
34.3. Setting up a Kerberos-aware NFS Server


  1. If any of your NFS clients support only weak cryptography, such as Red Hat Enterprise Linux 5 clients:
    1. Update the IdM server Kerberos configuration to enable the weak des-cbc-crc encryption type:
      $ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
      
      dn: cn=REALM_NAME,cn=kerberos,dc=example,dc=com
      changetype: modify
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:normal
      -
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:special
      -
      add: krbDefaultEncSaltTypes
      krbDefaultEncSaltTypes: des-cbc-crc:special
    2. On the NFS server, add the following entry to the /etc/krb5.conf file to enable weak cryptography support:
      allow_weak_crypto = true
  2. Obtain a Kerberos ticket:
    [root@nfs-server ~]# kinit admin
  3. If the NFS host machine has not been added as a client to the IdM domain, create the host entry. See Section 12.3, “Adding Host Entries”.
  4. Create the NFS service entry:
    [root@nfs-server ~]# ipa service-add nfs/nfs-server.example.com
  5. Retrieve an NFS service keytab for the NFS server using the following ipa-getkeytab command that saves the keys in the /etc/krb5.keytab file:
    [root@nfs-server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab
    If any of your NFS clients support only weak cryptography, additionally pass the -e des-cbc-crc option to the command to request a DES-encrypted keytab.
  6. Verify that the NFS service has been properly configured in IdM, with its keytab, by checking the service entry:
    [root@nfs-server ~]# ipa service-show nfs/nfs-server.example.com
      Principal name: nfs/nfs-server.example.com@IDM.EXAMPLE.COM
      Principal alias: nfs/nfs-server.example.com@IDM.EXAMPLE.COM
      Keytab: True
      Managed by: nfs-server.example.com
  7. Install the nfs-utils package:
    [root@nfs-server ~]# yum install nfs-utils
  8. Run the ipa-client-automount utility to configure the NFS settings:
    [root@nfs-server ~]# ipa-client-automount
    Searching for IPA server...
    IPA server: DNS discovery
    Location: default
    Continue to configure the system with these values? [no]: yes
    Configured /etc/sysconfig/nfs
    Configured /etc/idmapd.conf
    Started rpcidmapd
    Started rpcgssd
    Restarting sssd, waiting for it to become available.
    Started autofs
    By default, this command enables secure NFS and sets the Domain parameter in the /etc/idmapd.conf file to the IdM DNS domain. If you use a different domain, specify it using the --idmap-domain domain_name parameter.
  9. Configure the nfs-idmapd service to start automatically when the system boots:
    # systemctl enable nfs-idmapd
  10. Edit the /etc/exports file and add shares with the krb5p Kerberos security setting:
    /export  *(rw,sec=krb5:krb5i:krb5p)
    /home  *(rw,sec=krb5:krb5i:krb5p)
    This example shares the /export and /home directories in read-write mode with Kerberos authentication enabled.
  11. Re-export the shared directories:
    [root@nfs-server ~]# exportfs -rav
  12. Optionally, configure the NFS server as an NFS client. See Section 34.4, “Setting up a Kerberos-aware NFS Client”.
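
A check for the result of steps 1 and 10, as an added example that is not part of the original guide: it reports the weakest sec= flavor each export accepts (sys, then krb5, krb5i, krb5p in increasing strength) and whether allow_weak_crypto is still set. The function names audit_exports and weak_crypto_enabled are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). All sample input is constructed.
# audit_exports FILE: for each client entry of an exports(5)-format file, print
# "<path> <client> weakest=<flavor>": the weakest sec= flavor that entry accepts.
# Returns 1 if any entry accepts a non-Kerberos flavor (sys is the default).
audit_exports() {
    awk '
    BEGIN { rank["krb5"] = 1; rank["krb5i"] = 2; rank["krb5p"] = 3 }
    NF == 0 || $1 ~ /^#/ { next }                # skip blank lines and comments
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) { client = substr($i, 1, p - 1); opts = substr($i, p + 1) }
            sub(/\)$/, "", opts)
            sec = ""                             # an entry may repeat sec=
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) sec = sec (sec == "" ? "" : ":") substr(o[j], 5)
            if (sec == "") sec = "sys"           # no sec= option means sys
            low = 4
            m = split(sec, f, ":")
            for (j = 1; j <= m; j++) {
                r = (f[j] in rank) ? rank[f[j]] : 0
                if (r < low) { low = r; weakest = f[j] }
            }
            if (low == 0) bad = 1
            print $1, client, "weakest=" weakest
        }
    }
    END { exit bad + 0 }' "$1"
}

# weak_crypto_enabled FILE: succeeds if a krb5.conf-format file turns on
# allow_weak_crypto (needed only while DES-only clients remain).
weak_crypto_enabled() {
    grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|on|y|t|1)[[:space:]]*$' "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/exports" <<'EOF'
/export  *(rw,sec=krb5:krb5i:krb5p)
/home    *(rw,sec=krb5p)
/scratch *(rw) 192.0.2.0/24(ro,sec=sys:krb5p)
EOF
printf '[libdefaults]\n  allow_weak_crypto = true\n' > "$tmp/krb5.conf"
audit_exports "$tmp/exports" || echo "an export accepts a non-Kerberos flavor"
weak_crypto_enabled "$tmp/krb5.conf" && echo "allow_weak_crypto is enabled"
```

On the NFS server itself, point the two functions at /etc/exports and /etc/krb5.conf instead of the sample files.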