/system/kadmin.service' '/etc/systemd/system/multi-user.target.wants/kadmin.service'

Now run the Kerberos administration tool on the KDC. Here we create an administrative principal, root/admin (which matches the */admin rule in kadm5.acl), and a user principal for "user1" as follows.

[root@kbserver ~]# kadmin.local 
Authenticating as principal root/admin@KDC.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@KDC.COM  defaulting to no policy
Enter password for principal "root/admin@KDC.COM": 
Re-enter password for principal "root/admin@KDC.COM": 
Principal "root/admin@KDC.COM" created.
kadmin.local:  addprinc user1
WARNING: no policy specified for user1@KDC.COM  defaulting to no policy
Enter password for principal "user1@KDC.COM": 
Re-enter password for principal "user1@KDC.COM": 
Principal "user1@KDC.COM" created.

Add a host principal for the Kerberos server itself and write its key to the host keytab, /etc/krb5.keytab. The host/ principal is what sshd uses to accept GSSAPI logins; -randkey gives it a random key instead of a password. When finished, type "quit" to exit.

kadmin.local:  addprinc -randkey host/kbserver.kdc.com
WARNING: no policy specified for host/kbserver.kdc.com@KDC.COM  defaulting to no policy
Principal "host/kbserver.kdc.com@KDC.COM" created.
kadmin.local:  ktadd host/kbserver.kdc.com
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  quit

Two GSSAPI options are needed for the SSH test later on. /etc/ssh/ssh_config is the SSH client configuration; set the following two lines to "yes" there, uncommenting them if necessary. The server side, /etc/ssh/sshd_config, already ships with GSSAPIAuthentication yes on CentOS 7; if you change it, reload sshd as shown below. GSSAPIDelegateCredentials forwards your ticket-granting ticket to the remote host, which is convenient but gives that host a usable copy of your credentials, so enable it only towards hosts you trust.

[root@kbserver ~]# vim /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Reload sshd (only needed if you changed sshd_config) and configure the PAM component so that local logins can authenticate against Kerberos.

[root@kbserver ~]# systemctl reload sshd
[root@kbserver ~]# authconfig --enablekrb5 --update

Open the Kerberos port in the firewall. firewalld on CentOS 7 already ships a service definition for it, /usr/lib/firewalld/services/kerberos.xml, covering the KDC port 88 over TCP and UDP; a copy under /etc/firewalld/services/ is only needed if you want to modify it.

[root@kbserver ~]# cat /usr/lib/firewalld/services/kerberos.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos</short>
  <description>Kerberos network authentication protocol server</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>

Then allow the Kerberos service in the firewall. Note that this opens only port 88. The kadmin sessions run later from the NFS server and client connect to kadmind on 749/tcp (and kpasswd uses 464), so either open those as well, for example with firewall-cmd --permanent --add-port=749/tcp, or run those steps with kadmin.local on the KDC instead.

[root@kbserver ~]# firewall-cmd --permanent --add-service=kerberos
success
[root@kbserver ~]# firewall-cmd --reload 
success

The Kerberos server (kbserver.kdc.com) is now configured. To verify it, switch to the user1 account (the local Linux account must exist; Kerberos authenticates the principal but does not create the account) and request a ticket with the commands below.

[root@kbserver ~]# su - user1
[user1@kbserver ~]$ kinit
Password for user1@KDC.COM: 
[user1@kbserver ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@KDC.COM

Valid starting       Expires              Service principal
06/13/2016 18:30:24  06/14/2016 18:30:23  krbtgt/KDC.COM@KDC.COM

To Configure NFS Server for Kerberos

Install the file-server package group on the NFS server; it contains nfs-utils together with Samba packages that are not needed here.

[root@nfsserver ~]# yum groupinstall file-server -y
Loaded plugins: fastestmirror, langpacks
There is no installed groups file.
Maybe run: yum groups mark convert (see man yum)
Loading mirror speeds from cached hostfile
 * base: mirror.nbrc.ac.in
 * extras: mirror.nbrc.ac.in
.
.
.
libtevent.x86_64 0:0.9.26-1.el7_2.1                               
  libwbclient.x86_64 0:4.2.10-6.el7_2                                     lvm2.x86_64 7:2.02.130-5.el7_2.2                                  
  lvm2-libs.x86_64 7:2.02.130-5.el7_2.2                                   pytalloc.x86_64 0:2.1.5-1.el7_2                                   
  samba-common.noarch 0:4.2.10-6.el7_2                                    samba-libs.x86_64 0:4.2.10-6.el7_2                                

Complete!

Create a directory for the NFS share and set its permissions. 0777 keeps the demo simple but lets every authenticated user write and delete anything in it; in a real deployment prefer group ownership with mode 2770, or at least 1777 (sticky bit) so users cannot remove each other's files.

[root@nfsserver ~]# mkdir /kerberos
[root@nfsserver ~]# chmod 0777 /kerberos/

To label the new directory for SELinux we need the semanage command, which is provided by policycoreutils-python; installing setroubleshoot-server pulls it in as a dependency.

[root@nfsserver ~]# yum install setroubleshoot-server -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.nbrc.ac.in
 * extras: mirror.nbrc.ac.in
 * updates: mirror.nbrc.ac.in
Resolving Dependencies
-->  Running transaction check
--->  Package setroubleshoot-server.x86_64 0:3.2.17-2.el7 will be updated
.
.
.
Updated:
  setroubleshoot-server.x86_64 0:3.2.24-1.1.el7                                                                                             

Dependency Updated:
  setroubleshoot.x86_64 0:3.2.24-1.1.el7                                                                                                    

Complete!

[root@nfsserver ~]# semanage fcontext -a -t public_content_rw_t "/kerberos(/.*)?"
[root@nfsserver ~]# restorecon -R /kerberos/

Set the SELinux booleans: nfs_export_all_rw and nfs_export_all_ro let nfsd export files regardless of their label, and use_nfs_home_dirs is only required if home directories will be served over NFS.

[root@nfsserver ~]# setsebool -P nfs_export_all_rw on
[root@nfsserver ~]# setsebool -P nfs_export_all_ro on
[root@nfsserver ~]# setsebool -P use_nfs_home_dirs on

Export the share in /etc/exports as follows. sec=krb5p requires Kerberos authentication with both integrity and privacy (encryption) on the wire; krb5i provides integrity only and plain krb5 authentication only. no_root_squash lets a client process running as UID 0 act as root on the export; it is kept here because the original setup used it, but drop it unless a client genuinely needs root access to the share.

[root@nfsserver ~]# vim /etc/exports
/kerberos    nfsclient.kdc.com(rw,sync,no_root_squash,sec=krb5p)
[root@nfsserver ~]# exportfs -arv
exporting nfsclient.kdc.com:/kerberos

Permanently allow the NFS-related services in the firewall (nfs opens 2049; rpc-bind and mountd are needed for NFSv3 clients and for showmount).

[root@nfsserver ~]# firewall-cmd --permanent --add-service=nfs
success
[root@nfsserver ~]# firewall-cmd --permanent --add-service=rpc-bind 
success
[root@nfsserver ~]# firewall-cmd --permanent --add-service=mountd 
success
[root@nfsserver ~]# firewall-cmd --reload
success

Start and enable rpcbind and the NFS server.

[root@nfsserver ~]# systemctl start rpcbind nfs-server
[root@nfsserver ~]# systemctl enable rpcbind nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'

To verify the exported shares:

[root@nfsserver ~]# showmount -e localhost

Export list for localhost:
/kerberos nfsclient.kdc.com

Install the Kerberos client packages on the NFS server.

[root@nfsserver ~]# yum install krb5-workstation pam_krb5 -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.nbrc.ac.in
 * extras: mirror.nbrc.ac.in
 * updates: mirror.nbrc.ac.in
Resolving Dependencies
-->  Running transaction check
--->  Package krb5-workstation.x86_64 0:1.13.2-12.el7_2 will be installed
.
.
.
Installed:
  krb5-workstation.x86_64 0:1.13.2-12.el7_2                                  pam_krb5.x86_64 0:2.4.8-4.el7                                 

Complete!

The NFS server needs the same /etc/krb5.conf as the Kerberos server, so copy it across. Before answering yes to the host key prompt, compare the fingerprint with the one printed on kbserver by ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub; accepting an unverified key is how a man-in-the-middle gets to read the root password typed here.

[root@nfsserver ~]# scp root@kbserver.kdc.com:/etc/krb5.conf /etc/krb5.conf 
The authenticity of host 'kbserver.kdc.com (192.168.7.235)' can't be established.
ECDSA key fingerprint is 03:b1:88:9e:3d:c6:eb:fe:38:6c:3f:90:06:51:4b:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kbserver.kdc.com,192.168.7.235' (ECDSA) to the list of known hosts.
root@kbserver.kdc.com's password: 
krb5.conf                                                                                                 100%  458     0.5KB/s   00:00

Using kadmin, which connects to kadmind on the KDC and authenticates as root/admin, create a host principal for the NFS server and write its key into the local /etc/krb5.keytab.

[root@nfsserver ~]# kadmin 
Authenticating as principal root/admin@KDC.COM with password.
Password for root/admin@KDC.COM: 
kadmin:  addprinc -randkey host/nfsserver.kdc.com
WARNING: no policy specified for host/nfsserver.kdc.com@KDC.COM  defaulting to no policy
Principal "host/nfsserver.kdc.com@KDC.COM" created.
kadmin:  ktadd host/nfsserver.kdc.com
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin:  quit

Edit the SSH client configuration as we did on the Kerberos server.

[root@nfsserver ~]# vim /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Now reload the sshd configuration and configure the PAM component.

[root@nfsserver ~]# systemctl reload sshd
[root@nfsserver ~]# authconfig --enablekrb5 --update

To verify the configuration, switch to the user1 account and run the commands below.

[root@nfsserver ~]# su - user1
[user1@nfsserver ~]$ kinit
Password for user1@KDC.COM: 
[user1@nfsserver ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@KDC.COM

Valid starting       Expires              Service principal
06/13/2016 19:03:10  06/14/2016 19:03:08  krbtgt/KDC.COM@KDC.COM

Now try an SSH connection to the Kerberos server: with a valid ticket it should log you in without asking for a password. If it still prompts, run ssh -v and check that GSSAPI authentication is attempted, that the clocks are in sync, and that host/kbserver.kdc.com exists in the server's keytab.

[user1@nfsserver ~]$ ssh kbserver.kdc.com
The authenticity of host 'kbserver.kdc.com (192.168.7.235)' can't be established.
ECDSA key fingerprint is 03:b1:88:9e:3d:c6:eb:fe:38:6c:3f:90:06:51:4b:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kbserver.kdc.com,192.168.7.235' (ECDSA) to the list of known hosts.
Last login: Mon Jun 13 18:30:14 2016
[user1@kbserver ~]$ exit
logout
Connection to kbserver.kdc.com closed.
[user1@nfsserver ~]$ exit

Now create the NFS service principal, nfs/nfsserver.kdc.com. This is the identity the NFS server presents to clients, and the hostname must match the FQDN clients use when mounting:

[root@nfsserver ~]# kadmin
Authenticating as principal root/admin@KDC.COM with password.
Password for root/admin@KDC.COM: 
kadmin:  addprinc -randkey nfs/nfsserver.kdc.com
WARNING: no policy specified for nfs/nfsserver.kdc.com@KDC.COM  defaulting to no policy
Principal "nfs/nfsserver.kdc.com@KDC.COM" created.

Write its key to the keytab. This nfs/ entry is what the NFS server uses to decrypt the clients' service tickets, so /etc/krb5.keytab is a long-term secret and must stay readable by root only.

kadmin:  ktadd nfs/nfsserver.kdc.com
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin:  quit

That completes the NFS server configuration. Restart the NFS server and start the secure (GSS) service, which runs rpc.svcgssd with the new keytab. On later nfs-utils releases the separate nfs-secure-server unit no longer exists; the GSS helper is started automatically when /etc/krb5.keytab is present, so restarting nfs-server is sufficient there.

[root@nfsserver ~]# systemctl restart nfs-server
[root@nfsserver ~]# systemctl restart nfs-secure-server
[root@nfsserver ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
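As an added example (this example's own shell code, not the article's), the script below checks a keytab listing for what an NFS host must have: a host/ and an nfs/ principal for its FQDN, the key version number (which must match the KDC's, or tickets are rejected with a "Key version number for principal in key table is incorrect" error), and any entries using deprecated key types. It parses the text of klist -kte, so the constructed sample below stands in for the real keytab; the same check applies to the client keytab created later in the page. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: check a keytab listing for the
# principals an NFS host needs and for deprecated key types. It parses the text
# printed by "klist -kte", so it runs on a saved listing with no Kerberos tools.

# Constructed sample in the layout of "klist -kte /etc/krb5.keytab" on the NFS
# server. The timestamp format varies between klist versions, so the parser
# locates fields by content rather than by column. The kvno 3 entries model a
# second "ktadd nfs/..." run, which re-keys the principal on the KDC.
SAMPLE_KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/13/2016 18:55:01 host/nfsserver.kdc.com@KDC.COM (aes256-cts-hmac-sha1-96)
   2 06/13/2016 18:55:01 host/nfsserver.kdc.com@KDC.COM (aes128-cts-hmac-sha1-96)
   2 06/13/2016 18:55:01 host/nfsserver.kdc.com@KDC.COM (arcfour-hmac)
   2 06/13/2016 18:55:01 host/nfsserver.kdc.com@KDC.COM (des-cbc-md5)
   2 06/13/2016 19:21:40 nfs/nfsserver.kdc.com@KDC.COM (aes256-cts-hmac-sha1-96)
   2 06/13/2016 19:21:40 nfs/nfsserver.kdc.com@KDC.COM (aes128-cts-hmac-sha1-96)
   3 06/13/2016 19:25:02 nfs/nfsserver.kdc.com@KDC.COM (aes256-cts-hmac-sha1-96)
   3 06/13/2016 19:25:02 nfs/nfsserver.kdc.com@KDC.COM (des3-cbc-sha1)'

# keytab_entries LISTING: print "KVNO PRINCIPAL ENCTYPE" for each keytab slot.
keytab_entries() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {
            princ = ""; enc = "?"
            for (i = 2; i <= NF; i++) if ($i ~ /@/) { princ = $i; break }
            if ($NF ~ /^\(.*\)$/) { enc = $NF; gsub(/[()]/, "", enc) }
            if (princ != "") print $1, princ, enc
        }'
}

# keytab_has_principal LISTING PRINCIPAL: succeed if PRINCIPAL has a key.
keytab_has_principal() {
    keytab_entries "$1" | awk -v p="$2" 'BEGIN { f = 0 } $2 == p { f = 1 } END { exit !f }'
}

# keytab_kvno LISTING PRINCIPAL: print the highest key version stored for
# PRINCIPAL (0 if absent). It must equal the kvno shown by "getprinc" in kadmin.
keytab_kvno() {
    keytab_entries "$1" | awk -v p="$2" '
        BEGIN { m = 0 }
        $2 == p && $1 + 0 > m { m = $1 + 0 }
        END { print m }'
}

# missing_nfs_principals LISTING FQDN REALM: print the host/ and nfs/ principals
# an NFS server or client needs that are absent from the keytab.
missing_nfs_principals() {
    for svc in host nfs; do
        p="$svc/$2@$3"
        keytab_has_principal "$1" "$p" || printf '%s\n' "$p"
    done
}

# keytab_weak_entries LISTING: print entries keyed with DES, 3DES or RC4.
keytab_weak_entries() {
    keytab_entries "$1" | awk '$3 ~ /^(des|arcfour)/'
}

# Demo on the constructed sample. On a real host run, for example:
#   missing_nfs_principals "$(klist -kte /etc/krb5.keytab)" "$(hostname -f)" KDC.COM
printf 'nfs/ key version: %s\n' "$(keytab_kvno "$SAMPLE_KLIST_K" nfs/nfsserver.kdc.com@KDC.COM)"
keytab_weak_entries "$SAMPLE_KLIST_K"
```

Old key versions left in the keytab by repeated ktadd runs are harmless, but the highest one must match the KDC; if another host later runs ktadd for the same principal, this host's copy becomes stale and its services stop accepting tickets.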

To Configure NFS Client for Kerberos

Install the client package needed to mount the NFS share from the NFS server.

[root@nfsclient ~]# yum install nfs-utils -y
Loaded plugins: fastestmirror, langpacks
adobe-linux                                                                                                          |  951 B  00:00:00     
base                                                                                                                 | 3.6 kB  00:00:00     
extras                                                                                                               | 3.4 kB  00:00:00     
updates                                                                                                              | 3.4 kB  00:00:00     
updates/7/x86_64/primary_db                                                                                          | 4.9 MB  00:00:30     
Loading mirror speeds from cached hostfile
 * base: mirror.nbrc.ac.in
 * extras: mirror.nbrc.ac.in
 * updates: mirror.nbrc.ac.in
Resolving Dependencies
-->  Running transaction check
--->  Package nfs-utils.x86_64 1:1.3.0-0.el7 will be updated
.
.
.                               
Complete!

Install the Kerberos client packages on the NFS client machine.

[root@nfsclient ~]# yum install krb5-workstation pam_krb5 -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.nbrc.ac.in
 * extras: mirror.nbrc.ac.in
 * updates: mirror.nbrc.ac.in
Resolving Dependencies
-->  Running transaction check
--->  Package krb5-workstation.x86_64 0:1.13.2-12.el7_2 will be installed
.
.
.
Installed:
  krb5-workstation.x86_64 0:1.13.2-12.el7_2                                  pam_krb5.x86_64 0:2.4.8-4.el7                                 

Dependency Updated:
  krb5-libs.x86_64 0:1.13.2-12.el7_2                                                                                                        

Complete!

Now copy /etc/krb5.conf from the Kerberos server, again checking the host key fingerprint before accepting it.

[root@nfsclient ~]# scp root@kbserver.kdc.com:/etc/krb5.conf /etc/krb5.conf 
The authenticity of host 'kbserver.kdc.com (192.168.7.235)' can't be established.
ECDSA key fingerprint is 03:b1:88:9e:3d:c6:eb:fe:38:6c:3f:90:06:51:4b:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kbserver.kdc.com,192.168.7.235' (ECDSA) to the list of known hosts.
root@kbserver.kdc.com's password: 
krb5.conf                                                                                                 100%  458     0.5KB/s   00:00

Add a host principal and keytab entry for the NFS client machine using kadmin.

[root@nfsclient ~]# kadmin 
Authenticating as principal root/admin@KDC.COM with password.
Password for root/admin@KDC.COM: 
kadmin:  addprinc -randkey host/nfsclient.kdc.com
WARNING: no policy specified for host/nfsclient.kdc.com@KDC.COM  defaulting to no policy
Principal "host/nfsclient.kdc.com@KDC.COM" created.
kadmin:  ktadd host/nfsclient.kdc.com
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin:  quit

Edit the SSH client configuration as before.

[root@nfsclient ~]# vim /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload sshd and configure the PAM component.

[root@nfsclient ~]# systemctl reload sshd
[root@nfsclient ~]# authconfig --enablekrb5 --update

Test the configuration from the user1 account.

[root@nfsclient ~]# su - user1
[user1@nfsclient ~]$ kinit
Password for user1@KDC.COM: 
[user1@nfsclient ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@KDC.COM

Valid starting       Expires              Service principal
06/13/2016 19:17:01  06/14/2016 19:16:59  krbtgt/KDC.COM@KDC.COM

Try to log in to the Kerberos server via SSH; it should not ask for a password.

[user1@nfsclient ~]$ ssh kbserver.kdc.com
The authenticity of host 'kbserver.kdc.com (192.168.7.235)' can't be established.
ECDSA key fingerprint is 03:b1:88:9e:3d:c6:eb:fe:38:6c:3f:90:06:51:4b:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kbserver.kdc.com,192.168.7.235' (ECDSA) to the list of known hosts.
Last login: Mon Jun 13 19:03:42 2016 from nfsserver.kdc.com
[user1@kbserver ~]$ exit
logout
Connection to kbserver.kdc.com closed.
[user1@nfsclient ~]$ exit
logout

Add the nfs service principal for the client and write it to the client's keytab using kadmin. rpc.gssd uses this nfs/ (or host/) key as the machine credential when the mount is first established, before any user has obtained a ticket.

[root@nfsclient ~]# kadmin 
Authenticating as principal root/admin@KDC.COM with password.
Password for root/admin@KDC.COM: 
kadmin:  addprinc -randkey nfs/nfsclient.kdc.com
WARNING: no policy specified for nfs/nfsclient.kdc.com@KDC.COM  defaulting to no policy
Principal "nfs/nfsclient.kdc.com@KDC.COM" created.
kadmin:  ktadd nfs/nfsclient.kdc.com
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin:  quit

Start and enable the nfs-secure service (rpc.gssd, which obtains Kerberos credentials for the mount) on the client. On later nfs-utils releases this unit was replaced by rpc-gssd.service, which is started automatically when /etc/krb5.keytab exists.

[root@nfsclient ~]# systemctl start nfs-secure
[root@nfsclient ~]# systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'

List the shares exported by the NFS server:

[root@nfsclient ~]# showmount -e nfsserver.kdc.com
Export list for nfsserver.kdc.com:
/kerberos nfsclient.kdc.com

To mount the share permanently, add an entry to /etc/fstab. The sec= flavour requested by the client must be one the server exports; nfsclient.kdc.com is exported with sec=krb5p only, so a client asking for any other flavour is refused.

[root@nfsclient ~]# vim /etc/fstab
nfsserver.kdc.com:/kerberos    /mnt    nfs    sec=krb5p    0 0

Once the entry is in place, mount everything listed in fstab and confirm the share appears.

[root@nfsclient ~]# mount -a
[root@nfsclient ~]# df -h
Filesystem                   Size  Used Avail Use% Mounted on
/dev/sda3                     18G  5.1G   13G  29% /
devtmpfs                     486M     0  486M   0% /dev
tmpfs                        494M  140K  494M   1% /dev/shm
tmpfs                        494M  7.0M  487M   2% /run
tmpfs                        494M     0  494M   0% /sys/fs/cgroup
/dev/sda1                    497M  116M  382M  24% /boot
nfsserver.kdc.com:/kerberos   18G  5.1G   13G  29% /mnt
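As an added example (not from the original article), the following POSIX shell functions verify the result from the client side: that the mount really negotiated krb5i or krb5p, which df does not show, and that the user's credential cache holds a service ticket for nfs/nfsserver.kdc.com. Both checks parse text, so the /proc/mounts and klist excerpts below are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: verify from the client that an
# NFS mount negotiated a Kerberos security flavour and that the user holds a
# service ticket for the NFS server. Parses /proc/mounts and klist text, so it
# runs offline on the constructed samples below.

# Constructed /proc/mounts excerpt: the article's mount plus an AUTH_SYS one.
SAMPLE_MOUNTS='nfsserver.kdc.com:/kerberos /mnt nfs4 rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.7.15,local_lock=none,addr=192.168.7.236 0 0
/dev/sda3 / xfs rw,relatime,attr2,inode64,noquota 0 0
nfsserver.kdc.com:/public /srv/public nfs4 rw,relatime,vers=4.0,sec=sys,clientaddr=192.168.7.15,addr=192.168.7.236 0 0'

# Constructed klist output for user1 after the first access to the mount; the
# nfs/ ticket is obtained by rpc.gssd on the user's behalf.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@KDC.COM

Valid starting       Expires              Service principal
06/13/2016 19:17:01  06/14/2016 19:16:59  krbtgt/KDC.COM@KDC.COM
06/13/2016 19:20:11  06/14/2016 19:16:59  nfs/nfsserver.kdc.com@KDC.COM'

# mount_sec_flavor MOUNTS MOUNTPOINT: print the sec= flavour of the NFS mount at
# MOUNTPOINT, "sys" if the option is absent, nothing if it is not an NFS mount.
mount_sec_flavor() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 ~ /^nfs/ {
            n = split($4, o, ",")
            sec = "sys"
            for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
            print sec
            exit
        }'
}

# mount_is_protected MOUNTS MOUNTPOINT: succeed only for krb5i (integrity) or
# krb5p (privacy). Plain krb5 authenticates the RPC but leaves the data unsigned.
mount_is_protected() {
    case "$(mount_sec_flavor "$1" "$2")" in
        krb5p|krb5i) return 0 ;;
        *) return 1 ;;
    esac
}

# has_service_ticket KLIST PRINCIPAL: succeed if the credential cache holds a
# ticket for PRINCIPAL (the NFS server's nfs/FQDN@REALM).
has_service_ticket() {
    printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { f = 0 } $NF == p { f = 1 } END { exit !f }'
}

# Demo on the constructed samples. On the real client run:
#   mount_is_protected "$(cat /proc/mounts)" /mnt && has_service_ticket "$(klist)" nfs/nfsserver.kdc.com@KDC.COM
for mp in /mnt /srv/public; do
    if mount_is_protected "$SAMPLE_MOUNTS" "$mp"; then state=protected; else state=UNPROTECTED; fi
    printf '%-12s sec=%-6s %s\n' "$mp" "$(mount_sec_flavor "$SAMPLE_MOUNTS" "$mp")" "$state"
done
```

nfsstat -m prints the same negotiated options for every NFS mount and is the quickest manual equivalent of mount_sec_flavor.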
Tag: Kerberos

Comments

nagarajamurugan, Sep 18 2017
nice work

pushpendra, Aug 18 2017
Very informative, thanks for sharing, keep up the good work.
FAQ

Q: Is NFS platform dependent?
A: Yes, NFS can only be configured in Linux distributions.

Q: Where does the Kerberos configuration file lie for the NFS server?
A: The Kerberos configuration file lies under /var/kerberos/krb5kdc/kdc.conf.

Q: When I am trying to mount the filesystem on NFS, I am getting the "mount.nfs4: Operation not permitted" error.
A: The NTFS file system is also the same as other file systems like ext4 and xfs, but NTFS falls under Windows.

Q: How do I solve this error while mounting: "mount.nfs: access denied by the server"?
A: If you are using Kerberos-based authentication, please make sure the realm is in capitals, as it was in capitals by default.

Q: I'm using RHEL 7.0, but let me know whether the procedure for NFS is the same for CentOS 6 or not.
A: Only the daemon-related commands like "systemctl" differ between version 6 and 7; the rest remains the same.