In this article we will cover the entire process of configuring an NFS share that uses Kerberos authentication. It assumes you have already configured an NFS server and a client. If not, refer to Installing and Configuring an NFS Server [2]; it lists the dependent packages that need to be installed and explains how to initialize the configuration on the server before proceeding to the next step.
In addition, you may also need to configure SELinux [3] and firewalld [4] to allow file sharing over NFS.
The following example assumes that your NFS shared directory is /nfs on box2:
# semanage fcontext -a -t public_content_rw_t "/nfs(/.*)?"
# restorecon -R /nfs
# setsebool -P nfs_export_all_rw on
# setsebool -P nfs_export_all_ro on
(where the -P flag makes the boolean setting persist across reboots).
Finally, don't forget:
Create an NFS group and configure the NFS shared directory
1. Create a new group named nfs and add the user nfsnobody to it, then change the permissions of the /nfs directory to 0770 with nfs as the group owner. This gives nfsnobody (the user that incoming requests are mapped to) write permission on the shared directory, so you do not need to use no_root_squash in the /etc/exports file (LCTT note: with root_squash, the client's root user is not treated as root when accessing files on the NFS server).
# groupadd nfs
# usermod -a -G nfs nfsnobody
# chmod 0770 /nfs
# chgrp nfs /nfs
2. Edit the exports file (/etc/exports) so that access is only allowed from box1 using Kerberos security (sec=krb5), as follows.
Note: The value of anongid is set to the GID of the nfs group created earlier:
exports – Adding an NFS share
/nfs box1(rw,sec=krb5,anongid=1004)
3. Re-export (-r) all (-a) NFS shares. Adding verbose output (-v) is a good idea because it provides useful information for troubleshooting when an error occurs:
# exportfs -arv
4. Restart and enable the NFS server and related services. Note that you do not need to enable nfs-lock and nfs-idmap, because the other services start them automatically at boot:
# systemctl restart rpcbind nfs-server nfs-lock nfs-idmap
# systemctl enable rpcbind nfs-server
Test environment and other prerequisites
In this guide we use the following test environment:
- Client machine [box1: 192.168.0.18]
- NFS/Kerberos server [box2: 192.168.0.20] (also acting as the Key Distribution Center, or KDC).
Note: Kerberos is a critical authentication service.
As you can see, for the sake of simplicity the NFS server and the KDC are on the same machine; if you have more machines available you can of course install them on different hosts. Both machines are in the mydomain.com domain.
Finally, it is also important to note that Kerberos requires the client and server to have at least a basic way of resolving host names, and a Network Time Protocol [5] service, because the security of Kerberos authentication relies on timestamps.
To configure name resolution, edit the /etc/hosts file on both the client and the server:
Hosts file – Adding DNS entries for the domain
192.168.0.18 box1.mydomain.com box1
192.168.0.20 box2.mydomain.com box2
In RHEL 7, Chrony is the default software for NTP synchronization:
# yum install chrony
# systemctl start chronyd
# systemctl enable chronyd
To confirm that chrony is actually synchronizing your system's time with the time server, you may want to run the following command two or three times and check that the time offset is as close to 0 as possible:
# chronyc tracking
Synchronizing server time with Chrony
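As an added example (not from the original article), the following POSIX shell functions audit the two settings above that the security of the share depends on: that the /etc/exports entry for the share requires sec=krb5, does not use no_root_squash and maps anonymous access to the nfs group's GID (step 2), and that the clock offset reported by chronyc tracking is within the 300-second skew Kerberos tolerates by default. The function names and the sample exports and tracking output are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article. Both functions take their
# input as text so they can be run on a real file/command output or on the
# constructed samples at the bottom.

# check_export EXPORTS_TEXT SHARE EXPECTED_GID
# Prints one line per problem; returns 0 only if SHARE is exported, every client
# entry requires Kerberos (sec=krb5*), none uses no_root_squash, and anongid
# equals EXPECTED_GID (the GID of the nfs group on the server).
check_export() {
    exports_text=$1; share=$2; gid=$3
    line=$(printf '%s\n' "$exports_text" | grep -E "^$share[[:space:]]" | head -n 1)
    [ -n "$line" ] || { echo "no export entry for $share"; return 1; }
    rc=0
    set -f; set -- $line; set +f   # word-split without glob expansion
    shift                          # drop the share path, keep client(opts) fields
    for entry in "$@"; do
        client=${entry%%(*}
        opts=${entry#*(}; opts=${opts%)}
        case ",$opts," in
            *,sec=krb5*,*) ;;
            *) echo "$client: does not require Kerberos (sec=krb5)"; rc=1 ;;
        esac
        case ",$opts," in
            *,no_root_squash,*) echo "$client: no_root_squash is set"; rc=1 ;;
        esac
        case ",$opts," in
            *,anongid=$gid,*) ;;
            *) echo "$client: anongid is not $gid"; rc=1 ;;
        esac
    done
    return $rc
}

# check_skew TRACKING_TEXT MAX_SECONDS
# Reads the "System time" line of `chronyc tracking` output; returns 1 when the
# offset exceeds MAX_SECONDS (krb5's default clockskew is 300 seconds).
check_skew() {
    offset=$(printf '%s\n' "$1" | awk -F': *' '/^System time/ { split($2, a, " "); print a[1] }')
    [ -n "$offset" ] || { echo "no System time line in tracking output"; return 1; }
    awk -v o="$offset" -v m="$2" 'BEGIN { exit (o > m) ? 1 : 0 }'
}

# Constructed sample data: a compliant /nfs entry, a weak /data entry, and a
# trimmed chronyc tracking report.
SAMPLE_EXPORTS='/nfs box1(rw,sec=krb5,anongid=1004)
/data box3(rw,sec=sys,no_root_squash,anongid=1004)'
SAMPLE_TRACKING='Reference ID    : C0A80014 (box2.mydomain.com)
System time     : 0.000212345 seconds fast of NTP time'
check_export "$SAMPLE_EXPORTS" /nfs 1004 && echo "/nfs export OK"
check_skew "$SAMPLE_TRACKING" 300 && echo "clock skew OK"
```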
Installing and configuring Kerberos
To set up the KDC, first install the following packages on both the client and the server (the client does not need the server package):
# yum update && yum install krb5-server krb5-workstation pam_krb5
After the installation is complete, edit the configuration files (/etc/krb5.conf and /var/kerberos/krb5kdc/kadm5.acl), replacing every occurrence of example.com with mydomain.com as shown below.
Next, make sure the firewall allows Kerberos traffic, then start and enable the related services.
Important: The client must also start and enable nfs-secure:
# firewall-cmd --permanent --add-service=kerberos
# systemctl start krb5kdc kadmin nfs-secure
# systemctl enable krb5kdc kadmin nfs-secure
Now create the Kerberos database (note that this may take a while because it needs to gather randomness from your system). To speed up the process, I opened another terminal and ran ping -f localhost for 30-45 seconds:
# kdb5_util create -s
Create a Kerberos database
Next, use the kadmin.local tool to create an administrative principal for root:
# kadmin.local
# addprinc root/admin
Add the Kerberos server's host principal to the database:
# addprinc -randkey host/box2.mydomain.com
Do the same for the NFS service on both the client (box1) and the server (box2). Please note that in the screenshot below I forgot to do this for box1 before exiting:
# addprinc -randkey nfs/box2.mydomain.com
# addprinc -randkey nfs/box1.mydomain.com
Type quit and press Enter to exit:
Adding Kerberos principals for the NFS server
Obtain and cache a ticket-granting ticket for root/admin:
# kinit root/admin
# klist
Cache Kerberos
The last step before actually using Kerberos is to store the principals that are authorized to use Kerberos authentication in a keytab file (on the server):
# kadmin.local
# ktadd host/box2.mydomain.com
# ktadd nfs/box2.mydomain.com
# ktadd nfs/box1.mydomain.com
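The mistake mentioned above (forgetting a principal) and the missing-keytab test later in the article both surface only when a mount fails. As an added example (not from the original article), this POSIX shell function checks the text of klist -k for every principal the setup needs before mounting; the realm MYDOMAIN.COM and the sample klist output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that a keytab holds
# every principal this setup needs, from the output of `klist -k`.

# check_keytab KLIST_TEXT REALM PRINCIPAL...
# Prints each PRINCIPAL (given without realm) that is absent from the keytab
# listing; returns 1 if any is missing, 0 if all are present.
check_keytab() {
    klist_text=$1; realm=$2; shift 2
    rc=0
    for princ in "$@"; do
        # klist -k lines look like "   2 nfs/box2.mydomain.com@MYDOMAIN.COM";
        # anchor on KVNO and the full principal so prefixes do not match.
        if ! printf '%s\n' "$klist_text" |
            grep -qE "^[[:space:]]*[0-9]+[[:space:]]+$princ@$realm\$"; then
            echo "missing from keytab: $princ@$realm"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the server keytab after the ktadd commands above, with
# the nfs/box1 entry left out (the omission the author mentions).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/box2.mydomain.com@MYDOMAIN.COM
   2 nfs/box2.mydomain.com@MYDOMAIN.COM'

check_keytab "$SAMPLE_KLIST" MYDOMAIN.COM \
    host/box2.mydomain.com nfs/box2.mydomain.com nfs/box1.mydomain.com \
    || echo "keytab is incomplete; run ktadd for the principals listed above"
```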
Finally, mount the shared directory and perform a write test:
# mount -t nfs4 -o sec=krb5 box2:/nfs /mnt
# echo "Hello from Tecmint.com" > /mnt/greeting.txt
Mount NFS shares
Now let's unmount the share, rename the keytab file on the client (to pretend it doesn't exist) and then try to mount the shared directory again:
# umount /mnt
# mv /etc/krb5.keytab /etc/krb5.keytab.orig
Mounting/unmounting the Kerberos NFS share
Now you can use the NFS share based on Kerberos authentication.
Summary
In this article we described how to set up NFS with Kerberos authentication. There is much more to this topic than what we've covered in this guide; you can read further in the Kerberos manual [6].
Original article: Configuring a Kerberos-authenticated NFS server and Linux client