34.4. Setting up a Kerberos-aware NFS Client
- If the NFS clients supports only weak cryptography, such as a Red Hat Enterprise Linux 5 client, set the following entry in the
/etc/krb5.conffile of the server to allow weak cryptography:allow_weak_crypto = true
- If the NFS client is not enrolled as a client in the IdM domain, set up the required host entries, as described in Section 12.3, “Adding Host Entries”.
- Install the nfs-utils package:
[root@nfs-client ~]# yum install nfs-utils
- Obtain a Kerberos ticket before running IdM tools.
[root@nfs-client ~]# kinit admin
- Run the ipa-client-automount utility to configure the NFS settings:
[root@nfs-client ~] ipa-client-automount Searching for IPA server... IPA server: DNS discovery Location: default Continue to configure the system with these values? [no]: yes Configured /etc/sysconfig/nfs Configured /etc/idmapd.conf Started rpcidmapd Started rpcgssd Restarting sssd, waiting for it to become available. Started autofsBy default, this enables secure NFS in the/etc/sysconfig/nfsfile and sets the IdM DNS domain in theDomainparameter in the/etc/idmapd.conffile. - Configure the services to start automatically when the system boots:
[root@nfs-client ~]# systemctl enable rpc-gssd.service [root@nfs-client ~]# systemctl enable rpcbind.service
- Add the following entries to the
/etc/fstabfile to mount the NFS shares from thenfs-server.example.comhost when the system boots:nfs-server.example.com:/export /mnt nfs4 sec=krb5p,rw nfs-server.example.com:/home /home nfs4 sec=krb5p,rw
These settings configure Red Hat Enterprise Linux to mount the/exportshare to the/mntand the/homeshare to the/homedirectory. - Create the mount points if they do not exist:
# mkdir -p /mnt/ # mkdir -p /home
- Mount the NFS shares:
[root@nfs-client ~]# mount /mnt/ [root@nfs-client ~]# mount /home
The command uses the information from the/etc/fstabentry. - Configure SSSD to renew Kerberos tickets:
- Set the following parameters in the IdM domain section of the
/etc/sssd/sssd.conffile to configure SSSD to automatically renew tickets:[domain/EXAMPLE.COM] ... krb5_renewable_lifetime = 50d krb5_renew_interval = 3600
- Restart SSSD:
[root@nfs-client ~]# systemctl restart sssd
Important
The
pam_oddjob_mkhomedir module does not support automatic creation of home directories on an NFS share. Therefore, you must manually create the home directories on the server in the root of the share that contains the home directories.
