34.4. Setting up a Kerberos-aware NFS Client
- If the NFS client supports only weak cryptography, such as a Red Hat Enterprise Linux 5 client, set the following entry in the /etc/krb5.conf file of the server to allow weak cryptography:

    allow_weak_crypto = true
- If the NFS client is not enrolled as a client in the IdM domain, set up the required host entries, as described in Section 12.3, “Adding Host Entries”.
- Install the nfs-utils package:

    [root@nfs-client ~]# yum install nfs-utils

- Obtain a Kerberos ticket before running IdM tools:

    [root@nfs-client ~]# kinit admin

- Run the ipa-client-automount utility to configure the NFS settings:

    [root@nfs-client ~]# ipa-client-automount
    Searching for IPA server...
    IPA server: DNS discovery
    Location: default
    Continue to configure the system with these values? [no]: yes
    Configured /etc/sysconfig/nfs
    Configured /etc/idmapd.conf
    Started rpcidmapd
    Started rpcgssd
    Restarting sssd, waiting for it to become available.
    Started autofs
  By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.

- Configure the services to start automatically when the system boots:

    [root@nfs-client ~]# systemctl enable rpc-gssd.service
    [root@nfs-client ~]# systemctl enable rpcbind.service
- Add the following entries to the /etc/fstab file to mount the NFS shares from the nfs-server.example.com host when the system boots:

    nfs-server.example.com:/export /mnt nfs4 sec=krb5p,rw
    nfs-server.example.com:/home /home nfs4 sec=krb5p,rw
  These settings configure Red Hat Enterprise Linux to mount the /export share to the /mnt directory and the /home share to the /home directory.

- Create the mount points if they do not exist:

    # mkdir -p /mnt/
    # mkdir -p /home
- Mount the NFS shares:

    [root@nfs-client ~]# mount /mnt/
    [root@nfs-client ~]# mount /home

  The command uses the information from the /etc/fstab entry.

- Configure SSSD to renew Kerberos tickets:
  - Set the following parameters in the IdM domain section of the /etc/sssd/sssd.conf file to configure SSSD to automatically renew tickets:

        [domain/EXAMPLE.COM]
        ...
        krb5_renewable_lifetime = 50d
        krb5_renew_interval = 3600
  - Restart SSSD:

        [root@nfs-client ~]# systemctl restart sssd
Important

The pam_oddjob_mkhomedir module does not support automatic creation of home directories on an NFS share. Therefore, you must manually create the home directories on the server in the root of the share that contains the home directories.
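The following shell script is an added example, not part of the Red Hat guide, that audits the client-side state the procedure above leaves behind: every NFS entry in /etc/fstab should carry sec=krb5p, the IdM domain section of sssd.conf should carry both renewal parameters, and allow_weak_crypto should not remain enabled once the legacy clients it was added for are gone. The function names and the sample file contents are constructed for this example; on a real client you would pass the contents of /etc/fstab, /etc/sssd/sssd.conf and /etc/krb5.conf instead.

```shell
#!/bin/sh
# Added audit helper (not from the Red Hat guide). Function names and the
# sample file contents below are constructed for this example.

# Constructed /etc/fstab: the two entries from the procedure plus two that an
# audit should flag (sec=sys, and no sec= option at all, which also means
# AUTH_SYS, i.e. no Kerberos).
FSTAB_SAMPLE='# constructed sample
/dev/sda1 / xfs defaults 0 0
nfs-server.example.com:/export /mnt nfs4 sec=krb5p,rw
nfs-server.example.com:/home /home nfs4 sec=krb5p,rw
nfs-server.example.com:/data /data nfs4 sec=sys,rw
nfs-server.example.com:/scratch /scratch nfs rw'

# Constructed sssd.conf excerpts: one with renewal configured, one without.
SSSD_OK='[sssd]
domains = example.com
[domain/EXAMPLE.COM]
...
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600'
SSSD_MISSING='[domain/EXAMPLE.COM]
krb5_renewable_lifetime = 50d'

# Constructed krb5.conf [libdefaults] excerpts.
KRB5_WEAK='[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = true'
KRB5_OK='[libdefaults]
 default_realm = EXAMPLE.COM'

# Print the mount point of every NFS entry whose sec= option is not krb5p.
# krb5 authenticates only, krb5i adds integrity, krb5p adds privacy; a missing
# sec= option means sec=sys (AUTH_SYS). Comment lines are skipped.
weak_nfs_mounts() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $3 ~ /^nfs4?$/ && $4 !~ /(^|,)sec=krb5p(,|$)/ { print $2 }'
}

# Return 0 if both renewal parameters are set in [domain/<realm>] of an
# sssd.conf text, 1 otherwise. Usage: sssd_renewal_configured "$text" EXAMPLE.COM
sssd_renewal_configured() {
    printf '%s\n' "$1" | awk -F '[[:space:]]*=[[:space:]]*' -v sect="[domain/$2]" '
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s)
            in_sect = (s == sect); next
        }
        in_sect { k = $1; sub(/^[[:space:]]+/, "", k) }
        in_sect && k == "krb5_renewable_lifetime" && $2 != "" { lifetime = 1 }
        in_sect && k == "krb5_renew_interval"     && $2 != "" { interval = 1 }
        END { exit !(lifetime && interval) }'
}

# Return 0 if allow_weak_crypto is enabled in a krb5.conf text. The procedure
# enables it only for legacy (RHEL 5) clients, so an audit reports it.
weak_crypto_enabled() {
    printf '%s\n' "$1" | awk -F '[[:space:]]*=[[:space:]]*' '
        { k = $1; sub(/^[[:space:]]+/, "", k) }
        k == "allow_weak_crypto" && tolower($2) ~ /^(true|yes|1)/ { found = 1 }
        END { exit !found }'
}

# Run all checks over fstab, sssd.conf and krb5.conf text; print findings and
# return 1 if anything needs attention. Usage: audit_nfs_client FSTAB SSSD REALM KRB5
audit_nfs_client() {
    rc=0
    weak=$(weak_nfs_mounts "$1")
    if [ -n "$weak" ]; then
        echo "FAIL: NFS mounts without sec=krb5p: $(echo "$weak" | xargs)"; rc=1
    fi
    if sssd_renewal_configured "$2" "$3"; then
        echo "OK:   SSSD ticket renewal configured for $3"
    else
        echo "FAIL: krb5_renewable_lifetime/krb5_renew_interval missing in [domain/$3]"; rc=1
    fi
    if weak_crypto_enabled "$4"; then
        echo "WARN: allow_weak_crypto = true is set (needed only for legacy clients)"; rc=1
    else
        echo "OK:   weak Kerberos crypto not enabled"
    fi
    return $rc
}

# On a real client, replace the constructed samples with the live files:
# audit_nfs_client "$(cat /etc/fstab)" "$(cat /etc/sssd/sssd.conf)" EXAMPLE.COM "$(cat /etc/krb5.conf)"
audit_nfs_client "$FSTAB_SAMPLE" "$SSSD_OK" EXAMPLE.COM "$KRB5_WEAK" || echo "audit found issues"
```

With the constructed samples the run reports /data and /scratch as mounts without Kerberos privacy and warns that allow_weak_crypto is still on, while the SSSD renewal check passes; the fstab parsing deliberately treats a missing sec= option the same as sec=sys, since that is what the kernel client falls back to.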