
Configure a Kerberized NFS Server in RHEL 7

Kerberos is a computer network authentication protocol that uses tickets to authenticate hosts and users and lets them communicate over a non-secure network. NFS is a distributed file system used to share files among Linux-based computers. By combining Kerberos with NFS we get network shares that authenticate clients with Kerberos instead of simply trusting them, which makes the shares considerably more secure.

In this article, we will configure a Kerberized NFS server and then configure a client to access that share. A Kerberized NFS server requires an Identity Management server, such as FreeIPA, that issues Kerberos tickets to clients. We have already described configuring a FreeIPA server in a previous post, so we will not reinvent the wheel here. Readers can refer to the following articles to understand Kerberos authentication:
Read: Configure Identity Management (IdM) with FreeIPA Server
Also:
Configure a Linux Machine as FreeIPA Client
Configure SSO (Single Sign-on) with Kerberos 5

System Specification:
We are using two Red Hat Enterprise Linux (RHEL) 7 servers: one acts as the NFS server as well as the Identity Management server, and the other as the NFS client.
Identity Management Server: ipaserver.example.com
Kerberized NFS Server: ipaserver.example.com
Kerberized NFS Client: client2.example.com
Note: we are configuring our existing FreeIPA server as the Kerberized NFS server.

Configure Kerberized NFS Server:

Make sure that you have already configured this machine as a FreeIPA client (refer to Configure a Linux Machine as FreeIPA Client).
Now add an NFS service principal to our FreeIPA server and store its key in the keytab, which creates the Kerberized NFS service, as follows.
[root@ipaserver ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@ipaserver ~]# ipa service-add nfs/ipaserver.example.com
-----------------------------------------------------
Added service "nfs/ipaserver.example.com@EXAMPLE.COM"
-----------------------------------------------------
Principal: nfs/ipaserver.example.com@EXAMPLE.COM
Managed by: ipaserver.example.com
[root@ipaserver ~]# kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: ktadd nfs/ipaserver.example.com
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/ipaserver.example.com with kvno 1, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local: quit
[root@ipaserver ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/ipaserver.example.com@EXAMPLE.COM
3 host/ipaserver.example.com@EXAMPLE.COM
3 host/ipaserver.example.com@EXAMPLE.COM
3 host/ipaserver.example.com@EXAMPLE.COM
1 nfs/ipaserver.example.com@EXAMPLE.COM
1 nfs/ipaserver.example.com@EXAMPLE.COM
1 nfs/ipaserver.example.com@EXAMPLE.COM
1 nfs/ipaserver.example.com@EXAMPLE.COM
To configure the NFS service, we have to install the nfs-utils package. Usually this package is installed automatically during the installation of Red Hat Enterprise Linux (RHEL) 7; however, you can install it at any time using the yum command.
[root@ipaserver ~]# yum install -y nfs-utils
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use
subscription-manager to register.
Package 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version
Nothing to do
[root@ipaserver ~]#
nfs-utils is already installed on our system.
Create a directory to share with the clients.
[root@ipaserver ~]# mkdir /nfsshare
[root@ipaserver ~]# chgrp nfsnobody /nfsshare/
[root@ipaserver ~]# chmod g+w /nfsshare/
We have created the directory /nfsshare, changed its group to nfsnobody and given the group write permission, so that users mapped to the anonymous account (nfsnobody) can create files in this shared directory.
Adjust the SELinux type of the /nfsshare directory.
[root@ipaserver ~]# semanage fcontext -a -t nfs_t "/nfsshare(/.*)?"
[root@ipaserver ~]# restorecon -Rv /nfsshare/
restorecon reset /nfsshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:nfs_t:s0
If the semanage command is not available on your system, install the policycoreutils-python package.
Now export (share) this directory to the specific client. The sec=krb5p option requires Kerberos authentication with integrity and privacy protection for every access.
[root@ipaserver ~]# echo '/nfsshare client2.example.com(rw,sec=krb5p,sync)' >> /etc/exports
[root@ipaserver ~]# exportfs -r
Enable and start the nfs-server and nfs-secure-server services.
[root@ipaserver ~]# systemctl start nfs-server ; systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
[root@ipaserver ~]# systemctl start nfs-secure-server; systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
Allow NFS and its supporting services (mountd and rpcbind) through the Linux firewall.
[root@ipaserver ~]# firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind}
success
[root@ipaserver ~]# firewall-cmd --reload
success
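Before handing the export to clients, it is worth checking that the keytab really holds the nfs/ principal and that no line in /etc/exports falls back to sec=sys, which would let the server trust client-supplied UIDs. The following POSIX sh audit helper is an added example and not part of the original article: the function names, the idea of saving the klist -k output to a file, and the sample keytab listing and exports files are all assumptions, and the sample data is constructed to mirror the host names used above.

```shell
#!/bin/sh
# Added audit helper (not from the original article): checks that the server
# side of a Kerberized NFS export is in the state the steps above produce.
# Each check takes a file argument so it can run against constructed sample
# data as well as against the live system (e.g. klist -k > /tmp/klist.out).

# keytab_has_nfs_principal KLIST_FILE FQDN REALM
# Succeeds if the saved output of `klist -k` lists nfs/FQDN@REALM.
keytab_has_nfs_principal() {
    grep -q "[[:space:]]nfs/$2@$3\$" "$1"
}

# weak_exports EXPORTS_FILE
# Prints "<path> <client(options)>" for every export entry that does not
# require krb5i or krb5p as its only security flavor. sec=sys, sec=krb5
# (authentication only), a missing sec= (which defaults to sys) and a sec=
# list mixing several flavors are all printed so they can be reviewed.
weak_exports() (
    set -f   # no pathname expansion, so a "*" client wildcard stays literal
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" |
    while read -r path clients; do
        for entry in $clients; do
            case "$entry" in
                *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;;
                *)      opts="" ;;        # no option list at all: defaults apply
            esac
            case ",$opts," in
                *,sec=krb5p,*|*,sec=krb5i,*) ;;
                *) printf '%s %s\n' "$path" "$entry" ;;
            esac
        done
    done
)

# audit_nfs_server FQDN REALM KLIST_FILE EXPORTS_FILE
# Returns 0 when the nfs/ principal is in the keytab and no weak export is
# found; otherwise prints what is wrong and returns 1.
audit_nfs_server() {
    rc=0
    if keytab_has_nfs_principal "$3" "$1" "$2"; then
        echo "ok: keytab contains nfs/$1@$2"
    else
        echo "FAIL: keytab does not contain nfs/$1@$2 (run ipa service-add and ktadd)"
        rc=1
    fi
    weak=$(weak_exports "$4")
    if [ -n "$weak" ]; then
        echo "FAIL: exports that do not require sec=krb5p or sec=krb5i:"
        echo "$weak"
        rc=1
    else
        echo "ok: every export requires krb5p or krb5i"
    fi
    return $rc
}

# --- constructed sample data (host names as in the article) ---------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_KLIST="$SAMPLE_DIR/klist.out"
SAMPLE_EXPORTS_GOOD="$SAMPLE_DIR/exports.good"
SAMPLE_EXPORTS_BAD="$SAMPLE_DIR/exports.bad"

cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------------
   3 host/ipaserver.example.com@EXAMPLE.COM
   1 nfs/ipaserver.example.com@EXAMPLE.COM
EOF

printf '%s\n' '/nfsshare client2.example.com(rw,sec=krb5p,sync)' > "$SAMPLE_EXPORTS_GOOD"

cat > "$SAMPLE_EXPORTS_BAD" <<'EOF'
# constructed: one good export and two that fall back to weaker flavors
/nfsshare client2.example.com(rw,sec=krb5p,sync)
/scratch  *(rw,sync)            # no sec= option, so sec=sys applies
/home     client2.example.com(rw,sec=krb5,sync)
EOF

# Example run against the weak sample; exits non-zero and lists the two
# offending entries, which is expected for this constructed file.
audit_nfs_server ipaserver.example.com EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_EXPORTS_BAD" || true
```

On the live server, save the keytab listing with klist -k > /tmp/klist.out and run audit_nfs_server ipaserver.example.com EXAMPLE.COM /tmp/klist.out /etc/exports; a non-zero exit status means the nfs/ key is missing or some export would accept clients without Kerberos integrity or privacy protection.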

Configure Kerberized NFS Client:

Make sure that you have already configured this machine as a FreeIPA client (refer to Configure a Linux Machine as FreeIPA Client).
Connect to client2.example.com and install the nfs-utils package.
[root@client2 ~]# yum install -y nfs-utils
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use
subscription-manager to register.
localyum | 4.1 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package nfs-utils.x86_64 1:1.3.0-0.el7 will be installed
--> Processing Dependency: libtirpc >= 0.2.3-1 for package: 1:nfs-utils-1.3.0-0.el7.x86_64
--> Processing Dependency: keyutils for package: 1:nfs-utils-1.3.0-0.el7.x86_64
--> Processing Dependency: libevent for package: 1:nfs-utils-1.3.0-0.el7.x86_64
--> Processing Dependency: libnfsidmap for package: 1:nfs-utils-1.3.0-0.el7.x86_64
--> Processing Dependency: rpcbind for package: 1:nfs-utils-1.3.0-0.el7.x86_64
--> Processing Dependency: libevent-2.0.so.5()(64bit) for package: 1:nfs-utils-1.3.0-0.el7.x86_64
--> Processing Dependency: libnfsidmap.so.0()(64bit) for package: 1:nfs-utils-1.3.0-0.el7.x86_64
--> Processing Dependency: libtirpc.so.1()(64bit) for package: 1:nfs-utils-1.3.0-0.el7.x86_64
--> Running transaction check
---> Package keyutils.x86_64 0:1.5.8-3.el7 will be installed
---> Package libevent.x86_64 0:2.0.21-4.el7 will be installed
---> Package libnfsidmap.x86_64 0:0.25-9.el7 will be installed
---> Package libtirpc.x86_64 0:0.2.4-0.3.el7 will be installed
---> Package rpcbind.x86_64 0:0.2.0-23.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
nfs-utils x86_64 1:1.3.0-0.el7 localyum 357 k
Installing for dependencies:
keyutils x86_64 1.5.8-3.el7 localyum 54 k
libevent x86_64 2.0.21-4.el7 localyum 214 k
libnfsidmap x86_64 0.25-9.el7 localyum 45 k
libtirpc x86_64 0.2.4-0.3.el7 localyum 85 k
rpcbind x86_64 0.2.0-23.el7 localyum 55 k

Transaction Summary
================================================================================
Install 1 Package (+5 Dependent packages)

Total download size: 810 k


Installed size: 2.2 M
Downloading packages:
--------------------------------------------------------------------------------
Total 1.0 MB/s | 810 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libtirpc-0.2.4-0.3.el7.x86_64 1/6
Installing : rpcbind-0.2.0-23.el7.x86_64 2/6
Installing : keyutils-1.5.8-3.el7.x86_64 3/6
Installing : libevent-2.0.21-4.el7.x86_64 4/6
Installing : libnfsidmap-0.25-9.el7.x86_64 5/6
Installing : 1:nfs-utils-1.3.0-0.el7.x86_64 6/6
Verifying : 1:nfs-utils-1.3.0-0.el7.x86_64 1/6
Verifying : libtirpc-0.2.4-0.3.el7.x86_64 2/6
Verifying : libnfsidmap-0.25-9.el7.x86_64 3/6
Verifying : libevent-2.0.21-4.el7.x86_64 4/6
Verifying : keyutils-1.5.8-3.el7.x86_64 5/6
Verifying : rpcbind-0.2.0-23.el7.x86_64 6/6

Installed:
nfs-utils.x86_64 1:1.3.0-0.el7

Dependency Installed:
keyutils.x86_64 0:1.5.8-3.el7 libevent.x86_64 0:2.0.21-4.el7
libnfsidmap.x86_64 0:0.25-9.el7 libtirpc.x86_64 0:0.2.4-0.3.el7
rpcbind.x86_64 0:0.2.0-23.el7

Complete!
[root@client2 ~]#
Create a directory on which to mount the shared directory from ipaserver.example.com.
[root@client2 ~]# mkdir /mnt/nfsshare
Check the directories exported by ipaserver.example.com.
[root@client2 ~]# showmount -e ipaserver.example.com
Export list for ipaserver.example.com:
/nfsshare client2.example.com
[root@client2 ~]#
Start and enable the nfs-secure service, which runs rpc.gssd and handles the Kerberos side of the mount.
[root@client2 ~]# systemctl start nfs-secure ; systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
Persistently mount this shared directory by adding the following entry to /etc/fstab. The sec=krb5p option must match the export, and _netdev delays the mount until the network is up.
[root@client2 ~]# echo 'ipaserver.example.com:/nfsshare /mnt/nfsshare nfs sec=krb5p,_netdev 0 0' >> /etc/fstab
[root@client2 ~]# mount -a
[root@client2 ~]#
Check the status of the mounted directory.
[root@client2 ~]# mount | grep nfs
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
ipaserver.example.com:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.116.202,local_lock=none,addr=192.168.116.200,_netdev)
Create a file in the shared directory to verify the file permissions.
[root@client2 ~]# cd /mnt/nfsshare/
[root@client2 nfsshare]# touch test1
[root@client2 nfsshare]# ls -al
total 0
drwxrwxr-x. 2 root nfsnobody 18 Jul 31 07:32 .
drwxr-xr-x. 4 root root 31 Jul 31 07:23 ..
-rw-r--r--. 1 nfsnobody nfsnobody 0 Jul 31 07:32 test1
[root@client2 nfsshare]#
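The mount output above is the place to confirm that the client really negotiated sec=krb5p and did not end up on a weaker flavor; the same check belongs in the fstab entry so that the protection survives a reboot. The following POSIX sh helper is an added example and not part of the original article: the function names and the idea of saving the mount output to a file are assumptions, and the sample mount listing and fstab are constructed (the /mnt/scratch lines with sec=sys are invented to show a failing case; the /mnt/nfsshare line and the addresses 192.168.116.200 and 192.168.116.202 are taken from the article).

```shell
#!/bin/sh
# Added verification helper (not from the original article): confirm on the
# client that a share is mounted with Kerberos privacy (sec=krb5p) rather
# than a weaker flavor, and that its fstab entry carries the same flavor
# plus _netdev. Takes files so constructed samples can be checked offline;
# on a live client use: mount > /tmp/mount.out; ... /tmp/mount.out /etc/fstab.

# mount_sec_flavor MOUNT_OUTPUT_FILE MOUNTPOINT
# Prints the sec= flavor of the nfs/nfs4 mount at MOUNTPOINT as reported by
# `mount`, or nothing if MOUNTPOINT is not an NFS mount in that output.
mount_sec_flavor() {
    awk -v mp="$2" '
        $3 == mp && $5 ~ /^nfs4?$/ {
            # $6 is "(opt1,opt2,...)": strip the parentheses, split on commas
            opts = substr($6, 2, length($6) - 2)
            n = split(opts, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] ~ /^sec=/) { print substr(a[i], 5); exit }
        }' "$1"
}

# fstab_entry_ok FSTAB_FILE MOUNTPOINT
# Succeeds if FSTAB_FILE has an nfs/nfs4 line for MOUNTPOINT whose options
# include both sec=krb5p and _netdev.
fstab_entry_ok() {
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp && $3 ~ /^nfs4?$/ {
            o = "," $4 ","
            if (index(o, ",sec=krb5p,") && index(o, ",_netdev,")) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# verify_client_mount MOUNT_OUTPUT_FILE FSTAB_FILE MOUNTPOINT
# Returns 0 only if the live mount uses krb5p and fstab will restore it so.
verify_client_mount() {
    rc=0
    flavor=$(mount_sec_flavor "$1" "$3")
    case "$flavor" in
        krb5p) echo "ok: $3 is mounted with sec=krb5p" ;;
        "")    echo "FAIL: $3 is not an NFS mount in $1"; rc=1 ;;
        *)     echo "FAIL: $3 is mounted with sec=$flavor, not krb5p"; rc=1 ;;
    esac
    if fstab_entry_ok "$2" "$3"; then
        echo "ok: fstab entry for $3 has sec=krb5p and _netdev"
    else
        echo "FAIL: no fstab entry for $3 with sec=krb5p and _netdev"; rc=1
    fi
    return $rc
}

# --- constructed sample data ----------------------------------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_MOUNT="$SAMPLE_DIR/mount.out"
SAMPLE_FSTAB="$SAMPLE_DIR/fstab"

cat > "$SAMPLE_MOUNT" <<'EOF'
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
ipaserver.example.com:/nfsshare on /mnt/nfsshare type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.116.202,local_lock=none,addr=192.168.116.200,_netdev)
ipaserver.example.com:/scratch on /mnt/scratch type nfs4 (rw,relatime,vers=4.0,sec=sys,clientaddr=192.168.116.202,addr=192.168.116.200)
EOF

cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample fstab
/dev/mapper/rhel-root /        xfs  defaults 0 0
ipaserver.example.com:/nfsshare /mnt/nfsshare nfs sec=krb5p,_netdev 0 0
ipaserver.example.com:/scratch  /mnt/scratch  nfs _netdev 0 0
EOF

# Example run: the article's mount passes, the constructed /mnt/scratch does not.
verify_client_mount "$SAMPLE_MOUNT" "$SAMPLE_FSTAB" /mnt/nfsshare
verify_client_mount "$SAMPLE_MOUNT" "$SAMPLE_FSTAB" /mnt/scratch || true
```

Because the sec= option is negotiated at mount time, a client that has no usable Kerberos credentials or whose rpc.gssd is not running will fail to mount rather than fall back, but an export that lists several flavors can still end up on sec=sys; reading the flavor back from the mount output is the only way to be sure.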
We have successfully configured our Kerberized NFS Server.
