NFS with Kerberos authentication by example

Task: NFS configuration with Kerberos authentication

You are required to host /nfsshare on server1, and the share should forward SELinux contexts to the client. You are required to use Kerberos-based authentication. Your keytab file can be downloaded from (this domain doesn’t exist):
Similarly, on Desktop1, you are required to persistently mount the share on the /nfsmnt folder.

Solution:

In server1


  1. The NFS server should already be installed; if not:
    yum -y install nfs-utils
  2. To enable SELinux label forwarding to the client, add "-V 4.2" to RPCNFSDARGS in /etc/sysconfig/nfs:
    RPCNFSDARGS="-V 4.2"
  3. Add the NFS export entry:
    echo "/nfsshare 192.168.122.0/24(sec=krb5p,rw)" >> /etc/exports
  4. Add services to startup
    systemctl enable nfs-server
    systemctl enable nfs-secure-server
  5. Generate and download the keytab file from the IPA server (if /etc/krb5.keytab already exists, rename it first)
    mv /etc/krb5.keytab /etc/krb5.org
    wget -O /etc/krb5.keytab ftp://ipa.shiba.local/server1.keytab
  6. Start service
    systemctl start nfs-server
    systemctl start nfs-secure-server
  7. Change ownership and SELinux context
    chown nfsnobody:nfsnobody /nfsshare
    semanage fcontext -a -t public_content_rw_t "/nfsshare(/.*)?"
    restorecon -vR /nfsshare

Note: if you change /etc/exports frequently, you can run "exportfs -r" to re-export the shares without restarting the NFS daemons.
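
Since one line in /etc/exports decides whether clients must use Kerberos with privacy, the file can be checked before each "exportfs -r". The script below is an added example, not part of the original post: it reports every client spec that permits a flavor other than krb5p, including specs with no sec= option (which default to sec=sys). The names audit_exports and sample_exports are hypothetical, the sample lines are constructed, and export paths are assumed to contain no spaces.

```bash
#!/bin/bash
# Added example, not from the original post.
# audit_exports [FILE]: print one "WEAK <path> <client> <reason>" line for every
# client spec that permits a flavor other than krb5p; exit 1 if any were found.
audit_exports() {
    awk '
    # Collect every flavor named by sec= options in a comma-separated list.
    function flavors(opts,   o, n, j, s) {
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++)
            if (o[j] ~ /^sec=/) s = s (s == "" ? "" : ":") substr(o[j], 5)
        return s
    }
    function check(path, client, sec,   f, m, k) {
        if (sec == "") { print "WEAK", path, client, "no-sec-option(defaults-to-sys)"; bad = 1; return }
        m = split(sec, f, ":")
        for (k = 1; k <= m; k++)
            if (f[k] != "krb5p") { print "WEAK", path, client, "allows-sec=" f[k]; bad = 1 }
    }
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    {
        defsec = ""                              # "-opts" defaults last for one line only
        if (NF == 1) check($1, "*", "")          # no client list: world export
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) { defsec = flavors(substr($i, 2)); continue }
            p = index($i, "(")
            client = (p > 1) ? substr($i, 1, p - 1) : (p == 1 ? "*" : $i)
            opts = (p > 0) ? substr($i, p + 1, length($i) - p - 1) : ""
            sec = flavors(opts)
            check($1, client, sec == "" ? defsec : sec)
        }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input: the first line is the export used on this page.
sample_exports() {
    cat <<'EOF'
/nfsshare 192.168.122.0/24(sec=krb5p,rw)
/legacy   192.168.122.0/24(rw,sync)
/mixed    server2(sec=krb5p:sys,rw) desktop1(sec=krb5p,ro)
/defaults -sec=krb5i desktop1(rw)
EOF
}

sample_exports | audit_exports || echo "weak exports found"
```

On the server, run "audit_exports /etc/exports"; a non-zero exit status means at least one client can negotiate something weaker than krb5p.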


In Desktop1:


  1. Enable nfs-secure service and start it.
    systemctl enable nfs-secure
    systemctl start nfs-secure
  2. Rename the existing keytab file, if there is one, and download the new keytab file
    mv /etc/krb5.keytab /etc/krb5.org
    wget -O /etc/krb5.keytab ftp://ipa.shiba.local/desktop1.keytab
  3. Mount NFS share:
    mount -o sec=krb5p,v4.2 server1:/nfsshare /nfsmnt
    If successful, add it to fstab:
    echo "server1:/nfsshare    /nfsmnt nfs _netdev,v4.2,sec=krb5p 0 0" >> /etc/fstab