RHCE - Part4 - nfs Kerberos
Make sure to review the RHCSA topic on NFS first: https://sysadminplayfield.github.io/rhcsa/centos7/2020/02/20/rhcsa-18-nfs-samba.html
KDC: kdc.example.local
Server: srv.example.local
Client: client.example.local
NFS SERVER CONFIGURATION
Create directory:
# mkdir /srv/nfskerberos
Set SELinux context:
# semanage fcontext -at nfs_t "/srv/nfskerberos(/.*)?"
# restorecon -v /srv/nfskerberos
Edit /etc/exports:
# vi /etc/exports
/srv/nfskerberos client.example.local(sec=krb5p,rw,sync)
Retrieve keytab file from the KDC:
# wget -O /etc/krb5.keytab ftp://kdc.example.local/pub/srv.keytab
or, if ipa-client is installed
# ipa-getkeytab -s kdc.example.local -p nfs/srv.example.local -k /etc/krb5.keytab
Optional: Enable NFS version 4.2:
# vi /etc/sysconfig/nfs
[...]
RPCNFSDARGS="-V 4.2"
[...]
Enable and start nfs-server and nfs-secure-server:
# systemctl enable nfs-server nfs-secure-server
# systemctl start nfs-server nfs-secure-server
Allow nfs in firewall:
# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --reload
Optional: In some cases, mountd and rpc-bind are required in firewalld:
- The server is NFS3
- The server is NFS4 and allows the remote clients to discover exported shares
# firewall-cmd --permanent --add-service={mountd,rpc-bind}
# firewall-cmd --reload
NFS CLIENT CONFIGURATION
Install nfs-utils:
# yum install -y nfs-utils
Create mountpoint:
# mkdir /mnt/nfs
Retrieve keytab file from the KDC:
# wget -O /etc/krb5.keytab ftp://kdc.example.local/pub/client.keytab
or, if ipa-client is installed
# ipa-getkeytab -s kdc.example.local -p nfs/client.example.local -k /etc/krb5.keytab
Enable and start nfs-secure:
# systemctl enable nfs-secure
# systemctl start nfs-secure
Temporarily mount the nfs share:
For nfs3
# mount -v -t nfs -o vers=3,sec=krb5p,rw,sync srv.example.local:/srv/nfskerberos /mnt/nfs
For nfs4
# mount -v -t nfs4 -o sec=krb5p,rw,sync srv.example.local:/srv/nfskerberos /mnt/nfs
For nfs4.2
# mount -v -t nfs -o vers=4.2,sec=krb5p,rw,sync srv.example.local:/srv/nfskerberos /mnt/nfs
Permanently mount the nfs share by editing /etc/fstab:
# vi /etc/fstab
[...]
#For nfs3
srv.example.local:/srv/nfskerberos /mnt/nfs nfs vers=3,sec=krb5p,rw,sync 0 0
#For nfs4
srv.example.local:/srv/nfskerberos /mnt/nfs nfs vers=4,sec=krb5p,rw,sync 0 0
#For nfs4.2
srv.example.local:/srv/nfskerberos /mnt/nfs nfs vers=4.2,sec=krb5p,rw,sync 0 0
Mount from /etc/fstab entries:
# mount -av
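A check to run after the configuration above, as an added example that is not part of the original post: it lists /etc/exports clients and /etc/fstab NFS entries that do not enforce sec=krb5p (an export with no sec= option is served as sec=sys). The function names and the sample paths /srv/legacy and /srv/mixed are constructed for illustration; it assumes one export per line, without line continuations or "-" default option groups.

```bash
#!/bin/bash
# Added example: find NFS exports and fstab mounts that do not enforce sec=krb5p.

# stdin: /etc/exports text. Prints "path client" for each client whose options
# lack sec=, or whose sec= permits any flavor other than krb5p.
weak_exports() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }             # blank lines and comments
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break              # trailing comment
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {                      # split "client(opt,opt)"
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                seen = 0; bad = 0
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] ~ /^sec=/) { seen = 1; if (o[j] != "sec=krb5p") bad = 1 }
                if (!seen || bad) print $1, (client == "" ? "<any>" : client)
            }
        }'
}

# stdin: /etc/fstab text. Prints the mount point of each nfs/nfs4 entry
# whose option field does not contain sec=krb5p.
weak_fstab() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         ($3 == "nfs" || $3 == "nfs4") && ("," $4 ",") !~ /,sec=krb5p,/ { print $2 }'
}

# Constructed sample input; /srv/legacy and /srv/mixed are hypothetical.
sample_exports() {
    cat <<'EOF'
/srv/nfskerberos client.example.local(sec=krb5p,rw,sync)
/srv/legacy      client.example.local(rw,sync)
/srv/mixed       client.example.local(sec=krb5p:sys,rw) *(ro)
EOF
}
sample_fstab() {
    cat <<'EOF'
srv.example.local:/srv/nfskerberos /mnt/nfs    nfs vers=4.2,sec=krb5p,rw,sync 0 0
srv.example.local:/srv/legacy      /mnt/legacy nfs vers=3,rw,sync 0 0
EOF
}

sample_exports | weak_exports
sample_fstab | weak_fstab
```

On a real host, run weak_exports < /etc/exports on the server and weak_fstab < /etc/fstab on the client; no output means every entry enforces krb5p.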