18.3. Setting up a Kerberized NFS Server


Identity Management can be used to set up a Kerberized NFS server, which does not need to be running on Red Hat Enterprise Linux.

18.3.1. Setting up a Kerberized NFS Server

  1. Obtain a Kerberos ticket before running IdM utilities.
    [user@server ~]$ kinit admin
  2. If the NFS host machine has not been added as a client to the IdM domain, then create the host entry in the GUI as described in Section 5.4.2, “Other Examples of Adding a Host Entry”, or run a command such as:
    [user@server ~]$ ipa host-add --ip-address 192.0.2.10 nfs-server.example.org
  3. Create the NFS service entry in the IdM domain, for example:
    [user@server ~]$ ipa service-add nfs/nfs-server.example.com
  4. Generate an NFS service keytab for the NFS server using the ipa-getkeytab command.
    The NFS server may be on a Red Hat Enterprise Linux machine in the IdM domain or a different Unix machine. For a Red Hat Enterprise Linux machine, the ipa-getkeytab command can be run on the NFS server machine. Otherwise, the ipa-getkeytab command should be run on a Red Hat Enterprise Linux machine in the IdM domain and then copied over to the NFS server.
    If the ipa-getkeytab command is run on the NFS server, then save the keys directly to the host keytab. For example:
    [user@server ~]$ ipa-getkeytab -s server.example.com -p nfs/nfs-server.example.com -k /etc/krb5.keytab
    For a Red Hat Enterprise Linux machine, that's all you need to do.
    When generating keys to copy over to another system, generate the key but do not save it in the host keytab. The key must be added separately to the keytab after it is copied to the NFS server:
    1. Save the keytab to a temporary file. For example:
      [user@server ~]$ ipa-getkeytab -s server.example.com -p nfs/nfs-server.example.com -k /root/nfs-server.keytab
    2. Copy the keytabs over to the NFS server.
    3. Set the file permissions to 0700.
    4. Add the service key to the keytab file.
      [root@nfs-server ~]# ( echo rkt /root/nfs-server.keytab; echo wkt /etc/krb5.keytab ) | ktutil

    Note

    To verify that the NFS service has been properly configured in IdM with its keytab, check the service entry by using the following command:
    [user@server ~]$ ipa service-show nfs/ipaclient2.example.com
    Principal: NFS/ipaclient2.example.com@EXAMPLE.COM
    Keytab: True
  5. Install the NFS packages. For example:
    [root@nfs-server ~]# yum install nfs-utils
  6. Configure weak crypto support. This is required for every NFS client if any client (such as a Red Hat Enterprise Linux 5 client) in the domain uses older encryption options such as DES.
    1. Edit the krb5.conf file to include the following line to enable weak crypto:
      allow_weak_crypto = true
    2. Update the IdM server Kerberos configuration to support the DES encryption type.
      [user@ipaserver ~]$ ldapmodify -x -D "cn=directory manager" -w password -h ipaserver.example.com -p 389
      
      dn: cn=EXAMPLEREALM,cn=kerberos,dc=example,dc=com
      changetype: modify
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:normal
      -
      add: krbSupportedEncSaltTypes
      krbSupportedEncSaltTypes: des-cbc-crc:special
      -
      add: krbDefaultEncSaltTypes
      krbDefaultEncSaltTypes: des-cbc-crc:special
  7. Run the ipa-client-automount command to configure the NFS settings.
    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.

    Note

    If the server is not a member of the IdM domain (does not have the ipa-client package installed), this step needs to be done manually. See the NFS configuration section in the Storage Administration Guide for details.
  8. Edit the /etc/exports file and add the Kerberos information:
    /export  *(rw,sec=krb5:krb5i:krb5p)
  9. Restart the NFS server and related services.
    [root@nfs-server ~]# service nfs restart
    [root@nfs-server ~]# service rpcsvcgssd restart
  10. To configure the NFS server as an NFS client, see Section 18.3.2, “Setting up a Kerberized NFS Client”.
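    The following script is an added example and is not part of the Red Hat guide. It audits the two security-relevant settings from steps 6 and 8 above: an /etc/exports entry with no sec= option defaults to sec=sys (no Kerberos), and allow_weak_crypto re-enables DES. The sample files it reads are constructed here for illustration.

```bash
#!/bin/bash
# Added example, not from the Red Hat guide: audit the two security-relevant
# settings of steps 6 and 8. An exports entry with no sec= option defaults to
# sec=sys (no Kerberos) and allow_weak_crypto re-enables DES. Samples constructed.
set -f   # no globbing: the exports client wildcard '*' must stay literal

# Return 0 only if every client entry in the exports file restricts sec= to
# the Kerberos flavours krb5, krb5i and krb5p. Offending lines are printed.
check_exports_krb5_only() {
    local file="$1" rc=0 line client opts sec f
    while IFS= read -r line; do
        line="${line%%#*}"                 # drop comments
        set -- $line                       # split into: path client(opts)...
        [ $# -lt 2 ] && continue           # blank line or path with no clients
        shift
        for client in "$@"; do
            opts="${client#*(}"; opts="${opts%)}"
            [ "$opts" = "$client" ] && opts=""   # client given without "(...)"
            case ",$opts," in
                *,sec=*) sec="${opts##*sec=}"; sec="${sec%%,*}" ;;
                *) echo "no sec= option (defaults to sys): $line"; rc=1; continue ;;
            esac
            for f in $(printf '%s' "$sec" | tr ':' ' '); do
                case "$f" in
                    krb5|krb5i|krb5p) ;;
                    *) echo "non-Kerberos flavour '$f': $line"; rc=1 ;;
                esac
            done
        done
    done < "$file"
    return $rc
}

# Return 1 if krb5.conf still enables weak crypto (DES), which step 6 needs
# only while legacy clients such as RHEL 5 use des-cbc-crc.
check_weak_crypto_off() {
    if grep -Eqi '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|1)' "$1"; then
        echo "allow_weak_crypto is enabled in $1: DES accepted"
        return 1
    fi
    return 0
}

# Constructed sample inputs (not real system files)
work=$(mktemp -d)
printf '%s\n' '/export  *(rw,sec=krb5:krb5i:krb5p)' > "$work/exports.good"
printf '%s\n' '/export  *(rw,sec=krb5:krb5i:krb5p)' '/home  *(rw,sec=sys:krb5)' \
    '/scratch  *(rw)' > "$work/exports.bad"
printf '%s\n' '[libdefaults]' ' allow_weak_crypto = true' > "$work/krb5.conf.weak"
printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' > "$work/krb5.conf.ok"
```

    On a real server, run `check_exports_krb5_only /etc/exports` and `check_weak_crypto_off /etc/krb5.conf` after step 8; a non-zero exit status points at the weaker setting and the line that causes it.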

18.3.2. Setting up a Kerberized NFS Client

  1. Obtain a Kerberos ticket before running IdM tools.
    [user@server ~]$ kinit admin
  2. If the NFS client is not enrolled as a client in the IdM domain, then set up the required host entries in the GUI as described in Section 5.4.2, “Other Examples of Adding a Host Entry”, or run a command such as:
    [user@server ~]$ ipa host-add --ip-address 192.0.2.20 nfs-client.example.org
  3. Generate an NFS service keytab for the NFS client using the ipa-getkeytab utility.
    The NFS client may be on a Red Hat Enterprise Linux machine in the IdM domain or a different Unix machine. For a Red Hat Enterprise Linux machine, the ipa-getkeytab command can be run on the NFS client machine. Otherwise, the ipa-getkeytab command should be run on a Red Hat Enterprise Linux machine in the IdM domain and then copied over to the NFS client.
    If the ipa-getkeytab command is run on the NFS client, then save the keys directly to the host keytab. For example:
    [user@server ~]$ ipa-getkeytab -k /etc/krb5.keytab -s ipa-server.example.org -p nfs/nfs-client-server.example.com@EXAMPLE.COM
    For a Red Hat Enterprise Linux machine, that's all you need to do.
    When generating keys to copy over to another system, generate the key but do not save it in the host keytab. The key must be added separately to the keytab after it is copied to the NFS client:
    1. Save the keytab to a temporary file. For example:
      [user@server ~]$ ipa-getkeytab -s ipa-server.example.org -p host/nfs-client-server.example.com@EXAMPLE.COM -k /root/nfs-client.keytab
    2. Copy the keytabs over to the NFS client.
    3. Set the file permissions to 0700.
    4. Add the service key to the keytab file.
      [root@nfs-client-server ~]# ( echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab ) | ktutil
  4. Run the ipa-client-automount command to configure the NFS settings.
    By default, this enables secure NFS in the /etc/sysconfig/nfs file and sets the IdM DNS domain in the Domain parameter in the /etc/idmapd.conf file.

    Note

    If the client is not a member of the IdM domain (does not have the ipa-client package installed), this step needs to be done manually. See the NFS configuration section in the Storage Administration Guide for details.
  5. Start the GSS daemon.
    [root@nfs-client-server ~]# service rpcgssd start
    [root@nfs-client-server ~]# service rpcbind start
    [root@nfs-client-server ~]# service rpcidmapd start
  6. Mount the directory.
    [root@nfs-client-server ~]# echo "$NFSSERVER:/this /mnt/this nfs4 sec=krb5i,rw,proto=tcp,port=2049"  >>/etc/fstab
    [root@nfs-client-server ~]# mount -av
© 2024 Red Hat, Inc.