How to set up a secure (Kerberos) NFS share?

In this article I am going to show the steps to configure a secure (Kerberos-authenticated) NFS server and client.

Below are the setup details.

* Two RHEL 6.5 Machines (dns1 and dns2).

* dns1 is the DNS server, IPA server and NFS server.

* dns2 plays the role of IPA client and NFS client.

Step 1 : I have configured the IPA server on node dns1 following the Red Hat documentation. Trust me, it is a very easy setup. Before setting up IPA I manually configured DNS, making dns1 the server and dns2 the client.

Step 2 : After installing the IPA server I added an NFS service principal for each host on the IPA server.

[root@dns1 ~]# ipa service-add nfs/dns1.abc.com
----------------------------------
Added service "nfs/dns1.abc.com@ABC.COM"
----------------------------------
Principal: nfs/dns1.abc.com@ABC.COM
Managed by: dns1.abc.com

[root@dns1 ~]# ipa service-add nfs/dns2.abc.com
----------------------------------
Added service "nfs/dns2.abc.com@ABC.COM"
----------------------------------
Principal: nfs/dns2.abc.com@ABC.COM
Managed by: dns2.abc.com

Step 3 : Retrieve the key for the server's NFS principal into the host keytab.

[root@dns1 ~]# ipa-getkeytab -s dns1.abc.com -p nfs/dns1.abc.com -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab

Step 4 : Configure the NFS configuration file so that SECURE_NFS is enabled by default.

[root@dns1 ~]# cat /etc/sysconfig/nfs | grep SECURE
SECURE_NFS="yes"

Step 5 : I have exported the filesystem with the Kerberos security flavours from the NFS server, i.e. dns1.

[root@dns1 ~]# cat /etc/exports
/vicky *(rw,sync,sec=sys:krb5:krb5i:krb5p)

[root@dns1 ~]# /etc/init.d/nfs status
rpc.svcgssd (pid 2710) is running...
rpc.mountd (pid 2720) is running...
nfsd (pid 2736 2735 2734 2733 2732 2731 2730 2729) is running...
rpc.rquotad (pid 2716) is running...

[root@dns2 ~]# cat /etc/sysconfig/nfs | grep SECURE
#SECURE_NFS="yes"
SECURE_NFS="yes"

On the client, make sure that idmapd.conf has the domain name set correctly.

[root@dns2 ~]# cat /etc/idmapd.conf | grep -v ^# | grep -i domain
Domain = abc.com

[root@dns2 ~]# /etc/init.d/rpcidmapd start
Starting RPC idmapd:                                       [  OK  ]

Step 6 : Obtain a Kerberos ticket as admin on the NFS client.

[root@dns2 ~]# kinit admin
Password for admin@ABC.COM:

Step 7 : Retrieve the client's NFS principal keytab and start the GSS daemons.

[root@dns2 ~]# ipa-getkeytab -s dns1.abc.com -p nfs/dns2.abc.com -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab

[root@dns2 ~]# /etc/init.d/rpcsvcgssd start
Starting RPC svcgssd:                                      [  OK  ]

[root@dns2 ~]# /etc/init.d/rpcgssd start
Starting RPC gssd:                                         [  OK  ]

Step 8 : Mount the NFSv4 share on the client with the Kerberos security option.

[root@dns2 ~]# mount -t nfs4 -o sec=krb5 192.168.111.149:/vicky /mnt

[root@dns2 ~]# df -h /mnt
Filesystem              Size  Used Avail Use% Mounted on
192.168.111.149:/vicky   97M  5.5M   87M   6% /mnt

[root@dns2 ~]# cat /etc/mtab | grep -i nfs4
192.168.111.149:/vicky /mnt nfs4 rw,sec=krb5,addr=192.168.111.149,clientaddr=192.168.111.150 0 0

[root@dns2 ~]# umount /mnt

[root@dns2 ~]# mount -a

[root@dns2 ~]# df -h /mnt
Filesystem              Size  Used Avail Use% Mounted on
192.168.111.149:/vicky   97M  5.5M   87M   6% /mnt
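As an added example (not from the original post), a small bash audit of the export and mount options shown above: it flags the Step 5 export because sec=sys appears in its list, so a client that omits -o sec=krb5 still mounts with plain AUTH_SYS, while a krb5-only export passes. The sample inputs are constructed from the article's own lines, and one client entry per export line is assumed.

```bash
#!/bin/bash
# Added example: audit NFS export and mount options for the Kerberos
# security flavours used in this article. Not part of the original post.

# audit_exports <exports-text>
# Prints "<path> <verdict>" per export line. An export is only "OK" when
# its sec= list contains no "sys": with sec=sys:krb5... a client may still
# mount with AUTH_SYS, i.e. uid/gid are simply trusted from the client.
# Assumes one client entry per line, as in the article's /etc/exports.
audit_exports() {
  local line path opts sec verdict
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
    path=${line%% *}
    opts=${line#*\(}                           # text after the first "("
    opts=${opts%%\)*}                          # ...up to the closing ")"
    sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
    if [ -z "$sec" ]; then
      verdict='WEAK: no sec= option, AUTH_SYS assumed'
    elif printf '%s' ":$sec:" | grep -q ':sys:'; then
      verdict='WEAK: sec=sys permitted alongside Kerberos'
    else
      verdict="OK: sec=$sec"
    fi
    printf '%s %s\n' "$path" "$verdict"
  done
}

# mount_sec_flavor <mtab-line>
# Prints the sec= flavour of one /etc/mtab (or /proc/mounts) line, or
# "none" when the mount carries no sec= option at all.
mount_sec_flavor() {
  printf '%s\n' "$1" | awk '{print $4}' | tr ',' '\n' \
    | sed -n 's/^sec=//p' | grep . || echo none
}

# Constructed sample input: the article's export plus a krb5p-only one.
SAMPLE_EXPORTS='/vicky *(rw,sync,sec=sys:krb5:krb5i:krb5p)
/data *(rw,sync,sec=krb5p)'
# Constructed sample mtab line matching Step 8 of the article.
SAMPLE_MTAB='192.168.111.149:/vicky /mnt nfs4 rw,sec=krb5,addr=192.168.111.149,clientaddr=192.168.111.150 0 0'

audit_exports "$SAMPLE_EXPORTS"
mount_sec_flavor "$SAMPLE_MTAB"
```

On a live host, feed it the real files with audit_exports "$(cat /etc/exports)" and mount_sec_flavor "$(grep ' nfs4 ' /proc/mounts)".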
