18.3. Setting up a Kerberized NFS Server
Identity Management can be used to set up a Kerberized NFS server, which does not need to be running on Red Hat Enterprise Linux.
18.3.1. Setting up a Kerberized NFS Server
- Obtain a Kerberos ticket before running IdM utilities.
[user@server ~]$ kinit admin
- If the NFS host machine has not been added as a client to the IdM domain, then create the host entry in the GUI as described in Section 5.4.2, “Other Examples of Adding a Host Entry”, or run a command such as:
[user@server ~]$ ipa host-add --ip-address 192.0.2.10 nfs-server.example.org
- Create the NFS service entry in the IdM domain, for example:
[user@server ~]$ ipa service-add nfs/nfs-server.example.com
For more information, see Section 11.1, “Adding and Editing Service Entries and Keytabs”.
- Generate an NFS service keytab for the NFS server using the ipa-getkeytab command.
The NFS server may be on a Red Hat Enterprise Linux machine in the IdM domain or a different Unix machine. For a Red Hat Enterprise Linux machine, the ipa-getkeytab command can be run on the NFS server machine. Otherwise, the ipa-getkeytab command should be run on a Red Hat Enterprise Linux machine in the IdM domain and the keytab then copied over to the NFS server.
If the ipa-getkeytab command is run on the NFS server, then save the keys directly to the host keytab. For example:
[user@server ~]$ ipa-getkeytab -s server.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab
For a Red Hat Enterprise Linux machine, that's all you need to do.
When generating keys to copy over to another system, generate the key but do not save it in the host keytab. The key must be added separately to the keytab after it is copied to the NFS server:
- Save the keytab to a temporary file. For example:
[user@server ~]$ ipa-getkeytab -s server.example.com -p nfs/nfs-server.example.com -k /root/nfs-server.keytab
- Copy the keytab over to the NFS server.
- Set the file permissions to 0700.
- Add the service key to the keytab file.
[root@nfs-server ~]# ( echo rkt /root/nfs-server.keytab; echo wkt /etc/krb5.keytab ) | ktutil
Note
To verify that the NFS service has been properly configured in IdM with its keytab, check the service entry by using the following command:
[user@server ~]$ ipa service-show nfs/ipaclient2.example.com
  Principal: NFS/ipaclient2.example.com@EXAMPLE.COM
  Keytab: True
- Install the NFS packages. For example:
[root@nfs-server ~]# yum install nfs-utils
- Configure weak crypto support. This is required for every NFS client if any client (such as a Red Hat Enterprise Linux 5 client) in the domain uses older encryption options such as DES.
- Edit the krb5.conf file to include the following line to enable weak crypto:
allow_weak_crypto = true
- Update the IdM server Kerberos configuration to support the DES encryption type.
[user@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
dn: cn=EXAMPLEREALM,cn=kerberos,dc=example,dc=com
changetype: modify
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:normal
-
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:special
-
add: krbDefaultEncSaltTypes
krbDefaultEncSaltTypes: des-cbc-crc:special
- Run the ipa-client-automount command to configure the NFS settings. By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.
Note
If the server is not a member of the IdM domain (does not have the ipa-client package installed), this step needs to be done manually. See the NFS configuration section in the Storage Administration Guide for details.
- Edit the /etc/exports file and add the Kerberos information:
/export *(rw,sec=krb5:krb5i:krb5p)
- Restart the NFS server and related services.
[root@nfs-server ~]# service nfs restart
[root@nfs-server ~]# service rpcsvcgssd restart
- To configure the NFS server as an NFS client, see Section 18.3.2, “Setting up a Kerberized NFS Client”.
18.3.2. Setting up a Kerberized NFS Client
- Obtain a Kerberos ticket before running IdM tools.
[user@server ~]$ kinit admin
- If the NFS client is not enrolled as a client in the IdM domain, then set up the required host entries in the GUI as described in Section 5.4.2, “Other Examples of Adding a Host Entry”, or run a command such as:
[user@server ~]$ ipa host-add --ip-address 192.0.2.20 nfs-client.example.org
- Generate an NFS service keytab for the NFS client using the ipa-getkeytab utility.
The NFS client may be on a Red Hat Enterprise Linux machine in the IdM domain or a different Unix machine. For a Red Hat Enterprise Linux machine, the ipa-getkeytab command can be run on the NFS client machine. Otherwise, the ipa-getkeytab command should be run on a Red Hat Enterprise Linux machine in the IdM domain and the keytab then copied over to the NFS client.
If the ipa-getkeytab command is run on the NFS client, then save the keys directly to the host keytab. For example:
[user@server ~]$ ipa-getkeytab -k /etc/krb5.keytab -s ipa-server.example.org -p nfs/nfs-client-server.example.com@EXAMPLE.COM
For a Red Hat Enterprise Linux machine, that's all you need to do.
When generating keys to copy over to another system, generate the key but do not save it in the host keytab. The key must be added separately to the keytab after it is copied to the NFS server:
- Save the keytab to a temporary file. For example:
[user@server ~]$ ipa-getkeytab -s ipa-server.example.org -p host/nfs-client-server.example.com@EXAMPLE.COM -k /root/nfs-client.keytab
- Copy the keytab over to the NFS client.
- Set the file permissions to 0700.
- Add the service key to the keytab file.
[root@nfs-client-server ~]# ( echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab ) | ktutil
- Run the ipa-client-automount command to configure the NFS settings. By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.
Note
If the client is not a member of the IdM domain (does not have the ipa-client package installed), this step needs to be done manually. See the NFS configuration section in the Storage Administration Guide for details.
- Start the GSS daemon.
[root@nfs-client-server ~]# service rpcgssd start
[root@nfs-client-server ~]# service rpcbind start
[root@nfs-client-server ~]# service rpcidmapd start
- Mount the directory.
[root@nfs-client-server ~]# echo "$NFSSERVER:/this /mnt/this nfs4 sec=krb5i,rw,proto=tcp,port=2049" >>/etc/fstab
[root@nfs-client-server ~]# mount -av
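The following is an added example, not part of the Red Hat guide, covering both the server procedure (Section 18.3.1) and the client procedure (Section 18.3.2): it checks a keytab listing for the nfs/ key that ipa-getkeytab writes, lists any principal still carrying a DES key from the weak-crypto steps, and flags /etc/exports and /etc/fstab entries that do not require a Kerberos security flavour. The sample listing, exports and fstab content are constructed, and the script assumes the `klist -ke` output format and the file formats shown in this section.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): offline sanity checks for the
# Kerberized NFS setup described above. Assumes the `klist -ke` listing format
# and the /etc/exports and /etc/fstab formats shown in this section.

# Constructed sample of `klist -ke /etc/krb5.keytab` output on the NFS server.
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/nfs-server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 nfs/nfs-server.example.com@EXAMPLE.COM (des-cbc-crc)'

# Constructed sample /etc/exports: only the first line requires Kerberos.
EXPORTS='/export *(rw,sec=krb5:krb5i:krb5p)
/legacy *(rw,sync)
/home 192.0.2.0/24(rw,sec=sys)'

# Constructed sample /etc/fstab entries for NFSv4 mounts on a client.
FSTAB='nfs-server.example.com:/export /mnt/export nfs4 sec=krb5i,rw,proto=tcp,port=2049 0 0
nfs-server.example.com:/legacy /mnt/legacy nfs4 rw,proto=tcp 0 0'

# Succeeds when the keytab listing holds an nfs/<host> key (the key that
# ipa-getkeytab -p nfs/<host> writes); $1 = listing, $2 = host FQDN.
has_nfs_key() {
    printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* nfs/$2@"
}

# Prints principals that still carry DES keys, which only exist when the
# allow_weak_crypto / des-cbc-crc steps above were applied; $1 = listing.
weak_keys() {
    printf '%s\n' "$1" | grep -i '(des-' | awk '{print $2}' | sort -u
}

# Prints export paths whose options lack a sec=krb5* flavour; $1 = exports.
unsecured_exports() {
    printf '%s\n' "$1" | grep -v 'sec=krb5' | awk '{print $1}'
}

# Prints mount points of nfs4 entries that do not request sec=krb5*; $1 = fstab.
unsecured_mounts() {
    printf '%s\n' "$1" | awk '$3 == "nfs4" && $4 !~ /sec=krb5/ {print $2}'
}
```

On a real host, replace the constructed strings with `"$(klist -ke /etc/krb5.keytab)"`, `"$(cat /etc/exports)"` and `"$(cat /etc/fstab)"`.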