34.3. Setting up a Kerberos-aware NFS Server

  1. If any of your NFS clients support only weak cryptography, such as Red Hat Enterprise Linux 5 clients:
    1. Update the IdM server Kerberos configuration to enable the weak des-cbc-crc encryption type:
      $ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
      
      dn: cn=REALM_NAME,cn=kerberos,dc=example,dc=com
      changetype: modify
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:normal
      -
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:special
      -
      add: krbDefaultEncSaltTypes
      krbDefaultEncSaltTypes: des-cbc-crc:special
    2. On the NFS server, add the following entry to the /etc/krb5.conf file to enable weak cryptography support:
      allow_weak_crypto = true
  2. Obtain a Kerberos ticket:
    [root@nfs-server ~]# kinit admin
  3. If the NFS host machine has not been added as a client to the IdM domain, create the host entry. See Section 12.3, “Adding Host Entries”.
  4. Create the NFS service entry:
    [root@nfs-server ~]# ipa service-add nfs/nfs-server.example.com
  5. Retrieve an NFS service keytab for the NFS server with the following ipa-getkeytab command, which saves the keys in the /etc/krb5.keytab file:
    [root@nfs-server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab
    If any of your NFS clients support only weak cryptography, additionally pass the -e des-cbc-crc option to the command to request a DES-encrypted keytab.
  6. Verify that the NFS service has been properly configured in IdM, with its keytab, by checking the service entry:
    [root@nfs-server ~]# ipa service-show nfs/nfs-server.example.com
      Principal name: nfs/nfs-server.example.com@IDM.EXAMPLE.COM
      Principal alias: nfs/nfs-server.example.com@IDM.EXAMPLE.COM
      Keytab: True
      Managed by: nfs-server.example.com
  7. Install the nfs-utils package:
    [root@nfs-server ~]# yum install nfs-utils
  8. Run the ipa-client-automount utility to configure the NFS settings:
    [root@nfs-server ~]# ipa-client-automount
    Searching for IPA server...
    IPA server: DNS discovery
    Location: default
    Continue to configure the system with these values? [no]: yes
    Configured /etc/sysconfig/nfs
    Configured /etc/idmapd.conf
    Started rpcidmapd
    Started rpcgssd
    Restarting sssd, waiting for it to become available.
    Started autofs
    By default, this command enables secure NFS and sets the Domain parameter in the /etc/idmapd.conf file to the IdM DNS domain. If you use a different domain, specify it using the --idmap-domain domain_name parameter.
  9. Configure the nfs-idmapd service to start automatically when the system boots:
    # systemctl enable nfs-idmapd
  10. Edit the /etc/exports file and add shares with the krb5p Kerberos security setting:
    /export  *(rw,sec=krb5:krb5i:krb5p)
    /home  *(rw,sec=krb5:krb5i:krb5p)
    This example shares the /export and /home directories in read-write mode with Kerberos authentication enabled.
  11. Re-export the shared directories:
    [root@nfs-server ~]# exportfs -rav
  12. Optionally, configure the NFS server as an NFS client. See Section 34.4, “Setting up a Kerberos-aware NFS Client”.
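The procedure above edits two files by hand, /etc/exports (step 10) and, for legacy clients only, /etc/krb5.conf (step 1). The shell script below is an added example, not part of the Red Hat documentation, that audits copies of both files: it flags every export whose sec= list permits a non-Kerberos flavor (an export with no sec= option defaults to sec=sys, so it is flagged too), and it reports whether allow_weak_crypto is still enabled. Of the three Kerberos flavors, krb5 authenticates only, krb5i adds integrity protection, and krb5p adds privacy (encryption) as well. The file paths and file contents are constructed for this example; point the functions at the real /etc/exports and /etc/krb5.conf to audit a live server.

```shell
#!/bin/sh
# Added example (not Red Hat's code): audit NFS export security flavors and
# the weak-crypto setting described in the procedure. All paths and file
# contents below are constructed for the example.

# check_sec OPTS: return 0 only if the comma-separated export options carry a
# sec= list made solely of krb5, krb5i or krb5p (exports(5): no sec= means sys).
check_sec() {
    cs_opts=$1 cs_sec='' cs_ok=0 cs_old_ifs=$IFS
    IFS=','
    for o in $cs_opts; do
        case $o in sec=*) cs_sec=${o#sec=} ;; esac
    done
    IFS=':'
    for f in $cs_sec; do
        case $f in krb5|krb5i|krb5p) ;; *) cs_ok=1 ;; esac
    done
    IFS=$cs_old_ifs
    [ -n "$cs_sec" ] && [ "$cs_ok" -eq 0 ]
}

# audit_exports FILE: print "WEAK: <path> <clientspec>" for every client
# specification that does not require Kerberos; return 1 if any was found.
audit_exports() {
    ae_file=$1 ae_bad=0
    set -f   # client specs contain '*'; do not let the shell glob them
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        set -- $line           # $1 = export path, remaining words = client specs
        ae_path=$1; shift
        for spec in "$@"; do
            case $spec in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      opts='' ;;   # bare client, all options default (sec=sys)
            esac
            if ! check_sec "$opts"; then
                printf 'WEAK: %s %s\n' "$ae_path" "$spec"
                ae_bad=1
            fi
        done
    done < "$ae_file"
    set +f
    return $ae_bad
}

# weak_crypto_enabled FILE: return 0 if krb5.conf sets allow_weak_crypto = true.
weak_crypto_enabled() {
    grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true' "$1"
}

# --- constructed sample files ---------------------------------------------
EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$EXAMPLE_DIR"' EXIT
GOOD_EXPORTS=$EXAMPLE_DIR/exports.good
WEAK_EXPORTS=$EXAMPLE_DIR/exports.weak
LEGACY_KRB5=$EXAMPLE_DIR/krb5.conf.legacy
HARDENED_KRB5=$EXAMPLE_DIR/krb5.conf.hardened

cat > "$GOOD_EXPORTS" <<'EOF'
# constructed sample: both shares require Kerberos, as in step 10
/export  *(rw,sec=krb5:krb5i:krb5p)
/home    *(rw,sec=krb5:krb5i:krb5p)
EOF

cat > "$WEAK_EXPORTS" <<'EOF'
# constructed sample: three client specs still allow unauthenticated access
/export  *(rw,sec=krb5:krb5i:krb5p)
/home    *(rw,sec=krb5p:sys)
/scratch *(rw)
/data    trusted.example.com(rw,sec=krb5p) *(ro)
EOF

cat > "$LEGACY_KRB5" <<'EOF'
[libdefaults]
 default_realm = IDM.EXAMPLE.COM
 allow_weak_crypto = true
EOF

cat > "$HARDENED_KRB5" <<'EOF'
[libdefaults]
 default_realm = IDM.EXAMPLE.COM
EOF

# --- run the audit ---------------------------------------------------------
for f in "$GOOD_EXPORTS" "$WEAK_EXPORTS"; do
    printf '== %s ==\n' "$f"
    if audit_exports "$f"; then
        echo "every client spec requires a Kerberos flavor"
    else
        echo "fix the WEAK entries above (sec=krb5p gives authentication, integrity and privacy)"
    fi
done
for f in "$LEGACY_KRB5" "$HARDENED_KRB5"; do
    if weak_crypto_enabled "$f"; then
        echo "$f: allow_weak_crypto = true (needed only while DES-only clients remain)"
    else
        echo "$f: weak crypto disabled"
    fi
done
```

Run it on a live system as `audit_exports /etc/exports; weak_crypto_enabled /etc/krb5.conf` after sourcing the functions; a non-zero exit from audit_exports means at least one share can still be mounted without Kerberos, and the sec=sys fallback on /home in the sample shows why the whole sec= list, not just its first entry, has to be checked.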
© 2024 Red Hat, Inc.