
Why we have to use a kerberized NFS server

An NFS server without Kerberos is not secure


An NFS share can be accessed by any user on the NFS client, because without Kerberos there is no user-level authentication (the server trusts the user ID the client reports).
Without Kerberos, NFS server and client communication is not encrypted.
Kerberos provides ticket-based authentication.
NFS with Kerberos uses a keytab file to authenticate securely.
With the krb5p security flavour, all communication between client and server is fully encrypted.

Prerequisites

1. A Kerberos server (KDC) acting as the ticket-issuing authority
2. Keytab files
3. Kerberos principals in place (if you want to use the krb5p authentication method)
4. An LDAP server for user authentication alongside Kerberos
5. The NFS server must be configured as both an LDAP client and a Kerberos client
6. Both machines, NFS server and NFS client, must be Kerberos clients
7. Working DNS name resolution (if there is no DNS, add /etc/hosts entries instead); see the Master DNS Setup Guide
8. NFS server and NFS client must be time-synchronised with an NTP server (both should be NTP clients)

Scenario 1: Install DNS, Kerberos (KDC), 365 Directory Service, the ticket-issuing authority and LDAP on one machine and use that single server as the main server.

Scenario 2: Install and configure one DNS server, one Kerberos server and one LDAP server separately. This scenario needs more hardware, but performance will be better.

The reason for describing both scenarios is that this guide sets up kerberized NFS with a single server that hosts all of these services.

Environment:

Server 1 : DNS, and LDAP service

Server 2 : NFS Server

Server 3 : NFS Client

Main server side (Kerberos server)

We have to generate keytab files and add the NFS principals on the Kerberos server.
# kadmin
Authenticating as principal admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
kadmin: addprinc -randkey nfs/nfserv.arki.co.in
kadmin: addprinc -randkey nfs/nfsclient.arki.co.in
kadmin: ktadd nfs/nfserv.arki.co.in
kadmin: ktadd nfs/nfsclient.arki.co.in
kadmin: quit
[root@TechTutorials ~]# cp /etc/krb5.keytab /var/www/html/keytabs/nfserv.keytab
[root@TechTutorials ~]# cp /etc/krb5.keytab /var/www/html/keytabs/nfsclient.keytab

The keytab files must now be available for download by the NFS server and the NFS client.
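Before a keytab leaves the Kerberos server it is worth checking two things, because the steps above add both NFS principals to /etc/krb5.keytab and then copy that one file for both hosts. A keytab is a credential equivalent to the host's password: each host should receive a keytab holding only its own principal (kadmin's ktadd -k /path/to/file principal writes to a separate file instead of /etc/krb5.keytab), it should be fetched over an authenticated channel rather than plain HTTP, and on the host it must be mode 0600. The POSIX shell script below is an added example, not part of the original tutorial; the hostnames, the EXAMPLE.COM realm and the klist listings are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-flight checks for a
# keytab before it is copied to an NFS host.  Hostnames, realm and paths are
# assumptions made for the example.
#   1. check_keytab_scope: the keytab holds only the principal that host needs
#      (a keytab carrying several hosts' keys lets any of them impersonate
#      the others; write one file per host with: ktadd -k FILE PRINCIPAL).
#   2. check_keytab_perms: the file is readable by its owner only (0600/0400).

# keytab_principals LISTING: print the distinct principals from `klist -kt`
# output.  Entry lines look like
#   "   2 01/15/2024 10:11:12 nfs/nfserv.example.com@EXAMPLE.COM"
# (one line per encryption type), so the principal is field 4; the header and
# "Keytab name:" lines are skipped because their first field is not a number.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# check_keytab_scope LISTING EXPECTED: return 0 when LISTING contains exactly
# the principal EXPECTED, otherwise report each problem on stderr and return 1.
check_keytab_scope() {
    found=$(keytab_principals "$1")
    if [ -z "$found" ]; then
        echo "no principals found in keytab listing" >&2
        return 1
    fi
    rc=0
    for p in $found; do
        if [ "$p" != "$2" ]; then
            echo "unexpected principal in keytab: $p" >&2
            rc=1
        fi
    done
    if ! printf '%s\n' "$found" | grep -qxF "$2"; then
        echo "expected principal missing from keytab: $2" >&2
        rc=1
    fi
    return $rc
}

# check_keytab_perms PATH: return 0 when PATH is mode 0600 or 0400.  The first
# ten characters of `ls -ld` are used so this also works without GNU stat.
check_keytab_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        '') echo "cannot read $1" >&2; return 1 ;;
        *) echo "$1 has permissions $perms; a keytab must be 0600" >&2; return 1 ;;
    esac
}

# Constructed sample: `klist -kt` output for a keytab that received ktadd for
# both NFS principals, i.e. what copying /etc/krb5.keytab to both hosts ships.
# Two lines per principal stand for two encryption types.
SHARED_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 10:11:12 nfs/nfserv.example.com@EXAMPLE.COM
   2 01/15/2024 10:11:12 nfs/nfserv.example.com@EXAMPLE.COM
   2 01/15/2024 10:11:13 nfs/nfsclient.example.com@EXAMPLE.COM
   2 01/15/2024 10:11:13 nfs/nfsclient.example.com@EXAMPLE.COM'

# Constructed sample: a keytab written with `ktadd -k` for the server only.
SERVER_ONLY_LISTING='Keytab name: FILE:/etc/nfserv.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 10:11:12 nfs/nfserv.example.com@EXAMPLE.COM'

demo() {
    want='nfs/nfserv.example.com@EXAMPLE.COM'
    if check_keytab_scope "$SHARED_KEYTAB_LISTING" "$want"; then
        echo "shared keytab: accepted"
    else
        echo "shared keytab: REJECTED (carries another host's key)"
    fi
    if check_keytab_scope "$SERVER_ONLY_LISTING" "$want"; then
        echo "server-only keytab: accepted"
    fi
    tmp=$(mktemp /tmp/keytab-check.XXXXXX)
    chmod 644 "$tmp"
    check_keytab_perms "$tmp" || echo "world-readable keytab: REJECTED"
    chmod 600 "$tmp"
    check_keytab_perms "$tmp" && echo "0600 keytab: accepted"
    rm -f "$tmp"
}
demo
```

In practice the listing would come from klist -kt /path/to/host.keytab on the Kerberos server, and the permission check runs on the NFS host after the download.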

NFS Server Side Configuration

[root@nfserv.example.com~]# yum install sssd* authconfig-gtk krb5-workstation


[root@nfserv.example.com~]# yum install nfs*

After installing the above packages, run the following command, which opens a GUI:

[root@nfserv.example.com]# system-config-authentication

Provide the following details:

User Account Database: LDAP

LDAP Search Base DN: DC=example,DC=co.in

LDAP Server: ldap://ldap.example.com or ldaps://example.com

Use TLS encryption connections


Authentication Method: Kerberos Password

KDCs : ldap.example.com

## Download keytab file


[root@nfserv.example.com~]# wget -O /etc/krb5.keytab http://ldap.example.com/pub/keytabs/nfserv.keytab
[root@nfserv.example.com~]# vim /etc/sysconfig/nfs
## Default line number 13 (no spaces around "=", the file is sourced as shell)
RPCNFSDARGS="-V 4.2"

:wq

## Enable and Start NFS Server and NFS Secure Server


[root@nfserv.example.com~]# systemctl enable nfs-secure.service
[root@nfserv.example.com~]# systemctl start nfs-secure.service
[root@nfserv.example.com~]# systemctl enable nfs-server.service
[root@nfserv.example.com~]# systemctl start nfs-server.service
[root@nfserv.example.com~]# systemctl enable nfs-secure-server.service
[root@nfserv.example.com~]# systemctl start nfs-secure-server.service

## Create Directory to share using NFS


[root@nfserv.example.com~]# mkdir /nfssecure

## Change Directory ownership


[root@nfserv.example.com~]# chown ldapuser1 /nfssecure

## Apply SELinux policy to the directory


[root@nfserv.example.com~]# semanage fcontext -a -t public_content_rw_t "/nfssecure(/.*)?"
[root@nfserv.example.com~]# restorecon -R /nfssecure
[root@nfserv.example.com~]# setsebool -P nfs_export_all_rw on
[root@nfserv.example.com~]# setsebool -P nfs_export_all_ro on

Now create the NFS export and export it:

[root@nfserv.example.com~]# vim /etc/exports

/nfssecure *.example.com(rw,sec=krb5p)

:wq

The sec option accepts four different values:

sec=sys (no Kerberos; the server trusts the client-supplied user ID)
sec=krb5 (Kerberos user authentication only)
sec=krb5i (Kerberos user authentication and integrity checking)
sec=krb5p (Kerberos user authentication, integrity checking and NFS traffic encryption)

If you want to use sec=sys, you also need to run:

# setsebool -P nfsd_anon_write 1

Now restart NFS services to reflect the changes

[root@nfserv.example.com~]# systemctl restart nfs-server.service


[root@nfserv.example.com~]# systemctl restart nfs-secure-server.service
[root@nfserv.example.com~]# systemctl restart nfs-secure.service

Open the firewall ports so NFS clients can connect (permanent rules take effect after firewall-cmd --reload):

[root@nfserv.example.com~]# firewall-cmd --permanent --add-service=nfs


[root@nfserv.example.com~]# firewall-cmd --permanent --add-service=mountd
[root@nfserv.example.com~]# firewall-cmd --permanent --add-service=rpc-bind

This completes the kerberized NFS server configuration. Now switch to the NFS client.

NFS Client Side configuration

Now start the NFS client side setup. The NFS client must also be joined as an LDAP and Kerberos client, so repeat the first step of the NFS server configuration (install sssd, authconfig-gtk and krb5-workstation, then run system-config-authentication with the same details).

## Download keytab file


[root@nfsclient.example.com~]# wget -O /etc/krb5.keytab http://ldap.example.com/pub/keytabs/nfsclient.keytab
[root@nfsclient.example.com~]# vim /etc/sysconfig/nfs
## Default line number 13 (no spaces around "=", the file is sourced as shell)
RPCNFSDARGS="-V 4.2"

:wq

[root@nfsclient.example.com~]# yum install nfs-utils*


[root@nfsclient.example.com~]# systemctl enable nfs-secure.service
[root@nfsclient.example.com~]# systemctl start nfs-secure.service
[root@nfsclient.example.com~]# mkdir /mnt/nfsmount

Now edit fstab configuration file to mount NFS share permanently

[root@nfsclient.example.com~]# vim /etc/fstab


nfserv.example.com:/nfssecure /mnt/nfsmount nfs defaults,sec=krb5p,v4.2 0 0

:wq

[root@nfsclient.example.com~]# mount -a

Now log in as ldapuser1 and access the nfssecure share; it will be accessible, and you can also write data to the share path.
