34.3. Setting up a Kerberos-aware NFS Server
- If any of your NFS clients support only weak cryptography, such as Red Hat Enterprise Linux 5 clients:
- Update the IdM server Kerberos configuration to enable the weak
des-cbc-crc
encryption type:$ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389 dn: cn=REALM_NAME,cn=kerberos,dc=example,dc=com changetype: modify add: krbSupportedEncSaltTypes krbSupportedEncSaltTypes: des-cbc-crc:normal - add: krbSupportedEncSaltTypes krbSupportedEncSaltTypes: des-cbc-crc:special - add: krbDefaultEncSaltTypes krbDefaultEncSaltTypes: des-cbc-crc:special
- On the NFS server, add the following entry to the
/etc/krb5.conf
file of the NFS server enable weak cryptography support:allow_weak_crypto = true
- Obtain a Kerberos ticket:
[root@nfs-server ~]# kinit admin
- If the NFS host machine has not been added as a client to the IdM domain, create the host entry. See Section 12.3, “Adding Host Entries”.
- Create the NFS service entry:
[root@nfs-server ~]# ipa service-add nfs/nfs-server.example.com
For more information, see Section 16.1, “Adding and Editing Service Entries and Keytabs”. - Retrieve an NFS service keytab for the NFS server using the following ipa-getkeytab command that saves the keys in the
/etc/krb5.keytab
file:[root@nfs-server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab
If any of your NFS clients support only weak cryptography, additionally pass the-e des-cbc-crc
option to the command to request a DES-encrypted keytab. - Verify that the NFS service has been properly configured in IdM, with its keytab, by checking the service entry:
[root@nfs-server ~]# ipa service-show nfs/nfs-server.example.com Principal name: nfs/nfs-server.example.com@IDM.EXAMPLE.COM Principal alias: nfs/nfs-server.example.com@IDM.EXAMPLE.COM Keytab: True Managed by: nfs-server.example.com
- Install the nfs-utils package:
[root@nfs-server ~]# yum install nfs-utils
- Run the ipa-client-automount utility to configure the NFS settings:
[root@nfs-server ~] ipa-client-automount Searching for IPA server... IPA server: DNS discovery Location: default Continue to configure the system with these values? [no]: yes Configured /etc/sysconfig/nfs Configured /etc/idmapd.conf Started rpcidmapd Started rpcgssd Restarting sssd, waiting for it to become available. Started autofs
By default, this command enables secure NFS and sets theDomain
parameter in the/etc/idmapd.conf
file to the IdM DNS domain. If you use a different domain, specify it using the--idmap-domain domain_name
parameter. - Configure the
nfs-idmapd
service to start automatically when the system boots:# systemctl enable nfs-idmapd
- Edit the
/etc/exports
file and add shares with the krb5p Kerberos security setting:/export *(rw,sec=krb5:krb5i:krb5p) /home *(rw,sec=krb5:krb5i:krb5p)
This example shares the/export
and/home
directories in read-write mode with Kerberos authentication enabled. - Re-export the shared directories:
[root@nfs-server ~]# exportfs -rav
- Optionally, configure the NFS server as an NFS client. See Section 34.4, “Setting up a Kerberos-aware NFS Client”.