How To Set up NFS Server with Kerberos-based Authentication
To set up NFS Server with Kerberos-based Authentication for Linux Clients
Kerberos is an authentication protocol in which clients authenticate to the Kerberos server and receive “tickets” that provide secure communication. A ticket lets clients communicate with each other until its validity period expires. The steps below set up an NFS server with Kerberos-based authentication for Linux clients.
Prerequisites
To configure Kerberos, the machines need NTP synchronization via an NTP server, and a DNS server for hostname resolution. This setup uses three Linux machines, as follows.
Host IP | Hostname |
192.168.7.235 | kbserver.kdc.com |
192.168.7.236 | nfsserver.kdc.com |
192.168.7.15 | nfsclient.kdc.com |
Instead of setting up DNS, we can create the above entries in the /etc/hosts file.
To Configure Kerberos Server
Now install the following package to configure the Kerberos server on your first machine.
[root@kbserver ~]# yum install krb5-server krb5-workstation pam_krb5 -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.mirror.net.in
* extras: mirrors.vonline.vn
* updates: mirrors.vonline.vn
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.13.2-12.el7_2 will be installed
.
.
.
workstation.x86_64 0:1.13.2-12.el7_2 pam_krb5.x86_64 0:2.4.8-4.el7
Dependency Installed:
libverto-tevent.x86_64 0:0.2.5-4.el7
Dependency Updated:
krb5-libs.x86_64 0:1.13.2-12.el7_2
Complete!
Edit the /var/kerberos/krb5kdc/kdc.conf file and replace EXAMPLE.COM under the [realms] section with your own domain. In this case we replace it with KDC.COM and add the line “default_principal_flags = +preauth” under the master_key_type line, as follows.
[root@kbserver ~]# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
KDC.COM = {
master_key_type = aes256-cts
default_principal_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Now edit the /etc/krb5.conf file as we did with the previous file, and uncomment all the lines, as follows.
[root@kbserver ~]# vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = KDC.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
KDC.COM = {
kdc = kbserver.kdc.com
admin_server = kbserver.kdc.com
}
[domain_realm]
.kdc.com = KDC.COM
kdc.com = KDC.COM
Finally, edit the /var/kerberos/krb5kdc/kadm5.acl file and replace EXAMPLE.COM.
[root@kbserver ~]# vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@KDC.COM *
Create the Kerberos database and set the password.
[root@kbserver ~]# kdb5_util create -s -r KDC.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'KDC.COM',
master key name 'K/M@KDC.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Start and enable the Kerberos services.
[root@kbserver ~]# systemctl start krb5kdc kadmin
[root@kbserver ~]# systemctl enable krb5kdc kadmin
ln -s '/usr/lib/systemd/system/krb5kdc.service' '/etc/systemd/system/multi-user.target.wants/krb5kdc.service'
ln -s '/usr/lib/systemd/system/kadmin.service' '/etc/systemd/system/multi-user.target.wants/kadmin.service'
Now run the following command to start the Kerberos administration tool. Here we create an admin principal and a user principal for “user1”, as follows.
[root@kbserver ~]# kadmin.local
Authenticating as principal root/admin@KDC.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@KDC.COM defaulting to no policy
Enter password for principal "root/admin@KDC.COM":
Re-enter password for principal "root/admin@KDC.COM":
Principal "root/admin@KDC.COM" created.
kadmin.local: addprinc user1
WARNING: no policy specified for user1@KDC.COM defaulting to no policy
Enter password for principal "user1@KDC.COM":
Re-enter password for principal "user1@KDC.COM":
Principal "user1@KDC.COM" created.
Add the Kerberos server's hostname to the Kerberos database, then generate the keytab file for the Kerberos server. When finished, type “quit” to exit.
kadmin.local: addprinc -randkey host/kbserver.kdc.com
WARNING: no policy specified for host/kbserver.kdc.com@KDC.COM defaulting to no policy
Principal "host/kbserver.kdc.com@KDC.COM" created.
kadmin.local: ktadd host/kbserver.kdc.com
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local: quit
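The ktadd output above writes DES, 3DES and RC4 keys into the keytab alongside the AES and Camellia ones. The following shell function is an added example, not part of the original article: it reads ktadd output and lists every key created with one of those legacy encryption types. The function name weak_keytab_entries is an assumption of this example; the sample input is four of the ktadd lines shown above.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads "ktadd" output (the format shown above) on stdin and prints
# "principal kvno enctype" for each key whose encryption type is
# single DES, triple DES or RC4. Prints nothing if only AES/Camellia
# keys were written.
weak_keytab_entries() {
    awk '
    /^Entry for principal / {
        princ = $4; kvno = ""; etype = ""
        for (i = 5; i <= NF; i++) {
            if ($i == "kvno") { kvno = $(i + 1); sub(/,$/, "", kvno) }
            if ($i == "type") { etype = $(i + 1) }
        }
        # des-*, des3-* and arcfour-* cover single DES, triple DES and RC4
        if (etype ~ /^(des|des3|arcfour)-/) print princ, kvno, etype
    }'
}

# Sample input: four lines of the ktadd output for host/kbserver.kdc.com.
SAMPLE_KTADD_OUTPUT='Entry for principal host/kbserver.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kbserver.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.'

# Lists the arcfour-hmac and des-cbc-md5 keys from the sample.
printf '%s\n' "$SAMPLE_KTADD_OUTPUT" | weak_keytab_entries
```

Limiting supported_enctypes in kdc.conf to the AES and Camellia entries before principals are created keeps the KDC from generating the legacy key types in the first place.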
We need to uncomment two lines in the /etc/ssh/ssh_config file and set both values to “yes”, as follows.
[root@kbserver ~]# vim /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Reload the sshd service and configure the PAM component.
[root@kbserver ~]# systemctl reload sshd
[root@kbserver ~]# authconfig --enablekrb5 --update
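Set the firewall configuration to allow the Kerberos port by creating the /etc/firewalld/services/kerberos.xml file and adding the following lines.
[root@kbserver ~]# vim /etc/firewalld/services/kerberos.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos</short>
  <description>Kerberos network authentication protocol server</description>
  <!-- the KDC listens on port 88 (kdc_ports / kdc_tcp_ports in kdc.conf) -->
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>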
Then add the Kerberos service in the firewall.
[root@kbserver ~]# firewall-cmd --permanent --add-service=kerberos
success
[root@kbserver ~]# firewall-cmd --reload
success
The Kerberos server configuration on the first machine (kbserver.kdc.com) is now done. To verify the configuration, log in to the user1 account and run the commands below.
[root@kbserver ~]# su - user1
[user1@kbserver ~]$ kinit
Password for user1@KDC.COM:
[user1@kbserver ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@KDC.COM
Valid starting Expires Service principal
06/13/2016 18:30:24 06/14/2016 18:30:23 krbtgt/KDC.COM@KDC.COM
To Configure NFS Server for Kerberos
Install the following package for nfs server.
[root@nfsserver ~]# yum groupinstall file-server -y
Loaded plugins: fastestmirror, langpacks
There is no installed groups file.
Maybe run: yum groups mark convert (see man yum)
Loading mirror speeds from cached hostfile
* base: mirror.nbrc.ac.in
* extras: mirror.nbrc.ac.in
.
.
.
libtevent.x86_64 0:0.9.26-1.el7_2.1
libwbclient.x86_64 0:4.2.10-6.el7_2 lvm2.x86_64 7:2.02.130-5.el7_2.2
lvm2-libs.x86_64 7:2.02.130-5.el7_2.2 pytalloc.x86_64 0:2.1.5-1.el7_2
samba-common.noarch 0:4.2.10-6.el7_2 samba-libs.x86_64 0:4.2.10-6.el7_2
Complete!
Create a new directory for the NFS share and change its permissions as follows.
[root@nfsserver ~]# mkdir /kerberos
[root@nfsserver ~]# chmod 0777 /kerberos/
To assign the SELinux context for the new directory, install the following package.
[root@nfsserver ~]# yum install setroubleshoot-server -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.nbrc.ac.in
* extras: mirror.nbrc.ac.in
* updates: mirror.nbrc.ac.in
Resolving Dependencies
--> Running transaction check
---> Package setroubleshoot-server.x86_64 0:3.2.17-2.el7 will be updated
.
.
.
Updated:
setroubleshoot-server.x86_64 0:3.2.24-1.1.el7
Dependency Updated:
setroubleshoot.x86_64 0:3.2.24-1.1.el7
Complete!
[root@nfsserver ~]# semanage fcontext -a -t public_content_rw_t "/kerberos(/.*)?"
[root@nfsserver ~]# restorecon -R /kerberos/
Set the SELinux Booleans.
[root@nfsserver ~]# setsebool -P nfs_export_all_rw on
[root@nfsserver ~]# setsebool -P nfs_export_all_ro on
[root@nfsserver ~]# setsebool -P use_nfs_home_dirs on
Export the nfs shares in the /etc/exports file as follows.
[root@nfsserver ~]# vim /etc/exports
/kerberos nfsclient.kdc.com(rw,sync,no_root_squash,sec=krb5p)
[root@nfsserver ~]# exportfs -arv
exporting nfsclient.kdc.com:/kerberos
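The export above relies on sec=krb5p for Kerberos authentication with encryption. The following shell function is an added example, not part of the original article: it reads /etc/exports-style lines and reports, per client, any export that accepts a non-Kerberos flavor, accepts krb5 or krb5i (no encryption) rather than krb5p, or sets no_root_squash. The function name audit_exports and the /srv paths in the sample are made up for this example; the first sample line is the export used above.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads exports(5)-style lines on stdin and prints one finding per line:
#   <path> <client> NO_KERBEROS sec=<flavor>   flavor is not krb5/krb5i/krb5p
#   <path> <client> NO_PRIVACY sec=<flavor>    krb5 or krb5i, traffic not encrypted
#   <path> <client> NO_ROOT_SQUASH             client root is not mapped to anonymous
audit_exports() {
    awk '
    /^[ \t]*#/ { next }                 # comment line
    NF == 0    { next }                 # blank line
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"   # "(opts)" alone means any host
            sec = "sys"; squash = 1          # defaults when not specified
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                if (o[j] == "no_root_squash") squash = 0
            }
            # sec= may list several flavors separated by ":"
            m = split(sec, f, ":")
            for (j = 1; j <= m; j++) {
                if (f[j] !~ /^krb5/) print path, client, "NO_KERBEROS sec=" f[j]
                else if (f[j] != "krb5p") print path, client, "NO_PRIVACY sec=" f[j]
            }
            if (!squash) print path, client, "NO_ROOT_SQUASH"
        }
    }'
}

# Constructed sample: line 2 is the export from this article,
# the /srv lines are invented to show the other findings.
SAMPLE_EXPORTS='# constructed sample /etc/exports
/kerberos nfsclient.kdc.com(rw,sync,no_root_squash,sec=krb5p)
/srv/scratch 192.168.7.0/24(rw,sync)
/srv/docs nfsclient.kdc.com(ro,sec=krb5:krb5i:krb5p) *(ro)'

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```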
Add the following services to the firewall permanently.
[root@nfsserver ~]# firewall-cmd --permanent --add-service=nfs
success
[root@nfsserver ~]# firewall-cmd --permanent --add-service=rpc-bind
success
[root@nfsserver ~]# firewall-cmd --permanent --add-service=mountd
success
[root@nfsserver ~]# firewall-cmd --reload
success
Start and enable the rpcbind and nfs-server services.
[root@nfsserver ~]# systemctl start rpcbind nfs-server
[root@nfsserver ~]# systemctl enable rpcbind nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
To verify the exported shares
[root@nfsserver ~]# showmount -e localhost
Export list for localhost:
/kerberos nfsclient.kdc.com
Install the Kerberos client package in the nfs server.
[root@nfsserver ~]# yum install krb5-workstation pam_krb5 -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.nbrc.ac.in
* extras: mirror.nbrc.ac.in
* updates: mirror.nbrc.ac.in
Resolving Dependencies
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.13.2-12.el7_2 will be installed
.
.
.
Installed:
krb5-workstation.x86_64 0:1.13.2-12.el7_2 pam_krb5.x86_64 0:2.4.8-4.el7
Complete!
Edit the same configuration file /etc/krb5.conf, as we did in the Kerberos server. Copy the /etc/krb5.conf file from the Kerberos server to nfs server.
[root@nfsserver ~]# scp root@kbserver.kdc.com:/etc/krb5.conf /etc/krb5.conf
The authenticity of host 'kbserver.kdc.com (192.168.7.235)' can't be established.
ECDSA key fingerprint is 03:b1:88:9e:3d:c6:eb:fe:38:6c:3f:90:06:51:4b:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kbserver.kdc.com,192.168.7.235' (ECDSA) to the list of known hosts.
root@kbserver.kdc.com's password:
krb5.conf 100% 458 0.5KB/s 00:00
Add the NFS server machine's hostname as a principal using kadmin, as follows, and then add it to the keytab file.
[root@nfsserver ~]# kadmin
Authenticating as principal root/admin@KDC.COM with password.
Password for root/admin@KDC.COM:
kadmin: addprinc -randkey host/nfsserver.kdc.com
WARNING: no policy specified for host/nfsserver.kdc.com@KDC.COM defaulting to no policy
Principal "host/nfsserver.kdc.com@KDC.COM" created.
kadmin: ktadd host/nfsserver.kdc.com
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsserver.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin: quit
Edit the /etc/ssh/ssh_config file as we did on the Kerberos server, as follows.
[root@nfsserver ~]# vim /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Now reload the sshd configuration and configure the PAM component.
[root@nfsserver ~]# systemctl reload sshd
[root@nfsserver ~]# authconfig --enablekrb5 --update
To verify the configuration, log in to the user1 account and run the commands below.
[root@nfsserver ~]# su - user1
[user1@nfsserver ~]$ kinit
Password for user1@KDC.COM:
[user1@nfsserver ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@KDC.COM
Valid starting Expires Service principal
06/13/2016 19:03:10 06/14/2016 19:03:08 krbtgt/KDC.COM@KDC.COM
You can now try an SSH connection to your Kerberos server; it should not ask for a password to log in.
[user1@nfsserver ~]$ ssh kbserver.kdc.com
The authenticity of host 'kbserver.kdc.com (192.168.7.235)' can't be established.
ECDSA key fingerprint is 03:b1:88:9e:3d:c6:eb:fe:38:6c:3f:90:06:51:4b:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kbserver.kdc.com,192.168.7.235' (ECDSA) to the list of known hosts.
Last login: Mon Jun 13 18:30:14 2016
[user1@kbserver ~]$ exit
logout
Connection to kbserver.kdc.com closed.
[user1@nfsserver ~]$ exit
Add the principal for NFS with the kadmin command, as follows.
[root@nfsserver ~]# kadmin
Authenticating as principal root/admin@KDC.COM with password.
Password for root/admin@KDC.COM:
kadmin: addprinc -randkey nfs/nfsserver.kdc.com
WARNING: no policy specified for nfs/nfsserver.kdc.com@KDC.COM defaulting to no policy
Principal "nfs/nfsserver.kdc.com@KDC.COM" created.
Generate the keytab file for the NFS share on the NFS server, as follows. This file is used when sharing from the NFS server to clients.
kadmin: ktadd nfs/nfsserver.kdc.com
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsserver.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin: quit
The NFS server configuration is now done. Restart the services for it to take effect.
[root@nfsserver ~]# systemctl restart nfs-server
[root@nfsserver ~]# systemctl restart nfs-secure-server
[root@nfsserver ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
To configure the NFS Client with Kerberos based Authentication
Install the client package to mount the nfs share from the nfs server.
[root@nfsclient ~]# yum install nfs-utils -y
Loaded plugins: fastestmirror, langpacks
adobe-linux | 951 B 00:00:00
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
updates/7/x86_64/primary_db | 4.9 MB 00:00:30
Loading mirror speeds from cached hostfile
* base: mirror.nbrc.ac.in
* extras: mirror.nbrc.ac.in
* updates: mirror.nbrc.ac.in
Resolving Dependencies
--> Running transaction check
---> Package nfs-utils.x86_64 1:1.3.0-0.el7 will be updated
.
.
.
Complete!
Install the client package for Kerberos in the nfs client machine.
[root@nfsclient ~]# yum install krb5-workstation pam_krb5 -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.nbrc.ac.in
* extras: mirror.nbrc.ac.in
* updates: mirror.nbrc.ac.in
Resolving Dependencies
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.13.2-12.el7_2 will be installed
.
.
.
Installed:
krb5-workstation.x86_64 0:1.13.2-12.el7_2 pam_krb5.x86_64 0:2.4.8-4.el7
Dependency Updated:
krb5-libs.x86_64 0:1.13.2-12.el7_2
Complete!
Now copy the /etc/krb5.conf file from the Kerberos server.
[root@nfsclient ~]# scp root@kbserver.kdc.com:/etc/krb5.conf /etc/krb5.conf
The authenticity of host 'kbserver.kdc.com (192.168.7.235)' can't be established.
ECDSA key fingerprint is 03:b1:88:9e:3d:c6:eb:fe:38:6c:3f:90:06:51:4b:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kbserver.kdc.com,192.168.7.235' (ECDSA) to the list of known hosts.
root@kbserver.kdc.com's password:
krb5.conf 100% 458 0.5KB/s 00:00
Add the principal and keytab file for nfs client machine using the kadmin command.
[root@nfsclient ~]# kadmin
Authenticating as principal root/admin@KDC.COM with password.
Password for root/admin@KDC.COM:
kadmin: addprinc -randkey host/nfsclient.kdc.com
WARNING: no policy specified for host/nfsclient.kdc.com@KDC.COM defaulting to no policy
Principal "host/nfsclient.kdc.com@KDC.COM" created.
kadmin: ktadd host/nfsclient.kdc.com
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/nfsclient.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin: quit
Edit the /etc/ssh/ssh_config file.
[root@nfsclient ~]# vim /etc/ssh/ssh_config
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Reload the sshd service configuration and configure the PAM component.
[root@nfsclient ~]# systemctl reload sshd
[root@nfsclient ~]# authconfig --enablekrb5 --update
Test the configuration file in user1 account.
[root@nfsclient ~]# su - user1
[user1@nfsclient ~]$ kinit
Password for user1@KDC.COM:
[user1@nfsclient ~]$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@KDC.COM
Valid starting Expires Service principal
06/13/2016 19:17:01 06/14/2016 19:16:59 krbtgt/KDC.COM@KDC.COM
Try to log into Kerberos server via SSH.
[user1@nfsclient ~]$ ssh kbserver.kdc.com
The authenticity of host 'kbserver.kdc.com (192.168.7.235)' can't be established.
ECDSA key fingerprint is 03:b1:88:9e:3d:c6:eb:fe:38:6c:3f:90:06:51:4b:c9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kbserver.kdc.com,192.168.7.235' (ECDSA) to the list of known hosts.
Last login: Mon Jun 13 19:03:42 2016 from nfsserver.kdc.com
[user1@kbserver ~]$ exit
logout
Connection to kbserver.kdc.com closed.
[user1@nfsclient ~]$ exit
logout
Add the nfs principal and generate the keytab file for the nfs client by using the kadmin command.
[root@nfsclient ~]# kadmin
Authenticating as principal root/admin@KDC.COM with password.
Password for root/admin@KDC.COM:
kadmin: addprinc -randkey nfs/nfsclient.kdc.com
WARNING: no policy specified for nfs/nfsclient.kdc.com@KDC.COM defaulting to no policy
Principal "nfs/nfsclient.kdc.com@KDC.COM" created.
kadmin: ktadd nfs/nfsclient.kdc.com
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/nfsclient.kdc.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin: quit
Start and Enable the nfs-secure service for client.
[root@nfsclient ~]# systemctl start nfs-secure
[root@nfsclient ~]# systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
To list available nfs share from the nfs server
[root@nfsclient ~]# showmount -e nfsserver.kdc.com
Export list for nfsserver.kdc.com:
/kerberos nfsclient.kdc.com
To mount the nfs share permanently, create an entry in /etc/fstab file.
[root@nfsclient ~]# vim /etc/fstab
nfsserver.kdc.com:/kerberos /mnt nfs sec=krb5p 0 0
Once the setup is done, mount all the entries mentioned in the fstab file.
[root@nfsclient ~]# mount -a
[root@nfsclient ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 18G 5.1G 13G 29% /
devtmpfs 486M 0 486M 0% /dev
tmpfs 494M 140K 494M 1% /dev/shm
tmpfs 494M 7.0M 487M 2% /run
tmpfs 494M 0 494M 0% /sys/fs/cgroup
/dev/sda1 497M 116M 382M 24% /boot
nfsserver.kdc.com:/kerberos 18G 5.1G 13G 29% /mnt