If you need to configure file sharing for a group of Unix-like clients, it is natural to think of a network file system, or NFS.
In this article we will cover the entire process of configuring NFS sharing with Kerberos authentication. We assume you have already configured an NFS server and a client. If not, refer to the guide on installing and configuring an NFS server; it lists the packages that need to be installed and explains how to initialize the configuration on the server before proceeding to the next step.
In addition, you may also need to configure SELinux and firewalld to allow file sharing over NFS.
The following example assumes that your NFS shared directory is /nfs on box2:
# semanage fcontext -a -t public_content_rw_t "/nfs(/.*)?"
# restorecon -R /nfs
# setsebool -P nfs_export_all_rw on
# setsebool -P nfs_export_all_ro on
(where the -P flag makes the boolean change persistent across reboots).
Finally, don't forget to allow NFS through firewalld as well.
Create the NFS group and configure the NFS shared directory
1. Create a new group called nfs and add the user nfsnobody to it, then change the permissions of the /nfs directory to 0770 and its group owner to nfs. As a result, nfsnobody (the user that anonymous requests are mapped to) has permission to write in the shared directory, and you do not need to use no_root_squash in the /etc/exports file (LCTT note: root_squash means that when the client's root user accesses files on the NFS server, it is not treated as root).
# groupadd nfs
# usermod -a -G nfs nfsnobody
# chmod 0770 /nfs
# chgrp nfs /nfs
2. Change the exports file (/etc/exports) as follows so that only box1 is allowed access, and only with Kerberos security (sec=krb5).
Note: the anongid value is the GID of the nfs group created earlier. Write the options directly after the host name with no space in between; "box1 (rw,...)" would export the share to every host with those options and give box1 only the defaults:
[Screenshot: /etc/exports with the NFS share added]
/nfs box1(rw,sec=krb5,anongid=1004)
3. Export (-r) all (-a) NFS shares again. Adding verbose output (-v) is a good idea because it provides useful information for troubleshooting when an error occurs:
# exportfs -arv
4. Restart and enable the NFS server and related services. Note that you do not need to enable nfs-lock and nfs-idmap, because the other services start them automatically at boot:
# systemctl restart rpcbind nfs-server nfs-lock nfs-idmap
# systemctl enable rpcbind nfs-server
Test environment and other prerequisites
In this guide we use the following test environment:
Client machine [box1: 192.168.0.18]
NFS/Kerberos server [box2: 192.168.0.20] (also the Key Distribution Center, or KDC).
Note: the Kerberos service is central to this authentication scheme.
As you can see, for simplicity the NFS server and the KDC are on the same machine; if you have more machines available, you can of course install them on separate machines. Both machines are in the mydomain.com domain.
Last but not least, Kerberos requires at least one working name-resolution method and a Network Time Protocol service on both the client and the server, because the security of Kerberos authentication depends on timestamps.
To configure name resolution, edit the /etc/hosts file on both the client and the server:
[Screenshot: /etc/hosts with the entries for both machines added]
192.168.0.18 box1.mydomain.com box1
192.168.0.20 box2.mydomain.com box2
In RHEL 7, chrony is the default software for NTP synchronization:
# yum install chrony
# systemctl start chronyd
# systemctl enable chronyd
To ensure that chrony is actually synchronizing your system time with the time server, run the following command two or three times and check that the reported offset gets as close to 0 as possible:
# chronyc tracking
[Screenshot: synchronizing server time with chrony]
Installing and configuring Kerberos
To set up the KDC, first install the following packages on the client and the server (the client does not need the krb5-server package):
# yum update && yum install krb5-server krb5-workstation pam_krb5
After the installation is complete, edit the configuration files (/etc/krb5.conf and /var/kerberos/krb5kdc/kadm5.acl), replacing every occurrence of example.com with mydomain.com (keeping the same case, so the realm EXAMPLE.COM becomes MYDOMAIN.COM).
Next, make sure Kerberos is allowed through the firewall, then start and enable the related services.
Important: the client must also start and enable nfs-secure:
# firewall-cmd --permanent --add-service=kerberos
# systemctl start krb5kdc kadmin nfs-secure
# systemctl enable krb5kdc kadmin nfs-secure
Now create the Kerberos database (note that this may take a while because it needs to gather randomness from your system). To speed up the process, I opened another terminal and ran ping -f localhost for 30-45 seconds:
# kdb5_util create -s
[Screenshot: creating the Kerberos database]
Next, use the kadmin.local tool to create an administrative principal for root:
# kadmin.local
kadmin.local:  addprinc root/admin
Add the Kerberos server itself to the database:
kadmin.local:  addprinc -randkey host/box2.mydomain.com
Do the same for the NFS service on both the client (box1) and the server (box2). Please note that in the screenshot below I forgot to do this for box1 before exiting:
kadmin.local:  addprinc -randkey nfs/box2.mydomain.com
kadmin.local:  addprinc -randkey nfs/box1.mydomain.com
Type quit to exit kadmin.local:
[Screenshot: adding the Kerberos principals for the NFS server]
Obtain and cache a ticket-granting ticket for root/admin:
# kinit root/admin
# klist
[Screenshot: the cached Kerberos ticket]
The last step before actually using Kerberos is to add the principals that are authorized to authenticate with Kerberos to a keytab file (on the server):
# kadmin.local
kadmin.local:  ktadd host/box2.mydomain.com
kadmin.local:  ktadd nfs/box2.mydomain.com
kadmin.local:  ktadd nfs/box1.mydomain.com
Finally, mount the shared directory and perform a write test:
# mount -t nfs4 -o sec=krb5 box2:/nfs /mnt
# echo "Hello from tecmint.com" > /mnt/greeting.txt
[Screenshot: mounting the NFS share]
Now let's unmount the share, rename the keytab file on the client (to simulate its absence), and then try to mount the shared directory again:
# umount /mnt
# mv /etc/krb5.keytab /etc/krb5.keytab.orig
[Screenshot: mounting and unmounting the Kerberos NFS share]
Now you can use NFS shares based on Kerberos authentication.
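The keytab experiment above and the chrony step earlier are the two things a sec=krb5 mount silently depends on: the keytab must hold the nfs/<fqdn> principal, and the clock must be in sync with the KDC. The following is an added example, not code from the original article: it parses constructed samples of klist -k and chronyc tracking output so it runs offline, and the function names and the 1-second skew bound are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks before a sec=krb5 mount.
# On a real client replace the constructed samples with live output:
#   KEYTAB_LIST=$(klist -k /etc/krb5.keytab)   TRACKING=$(chronyc tracking)

# Constructed sample of `klist -k` output for the keytab built in the article.
KEYTAB_LIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/box2.mydomain.com@MYDOMAIN.COM
   2 nfs/box2.mydomain.com@MYDOMAIN.COM
   2 nfs/box1.mydomain.com@MYDOMAIN.COM'

# Constructed sample of `chronyc tracking` output (only the "System time" line is used).
TRACKING='Reference ID    : C0A80014 (box2.mydomain.com)
Stratum         : 3
System time     : 0.000123456 seconds slow of NTP time
Last offset     : -0.000004321 seconds'

# keytab_has_principal LISTING PRINCIPAL -> 0 if a PRINCIPAL@<realm> entry is listed
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# skew_ok TRACKING_OUTPUT MAX_SECONDS -> 0 if the absolute offset is within MAX_SECONDS.
# The KDC rejects requests outside its clock-skew window (5 minutes by default), so a
# much tighter bound catches drift before it turns into a confusing mount failure.
skew_ok() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /^System time/ { off = $4 + 0; if (off < 0) off = -off; seen = 1 }
        END { exit !(seen && off <= max) }'
}

# preflight FQDN -> 0 when the keytab holds nfs/FQDN and the clock is within 1 second
preflight() {
    keytab_has_principal "$KEYTAB_LIST" "nfs/$1" || { echo "missing nfs/$1 in keytab"; return 1; }
    skew_ok "$TRACKING" 1 || { echo "clock skew too large for Kerberos"; return 2; }
    echo "ok: safe to run mount -t nfs4 -o sec=krb5 box2:/nfs /mnt"
}
```

With the keytab renamed as in the experiment above, a live klist -k fails outright and preflight reports the missing principal before any mount is attempted.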
Summary
In this article we described how to set up NFS with Kerberos authentication. There is much more to the topic than we could cover in this guide, and the Kerberos manual is the place to look for it; at the very least, Kerberos can be a bit tricky, so if you run into problems or need help while testing or implementing it, don't hesitate to let us know in the comments below.
How do you verify that the NFS configuration is working?
Mounting an NFS share from another Linux or UNIX system on a Linux client
# mkdir -p /mnt/nfs
Note: this creates the directory used as the mount point.
# mount -t nfs -o rw 10.140.133.9:/export/home/sunky /mnt/nfs
Syntax and parameters of the /etc/exports file
Log in to the Linux server as root and edit the shared-directory configuration file exports in the /etc directory to specify the shared directories, their permissions, and so on.
Run the following command to edit the file /etc/exports:
# vi /etc/exports
Add the following content to the file:
/home/work 192.168.0.*(rw,sync,no_root_squash)
Then save and exit.
Explanation: this allows computers in the IP address range 192.168.0.* to access the /home/work directory with read-write access.
/home/work is also known as the server's exported share directory.
The parameters in parentheses mean the following:
rw: read/write access; the read-only equivalent is ro;
sync: data is written to memory and to the hard disk; the alternative, async, keeps data temporarily in memory and does not write it to the hard disk immediately.
no_root_squash: the NFS server keeps the requesting user's identity for the shared directory, so if that user is root, they have root permissions on the shared directory.
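Both exports lines in this article (the Kerberos share /nfs earlier and /home/work here) are easy to get subtly wrong. The following is an added example, not part of the original article: a small audit of /etc/exports text (the function names and sample entries are constructed) that flags a space between host and options, no_root_squash, and wildcard hosts exported without sec=krb5.

```shell
#!/bin/sh
# Added example (not from the article): audit /etc/exports text for three common
# mistakes. A space before "(" detaches the options from the host: exportfs then
# exports the share to every host with those options and gives the named host the
# defaults. no_root_squash lets a remote root act as root on the export, and a
# wildcard host without sec=krb5 trusts whatever UID the client asserts (AUTH_SYS).

# Constructed sample: the article's Kerberos share written both ways, the /home/work
# export from this section, and a world-readable share.
EXPORTS='# shares
/nfs box1 (rw,sec=krb5,anongid=1004)
/nfs box1(rw,sec=krb5,anongid=1004)
/home/work 192.168.0.*(rw,sync,no_root_squash)
/srv/pub *(ro,sync)'

# audit_exports EXPORTS_TEXT -> prints one finding per line; returns 1 if any were found
audit_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                  # comment line
        NF == 0 { next }                           # blank line
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\(/) {                  # "host (opts)": options detached by a space
                    printf "%s: %s is separated from %s by a space, so it applies to every host\n", $1, $i, $(i-1)
                    bad++
                }
                if ($i ~ /no_root_squash/) {
                    printf "%s: %s lets remote root act as root on the export\n", $1, $i
                    bad++
                }
                if (index($i, "*") && $i !~ /sec=krb5/) {
                    printf "%s: %s is a wildcard export relying on client-asserted UIDs (no sec=krb5)\n", $1, $i
                    bad++
                }
            }
        }
        END { exit (bad > 0) }'
}

# finding_count EXPORTS_TEXT -> number of findings (0 when the file is clean)
finding_count() {
    audit_exports "$1" | awk 'END { print NR }'
}
```

On a live server, run audit_exports "$(cat /etc/exports)" before exportfs -arv; the sample above yields four findings, and only the second /nfs line is clean.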
Then run the following command to start the port mapper:
# /etc/rc.d/init.d/portmap start
Finally, run the following command to start the NFS service; NFS starts its daemons and then begins listening for client requests:
# /etc/rc.d/init.d/nfs start
You can also restart the Linux server so that the NFS service starts automatically.
After the NFS server has started, you also need to check the Linux server's firewall settings (a common shortcut is to shut down the firewall service altogether) to make sure that the ports used by NFS and the hosts that are allowed to connect are not blocked; mainly check the iptables or ipchains rules and the /etc/hosts.deny and /etc/hosts.allow files.
First test on the Linux server itself (a loopback mount) to verify that the shared directory can be accessed. Run the following on the Linux server:
# mount -t nfs 192.168.0.20:/home/work /mnt
# ls /mnt
The mount command mounts the Linux server's exported share on the /mnt directory, so if NFS is working properly you should see the contents of the /home/work shared directory under /mnt.