Task: NFS configuration with Kerberos authentication
You are required to host /nfsshare on server1, which should forward the SELinux context to the client. You are required to use Kerberos-based authentication. Your keytab file can be downloaded from (this domain doesn’t exist):
Similarly, on Desktop1, you are required to persistently mount the share on the /nfsmnt folder.
Solution:
In server1
- NFS server should be installed automatically; if not:
yum -y install nfs-utils
- To enable SELinux label forwarding to the client, add "-V 4.2" in /etc/sysconfig/nfs:
RPCNFSDARGS="-V 4.2"
- Add NFS entry:
echo "/nfsshare 192.168.122.0/24(sec=krb5p,rw)" >> /etc/exports
- Add services to startup:
systemctl enable nfs-server
systemctl enable nfs-secure-server
- Generate and download the keytab file from the IPA server (if /etc/krb5.keytab exists, rename it):
mv /etc/krb5.keytab /etc/krb5.org
wget -O /etc/krb5.keytab ftp://ipa.shiba.local/server1.keytab
- Start services:
systemctl start nfs-server
systemctl start nfs-secure-server
- Change ownership and SELinux context:
chown nfsnobody:nfsnobody /nfsshare
semanage fcontext -a -t public_content_rw_t "/nfsshare(/.*)?"
restorecon -vR /nfsshare
Note: if you change /etc/exports frequently, you can run "exportfs -r" to re-export the shares without restarting the NFS daemons.
In Desktop1:
- Enable the nfs-secure service and start it:
systemctl enable nfs-secure
systemctl start nfs-secure
- Rename the keytab file, if it exists, and download the new keytab file:
mv /etc/krb5.keytab /etc/krb5.org
wget -O /etc/krb5.keytab ftp://ipa.shiba.local/desktop1.keytab
- Mount NFS share:
mount -o sec=krb5p,v4.2 server1:/nfsshare /nfsmnt
- If successful, add it to fstab:
echo "server1:/nfsshare /nfsmnt nfs _netdev,v4.2,sec=krb5p 0 0" >> /etc/fstab
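
The script below is an added example, not part of the original solution: it audits the files the server1 and Desktop1 steps edit, so a silent fallback to a weaker security flavor or a misspelled variable name is caught. The function names are this example's own, and the keytab permission check is an extra hardening check that the steps above do not include.

```shell
#!/bin/sh
# Added example (not from the original solution): audit the files this
# procedure edits. Paths are parameters so copies can be checked offline.

# Succeed only if every client entry for SHARE carries exactly sec=krb5p.
# A bare client, or sec=krb5p:sys, still permits a weaker flavor and fails.
check_export() {  # check_export EXPORTS_FILE SHARE
    awk -v share="$2" '
        $1 == share {
            seen = 1
            for (i = 2; i <= NF; i++) {
                opts = $i
                sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
                if (("," opts ",") !~ /,sec=krb5p,/) bad = 1
            }
        }
        END { exit ((seen && !bad) ? 0 : 1) }' "$1"
}

# Succeed if nfsd is told to serve NFS 4.2 (needed for label forwarding).
check_nfsd_args() {  # check_nfsd_args SYSCONFIG_FILE
    grep -Eq '^[[:space:]]*RPCNFSDARGS=.*-V[[:space:]]*4\.2' "$1"
}

# Extra check, not a step on this page: the keytab holds long-term keys, so
# group and other must have no access (ls mode characters 5-10 all "-").
check_keytab_mode() {  # check_keytab_mode KEYTAB_FILE
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Succeed if MOUNTPOINT has an NFS fstab entry with sec=krb5p and _netdev.
check_fstab() {  # check_fstab FSTAB_FILE MOUNTPOINT
    awk -v mnt="$2" '
        $1 !~ /^#/ && $2 == mnt && $3 ~ /^nfs/ {
            o = "," $4 ","
            if (o ~ /,sec=krb5p,/ && o ~ /,_netdev,/) ok = 1
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Run the server-side checks; defaults are the paths used on this page.
audit_server() {  # audit_server [EXPORTS [SYSCONFIG [KEYTAB]]]
    rc=0
    check_export "${1:-/etc/exports}" /nfsshare || { echo "FAIL: /nfsshare not limited to sec=krb5p"; rc=1; }
    check_nfsd_args "${2:-/etc/sysconfig/nfs}" || { echo "FAIL: RPCNFSDARGS lacks -V 4.2"; rc=1; }
    check_keytab_mode "${3:-/etc/krb5.keytab}" || { echo "FAIL: keytab accessible to group/other"; rc=1; }
    return "$rc"
}
```

On server1, source the file and run `audit_server` with no arguments; on Desktop1, run `check_fstab /etc/fstab /nfsmnt`.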