Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

34.4. Setting up a Kerberos-aware NFS Client

  1. If the NFS clients supports only weak cryptography, such as a Red Hat Enterprise Linux 5 client, set the following entry in the /etc/krb5.conf file of the server to allow weak cryptography: 
    allow_weak_crypto = true
    Copy to Clipboard
  2. If the NFS client is not enrolled as a client in the IdM domain, set up the required host entries, as described in Section 12.3, “Adding Host Entries”.
  3. Install the nfs-utils package: 
    [root@nfs-client ~]# yum install nfs-utils
    Copy to Clipboard
  4. Obtain a Kerberos ticket before running IdM tools. 
    [root@nfs-client ~]# kinit admin
    Copy to Clipboard
  5. Run the ipa-client-automount utility to configure the NFS settings: 
    [root@nfs-client ~] ipa-client-automount
Searching for IPA server...
IPA server: DNS discovery
Location: default
Continue to configure the system with these values? [no]: yes
Configured /etc/sysconfig/nfs
Configured /etc/idmapd.conf
Started rpcidmapd
Started rpcgssd
Restarting sssd, waiting for it to become available.
Started autofs
    Copy to Clipboard
    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.
  6. Configure the services to start automatically when the system boots: 
    [root@nfs-client ~]# systemctl enable rpc-gssd.service
[root@nfs-client ~]# systemctl enable rpcbind.service
    Copy to Clipboard
  7. Add the following entries to the /etc/fstab file to mount the NFS shares from the nfs-server.example.com host when the system boots: 
    nfs-server.example.com:/export  /mnt          nfs4  sec=krb5p,rw
nfs-server.example.com:/home    /home  nfs4  sec=krb5p,rw
    Copy to Clipboard
    These settings configure Red Hat Enterprise Linux to mount the /export share to the /mnt and the /home share to the /home directory.
  8. Create the mount points if they do not exist: 
    # mkdir -p /mnt/
# mkdir -p /home
    Copy to Clipboard
  9. Mount the NFS shares: 
    [root@nfs-client ~]# mount /mnt/
[root@nfs-client ~]# mount /home
    Copy to Clipboard
    The command uses the information from the /etc/fstab entry.
  10. Configure SSSD to renew Kerberos tickets:
    1. Set the following parameters in the IdM domain section of the /etc/sssd/sssd.conf file to configure SSSD to automatically renew tickets: 
      [domain/EXAMPLE.COM]
...
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
      Copy to Clipboard
    2. Restart SSSD: 
      [root@nfs-client ~]# systemctl restart sssd
      Copy to Clipboard
Important
The pam_oddjob_mkhomedir module does not support automatic creation of home directories on an NFS share. Therefore, you must manually create the home directories on the server in the root of the share that contains the home directories.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat